The CCPA and CPRA, explained
The CCPA, as amended by the CPRA, is California's privacy law. It gives California consumers rights over their personal information and places obligations on the businesses that handle it. It is a law, not a certification, so the goal is operationalised rights and demonstrable accountability rather than a certificate.
What the CCPA and CPRA are
The California Consumer Privacy Act (CCPA) took effect in 2020 and was significantly amended by the California Privacy Rights Act (CPRA). Together they form the most prominent US state privacy law, often the benchmark other states follow. They are enforced by the California Privacy Protection Agency and the state Attorney General.
Who has to comply
The law applies to for-profit businesses that handle the personal information of California residents and meet at least one threshold, such as a revenue threshold, processing the data of a large number of consumers, or deriving significant revenue from selling or sharing personal information. Many SaaS companies fall in scope once they have meaningful US traffic.
Consumer rights
- The right to know what personal information is collected and how it is used.
- The right to delete personal information, subject to exceptions.
- The right to correct inaccurate personal information.
- The right to opt out of the sale or sharing of personal information.
- The right to limit the use and disclosure of sensitive personal information.
- The right not to be discriminated against for exercising these rights.
Business obligations
Supporting those rights means putting concrete things in place:
- A notice at collection telling consumers what is collected and why.
- A process to receive and honour consumer requests, including opt-out preference signals.
- Contracts with service providers, contractors, and third parties that contain the required terms.
- A data inventory so you know what you hold and where it flows.
- Reasonable security appropriate to the personal information you handle.
CCPA vs GDPR
The CCPA and GDPR overlap heavily: both are built on consumer rights, transparency, and accountability, so much of the work is shared. But they differ in concepts and framing. The CCPA centres on opting out of the sale or sharing of data, while GDPR centres on a lawful basis for processing. If you already run a GDPR programme, you are well placed to meet much of the CCPA with the same records and processes.
Frequently asked questions
Is the CCPA the same as GDPR?
No, but they overlap a lot. Both are privacy laws built on rights, transparency, and accountability, so much of the work is shared. The CCPA and CPRA have California-specific concepts, such as the right to opt out of sale or sharing, that GDPR frames differently.
Who must comply with the CCPA?
For-profit businesses that handle the personal information of California residents and meet at least one threshold, such as a revenue level, processing data on many consumers, or earning significant revenue from selling or sharing personal information.
What are opt-out preference signals?
They are browser or device signals, such as Global Privacy Control, that automatically communicate a consumer choice to opt out of the sale or sharing of their data. Under the CPRA, businesses are expected to detect and honour them.
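Detecting the signal server-side, as an added example (not code from the original page or from Diligio): the `Sec-GPC` request header and its value `1` come from the Global Privacy Control specification, while the helper names, the `sale_or_sharing_allowed` consent flag and the sample requests are constructed assumptions about an application's own consent model.

```python
# Added example: detect the Global Privacy Control (GPC) opt-out preference
# signal on an incoming HTTP request and honour it as an opt-out of sale/sharing.
# "Sec-GPC" / "1" are defined by the GPC specification; everything else here
# (function names, flag names, sample requests) is constructed for illustration.

def gpc_opt_out_requested(headers: dict) -> bool:
    """Return True when the request carries a valid GPC opt-out signal.

    HTTP header names are case-insensitive, so the name is matched that way.
    Only the exact value "1" counts: "0", "true", an empty string or any
    other value is treated as no signal, so a malformed header never opts
    a consumer out by accident, and a missing header never opts them in.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_opt_out(headers: dict, consent_flags: dict) -> dict:
    """Derive the consent flags to apply to this request.

    A detected signal switches off sale/sharing (e.g. loading advertising or
    data-broker tags). A previously stored opt-out is never re-enabled just
    because the current request carries no signal.
    """
    flags = dict(consent_flags)  # do not mutate the caller's record
    if gpc_opt_out_requested(headers):
        flags["sale_or_sharing_allowed"] = False
        flags["opt_out_source"] = "gpc-signal"
    return flags


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "gpc_on": {"Host": "example.test", "Sec-GPC": "1"},
    "gpc_mixed_case": {"host": "example.test", "SEC-GPC": "1"},
    "gpc_invalid": {"Host": "example.test", "Sec-GPC": "true"},
    "no_signal": {"Host": "example.test"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_REQUESTS.items():
        print(label, apply_opt_out(hdrs, {"sale_or_sharing_allowed": True}))
```

The request-level check is only the detection half; the resulting flag still has to reach every place that would sell or share the data, and a logged `opt_out_source` gives you the record to show a regulator that the signal was honoured.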
Do this in a fraction of the time
Diligio centralises your approved answers, drafts each response grounded in your sources, and independently verifies it before you review. RFPs, DDQs, and security questionnaires, answered from one knowledge base.