CCPA/CPRA Reference
Free reference guide: CCPA/CPRA Reference
About CCPA/CPRA Reference
The CCPA/CPRA Reference provides a searchable guide to the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA). It covers six core consumer rights: the Right to Know what personal information is collected, the Right to Delete collected data, the Right to Opt-Out of data sales or sharing, the Right to Non-Discrimination, the Right to Correct inaccurate information, and the Right to Limit use of sensitive personal data.
Business obligations are detailed, including Notice at Collection requirements, comprehensive Privacy Policy mandates (updated annually), the homepage "Do Not Sell or Share" link requirement, honoring of Global Privacy Control (GPC) signals, data minimization principles, purpose limitation rules, and written service provider contracts restricting personal information use.
The reference also covers enforcement mechanisms through the California Attorney General and the new California Privacy Protection Agency (CPPA), private right of action for data breaches with statutory damages of $100-$750 per consumer per incident, penalty amounts ($2,500 unintentional, $7,500 intentional), and the three applicability thresholds that determine which businesses must comply.
Key Features
- All six CCPA/CPRA consumer rights explained: Know, Delete, Opt-Out, Non-Discrimination, Correct, and Limit Sensitive Data
- Business obligation details including Notice at Collection, Privacy Policy, and Opt-Out link requirements
- CPRA-specific additions: data minimization, purpose limitation, and sensitive personal information controls
- Enforcement mechanisms through the AG, CPPA agency, and private right of action for data breaches
- Penalty amounts for unintentional ($2,500) and intentional ($7,500) violations per incident
- Three applicability thresholds: $25M revenue, 100K+ consumers, or 50%+ revenue from data sales
- Service provider contract requirements and restrictions on personal information processing
- Global Privacy Control (GPC) signal compliance and Do Not Sell/Share link placement rules
Frequently Asked Questions
What consumer rights does the CCPA/CPRA grant?
The CCPA/CPRA provides six rights: (1) Right to Know what personal information is collected, used, and shared, (2) Right to Delete collected data, (3) Right to Opt-Out of sale or sharing, (4) Right to Non-Discrimination for exercising rights, (5) Right to Correct inaccurate information (CPRA addition), and (6) Right to Limit use of sensitive personal information (CPRA addition).
Which businesses must comply with the CCPA/CPRA?
A business must comply if it meets any one of three thresholds: annual gross revenue exceeding $25 million, buying/selling/sharing personal information of 100,000 or more consumers or households annually, or deriving 50% or more of annual revenue from selling or sharing consumer personal information.
What are the penalties for CCPA/CPRA violations?
Unintentional violations carry a $2,500 civil penalty per violation. Intentional violations or violations involving minors carry a $7,500 penalty per violation. Additionally, consumers can sue for data breaches involving unencrypted personal information with statutory damages of $100 to $750 per consumer per incident, or actual damages if greater.
What is the CPPA and how does it differ from AG enforcement?
The California Privacy Protection Agency (CPPA) was created under the CPRA as a dedicated enforcement body with full administrative power to investigate, enforce, and issue regulations. Unlike the AG, which handles civil actions, the CPPA has a specialized privacy focus; the CPRA also removed the 30-day cure period for violations.
What must a CCPA/CPRA privacy policy include?
The privacy policy must describe consumer rights, list categories of personal information collected, identify sources of data, state the purposes of collection, name third parties data is shared with, explain how to submit consumer requests, and be updated at least annually.
What is the Right to Limit Sensitive Data under CPRA?
The CPRA allows consumers to limit a business's use of sensitive personal information, which includes Social Security numbers, financial account information, precise geolocation data, racial/ethnic origin, health data, and other categories that pose heightened privacy risks.
What are the data minimization and purpose limitation rules?
Data minimization (CPRA) requires businesses to collect only personal information reasonably necessary for the disclosed purpose. Purpose limitation prevents using personal information for purposes incompatible with the originally disclosed purpose without providing new notice to the consumer.
Does the CCPA/CPRA require honoring Global Privacy Control signals?
Yes. Businesses must honor Global Privacy Control (GPC) browser signals as a valid opt-out request. The homepage must also display a "Do Not Sell or Share My Personal Information" link that allows consumers to directly exercise their opt-out right.
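As an added example (not part of the reference guide itself), the following shows how a server can detect the GPC browser signal, which the GPC specification sends as the HTTP header Sec-GPC with the value 1, and treat it as a sticky opt-out of sale or sharing. It assumes request headers arrive as a name-to-value mapping; the consent record layout and processing categories are constructed for illustration.

```python
from typing import Mapping

# Header name defined by the Global Privacy Control specification; the value "1" is the signal.
GPC_HEADER = "Sec-GPC"


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True only when the request carries Sec-GPC with the exact value "1".

    Header names are matched case-insensitively. Any other value ("0", "", "true")
    is not a valid signal and must not be treated as an opt-out.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER.lower():
            return value.strip() == "1"
    return False


def apply_gpc(consent: dict, headers: Mapping[str, str]) -> dict:
    """Return an updated per-browser consent record (constructed layout) with sale/sharing
    suppressed when the GPC signal is present.

    The opt-out is sticky: a later request without the header does not re-enable
    sharing, because the opt-out stands until the consumer affirmatively opts back in.
    """
    updated = dict(consent)
    if gpc_signal_present(headers):
        updated["sell_or_share"] = False
        updated["opt_out_source"] = "gpc"
    return updated


def allowed_processing(consent: dict) -> list[str]:
    """Processing purposes still permitted for this record (constructed category names)."""
    purposes = ["service_delivery", "security"]  # not affected by an opt-out
    if consent.get("sell_or_share", True):
        purposes += ["cross_context_ads", "data_broker_sale"]
    return purposes


if __name__ == "__main__":
    # Constructed sample requests: one carrying the signal, one without it.
    record = apply_gpc({"sell_or_share": True}, {"sec-gpc": "1", "User-Agent": "ExampleBrowser/1.0"})
    print(allowed_processing(record))  # ['service_delivery', 'security']
    record = apply_gpc(record, {"User-Agent": "ExampleBrowser/1.0"})
    print(allowed_processing(record))  # ['service_delivery', 'security'] (opt-out persists)
```

The same decision should also be applied to any consumer profile the business can link to the browser, which this snippet does not attempt.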