California Privacy Act (CCPA/CPRA) Overview
A comprehensive overview of the California Consumer Privacy Act and CPRA updates, with practical compliance steps.
The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), require clear disclosures, rights handling, and opt-outs for sale or sharing of data. This guide delivers a full overview with H2 and H3 sections, tables, step-by-step actions, common mistakes, and enforcement examples. Reuse your CTA banners and link to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator to keep your compliance pages synchronized.
Core requirements
Notice at collection
Inform users at or before collection about categories, purposes, retention, and sharing. Link to your privacy policy and include a clear Do Not Sell/Share option if applicable.
Rights handling
Support access, deletion, correction, portability, and opt-out of sale/share. Provide at least two request methods (for example, web form and email) and verify identity.
Selling, sharing, and ad tech
What triggers opt-outs
Cross-context behavioral advertising often counts as sharing. Selling includes exchanging data for value. If you run ad pixels, treat them as sale/share unless exempt.
Implementing opt-outs
Add a Do Not Sell/Share link and honor Global Privacy Control signals. Update your Cookie Policy to explain how opt-outs work.
Step-by-step compliance plan
- Map data categories, purposes, and recipients.
- Update your Privacy Policy with CPRA-required disclosures, retention, and rights.
- Configure a Do Not Sell/Share link and preference center; honor GPC.
- Update your Cookie Policy to classify ad/analytics cookies and link opt-outs.
- Implement request intake, verification, and tracking.
- Train teams on response timelines and exemptions.
- Maintain contracts with service providers and contractors that meet CPRA requirements.
- Review sensitive data handling and offer limitation options where required.
- Add CTA banners under intro and near conclusion for consistent UX.
- Archive policies, request logs, and opt-out evidence.
Table: rights and timelines
| Right | Timeline | Notes | Owner |
|---|---|---|---|
| Access/Deletion | 45 days (extendable) | Verify identity and log requests | Privacy |
| Correction | 45 days | Apply across systems | Privacy/IT |
| Opt-out sale/share | Immediate | Honor GPC; update cookies | Marketing/Privacy |
| Limit sensitive data | Promptly | Offer clear toggle | Product |
| No retaliation | Ongoing | Do not reduce service for exercising rights | All teams |
Data transfers and processors
Contracts and service providers
Use CPRA-compliant contracts with service providers and contractors. Limit use to specified purposes and require assistance with rights requests.
International considerations
If you also serve the EU/UK, align CPRA notices with GDPR disclosures and SCCs. Keep a single, clear privacy notice where possible.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowCommon mistakes to avoid
- Treating ad tech as exempt from sale/share.
- Missing or hard-to-find Do Not Sell/Share links.
- Ignoring GPC signals.
- Vague retention statements without timeframes.
- Untrained teams causing delayed responses.
- Missing service provider language in contracts.
Enforcement examples and lessons
Sephora CPRA settlement (2022)
The 1.2 million USD settlement described in the AG press release shows the risk of ignoring GPC and hiding Do Not Sell links.
FTC actions on dark patterns
The FTC warns against deceptive opt-outs. Make your links and banners clear and balanced.
Meta GDPR fine (2023)
While under GDPR, the 1.2 billion EUR fine reported by Reuters reinforces scrutiny on transfers, relevant if California and EU data share infrastructure.
Publication QA
- Privacy policy updated with CPRA sections.
- Do Not Sell/Share link live and tested.
- Cookie banner aligned and honors GPC.
- CTA banners placed.
- FAQ schema enabled.
- Screenshots and logs stored.
Metrics to monitor
- Number of opt-out requests and GPC signals processed.
- Request response times.
- Bounce rates after banner updates.
- Contract coverage with service providers/contractors.
Notice templates
At collection notice example
We collect personal information (identifiers, usage data, and device data) to provide and improve our services. We may share certain data for cross-context advertising. See our Privacy Policy for categories, purposes, retention, and your rights. Manage cookies and opt-outs in our Cookie Policy and Do Not Sell/Share link.
Do Not Sell/Share link language
“Do Not Sell or Share My Personal Information” – opens preference center with advertising/sharing toggle and GPC acknowledgment.
Data inventory starter table
| Category | Example data | Purpose | Shared/sold? | Retention |
|---|---|---|---|---|
| Identifiers | Email, device ID | Account, security | No sale/share | Account life + 12 mo |
| Internet activity | Pages viewed, clicks | Analytics, product improvement | Sharing for ads | 13 months |
| Geolocation (coarse) | Region | Content localization | No sale/share | Session |
| Purchase data | Transaction history | Billing, support | No sale/share | 7 years |
| Inferences | Interest segments | Personalization | Sharing for ads | 12 months |
Service provider and contractor contracts
- Include CPRA-required terms: limited use, assistance with rights requests, subprocessor controls, and deletion on request.
- Require notification before adding subprocessors and maintain a public list when possible.
- Verify data security commitments and breach notification timelines.
Sensitive personal information
- Identify SPI (for example, precise geolocation, health data).
- Offer “Limit the Use of My Sensitive Personal Information” where applicable.
- Avoid using SPI for cross-context advertising without explicit alignment to user expectations.
Expanded common mistakes
- Assuming legitimate interest-like reasoning applies; CPRA requires explicit opt-outs for sale/share.
- Failing to classify ad tech partners correctly as service providers or third parties.
- Not updating privacy notices with retention schedules.
- Ignoring employee/applicant data if covered by your scope.
- Overlooking offline collection notices for events or phone sales.
Evidence and audit kit
| Artifact | Purpose | Owner |
|---|---|---|
| Policy versions and timestamps | Show what users saw | Legal/Privacy |
| Opt-out/GPC logs | Prove compliance | Engineering/Privacy |
| Request tickets and timelines | Demonstrate SLA adherence | Support/Privacy |
| Service provider contracts | Show required clauses | Legal/Procurement |
| Banner/preference screenshots | Prove link placement | Marketing/Privacy |
Enforcement workflow
- Intake complaints via support or privacy email.
- Triage whether it is a rights request, opt-out issue, or general complaint.
- Respond within statutory timelines; document actions taken.
- Escalate systemic issues (for example, missing GPC honoring) to engineering with a fix SLA.
- Record remediation and verify with regression tests.
Review cadence
- Monthly: test Do Not Sell/Share links and GPC handling.
- Quarterly: refresh data inventories and retention schedules; audit vendors.
- Semiannual: legal review of notices and contracts.
- After product changes: confirm new data uses are disclosed and covered by contracts.
Alignment with other laws
- If you serve EU/UK users, ensure GDPR notices and SCCs align with CPRA disclosures.
- If you use HIPAA-covered data, keep it segregated with separate BAAs.
- For children’s data, assess COPPA requirements and avoid sale/share without proper consent.
Sensitive data handling table
| SPI type | Use | Allowed? | Controls |
|---|---|---|---|
| Precise geolocation | Personalization/ads | Generally avoid without clear user intent | Opt-in, easy opt-out, short retention |
| Health-related data | Product features | Limit to necessary features | Encryption, access control, explicit notice |
| Financial data | Payments | Yes, for transactions | PCI-compliant processors, minimize storage |
| Government IDs | Verification | Only if required | Secure storage, strict access |
Testing and validation plan
- Run monthly GPC tests from multiple browsers and regions.
- Test Do Not Sell/Share link on desktop and mobile; capture screenshots.
- Verify that opt-outs propagate to ad platforms and that cookies are suppressed.
- Conduct mock rights requests to ensure SLAs are met.
Communication templates
- Rights request confirmation: “We received your request regarding your personal information. We will respond within 45 days. For details, see our Privacy Policy.”
- Opt-out confirmation: “We have recorded your Do Not Sell/Share preference and will honor GPC signals on this browser.”
- Policy update notice: “We updated our privacy and cookie policies to clarify categories, retention, and opt-out options. Review the changes here.”
KPIs and reporting
- Rights request volume by type and completion time.
- Opt-out and GPC signals processed vs. failed.
- Percentage of vendors with current CPRA-compliant contracts.
- Time from policy change to site update (banner, links, preference center).
- Number of complaints related to sale/share or opt-out placement.
Service provider vs. third party decisions
- Classify vendors carefully: if they use data beyond your purposes, they may be third parties requiring opt-outs.
- For service providers, ensure contracts forbid secondary use, combining data, and sale/share.
- Update your public vendor list or policy disclosures when classifications change.
Consumer education tips
- Add a short explainer next to the Do Not Sell/Share link describing what it does.
- Include visuals or tooltips in the preference center to show which tags are disabled.
- Provide a mini FAQ about rights and expected response timelines.
- Remind users in confirmation emails that preferences can be updated anytime.
Quick checklist
- Privacy policy updated with categories, purposes, retention, rights, and opt-out links.
- Do Not Sell/Share link live; GPC honored.
- Cookie banner aligned with opt-outs and preference center.
- Contracts updated with CPRA language for service providers and contractors.
- Logs and screenshots saved for requests, banners, and preferences.
Key takeaways
- Provide notice at collection, clear rights instructions, and visible Do Not Sell/Share links.
- Honor GPC and align cookie preferences with opt-outs.
- Keep CPRA-ready contracts and vendor classifications up to date.
- Log requests, opt-outs, and banner states for evidence.
- Review inventories, policies, and banners on a set schedule.
Post-release review
- Test Do Not Sell/Share links and GPC handling after each update.
- Verify that privacy and cookie pages reflect the latest data categories and retention.
- Confirm preference center toggles match tag manager behavior.
- Save screenshots and changelog entries for the release.
- Remind support teams of any wording or process changes.
- Set a reminder for the next CPRA audit so opt-outs and notices stay current.
- Record any contract updates or vendor classification changes in your compliance log.
Conclusion and next steps
CPRA compliance depends on clear notices, opt-outs, and disciplined request handling. Use this guide to update your privacy and cookie pages with the Privacy Policy Generator and Cookie Policy Generator, align terms with the Terms of Service Generator, and log every change. Continuous tuning keeps you ready for audits and user trust intact.