California Consumer Privacy Act (CCPA) and CPRA
The California Consumer Privacy Act (CCPA), enacted in 2018 and effective January 1, 2020, was a landmark privacy law granting California residents significant rights over their personal information. It applied to for-profit businesses meeting specific thresholds: annual gross revenue exceeding $25 million, buying/selling/sharing personal information of 50,000 or more consumers, or deriving 50% or more of revenue from selling personal information. Key rights included the right to know what personal information was collected, the right to delete personal information, the right to opt out of the sale of personal information, and the right to non-discrimination for exercising privacy rights.
The California Privacy Rights Act (CPRA), approved by voters in November 2020 and fully operative January 1, 2023, significantly amended and expanded the CCPA. Often called 'CCPA 2.0,' the CPRA introduced several enhancements. It created the California Privacy Protection Agency (CPPA), the first dedicated state privacy enforcement agency, shifting some enforcement authority from the Attorney General. The CPRA introduced new consumer rights including the right to correct inaccurate personal information, the right to limit the use of sensitive personal information, and expanded opt-out rights to cover both the sale and sharing of personal information. It established the concept of 'sensitive personal information' as a distinct category requiring additional protections, covering data like Social Security numbers, precise geolocation, racial/ethnic origin, and biometric information.
The CPRA also introduced requirements around data minimization, purpose limitation, and storage limitation, aligning more closely with GDPR principles. It modified business applicability thresholds, replacing the 50,000 consumer threshold with 100,000 consumers/households. Additionally, the CPRA expanded obligations for businesses engaging in cross-context behavioral advertising and imposed heightened requirements for service providers, contractors, and third parties handling personal information. Together, the CCPA and CPRA represent the most comprehensive state-level privacy framework in the United States.
California Consumer Privacy Act (CCPA) and CPRA: A Comprehensive Guide for the CIPP/US Exam
Why Is This Topic Important?
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), represents the most comprehensive state-level privacy law in the United States. It is often described as the closest U.S. equivalent to the EU's General Data Protection Regulation (GDPR). For the CIPP/US exam, this topic is absolutely critical because it forms a substantial portion of the State Privacy Laws domain. Understanding the CCPA/CPRA is essential not only for the exam but also for any privacy professional working in the United States, as California's law has influenced privacy legislation across multiple other states and has set the benchmark for consumer privacy rights in America.
What Is the CCPA/CPRA?
The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, and became effective on January 1, 2020. It was the first major comprehensive consumer privacy law in the United States. The CCPA grants California residents (referred to as consumers) significant rights over their personal information and imposes obligations on businesses that collect, use, or sell that information.
The California Privacy Rights Act (CPRA) was passed as a ballot initiative (Proposition 24) on November 3, 2020, and became operative on January 1, 2023, with a lookback period to January 1, 2022. The CPRA significantly amended and expanded the CCPA rather than replacing it. The combined law is often referred to as the CCPA, as amended by the CPRA, or simply the CCPA/CPRA.
Key milestones:
- 2018: CCPA enacted (AB 375)
- January 1, 2020: CCPA became effective
- July 1, 2020: Attorney General began enforcement
- November 2020: CPRA passed via ballot initiative
- January 1, 2023: CPRA became operative
- July 1, 2023: CPRA enforcement began
Who Does the CCPA/CPRA Apply To?
The CCPA/CPRA applies to businesses that:
1. Do business in California, AND
2. Collect consumers' personal information (or have it collected on their behalf), AND
3. Meet one or more of the following thresholds:
- Have annual gross revenues exceeding $25 million in the preceding calendar year, OR
- Alone or in combination, annually buy, sell, or share the personal information of 100,000 or more consumers or households (CPRA changed this from the original CCPA threshold of 50,000 consumers, households, or devices), OR
- Derive 50% or more of annual revenues from selling or sharing consumers' personal information (CPRA added sharing)
Important note: The CPRA added the concept of sharing personal information alongside selling, which is a key amendment to remember.
The law also applies to:
- Service providers — entities that process personal information on behalf of a business pursuant to a written contract
- Contractors — a new category introduced by the CPRA, similar to service providers but with distinct contractual requirements
- Third parties — entities that are not the business, a service provider, or a contractor
Key Definitions
Consumer: A California resident, as defined by California tax law. This includes any natural person who is in California for other than a temporary or transitory purpose, or who is domiciled in California but outside the state for a temporary or transitory purpose.
Personal Information: Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This is a very broad definition and includes categories such as:
- Identifiers (name, alias, address, email, SSN, IP address, etc.)
- Commercial information (purchasing history, tendencies)
- Biometric information
- Internet or network activity
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information
- Inferences drawn from any of the above
Sensitive Personal Information (SPI): Introduced by the CPRA, this is a new category that includes:
- Social Security numbers, driver's license, state ID, or passport numbers
- Account log-in credentials (with passwords or security questions/answers)
- Financial account, debit, or credit card numbers with access codes
- Precise geolocation
- Racial or ethnic origin, religious or philosophical beliefs, union membership
- Contents of mail, email, and text messages (unless the business is the intended recipient)
- Genetic data
- Biometric information for identification purposes
- Health information
- Sex life or sexual orientation information
Sale: Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer's personal information to a third party for monetary or other valuable consideration.
Sharing: Added by the CPRA, this means making personal information available to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration. This was designed to close the loophole where companies argued that exchanging data for targeted advertising purposes did not constitute a sale.
Cross-Context Behavioral Advertising: Targeting advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services other than the one with which the consumer intentionally interacts.
Consumer Rights Under the CCPA/CPRA
The CCPA/CPRA grants California consumers the following rights:
1. Right to Know / Right to Access: Consumers have the right to know what personal information a business has collected about them, the categories of sources, the business or commercial purpose for collection, the categories of third parties with whom the information is shared, and the specific pieces of personal information collected. Businesses must respond to verifiable consumer requests within 45 days (extendable by an additional 45 days with notice).
2. Right to Delete: Consumers can request deletion of their personal information. Businesses must comply and direct service providers and contractors to do the same, subject to certain exceptions (e.g., completing transactions, detecting security incidents, complying with legal obligations, internal uses reasonably aligned with consumer expectations).
3. Right to Opt-Out of Sale or Sharing: Consumers have the right to direct a business not to sell or share their personal information. Businesses must provide a clear and conspicuous "Do Not Sell or Share My Personal Information" link on their website. After a consumer opts out, the business must wait at least 12 months before asking the consumer to opt back in.
4. Right to Non-Discrimination: Businesses cannot discriminate against consumers who exercise their CCPA/CPRA rights by denying goods or services, charging different prices, providing different quality, or suggesting different treatment. However, businesses may offer financial incentives for the collection, sale, or retention of personal information if reasonably related to the value of the consumer's data.
5. Right to Correct: Added by the CPRA, consumers can request that a business correct inaccurate personal information.
6. Right to Limit Use and Disclosure of Sensitive Personal Information: Added by the CPRA, consumers can direct a business to limit the use and disclosure of their sensitive personal information to only what is necessary to perform the services or provide the goods reasonably expected by an average consumer. Businesses must provide a "Limit the Use of My Sensitive Personal Information" link.
7. Right to Access Information About Automated Decision-Making: The CPRA provides for regulations concerning consumers' rights related to automated decision-making technology, including profiling.
8. Right to Data Portability: Consumers can request their personal information in a portable and, to the extent technically feasible, readily usable format.
Business Obligations
Businesses subject to the CCPA/CPRA must:
1. Provide Notice at Collection: Before or at the point of collection, businesses must inform consumers about the categories of personal information to be collected, the purposes for which it will be used, whether it is sold or shared, and the retention period for each category.
2. Maintain a Privacy Policy: Businesses must have a comprehensive privacy policy that is updated at least every 12 months. The privacy policy must include information about consumer rights, categories of personal information collected, sold, or shared in the preceding 12 months, and more.
3. Respond to Consumer Requests: Businesses must provide at least two methods for consumers to submit requests, including a toll-free number and, if the business operates a website, a web address (a business that operates exclusively online and has a direct relationship with the consumer need only provide an email address). They must respond within 45 days.
4. Implement Reasonable Security Measures: While not a detailed prescriptive requirement within the statute itself, the CCPA's private right of action provision incentivizes businesses to implement and maintain reasonable security procedures.
5. Contractual Requirements: Businesses must enter into specific contracts with service providers, contractors, and third parties that restrict how personal information can be used, require compliance with CCPA/CPRA obligations, and grant the business rights to take steps to ensure compliance.
6. Data Minimization: The CPRA introduced a principle that businesses should not collect, use, retain, or share personal information beyond what is reasonably necessary and proportionate to achieve the disclosed purposes.
7. Purpose Limitation: Businesses cannot use personal information for purposes materially different from those disclosed at the time of collection without providing new notice.
8. Storage Limitation: The CPRA requires businesses to disclose retention periods and not retain personal information longer than reasonably necessary for the disclosed purpose.
Special Provisions for Minors
The CCPA/CPRA has special protections for minors:
- For consumers under 13 years old, a parent or guardian must affirmatively authorize (opt in to) the sale or sharing of the minor's personal information.
- For consumers between 13 and 16 years old, the minor must affirmatively authorize (opt in to) the sale or sharing of their personal information.
- The default for minors is opt-in, meaning their data cannot be sold or shared unless consent is obtained.
Enforcement and Penalties
Under the original CCPA, enforcement was handled exclusively by the California Attorney General. The CPRA created the California Privacy Protection Agency (CPPA), the first dedicated state privacy enforcement agency in the United States. Both the AG and the CPPA have enforcement authority.
Administrative fines under the CPRA:
- Up to $2,500 per violation (unintentional)
- Up to $7,500 per intentional violation
- Up to $7,500 per violation involving the personal information of minors under 16 (CPRA increased penalties for children's data violations)
The CCPA originally provided a 30-day cure period after notice of a violation. The CPRA eliminated this mandatory cure period, giving enforcement agencies discretion.
Private Right of Action
The CCPA/CPRA provides a limited private right of action — only for data breaches resulting from a business's failure to implement and maintain reasonable security procedures and practices. Consumers can seek:
- Statutory damages of $100 to $750 per consumer per incident, OR actual damages, whichever is greater
- Injunctive or declaratory relief
- Any other relief the court deems proper
Before filing suit, consumers must provide the business with 30 days' written notice identifying the specific provisions violated. If the business cures the violation within 30 days and provides an express written statement that it has done so and will not commit further violations, no action for statutory damages may be brought. The CPRA added that implementing and maintaining reasonable security procedures after a breach does not, by itself, constitute a cure.
Important: The private right of action does not extend to other CCPA/CPRA violations — only to data breach scenarios involving nonencrypted and nonredacted personal information. "Personal information" here uses the narrower definition from California's data breach statute (e.g., a name combined with a Social Security number, driver's license number, financial account number with access code, or medical information, or an email address with a password or security question), not the broad CCPA definition. In practice this means that properly encrypted data, where the keys were not also compromised, falls outside the private right of action.
Exemptions
Several exemptions exist under the CCPA/CPRA:
- HIPAA/Medical Information: Health information governed by HIPAA or the California Confidentiality of Medical Information Act (CMIA) is exempt.
- Gramm-Leach-Bliley Act (GLBA): Financial information collected under GLBA is exempt. The exemption is data-level, not entity-level: a financial institution's other personal information (e.g., website visitor data) remains covered, and GLBA-covered data is not exempt from the data breach private right of action.
- Fair Credit Reporting Act (FCRA): Information collected and used in compliance with the FCRA is exempt.
- Driver's Privacy Protection Act: Information covered by this act is exempt.
- Clinical trial data is exempt under certain conditions.
- Publicly available information from government records is generally excluded from the definition of personal information.
- Deidentified or aggregate consumer information is excluded.
The CPRA also provides that it does not restrict a business's ability to comply with federal, state, or local laws, cooperate with law enforcement agencies, or exercise or defend legal claims.
The California Privacy Protection Agency (CPPA)
The CPRA created the CPPA, a dedicated enforcement agency with a five-member board appointed by the Governor, Attorney General, Senate Rules Committee, and Speaker of the Assembly. The CPPA has:
- Rulemaking authority to implement the CCPA/CPRA
- Administrative enforcement powers
- The ability to investigate potential violations
- Authority to impose administrative fines after an administrative hearing (civil actions in court for civil penalties remain with the Attorney General)
This is significant because California became the first state to establish an independent privacy agency, signaling the seriousness of privacy enforcement.
How the CCPA/CPRA Works in Practice
Here is a practical overview of how the law operates:
1. A business determines it meets the applicability thresholds.
2. The business maps its data collection practices and identifies categories of personal information and sensitive personal information collected.
3. The business updates its privacy policy, notices at collection, and provides opt-out mechanisms.
4. When a consumer submits a request (to know, delete, correct, opt out, or limit SPI use), the business must verify the consumer's identity and respond within 45 days.
5. The business ensures contracts with service providers, contractors, and third parties contain required CCPA/CPRA provisions.
6. The business implements reasonable security measures to protect personal information.
7. The business conducts regular risk assessments for processing that presents significant risk to consumers' privacy (a CPRA requirement, subject to CPPA rulemaking).
8. If the CPPA or AG identifies a violation, they can impose administrative fines or bring enforcement actions.
Key Differences Between the CCPA and CPRA
For exam purposes, it is critical to understand what the CPRA changed:
- Created the concept of sensitive personal information and the right to limit its use
- Added the right to correct inaccurate personal information
- Introduced the concept of sharing and cross-context behavioral advertising
- Created the California Privacy Protection Agency
- Changed the threshold from 50,000 consumers/households/devices to 100,000 consumers/households (removed devices)
- Added data minimization, purpose limitation, and storage limitation principles
- Introduced contractors as a distinct category
- Removed the mandatory 30-day cure period for enforcement
- Increased penalties for violations involving children's data to $7,500
- Required cybersecurity audits and risk assessments for certain businesses (subject to rulemaking)
- Extended the under-16 opt-in requirement, which originally covered only sale, to cover sharing as well
Comparison with Other Frameworks
The CCPA/CPRA differs from the GDPR in several key ways:
- The CCPA/CPRA is not a consent-based framework for most processing; it relies primarily on notice and opt-out
- It applies to businesses meeting specific thresholds, not all data controllers
- The private right of action is limited to data breaches, unlike the GDPR's broader enforcement
- It does not require a specific legal basis for processing (unlike the GDPR's six legal bases)
Compared to other U.S. state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, etc.), the CCPA/CPRA is generally considered the most consumer-friendly because it provides a private right of action (albeit limited), has broader applicability, and created a dedicated enforcement agency.
Global Privacy Control (GPC)
The CCPA/CPRA regulations recognize browser-based opt-out preference signals such as the Global Privacy Control (GPC). A business that sells or shares personal information must treat a GPC signal as a valid request to opt out of sale or sharing, without requiring the consumer to take any further steps. If the signal conflicts with a business-specific setting in which the consumer previously opted in, the business must still honor the signal, though it may notify the consumer of the conflict and offer a chance to consent again. This is a frequently tested concept.
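What honoring the signal looks like in application code, as an added example that is not part of the original guide: the GPC specification (not cited on the page) defines the HTTP request header `Sec-GPC: 1` as the only value meaning "opt out"; anything else, or no header, is not a signal. The code below checks the header, lets it override any stored opt-in, flags the conflict so the site can tell the consumer, and then uses the decision to gate which third-party tags the page emits. The tag inventory, the `*.example` hosts and the sample requests are constructed for illustration; which tags amount to "sale or sharing" is a legal classification the business must make itself.

```python
"""Server-side handling of the Global Privacy Control (GPC) opt-out signal.

Assumptions (not from the page): the browser sends `Sec-GPC: 1` per the GPC
spec, and the business has already classified its third-party tags into
those that constitute sale/sharing and those served by service providers.
"""
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class OptOutDecision:
    opted_out: bool          # True: do not sell or share this consumer's PI
    source: str              # "gpc", "stored_preference" or "default"
    conflict: bool = False   # GPC present although the consumer had opted in


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when a Sec-GPC header (name matched case-insensitively)
    carries the exact value '1'. A value of '0', an empty value or no header
    at all is not an opt-out signal."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def resolve_opt_out(headers: Mapping[str, str],
                    stored_preference: Optional[bool]) -> OptOutDecision:
    """Combine the browser signal with the preference on file for this
    consumer (None = never expressed, True = opted out, False = opted in).
    The signal always wins; a conflict with a stored opt-in is flagged so
    the site can notify the consumer and offer to re-consent."""
    if gpc_signal_present(headers):
        return OptOutDecision(True, "gpc", conflict=(stored_preference is False))
    if stored_preference is not None:
        return OptOutDecision(stored_preference, "stored_preference")
    return OptOutDecision(False, "default")


# Hypothetical tag inventory: cross-context advertising pixels are treated as
# "sharing"; the analytics tag is served by a contracted service provider.
SHARING_TAGS = ("adnet.example/pixel.js", "retarget.example/sync.js")
SERVICE_PROVIDER_TAGS = ("analytics.example/collect.js",)


def tags_to_load(decision: OptOutDecision) -> tuple:
    """Return the script tags the page may emit for this request."""
    if decision.opted_out:
        return SERVICE_PROVIDER_TAGS
    return SERVICE_PROVIDER_TAGS + SHARING_TAGS


if __name__ == "__main__":
    # Constructed sample requests: (headers, stored preference).
    samples = [
        ({"Host": "shop.example", "Sec-GPC": "1"}, False),  # signal overrides opt-in
        ({"Host": "shop.example", "sec-gpc": "0"}, None),   # not a signal
        ({"Host": "shop.example"}, True),                   # opted out on file
    ]
    for request_headers, stored in samples:
        decision = resolve_opt_out(request_headers, stored)
        print(decision, tags_to_load(decision))
```

The decision should also be persisted against the consumer's account or profile when the browser is authenticated, so the opt-out follows the consumer rather than the device; this example only shows the per-request gate.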
Exam Tips: Answering Questions on the CCPA/CPRA
1. Know the thresholds: Memorize the three applicability thresholds ($25 million revenue, 100,000 consumers/households, 50% revenue from selling/sharing). Pay close attention to the CPRA changes — the threshold changed from 50,000 to 100,000 and removed devices.
2. Distinguish between sale and sharing: This is a critical CPRA addition. Sale requires monetary or other valuable consideration; sharing is specifically for cross-context behavioral advertising and does not require monetary consideration. Expect questions that test whether you can differentiate between the two.
3. Know all consumer rights: Be able to list and explain all rights, and know which ones were added by the CPRA (right to correct, right to limit SPI use). Questions often present scenarios where you must identify which right applies.
4. Understand sensitive personal information: Know the categories of SPI and how the right to limit use works. This is a CPRA-specific addition and is frequently tested.
5. Remember the private right of action is limited: It only applies to data breaches involving nonencrypted/nonredacted personal information due to failure to maintain reasonable security. It does NOT apply to other CCPA/CPRA violations. This is a common trap in exam questions.
6. Know the enforcement structure: The CPPA and the AG both have enforcement authority. The CPPA was created by the CPRA. Remember that the 30-day cure period was eliminated by the CPRA.
7. Understand the role of service providers vs. contractors vs. third parties: Know the distinctions and the contractual requirements for each. Contractors were added by the CPRA.
8. Pay attention to minor protections: Under 13 requires parental opt-in; 13-16 requires the minor's opt-in. The CPRA increased penalties for children's data violations to $7,500.
9. Remember the response timeline: 45 days to respond to verifiable consumer requests, extendable by an additional 45 days with notice to the consumer. Businesses must provide at least two methods for submitting requests.
10. Focus on CPRA amendments: Many exam questions specifically test your knowledge of what changed from the CCPA to the CPRA. Make a list of CPRA changes and review it thoroughly.
11. Know the exemptions: HIPAA, GLBA, FCRA-covered information is exempt. Publicly available information from government records is excluded from the definition of personal information.
12. Understand data minimization and purpose limitation: These are CPRA additions that align the law more closely with the GDPR. Know that businesses cannot collect more personal information than reasonably necessary for the disclosed purpose.
13. Read questions carefully: Exam questions may try to trick you with subtle wording. For example, a question might ask about the right to opt out of sale only (pre-CPRA) versus sale or sharing (post-CPRA). Always consider whether the question is asking about the CCPA as originally enacted or as amended by the CPRA.
14. Global Privacy Control: Remember that businesses must honor browser-based opt-out signals like GPC as valid opt-out requests under the CCPA/CPRA regulations.
15. Use process of elimination: When faced with a challenging question, eliminate clearly wrong answers first. Common distractors include suggesting that the CCPA/CPRA requires opt-in consent for all data collection (it doesn't), that the private right of action applies broadly (it doesn't), or that the CCPA/CPRA applies to all businesses (it only applies to those meeting the thresholds).
16. Connect concepts: The exam may present cross-topic questions that require you to understand how the CCPA/CPRA interacts with federal laws like HIPAA, GLBA, or COPPA. Understand the exemptions and overlaps.
17. Practice with scenarios: The CIPP/US exam often uses scenario-based questions. Practice identifying which CCPA/CPRA provisions apply in given factual situations, such as a business receiving an opt-out request, a consumer requesting deletion, or a company sharing data for targeted advertising.
By thoroughly understanding these concepts and practicing application-based questions, you will be well-prepared to tackle CCPA/CPRA questions on the CIPP/US exam with confidence.