TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. California Privacy Protection Agency (CPPA): Full Guide
Legal Compliance

California Privacy Protection Agency (CPPA): Full Guide

Learn what the California Privacy Protection Agency (CPPA) is, its enforcement powers, rulemaking authority, and how it affects your business compliance.

TermsBox Team|April 4, 202613 min read

The California Privacy Protection Agency (CPPA) is the first dedicated data privacy enforcement agency in the United States. Created by the California Privacy Rights Act (CPRA) in 2020, the CPPA holds rulemaking and enforcement authority over California's landmark consumer privacy laws, making it one of the most consequential regulatory bodies for any business that handles personal information from California residents.

This guide explains what the California Privacy Protection Agency does, how it enforces the law, what regulations it has adopted, and what your business needs to do to stay compliant. This content is educational and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.

What Is the California Privacy Protection Agency?

The California Privacy Protection Agency is an independent state agency established by Proposition 24, which California voters approved in November 2020. The agency's creation was codified in California Civil Code Section 1798.199.10 through 1798.199.100, and it began operations in 2021 with full enforcement authority taking effect on July 1, 2023.

Before the CPPA existed, enforcement of the CCPA fell entirely to the California Attorney General's office. The CPRA's authors recognized that privacy enforcement requires specialized expertise and dedicated resources, not a small team within a general law enforcement office handling dozens of other legal areas simultaneously. The CPPA was designed to fill that gap.

The agency is governed by a five-member board appointed by the Governor, the Attorney General, the Senate Committee on Rules, and the Speaker of the Assembly. Board members serve eight-year terms and must have expertise in privacy, technology, or consumer rights. This structure insulates the CPPA from short-term political pressure while maintaining democratic accountability.

CPPA Enforcement Powers and Authority

The California Privacy Protection Agency holds broad authority that goes well beyond what the Attorney General could do alone under the original CCPA. Understanding these powers is critical for any business subject to California privacy law.

Administrative enforcement

The CPPA can investigate potential violations, issue subpoenas, compel testimony, and impose administrative fines without going to court. This is a significant distinction from the Attorney General's enforcement model, which typically required filing a civil lawsuit. Administrative enforcement is faster, less expensive for the agency, and allows the CPPA to handle a higher volume of cases.

Penalty authority

Under Section 1798.155 of the Civil Code, the CPPA can impose the following penalties:

  • $2,500 per unintentional violation of the CCPA or CPRA
  • $7,500 per intentional violation of the CCPA or CPRA
  • $7,500 per violation involving a minor under 16, regardless of intent

These fines are assessed per violation, not per enforcement action. A company that improperly handles opt-out requests from 10,000 consumers could face exposure of $25 million to $75 million depending on the violation type.

Rulemaking authority

Unlike the Attorney General, the CPPA has the power to adopt, amend, and repeal regulations that implement the CCPA and CPRA. This rulemaking authority under Section 1798.185 allows the agency to:

  1. Define terms and clarify ambiguous provisions in the statute
  2. Establish technical requirements for opt-out mechanisms
  3. Create rules for automated decision-making technology
  4. Set standards for data processing agreements
  5. Update regulations as technology and business practices evolve

This rulemaking power makes the CPPA a living regulatory body. The rules it adopts carry the force of law, meaning businesses must comply with CPPA regulations in addition to the statutory text of the CCPA and CPRA.

Audit authority

The CPPA can conduct audits of businesses to assess compliance with privacy laws. Under Section 1798.185(a)(18), the agency can order businesses to submit to compliance audits, particularly those whose data processing activities present significant risk to consumer privacy. This proactive approach means the CPPA does not need to wait for a consumer complaint before investigating.

Key Regulations Adopted by the CPPA

The CPPA has used its rulemaking authority to adopt regulations that add substantial detail to the CCPA and CPRA framework. These regulations directly affect how businesses must operate.

Consumer opt-out mechanisms

The CPPA's regulations require businesses to honor opt-out preference signals, such as the Global Privacy Control (GPC). Under 11 CCR Section 7025, a business that receives an opt-out preference signal must treat it as a valid request to opt out of the sale and sharing of personal information. Businesses cannot require consumers to verify their identity before processing an opt-out signal, and they cannot display a pop-up asking the consumer to confirm the signal.

Data broker registration

The CPPA administers the data broker registration program under the Delete Act (SB 362, signed in 2023). Data brokers, defined as businesses that knowingly collect and sell consumer personal information without a direct relationship, must register with the CPPA annually and pay a registration fee. The agency maintains a public registry of registered data brokers.

Consumer request handling

The regulations specify detailed requirements for how businesses must respond to consumer requests:

  • Verification procedures: Businesses must verify the identity of consumers making requests using a reasonable method proportional to the sensitivity of the data
  • Response timelines: Businesses must confirm receipt of requests within 10 business days and respond substantively within 45 calendar days, with a possible 45-day extension
  • Authorized agents: Consumers may designate authorized agents to submit requests on their behalf, and businesses must establish clear processes for agent verification

Automated decision-making

The CPPA has proposed regulations governing automated decision-making technology (ADMT), including profiling. These rules would require businesses to inform consumers when they use ADMT to make significant decisions, provide access to the logic involved, and offer opt-out rights. While these regulations are still being finalized, they signal the CPPA's intent to regulate algorithmic processing.

How the CPPA Differs from the California Attorney General

Both the CPPA and the California Attorney General can enforce the CCPA and CPRA, but they operate differently in ways that matter for businesses.

The Attorney General brings enforcement actions through civil litigation in state court. This process is resource-intensive, takes months or years to resolve, and limits the number of cases the office can pursue. The Attorney General's privacy enforcement is also one priority among many competing demands.

The California Privacy Protection Agency, by contrast, uses administrative proceedings that are faster and more efficient. The CPPA has a dedicated staff focused exclusively on privacy. It can conduct investigations, hold hearings, and impose fines through its own administrative process without filing a lawsuit.

Key differences include:

  • Specialization: The CPPA focuses solely on privacy law, while the Attorney General handles all areas of law
  • Rulemaking: Only the CPPA can adopt new privacy regulations
  • Proactive audits: The CPPA can initiate audits without a complaint; the Attorney General typically acts on complaints or referrals
  • Concurrent jurisdiction: Both agencies can enforce the same laws, and they coordinate to avoid duplicative actions
  • Cure period: The CPRA eliminated the 30-day cure period that the original CCPA provided, meaning neither the CPPA nor the Attorney General is required to give businesses a chance to fix violations before imposing penalties

What Businesses Must Do to Comply with CPPA Requirements

Compliance with the California Privacy Protection Agency's requirements starts with understanding whether the CCPA applies to your business. If you meet any of the three applicability thresholds (over $25 million in annual gross revenue, handling data of 100,000 or more consumers, or deriving 50% or more of revenue from selling personal information), the CPPA's regulations apply to you.

Update your privacy policy

Your privacy policy must include specific disclosures required by both the CCPA statute and the CPPA's regulations. These include:

  • The categories of personal information collected in the preceding 12 months
  • The purposes for which each category is collected and used
  • Whether personal information is sold or shared, and the categories involved
  • Consumer rights under the CCPA and how to exercise them
  • The categories of personal information disclosed for a business purpose
  • Retention periods for each category of personal information (added by the CPRA)

A privacy policy generator can help you create a policy that covers these required disclosures, but you should have an attorney review the final document to confirm it reflects your actual data practices.

Implement opt-out mechanisms

Businesses that sell or share personal information must provide a "Do Not Sell or Share My Personal Information" link on their website. Under the CPPA's regulations, you must also honor Global Privacy Control signals and other opt-out preference signals. This means your website's consent management system needs to detect these signals and suppress the relevant data sharing automatically.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Respond to consumer requests properly

The CPPA has detailed rules about how quickly and thoroughly you must respond to requests to know, delete, correct, or opt out. Failure to meet the 10-business-day acknowledgment window or the 45-day response deadline can itself constitute a violation, separate from the substance of the response.

Maintain records

The CPPA expects businesses to maintain records of consumer requests and how they were handled for at least 24 months. Businesses that process the personal information of four million or more consumers must also compile and disclose metrics about the number of requests received, complied with, and denied.

Prepare for audits

If you operate in a high-risk processing area (large-scale profiling, processing sensitive personal information, handling children's data), you should be prepared for a CPPA compliance audit. Maintain documentation of your data processing activities, data protection impact assessments, and training records for employees who handle consumer requests.

CPPA Enforcement Actions and Investigations

The California Privacy Protection Agency has been actively exercising its enforcement authority since July 2023. While the agency's enforcement record is still developing compared to established regulators like the FTC or European data protection authorities, its early actions reveal clear priorities.

The CPPA has focused enforcement attention on:

  • Failure to honor opt-out signals: Businesses that ignore GPC signals or make opting out unreasonably difficult
  • Inadequate privacy policies: Companies whose disclosures do not meet the specificity requirements of the CCPA and CPPA regulations
  • Dark patterns in consent interfaces: User interface designs that manipulate consumers into making choices they would not otherwise make, such as making the "accept" button prominent while hiding the "decline" option
  • Children's data: Processing the personal information of minors without proper consent mechanisms

The CPPA has also conducted a series of investigative sweeps targeting specific industries and practices. These sweeps allow the agency to gather information about industry-wide compliance patterns and identify systemic issues.

For businesses concerned about enforcement, the most practical step is ensuring your website correctly handles opt-out signals and your privacy policy generator output accurately describes your data practices. Many early enforcement actions have targeted straightforward compliance failures rather than novel legal questions.

How the CPPA Compares to International Privacy Regulators

The California Privacy Protection Agency occupies a unique position in the global privacy enforcement landscape. It is not a national regulator, but it oversees compliance for a jurisdiction with an economy larger than most countries.

Compared to EU data protection authorities

European DPAs under the GDPR have been operating since 2018 and have issued fines exceeding 4 billion EUR collectively. The CPPA has similar administrative enforcement powers but operates under a different legal framework. Key differences include:

  • Scope: GDPR DPAs regulate all personal data processing; the CPPA regulates for-profit businesses meeting specific thresholds
  • Penalties: GDPR fines can reach 20 million EUR or 4% of global turnover; CPPA fines are capped at $2,500 to $7,500 per violation but without an aggregate cap
  • Cross-border coordination: EU DPAs coordinate through the European Data Protection Board; the CPPA operates independently
  • Rulemaking: Most EU DPAs interpret existing regulations through guidance; the CPPA can create binding regulations

Compared to the FTC

The Federal Trade Commission enforces privacy through its Section 5 authority against unfair or deceptive practices. The FTC does not have a comprehensive privacy statute to enforce (as of early 2026, no federal privacy law has been enacted). The CPPA operates under a detailed statutory framework, giving it clearer authority and more specific enforcement tools.

Implications for compliance

If your business operates internationally, CPPA compliance is one layer of a broader privacy program. The good news is that businesses already compliant with the GDPR will find many CPPA requirements familiar. The areas requiring additional attention include the specific opt-out mechanisms, the treatment of "sharing" for cross-context behavioral advertising, and the California-specific consumer request procedures.

Using tools like a compliance scanner to identify tracking technologies and cookies on your website can help you maintain accurate disclosures across multiple regulatory frameworks simultaneously.

What to Expect from the CPPA Going Forward

The California Privacy Protection Agency is still a relatively young institution, but its trajectory points toward increasingly active enforcement and expanded regulatory scope.

Several developments are worth monitoring:

  • Automated decision-making regulations: The CPPA's proposed ADMT rules would create new compliance obligations for businesses that use algorithms to make significant decisions about consumers
  • Cybersecurity audits: The CPRA requires the CPPA to issue regulations mandating risk assessments for processing that presents significant risk, which could create audit obligations similar to GDPR's Data Protection Impact Assessments
  • Children's privacy: The CPPA has signaled that protecting minors' data is a top enforcement priority, and additional regulations targeting age-appropriate design and consent mechanisms are likely
  • Federal preemption: If Congress enacts a federal privacy law, the relationship between that law and the CPPA's authority will become a critical legal question. California has historically resisted federal preemption of its consumer protection laws

For businesses, the practical takeaway is that CCPA and CPRA compliance is not a one-time project. The CPPA's ongoing rulemaking means that requirements will continue to evolve, and businesses need systems that can adapt. A terms of service generator and privacy policy should be reviewed regularly to ensure they reflect the latest regulatory requirements.

Frequently Asked Questions

What is the California Privacy Protection Agency?

The California Privacy Protection Agency (CPPA) is the dedicated state agency responsible for enforcing the CCPA and CPRA. It was created by Proposition 24 (the California Privacy Rights Act) in November 2020 and has full administrative authority to investigate violations, conduct audits, issue fines up to $7,500 per intentional violation, and adopt regulations that interpret and implement California's consumer privacy laws.

When did the CPPA start enforcing privacy laws?

The CPPA assumed full enforcement authority on July 1, 2023. Before that date, enforcement rested solely with the California Attorney General's office. The Attorney General retains concurrent enforcement power, meaning both agencies can bring actions against businesses that violate the CCPA or CPRA.

How is the CPPA different from the California Attorney General?

The California Attorney General is a general law enforcement office that handles privacy among many other legal matters. The CPPA is a specialized agency focused exclusively on data privacy. The CPPA has rulemaking authority to create new regulations, can conduct proactive audits and technical investigations, and operates with a dedicated staff of privacy experts. The Attorney General does not have rulemaking power under the CCPA and primarily pursues enforcement through litigation.

What penalties can the CPPA impose on businesses?

The CPPA can impose administrative fines of $2,500 per unintentional violation and $7,500 per intentional violation of the CCPA or CPRA. For violations involving minors under 16, every violation is treated as intentional, carrying the $7,500 maximum. These fines are assessed per violation, meaning a single compliance failure affecting thousands of consumers can result in penalties reaching millions of dollars.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What Is the California Privacy Protection Agency?
  • CPPA Enforcement Powers and Authority
  • Administrative enforcement
  • Penalty authority
  • Rulemaking authority
  • Audit authority
  • Key Regulations Adopted by the CPPA
  • Consumer opt-out mechanisms
  • Data broker registration
  • Consumer request handling
  • Automated decision-making
  • How the CPPA Differs from the California Attorney General
  • What Businesses Must Do to Comply with CPPA Requirements
  • Update your privacy policy
  • Implement opt-out mechanisms
  • Respond to consumer requests properly
  • Maintain records
  • Prepare for audits
  • CPPA Enforcement Actions and Investigations
  • How the CPPA Compares to International Privacy Regulators
  • Compared to EU data protection authorities
  • Compared to the FTC
  • Implications for compliance
  • What to Expect from the CPPA Going Forward
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.