Who must comply with CCPA/CPRA?

For-profit entities doing business in California that meet revenue or data thresholds, or sell/share personal information, including certain affiliates.

What is the response time for consumer requests?

Businesses must respond within 45 days of a verifiable request, with a possible 45-day extension when reasonably necessary.

Do businesses need to honor Global Privacy Control (GPC)?

Yes. GPC is a valid opt-out signal for selling or sharing personal information and must be honored without additional friction.

How are vendors classified under CPRA?

Vendors may be service providers, contractors, or third parties. Contracts must restrict use, combining, and retention and require purpose limits.

What penalties exist under CCPA/CPRA?

Regulators may impose fines per violation; consumers may seek statutory damages for certain security breaches linked to inadequate safeguards.

What is CCPA?

Short answer: CCPA is California’s data privacy law. If you meet certain thresholds (revenue, data volumes, or data sales/sharing), you must provide notices; honor access, deletion, correction, and opt-out/opt-in (for minors) requests; enable a “Do Not Sell or Share” choice and respect Global Privacy Control (GPC); limit the use of sensitive personal information; sign contracts with service providers; secure data; and respond to consumer requests within 45 days (extensions allowed).

Core Principles Of CCPA/CPRA Compliance

Scope & Thresholds — Covers for-profit entities doing business in CA that meet revenue/data criteria or derive significant revenue from selling or sharing data.

Consumer Rights — Right to know, access, delete, correct, opt out of sale/share, and limit use of sensitive personal info; non-discrimination for exercising rights.

Notices & Transparency — Clear privacy policy, notice at collection, retention periods, and links to opt-out and limit use of sensitive data where applicable.

Signals & Preferences — Recognize GPC and honor preference signals for selling/sharing and sensitive data limits without requiring login.

Contracts & Vendors — Define roles (service provider, contractor, third party), include purpose limits, and restrict secondary use/combining data.

Security & Retention — Reasonable safeguards, least privilege, encryption at rest/in transit, and retention aligned to disclosed purposes.

Enforcement — California Privacy Protection Agency (CPPA) & Attorney General enforce; statutory damages for certain breaches via private right of action.

CCPA/CPRA Compliance Playbook

A practical sequence to operationalize notices, rights, signals, vendor controls, and security.

Step-By-Step

Confirm applicability — Test against thresholds (revenue, personal info counts, selling/sharing, or deriving 50%+ revenue from data sales).
Map collection & uses — Inventory data categories, sources, purposes, disclosures, retention, and “selling/sharing” flows.
Publish notices — Update privacy policy, notice at collection, retention periods, and disclosures about selling/sharing and sensitive data.
Enable consumer requests — Provide at least two methods (web form, toll-free, etc.), verify identity, and respond within 45 days.
Honor opt-out & GPC — Implement “Do Not Sell or Share” controls and respect browser-based signals without extra friction.
Sensitive data limits — Provide “Limit the Use of My Sensitive Personal Information” where required; minimize and purpose-bind.
Vendor governance — Execute CPRA-compliant contracts with service providers/contractors; restrict cross-context use and combining.
Security & minimization — Apply access control, encryption, logging, and data minimization; test incident response plans.
Children’s data — Obtain opt-in to sell/share for ages under 16 (parental consent under 13); document age-gate processes.
Training & audits — Train staff handling requests; review metrics, retention schedules, and update records of processing.

Key CCPA/CPRA Rights: What They Require

Right	Who It Applies To	Business Obligations	Timeframe	Common Pitfalls	Examples
Know & Access	California residents	Disclose categories/specific pieces, purposes, recipients, retention	45 days (extend +45)	Incomplete data maps; missing retention	Provide data report via secure portal
Delete	Upon verifiable request	Delete and flow-down to service providers/contractors	45 days (extend +45)	Not propagating deletes; overbroad exceptions	Erase profile while retaining fraud logs
Correct	Inaccurate personal information	Update records; notify vendors where feasible	45 days (extend +45)	No evidence of verification; partial updates	Fix misspelled name in CRM
Opt Out of Sell/Share	All consumers; opt-in for minors	Show link; honor GPC; block downstream sharing	Immediate upon signal	Ignoring GPC; dark patterns; partial coverage	Disable cross-context ads post-signal
Limit Sensitive PI Use	Where sensitive data is used beyond necessary	Provide limit link; purpose-bound; minimize	Prompt implementation	Over-collection; weak purpose definitions	Restrict precise geolocation analytics
Non-Discrimination	All consumers	No reduced service/price for exercising rights (with narrow exceptions)	Ongoing	Improper loyalty programs	Offer opt-in value-for-data with proper disclosures

Client Snapshot: Signals To Scale

A nationwide retailer deployed full data mapping, added “Do Not Sell or Share” and “Limit Sensitive PI” controls, and implemented GPC recognition. Within two quarters, request fulfillment time dropped 38%, opt-out accuracy reached 99.4%, and audit exceptions were reduced to zero critical findings.

Treat privacy as a product feature: design for transparency, control, and security from the first touch to retention and deletion.

FAQ: Understanding CCPA/CPRA

Clear answers for legal, security, marketing, and operations teams.

What is the difference between CCPA and CPRA?

CCPA established California privacy rights; CPRA amended and expanded them—adding correction rights, sensitive data limits, “sharing” for ads, GPC, and the state privacy agency.

Who must comply?

For-profit entities doing business in CA that meet thresholds (e.g., revenue or data volumes) or that sell/share consumer data; affiliates may also be covered.

How fast must we handle requests?

Respond without undue delay and within 45 days of receipt; you may extend once by an additional 45 days when reasonably necessary with notice.

Do we have to honor GPC?

Yes. You must treat Global Privacy Control as a valid request to opt out of selling/sharing and apply it globally to that browser or device.

How are vendors classified?

Service providers and contractors process data under your instructions via contract; third parties receive data for their own purposes and require opt-out controls when selling/sharing occurs.

What are the penalties?

Regulators may seek administrative fines per violation; consumers can bring actions for certain data breaches involving inadequate security, with statutory damages per affected consumer.

Make Privacy A Competitive Advantage

We help you operationalize CCPA/CPRA—policies, signals, contracts, and workflows that scale.

Elevate Marketing Operations Take the Self-Test

Explore More

Revenue Marketing Architecture Guide Revenue Marketing Index Customer Journey Map (The Loop™) Marketing Operations Services

Compliance & Regulations:
What Is CCPA?

Core Principles Of CCPA/CPRA Compliance

CCPA/CPRA Compliance Playbook

Step-By-Step

Key CCPA/CPRA Rights: What They Require

Client Snapshot: Signals To Scale

FAQ: Understanding CCPA/CPRA

Make Privacy A Competitive Advantage

Get in touch with a revenue marketing expert.

Send Us an Email

Schedule a Call

Solutions

Resources

About TPG