Data Protection in the USA (CCPA/CPRA) – Frequently Asked Questions

What is CCPA?

The California Consumer Privacy Act (CCPA) is California’s first comprehensive data privacy law, granting residents strong privacy rights. It applies to businesses that collect personal data from California residents, regardless of the business’s location.

What is CPRA?

The California Privacy Rights Act (CPRA) is an amendment to the CCPA that expanded consumer rights and strengthened data protection requirements. It took effect on January 1, 2023, and introduces significant new obligations for businesses.

What is the main difference between CCPA and CPRA?

The CPRA expands consumer rights beyond the CCPA, introduces the right to correct inaccurate data, extends rights to employees, and includes stricter enforcement penalties. It also removes blanket exemptions for employee and B2B data.

What personal information is covered under CCPA/CPRA?

Personal information includes:

• Identifiers (name, address, email, phone, IP address)

• Commercial information (purchase history, products considered)

• Biometric information

• Internet activity (browsing history, search history)

• Account logins and financial information

• Precise geolocation

• Racial and ethnic origin

• Religious beliefs

• Genetic data

• Personal communications

• Health information

• Sex life or sexual orientation

What is sensitive personal information (SPI) under CPRA?

SPI is a special category of personal information requiring enhanced protection. It includes:

• Social Security numbers, driver’s licenses, passport numbers

• Financial account details with login credentials

• Precise geolocation data

• Racial/ethnic origin

• Religious/philosophical beliefs

• Health information

• Sex life or sexual orientation data

• Genetic data

Who must comply with CCPA/CPRA?

Businesses must comply if they collect personal information from California residents and meet at least one of these criteria:

• Annual gross revenues exceed $25 million

• Buy, receive, sell, or share personal information of 100,000+ California residents or households

• Derive 50%+ of revenue from selling or sharing California residents’ personal information

What consumer rights does CCPA/CPRA provide?

Consumers have the right to:

• Know what personal information is collected

• Delete their personal information

• Opt out of the sale or sharing of personal information

• Correct inaccurate personal information (CPRA only)

• Limit the use of sensitive personal information (CPRA only)

• Not be discriminated against for exercising their rights

Must I disclose if I collect personal information?

Yes. You must provide a privacy notice that discloses:

• Categories of personal information collected

• Purposes for collection

• Categories of third parties with whom data is shared

• If sensitive personal information is collected, a clear notice at the collection point

What is the data minimisation requirement?

CPRA mandates data minimisation: collect and store only the personal information that is necessary. Collection, use, retention, and sharing must be reasonably required for, and proportionate to, the stated purposes.

Do I need to provide consumers a way to opt out of data sales?

Yes. You must provide a clear mechanism for consumers to opt out of the sale or sharing of their personal information. The opt-out method should be conspicuous and easy to use.

What is the difference between “sale” and “sharing” under CPRA?

Sale: Selling consumers’ personal information to third parties in exchange for money.

Sharing: Disclosing, making available, or communicating personal information to a third party for cross-context behavioural advertising, regardless of whether money is exchanged.

Do I need to obtain parental consent before collecting data from children?

Yes. For consumers under 16, you must obtain parental consent before selling or sharing their personal information. For consumers under 13, the consent threshold is even stricter.

Do employee records fall under CCPA/CPRA?

Yes. The CPRA extends some privacy rights to employees, job applicants, and contractors. Employee data can now fall under the scope of the CCPA/CPRA, giving employees the right to know what data is collected and to request its deletion.

What happens if I violate CCPA/CPRA?

Violations result in:

• Fines of up to $2,500 per unintentional violation

• Fines of up to $7,500 per intentional violation

• Fines of up to $7,500 per violation involving minors under 16 (regardless of intent)

• Consumers can sue for data breaches ($100-$750 per person)

• The California Privacy Protection Agency (CPPA) can directly impose fines

Who enforces CCPA/CPRA?

The California Privacy Protection Agency (CPPA) and California’s Attorney General enforce the law. The CPPA can directly impose fines without a cure period for certain violations.

Is there a cure period for CPRA violations?

No. The CPRA removed the 30-day cure period that existed under CCPA for certain violations, particularly those involving minors’ data.

What privacy notice requirements does CPRA impose?

Your privacy notice must include:

• Specific categories of personal information collected

• Purposes for collection

• Sensitive personal information categories and intended use (if applicable)

• Consumer rights and how to exercise them

• Right to limit sensitive personal information use

• Third parties with whom data is shared

Do I need Data Protection Impact Assessments (DPIAs)?

Yes. For high-risk processing, you must conduct DPIAs and submit risk assessments to the California Privacy Protection Agency regularly. Assessments must indicate whether sensitive personal information is processed.

What steps should I take to comply with the CCPA/CPRA?

Key steps include:

• Conduct data mapping to identify all personal information collected

• Update privacy policies to reflect consumer rights

• Implement processes to handle consumer requests

• Ensure third-party contracts include data protection provisions

• Train employees on data privacy practices

• Establish a data minimisation strategy

• Create mechanisms for consumers to opt out of data sales/sharing

• Document all processing activities

What is the look-back period for consumer requests?

Under CPRA, consumers can request information about personal data collected beyond the standard 12-month look-back period, as long as the data was collected on or after January 1, 2022, and fulfilling the request does not require disproportionate effort.

Do I need to respond to all consumer requests?

Yes. You must respond to verified consumer requests within 45 days (extendable by 45 days for complex requests). Requests include:

• Right to know what data you collect

• Right to delete data

• Right to correct inaccurate data

• Right to opt out of data sales/sharing

• Right to limit sensitive data use

Can I refuse a consumer request?

You can refuse if the request is frivolous, repetitive, or manifestly unfounded. You may also refuse if fulfilling the request would require disproportionate effort or if you are unable to verify the consumer’s identity.

What verification requirements apply to consumer requests?

You must verify consumer identity using reasonable methods. The CPPA enforcement advisory flags, as an improper practice, asking for excessive personal information during verification. Balance verification with data minimisation principles.

Do I need to delete data when a consumer requests deletion?

Yes, with limited exceptions. You must delete personal information upon verified request unless:

• The data is necessary to complete a transaction

• Legal obligations require retention

• You need data for security purposes

• The data enables internal uses reasonably aligned with consumer expectations

Must I instruct third parties to delete consumer data?

Yes. If a consumer requests deletion of data you’ve sold or shared, you must instruct third parties to delete that information as well, with certain exceptions.

What is cross-context behavioural advertising?

Cross-context behavioural advertising tracks a consumer’s behaviour across unrelated contexts to target advertising. Under CPRA, consumers can opt out of having their data shared for this purpose, and “service provider” arrangements do not exempt sharing for cross-context behavioural advertising.

What is GDPRLocal’s approach to CCPA/CPRA compliance?

GDPRLocal guides CCPA/CPRA compliance, helping businesses:

• Map and classify data flows

• Implement safeguards for sensitive personal information

• Develop compliant privacy notices

• Build strong privacy programs

• Understand consumer rights and business obligations

• Navigate evolving CPPA enforcement guidance

Does CCPA/CPRA apply to B2B data?

The CPRA now extends some privacy rights to business data. Previously, B2B data was largely exempt under CCPA. Specific business contacts and employees now have privacy rights under the CPRA.

What is the relationship between CCPA/CPRA and GDPR?

CCPA/CPRA is California’s state law. GDPR applies to EU residents. If your business processes data from both California and EU residents, you must comply with both laws. They have different requirements but share core principles, such as transparency and data minimisation.

Are other US states passing similar laws?

Yes. Multiple states have adopted or are considering privacy laws, including VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), and UTDPA (Utah). The CPRA is among the most stringent, so compliance with the CPRA often helps with other state laws.

Must I implement data minimisation for existing practices?

Yes. The CPPA enforcement advisory emphasises data minimisation as a foundational principle. Audit your existing data practices and eliminate unnecessary collection and retention.