// Glossary · compliance

CCPA / CPRA

Also: California Consumer Privacy Act · California Privacy Rights Act

The California Consumer Privacy Act and its successor, the CPRA. Grants California residents rights over their personal data, including opt-out of sale, deletion, and access. Other US states have followed with similar laws.

The California Consumer Privacy Act took effect in 2020 and granted California residents a defined set of rights over their personal data: the right to know what data is collected, the right to delete personal data, the right to opt out of sale, and the right to non-discrimination for exercising these rights. The California Privacy Rights Act, effective 2023, extended the original law with the right to correct inaccurate data, the right to limit use of sensitive personal information, and the creation of the California Privacy Protection Agency to enforce both. Any business with California consumers as customers is in scope if it meets revenue or data-volume thresholds, regardless of whether the business is physically located in California.

CCPA matters beyond California because it set the template that other US states have followed. Colorado, Virginia, Connecticut, Utah, Texas, and a dozen more have passed similar privacy laws over the past three years, each with slightly different definitions of personal data, slightly different opt-out mechanisms, and slightly different enforcement bodies. The net effect for any US-facing SaaS or e-commerce business is a patchwork of overlapping state-level privacy obligations that resembles GDPR in spirit but is harder to comply with because there is no single unified standard. Most funded teams treat the California requirements as the high-water mark and build to that standard nationally.

For operational compliance, the core requirements are a privacy policy disclosing data practices, a Do Not Sell or Share link in the website footer, a consumer rights request process with identity verification, and contractual data processing terms with vendors that handle personal data. The AI Ops Department handles the operational layer of request intake and tracking, paired with the DPA and vendor inventory work that supports both CCPA and GDPR. Penalties for violations run up to 7,500 dollars per intentional violation and 2,500 dollars per unintentional violation, with the CPPA actively pursuing enforcement actions against businesses that ignore consumer rights requests or fail to honor opt-out signals.

// Examples
  • A Series A DTC brand adds a Do Not Sell or Share link, builds a consumer rights request portal handling 80 to 120 requests per month, and completes vendor data processing addendums with 14 vendors in one quarter.
  • A SaaS company unifies its CCPA, CPRA, Colorado, and Virginia privacy compliance into a single national privacy program, treating California as the floor rather than running separate playbooks per state.
  • A marketplace gets fined $1.2 million by the CPPA for failing to honor consumer opt-out requests over a 14-month period, triggering a full compliance rebuild and disclosure to investors.
// Common questions

Who has to comply with CCPA?

Businesses with at least 25 million dollars in annual revenue, or those handling personal data of 100,000+ California consumers per year, or those deriving 50 percent or more of revenue from selling personal data. Smaller businesses are technically exempt, but most build to CCPA standards anyway because other state laws apply at lower thresholds.

What is the difference between CCPA and CPRA?

CPRA is the successor law passed by ballot initiative in 2020 and effective in 2023. It expanded CCPA with new rights (correction, sensitive data limits) and created a dedicated enforcement agency (CPPA). When people say CCPA today, they almost always mean the combined CCPA-CPRA framework as currently enforced.

How is CCPA different from GDPR?

GDPR is opt-in by default and applies to all EU residents with a broader definition of personal data. CCPA is opt-out by default and applies to California residents with a narrower scope. GDPR penalties run up to 4 percent of global revenue. CCPA penalties run per violation at a much lower ceiling. Both require similar operational infrastructure for consumer rights requests.

Do I need separate compliance programs for each US state?

In practice, no. Most funded teams build a single privacy program to the strictest applicable standard (typically California or Colorado, depending on data type) and apply it nationally. Running separate playbooks per state is operationally exhausting and provides little incremental protection. The unified approach is also easier to audit.
// Ready to ship?

EOI runs fractional AI departments for funded teams under 50. Sales, Content, Ops, Support. Live in 14 days on a monthly retainer.