
CCPA & CPRA: California’s Privacy Laws Explained

29 May 2026 · 8 min read · Cyber Horizon Team

California led US privacy law with the CCPA, then sharpened it with the CPRA — adding new rights, a dedicated regulator, and GDPR-style concepts. If you do business with Californians, it likely reaches you, wherever you’re based.

Who’s in scope

For-profit businesses that handle Californians’ personal information are in scope if they meet at least one of these thresholds: $25M+ annual revenue; buying, selling or sharing the personal information of 100,000+ consumers or households; or deriving 50%+ of revenue from selling or sharing personal information. The CPRA also created the California Privacy Protection Agency (CPPA) to enforce the law.

Consumer rights

  • Know & access: consumers can learn what personal information you collect about them, why you collect it, and who you share it with.
  • Delete: consumers can request deletion of their personal information (subject to exceptions).
  • Correct: consumers can have inaccurate personal information fixed (a CPRA addition).
  • Opt out of sale/sharing: includes a “Do Not Sell or Share My Personal Information” mechanism and honouring Global Privacy Control (GPC) browser signals.
  • Limit sensitive data use: consumers can restrict the use of their sensitive personal information to what is necessary (a CPRA addition).

What the CPRA added

Beyond the new rights, the CPRA introduced a category of sensitive personal information, data-minimisation and purpose-limitation principles, contractual requirements for service providers and contractors, and obligations around risk assessments and cybersecurity audits for higher-risk processing — moving California much closer to GDPR.

How to comply

  • Confirm scope against the revenue / volume / revenue-share thresholds.
  • Map what personal (and sensitive) information you collect, why, and who you share it with.
  • Publish a compliant privacy notice and the opt-out / GPC mechanisms.
  • Stand up rights handling (know, delete, correct, opt-out) within statutory timelines.
  • Update service-provider contracts and run the required risk assessments.

The bottom line

CCPA/CPRA is the closest thing the US has to GDPR, and it’s the template other states are following. If you have a GDPR programme, extend it for California’s specifics — the opt-out mechanism, sensitive-data limits and contractor terms — and operationalise the rights.

Manage CCPA/CPRA with your other privacy laws

Cyber Horizon maps CCPA/CPRA to your privacy controls so one programme covers California, the EU and beyond — with rights handling and evidence kept current.
