Home / Study Resources / CCPA & CPRA Complete Guide
🌴 California Law

CCPA & CPRA Complete Guide 2025: California Privacy Rights Act Requirements for CIPP/US Certification

πŸ“… Updated November 2025 ⏱️ 26 min read 🎯 CIPP/US Domain V 🌴 California Focus

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), stands as the most comprehensive and influential privacy law in the United States. For CIPP/US exam candidates, California law is essential knowledgeβ€”it forms the foundation of Domain V (State Privacy Laws) and influences questions throughout the exam. This guide provides everything you need to master California privacy law for certification success.

🌴 Why California Matters for CIPP/US

California's CCPA/CPRA is the gold standard for US state privacy laws. It was the first comprehensive state privacy law (2018), created the nation's first dedicated privacy enforcement agency (CPPA), and remains the most strictly enforced. Many other state laws are modeled after California's framework, making CCPA/CPRA knowledge transferable across the entire state privacy landscape.

πŸ“‘ Table of Contents

1. CCPA vs CPRA: Understanding the Evolution

The California Consumer Privacy Act (CCPA) was enacted in 2018 and became effective on January 1, 2020. In November 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which significantly amended and expanded the CCPA. The CPRA amendments took effect on January 1, 2023.

πŸ“œ Key CPRA Amendments to CCPA

  • Created the CPPA: First dedicated state privacy enforcement agency in the US
  • Added "Sharing" to "Sale": Expanded opt-out rights to include cross-context behavioral advertising
  • Sensitive Personal Information: New category with additional protections
  • Right to Correct: New consumer right to fix inaccurate data
  • Right to Limit: Consumers can limit use of sensitive PI
  • Eliminated Cure Period: No mandatory 30-day fix period before enforcement
  • Data Minimization: Collect only what's necessary
  • Retention Limits: Disclose how long data is kept
  • Employee & B2B Data: No longer exempt from coverage
πŸ“ CIPP/US Exam Tip

The CPRA amended the CCPAβ€”it did not create a separate law. The CPPA officially refers to the law as "CCPA" or "CCPA, as amended." On the exam, both terms may be used interchangeably.

2. Applicability Thresholds (2025 Updated)

The CCPA applies to for-profit businesses that collect California consumers' personal information, do business in California, and meet ANY ONE of the following thresholds:

πŸ“Š 2025 Applicability Thresholds

Threshold 2024 Amount 2025 Amount (CPI Adjusted)
Revenue $25,000,000 $26,625,000
Consumer Data 100,000+ California consumers or households
Data Revenue 50%+ annual revenue from selling/sharing PI

Important considerations for threshold applicability:

  • Revenue threshold: Gross annual revenue from all sources, not just California operations
  • Consumer threshold: Includes website visitors, customers, employees, and B2B contactsβ€”measured on a rolling 12-month basis
  • Data revenue threshold: "Selling" and "sharing" (behavioral advertising) both count
  • Location: Applies to businesses worldwide if they serve California consumers
πŸ“ CIPP/US Exam Tip

California is unique: It's the only state that applies its privacy law to employee data and B2B contacts. All other states exempt these categories. This distinction frequently appears on the exam.

3. Consumer Rights: The LOCKD Framework

California provides the most extensive set of consumer rights among US state privacy laws. The CPPA uses the acronym LOCKD to help remember these rights:

πŸ”’ L - Limit

Right to limit the use and disclosure of sensitive personal information to what's necessary for providing services

🚫 O - Opt-Out

Right to opt out of the sale of personal information AND the sharing of PI for cross-context behavioral advertising

✏️ C - Correct

Right to correct inaccurate personal information that a business has about them (added by CPRA)

πŸ“‹ K - Know

Right to know what personal information is collected, sources, purposes, and third parties it's shared with

πŸ—‘οΈ D - Delete

Right to delete personal information collected, subject to certain exceptions

πŸ“¦ Portability

Right to obtain personal information in a portable, usable format that can be transmitted to another entity

Additional Consumer Protections

  • Non-discrimination: Businesses cannot deny services, charge different prices, or provide different quality for exercising privacy rights
  • Financial incentives: Businesses may offer incentives for data collection but must disclose the value of data
  • Authorized agents: Consumers can designate agents to submit requests on their behalf
  • Response time: Businesses must respond to requests within 45 days (extendable by 45 days with notice)

4. Personal Information Categories

The CCPA defines personal information broadly as information that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

πŸ“‚ Categories of Personal Information

  1. Identifiers: Name, alias, postal address, email, IP address, SSN, driver's license, passport number, account name
  2. Customer Records: Information in customer records (California Customer Records Act categories)
  3. Protected Classifications: Race, religion, sexual orientation, gender identity, marital status, disability, veteran status
  4. Commercial Information: Records of products/services purchased, purchasing histories, tendencies
  5. Biometric Information: Fingerprints, facial recognition, voice prints, iris scans
  6. Internet Activity: Browsing history, search history, interaction with websites/apps/ads
  7. Geolocation Data: Physical location or movements
  8. Sensory Data: Audio, visual, thermal, olfactory information
  9. Professional/Employment: Current/past job history, performance evaluations
  10. Education Information: Non-FERPA covered education records
  11. Inferences: Profiles drawn from any PI to predict preferences, characteristics, behavior
  12. Sensitive Personal Information: Special category added by CPRA (see below)

5. Sensitive Personal Information (SPI)

The CPRA introduced Sensitive Personal Information as a distinct category requiring heightened protections. Consumers have the right to limit the use of SPI to what's necessary for providing services.

⚠️ Sensitive Personal Information Categories:
  • Social Security, driver's license, state ID, or passport numbers
  • Account log-in credentials with required security codes
  • Financial account, debit card, or credit card numbers with access codes
  • Precise geolocation (within 1,850 feet/~563 meters)
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Union membership
  • Contents of mail, email, or text messages (unless business is intended recipient)
  • Genetic data
  • Biometric information for identification purposes
  • Health information
  • Sex life or sexual orientation
  • Neural data (added in 2025 regulations)

Business Obligations for SPI

  • Provide a "Limit the Use of My Sensitive Personal Information" link on homepage
  • Honor consumer requests to limit use to necessary business purposes
  • Disclose SPI collection and use in privacy notice
  • Implement stricter security measures for SPI

6. Business Obligations

Privacy Notice Requirements

Businesses must provide a comprehensive privacy policy that includes:

  • Categories of PI collected in the past 12 months
  • Purposes for each category of PI
  • Categories of sources of PI
  • Categories of third parties to whom PI is disclosed
  • Whether PI is sold or shared, and categories involved
  • SPI collection and use practices
  • Retention periods for each category (CPRA requirement)
  • Consumer rights and how to exercise them

Required Links on Website

  • "Do Not Sell or Share My Personal Information" link
  • "Limit the Use of My Sensitive Personal Information" link (if applicable)
  • Privacy policy link
  • Method to submit consumer requests (at least two methods required)

Universal Opt-Out Mechanisms

Businesses must honor opt-out preference signals such as Global Privacy Control (GPC). When detected, businesses must:

  • Treat the signal as a valid opt-out request for sale and sharing
  • Display confirmation (e.g., "Opt-Out Request Honored")
  • Not require consumers to take additional steps to opt out

Contracts with Service Providers/Contractors

Businesses must enter contracts with service providers and contractors that:

  • Prohibit selling or sharing received PI
  • Limit use to specified business purposes
  • Require compliance with CCPA obligations
  • Grant audit rights to the business

7. California Privacy Protection Agency (CPPA)

The CPRA established the California Privacy Protection Agency, the first dedicated privacy enforcement agency in the United States. This is a critical distinction from all other states, which rely on their Attorneys General for enforcement.

πŸ›οΈ CPPA Structure & Powers

  • Governance: Five-member board appointed by Governor and Legislature
  • Executive Director: Tom Kemp (appointed March 2025)
  • Rulemaking Authority: Full authority to interpret and implement CCPA
  • Investigation Powers: Can initiate investigations and conduct audits
  • Enforcement: Can levy administrative fines and seek injunctions
  • Education: Required to educate public on privacy rights
  • Technical Assistance: Provides guidance to legislature and other jurisdictions

The CPPA began enforcement in February 2024 after winning a court appeal that cleared the way for immediate enforcement of CPRA regulations.

8. Enforcement & Penalties

Penalty Structure (2025 Updated)

Administrative Fines (per violation):

$2,663 per unintentional violation

$7,988 per intentional violation OR violations involving minors

Amounts adjusted for CPI effective January 1, 2025. Previous amounts were $2,500/$7,500.

⚠️ No Cap on Penalties: Unlike GDPR's percentage-based cap, CCPA has no maximum on total penalties. Violations are counted per consumer, per incident. A data breach affecting 10,000 consumers could result in penalties of $26.6 million to $79.9 million.

Private Right of Action

California is the only state that provides consumers a private right of action for data breaches:

  • Scope: Limited to data breaches involving unencrypted/unredacted personal information
  • Cause: Business's failure to implement reasonable security measures
  • Damages: $107 to $799 per consumer per incident (statutory) OR actual damages
  • Pre-suit notice: 30-day written notice required; if business cures and provides written statement, no lawsuit can proceed

Cure Period

The CPRA eliminated the mandatory 30-day cure period that existed under the original CCPA. The CPPA may still grant cure opportunities at its discretion, but it's no longer automatic.

9. 2025 Regulations: ADMT, Risk Assessments, Cybersecurity Audits

On September 23, 2025, the California Office of Administrative Law approved the CPPA's comprehensive new regulations covering automated decision-making technology, risk assessments, and cybersecurity audits. These regulations take effect January 1, 2026.

Automated Decision-Making Technology (ADMT)

πŸ€– ADMT Regulations (Effective January 1, 2027)

Definition: Technology that processes personal information and uses computation to replace or substantially replace human decision-making.

Significant Decisions Include:

  • Financial services decisions (credit, loans)
  • Housing decisions
  • Employment eligibility screening
  • Healthcare treatment decisions
  • Education admissions

Business Obligations:

  • Provide clear pre-use notices explaining ADMT use
  • Offer consumers the right to opt out of ADMT for significant decisions
  • Respond to access requests with meaningful information about logic, key parameters, and effects
  • Provide plain-language explanations and disclose role of human involvement
  • Prohibit retaliation against consumers exercising rights

Note: Behavioral advertising was removed from the final definition of "significant decisions."

Risk Assessments

Businesses must conduct and maintain risk assessments before initiating "high-risk" processing activities:

  • Selling or sharing personal information
  • Processing sensitive personal information
  • Using ADMT for significant decisions
  • Profiling in education/employment contexts
  • Profiling based on presence at sensitive locations
  • Processing PI to train ADMT for significant decisions
  • Processing to train facial recognition or emotion recognition technology

Timeline: Initial assessments for ongoing processing due by December 31, 2027. Submissions to CPPA (summary information, not full assessments) due April 1, 2028.

Cybersecurity Audits

Annual independent cybersecurity audits required for businesses whose processing presents "significant risk" to consumer security:

Business Category Certification Due Date
Revenue >$100M + processing thresholds April 1, 2028
Revenue $50M-$100M + processing thresholds April 1, 2029
Revenue <$50M + processing thresholds April 1, 2030

Processing thresholds: Businesses that (1) derive 50%+ revenue from selling/sharing PI, OR (2) process PI of 250,000+ consumers OR sensitive PI of 50,000+ consumers.

10. Key Enforcement Cases

🏬 Sephora - $1.2 Million (2022)

First major CCPA enforcement action. Sephora failed to disclose the sale of consumer data, didn't provide proper opt-out mechanisms, and ignored Global Privacy Control signals. Required to implement comprehensive compliance program.

πŸš— Honda - Settlement (March 2025)

First CPPA Board decision. Honda required excessive personal information verification for consumers exercising privacy rights, including requiring online account creation when not necessary. Required to simplify verification processes.

πŸ• DoorDash - $375,000 (2024)

DoorDash shared customer personal information with a marketing cooperative without adequate disclosure or proper opt-out mechanisms. Highlighted that data "sharing" (not just "sale") triggers CCPA obligations.

πŸͺ Tractor Supply Co. - $1.35 Million (September 2025)

Largest CCPA fine to date. Nation's largest rural lifestyle retailer settled for CCPA violations. Demonstrated CPPA's willingness to pursue significant penalties against major retailers.

πŸ“± Tilting Point Media - $500,000 (2024)

Mobile game publisher collected and shared children's data without parental consent, violating both CCPA/CPRA and COPPA. Highlighted heightened penalties for violations involving minors.

11. CIPP/US Exam Tips for CCPA/CPRA

πŸ“ High-Yield CCPA/CPRA Exam Topics
  1. California distinctions: Only state with dedicated enforcement agency (CPPA), private right of action, employee/B2B coverage, and no cure period
  2. LOCKD rights: Limit, Opt-out, Correct, Know, Deleteβ€”know each in detail
  3. Sensitive PI categories: Memorize the list; neural data was added in 2025
  4. Sharing vs Selling: CPRA expanded "sale" to include "sharing" for behavioral advertising
  5. Thresholds: $26.625M revenue OR 100K consumers OR 50% revenue from data
  6. Penalties: $2,663 unintentional, $7,988 intentional/minors; NO cap on total
  7. Private right of action: Only for data breaches, $107-$799 per consumer
  8. Universal opt-out: Must honor GPC and similar signals
🎯 Practice Question Example

Q: A company has $30 million in annual revenue but processes data of only 50,000 California consumers. Is the company subject to CCPA?

A: YES. The company meets the revenue threshold ($30M > $26.625M). A business only needs to meet ONE threshold to be subject to CCPAβ€”meeting multiple thresholds is not required.

Master California Privacy Law with Practice Questions

Test your CCPA/CPRA knowledge with scenario-based questions covering consumer rights, enforcement actions, and the new 2025 regulations.

Additional Resources

πŸ“š Official Resources
  • California Privacy Protection Agency: cppa.ca.gov
  • California Attorney General CCPA Page: oag.ca.gov/privacy/ccpa
  • CCPA Text: California Civil Code §§ 1798.100-1798.199.100