Launch Q3 2026
BearGuard®
BearGuard®
Governance & AI Guardrails
DE EN
🔒 US Privacy Laws

CCPA / CPRA — California Consumer Privacy Act / California Privacy Rights Act

CCPA (2020) and CPRA (2023) form California's comprehensive consumer data privacy law, granting residents rights over their personal information.

LinkedIn X WhatsApp

Summary

The California Consumer Privacy Act (CCPA) took effect on 1 January 2020 and is the most comprehensive data privacy law in the US. It was expanded by the California Privacy Rights Act (CPRA), effective from 1 January 2023, which among other things established the California Privacy Protection Agency (CPPA) as an independent data protection authority.

  • Right to know: Consumers can find out what data is collected about them and for what purpose.
  • Right to deletion: Request deletion of personal information.
  • Right to opt out: Opt out of the sale or sharing of personal information.
  • Sensitive personal information: CPRA introduces a new category of sensitive data with enhanced protections.

History

The CCPA was passed in June 2018 and took effect on 1 January 2020, after initiative sponsor Alastair Mactaggart threatened to put a stricter measure on the ballot. It was immediately regarded as the strictest data privacy legislation in the US. In November 2020, 56% of Californians voted for Proposition 24 (CPRA), which significantly expanded the CCPA. CPRA provisions became fully applicable from 1 January 2023, and the CPPA began enforcement in 2023.

Scope

CCPA/CPRA applies to for-profit businesses that do business in California or process data of California residents and meet at least one of the following criteria: (1) annual gross revenues over USD 25 million; (2) buy, receive, sell, or share personal information of 100,000 or more consumers or households; (3) derive more than 50% of annual revenues from selling consumer personal information. The law protects California residents regardless of where the business is located.

Key Requirements

  • Privacy notice: Clear disclosure of categories of data collected and purposes of use.
  • Consumer rights: Right to know, delete, correct, data portability, opt out of sale/sharing, limit use of sensitive personal information.
  • "Do Not Sell or Share": Easily accessible opt-out mechanism on the website.
  • Response timelines: Response to consumer requests within 45 days.
  • Data processing agreements: Contracts with service providers.
  • Risk assessments: CPRA requires businesses to conduct annual privacy risk assessments for high-risk processing.
  • Fines: Up to USD 2,500 per unintentional violation, USD 7,500 per intentional violation.

Corrections & Errata

2026-QA-207 Clarification 20 March 2026
Missing connection: ccpa → gdpr

CCPA is the US equivalent of GDPR — baseline cross-reference was missing. lgpd↔gdpr and appi↔gdpr already existed.

Full details on the errata page →
2026-QA-039 Update 28 February 2026
Quality Audit: CCPA / CPRA — California Consumer Privacy Act / California Privacy Rights Act

1 update:
- CCPA: New regulations effective January 1, 2026 missing from key_dates

Full details on the errata page →

Content last reviewed: 22 February 2026. Found an error or need an update? [email protected]