State of California · United States

CCPA / CPRA

California’s consumer privacy law and its CPRA amendments.

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the leading US state privacy law. It gives California consumers rights over their personal information and imposes obligations on businesses, enforced by the California Privacy Protection Agency (CPPA).

Who must comply

The law applies to for-profit businesses that handle California residents’ personal information and meet at least one threshold: annual gross revenue above the statutory limit; buying, selling or sharing the personal information of 100,000+ consumers or households; or deriving 50%+ of revenue from selling or sharing personal information. It is extraterritorial: non-US businesses that meet the criteria are covered.

Consumer rights

Right                What it allows
Know / access        What personal information is collected, used, shared or sold
Delete               Request deletion of personal information
Correct              Correct inaccurate personal information (CPRA)
Opt-out              Opt out of the sale or sharing of personal information
Limit                Limit use of sensitive personal information (CPRA)
Non-discrimination   Not be discriminated against for exercising rights

Business obligations

  • Provide privacy notices and a "Do Not Sell or Share My Personal Information" mechanism.
  • Honour consumer requests within statutory timelines.
  • Implement reasonable security; apply data minimisation and purpose limitation (CPRA).
  • Manage service-provider/contractor and third-party contracts.
  • Conduct risk assessments and cybersecurity audits for high-risk processing (as required by CPPA rules).

Penalties

  • Administrative fines per violation (higher for violations involving minors), enforced by the CPPA and Attorney General.
  • A private right of action for certain data breaches.

How CyberSigma helps

We map your data, build CCPA/CPRA notices, rights and opt-out mechanisms, and align them with your GDPR and DPDP programmes for a single global privacy posture.

Frequently asked questions

Does CCPA apply to companies outside the US?
Yes — if a business meets the thresholds and handles California residents’ personal information, it applies regardless of where the business is located.
