Understanding CCPA & CPRA
The California Consumer Privacy Act and California Privacy Rights Act and their impact on data privacy in the digital age
What are CCPA & CPRA?
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are comprehensive privacy laws designed to enhance privacy rights and consumer protection for residents of California. The CCPA, which took effect on January 1, 2020, was the first major consumer privacy law in the United States. The CPRA, sometimes called "CCPA 2.0," was approved in November 2020 and became effective on January 1, 2023, significantly expanding and strengthening the original CCPA.
These groundbreaking laws give California residents unprecedented control over their personal information and impose significant obligations on businesses that collect and process this data. They represent California's response to growing concerns about data privacy in the digital age and align with global privacy trends, moving closer to the standards set by the European Union's General Data Protection Regulation (GDPR).
The CPRA notably established the California Privacy Protection Agency (CPPA), a dedicated enforcement body, and introduced stronger protections for sensitive personal information, reflecting the increased importance of data privacy in today's digital economy.
Scope & Applicability
The CCPA/CPRA applies to for-profit businesses that collect personal information from California residents, determine the purposes of processing, and do business in California, if they meet one of these thresholds:
- Annual gross revenue exceeding $25 million (adjusted to $26.625 million by 2025)
- Annually buys, sells, or shares personal information of 100,000+ California residents or households
- Derives 50% or more of annual revenue from selling/sharing California residents' personal information
Key Differences: CPRA vs CCPA
The CPRA significantly enhanced the original CCPA with several important changes:
- Created the California Privacy Protection Agency (CPPA) for dedicated enforcement
- Added special protections for sensitive personal information
- Expanded consumer rights, including the right to correct inaccurate information
- Extended to "sharing" of data for cross-context behavioral advertising
- Removed B2B and employee data exemptions
Consumer Rights Under CCPA/CPRA
The CCPA and CPRA grant California residents significant rights over their personal data.
Right to Know
Consumers can request information about what personal data is collected, how it's used, and whether it's sold or shared with third parties.
Right to Delete
Consumers can request deletion of their personal information, with certain exceptions for necessary business operations.
Right to Opt-Out
Consumers can opt out of the sale or sharing of their personal information, including for cross-context behavioral advertising.
Right to Non-Discrimination
Consumers cannot be discriminated against for exercising their CCPA/CPRA rights, including in terms of price or service quality.
Right to Correct
Added by the CPRA, this right lets consumers request corrections to inaccurate personal information.
Right to Limit Use of Sensitive Data
CPRA allows consumers to limit the use and disclosure of sensitive personal information to necessary purposes.
Right to Opt-Out of Automated Decision-Making
Under the CPRA, consumers can opt out of profiling and automated decision-making technology.
Business Obligations
Businesses must fulfill several key obligations to comply with CCPA/CPRA.
Notice at Collection
Businesses must inform consumers about categories of personal information collected and purposes of use at the time of collection.
Privacy Policy Disclosures
A detailed privacy policy must disclose data practices, consumer rights, and how to exercise those rights.
Data Subject Request Processes
Businesses must establish clear procedures to handle and respond to consumer requests within 45 days.
Reasonable Security Measures
Businesses must implement appropriate security measures to protect personal information from unauthorized access.
Service Provider Requirements
Businesses must have written contracts with service providers and contractors that restrict their use of personal information.
Data Minimization
CPRA requires collection and processing of only the necessary personal information for disclosed purposes.
Honor Opt-Out Preference Signals
Businesses must respect technical opt-out signals, such as Global Privacy Control (GPC), as opt-out requests for the sale or sharing of data.
Impact on Web Analytics
Websites commonly employ web analytics to track user behavior, understand website traffic, and improve user experience. Under CCPA/CPRA, the use of tracking cookies and the processing of personal data for analytics generally require explicit consent from the user.
This means that websites can no longer rely on implied consent or pre-checked boxes; users must actively and affirmatively agree to the collection of their data for these purposes. The consent obtained must be freely given, specific, informed, and unambiguous.
Websites are also obligated to provide transparent information about their use of cookies and data processing practices in their privacy policies. This includes detailing the types of cookies used, their purpose, the data collected, and whether this data is shared with any third parties.
Moreover, it must be as easy for users to withdraw their consent as it was to grant it. This emphasis on explicit consent and transparency has led to the widespread implementation of cookie consent banners and a greater awareness among internet users regarding online tracking practices.
Notice Requirements
Businesses must provide clear information in privacy policies and at collection points about cookies and tracking technologies, detailing categories of data collected, purposes, and third parties involved.
Tracking Cookies & Consent
Data collected through cookies is considered personal information. Businesses that sell or share this information must provide a "Do Not Sell or Share" link and honor opt-out preference signals such as Global Privacy Control.
Analytics Processing
When using analytics tools, businesses must provide opt-out mechanisms for data sold or shared for cross-context behavioral advertising, potentially requiring IP anonymization and limited data sharing.
Transparency in Practice
CCPA/CPRA mandates transparency in web analytics, requiring clear disclosures about data collection and respecting users' choices regarding the sale or sharing of their information collected through these technologies.
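The opt-out preference signal mentioned above (Global Privacy Control, under Business Obligations and under Tracking Cookies & Consent) is sent by the browser as the HTTP request header `Sec-GPC: 1` (and exposed to page scripts as `navigator.globalPrivacyControl`). The following is an added example, not Databuddy's code, showing how a server can detect that header and gate "sale or share" data flows accordingly; the downstream destinations and sample headers are constructed, and the merge policy with a stored preference is a simplified assumption.

```python
"""Detect and honor a Global Privacy Control (GPC) opt-out signal.

Added example (not Databuddy code). GPC is signalled by the request
header `Sec-GPC: 1`. The DOWNSTREAM table and the request headers used
below are constructed for illustration.
"""
from typing import Dict, List, Optional

# Constructed downstream data flows. Each is tagged with whether it is a
# "sale or share" under CCPA/CPRA (e.g. cross-context behavioral
# advertising), which the opt-out covers, or a first-party/service-provider
# flow, which it does not.
DOWNSTREAM = {
    "ad_network": {"sale_or_share": True},
    "first_party_analytics": {"sale_or_share": False},
    "retargeting_pixel": {"sale_or_share": True},
}


def gpc_opted_out(headers: Dict[str, str]) -> bool:
    """True when the request carries a valid GPC opt-out signal.

    Only the exact field value "1" is a signal; header names are matched
    case-insensitively as HTTP requires, and surrounding whitespace is ignored.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def effective_opt_out(headers: Dict[str, str], stored_preference: Optional[bool]) -> bool:
    """Combine the GPC signal with any opt-out the consumer recorded earlier.

    Simplified policy (an assumption of this example): a GPC signal is treated
    as an opt-out request, and a previously recorded explicit opt-out is not
    silently undone by a later request that lacks the header.
    """
    return bool(stored_preference) or gpc_opted_out(headers)


def permitted_destinations(headers: Dict[str, str], stored_preference: Optional[bool]) -> List[str]:
    """Return the downstream flows that may receive this request's data."""
    opted_out = effective_opt_out(headers, stored_preference)
    return sorted(
        name for name, cfg in DOWNSTREAM.items()
        if not (opted_out and cfg["sale_or_share"])
    )


if __name__ == "__main__":
    # Constructed sample requests: one with the GPC signal, one without.
    print(permitted_destinations({"Sec-GPC": "1", "User-Agent": "example"}, None))
    print(permitted_destinations({"User-Agent": "example"}, None))
```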
Enforcement & Penalties
The CPPA and the California Attorney General enforce these laws, with significant penalties for non-compliance.
Administrative Fines
The CPPA can impose civil penalties of:
- Up to $2,500 per unintentional violation
- Up to $7,500 per intentional violation or violations involving minors
- Amounts adjusted for inflation every two years
Private Right of Action
For certain data breaches, consumers can seek:
- Statutory damages between $100 and $750 per incident
- Significant collective damages for large-scale breaches
- Injunctive or declaratory relief
Notable Enforcement Actions
- Sephora (2022): $1.2 million fine for failing to disclose data sales and honor opt-out requests.
- DoorDash (2024): $375,000 fine for issues related to opt-out provisions.
- Tilting Point Media (2024): $500,000 fine for violations concerning children's privacy.
- Honda (2025): $632,500 settlement for problems with consumer rights request processes.
Compliance Challenges
Despite being in effect for several years, studies indicate only a small percentage of companies fully meet requirements. The average cost for manually processing a single Data Subject Access Request (DSAR) is approximately $1,524.
How Databuddy Helps With CCPA/CPRA Compliance
Our privacy-first analytics solutions are designed with CCPA/CPRA compliance in mind.
Cookieless Tracking
Our technology doesn't rely on cookies for analytics, reducing requirements for opt-out mechanisms under CCPA/CPRA.
Data Minimization By Design
Engineered to collect only essential data, aligning with CPRA's data minimization requirements.
Enhanced Transparency
Clear, accessible information about data practices to help our clients meet CCPA/CPRA disclosure requirements.
Limited Data Sharing
Minimal third-party data sharing reduces exposure to CCPA/CPRA obligations regarding the sale and sharing of personal information.
Key Takeaways
Comprehensive Protection
The CCPA and CPRA provide California residents with unprecedented rights over their personal information and impose substantial obligations on businesses that collect this data.
Growing Enforcement
As enforcement actions increase and consumer awareness grows, compliance with these laws is becoming increasingly important for businesses of all sizes.
Proactive Compliance
The financial and reputational consequences of non-compliance are significant, making it essential for organizations to prioritize privacy in their data practices.
Privacy-First Approach
Databuddy's privacy-first analytics solutions help businesses navigate these complex requirements while still delivering the insights they need to succeed.