Introduction
The California Consumer Privacy Act (CCPA), as significantly amended and expanded by the California Privacy Rights Act (CPRA), is the most consequential state-level privacy law in the United States. Enacted originally in 2018 and effective from 1 January 2020, the CCPA established landmark rights for California residents over their personal information. The CPRA, approved by California voters as Proposition 24 in November 2020, took full effect on 1 January 2023 (with a look-back period to personal information collected from 1 January 2022) and substantially strengthened the regime by introducing new consumer rights, creating a dedicated enforcement authority, and importing several concepts from the EU General Data Protection Regulation (GDPR) such as purpose limitation, data minimisation, and storage limitation.
This auditor-grade guide provides a comprehensive, control-by-control examination of the combined CCPA/CPRA framework as codified in California Civil Code sections 1798.100 through 1798.199.100, together with the implementing regulations promulgated by the California Privacy Protection Agency (CPPA) at Title 11, Division 6 of the California Code of Regulations (11 CCR sections 7000 et seq.). It is written for privacy officers, data protection leads, legal counsel, and third-party assessors who must design, operate, and independently verify a CCPA/CPRA compliance programme. Throughout, the guide maps statutory requirements to verifiable evidence so that a readiness assessment or audit can be conducted with rigour and repeatability.
What is CCPA / CPRA
The CCPA/CPRA is a comprehensive consumer privacy statute that grants California residents (defined as natural persons who are 'consumers') a set of enforceable rights over the personal information that businesses collect, use, sell, and share about them. Unlike a prescriptive security standard, it is a rights-based, transparency-and-accountability law: it obliges qualifying businesses to disclose their data practices, honour consumer requests, limit their processing to disclosed and reasonably necessary purposes, implement reasonable security, and flow obligations down to service providers, contractors, and third parties through contract.
Key structural features distinguish CCPA/CPRA from earlier privacy laws:
- Broad definition of 'personal information' - any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes inferences drawn to create profiles.
- A new category of 'sensitive personal information' (SPI) introduced by CPRA, covering government identifiers, financial account credentials, precise geolocation, race/ethnicity, religious beliefs, union membership, contents of private communications, genetic data, biometric data for unique identification, health data, and data about sex life or sexual orientation.
- The concepts of 'sell' (disclosure for monetary or other valuable consideration) and, added by CPRA, 'share' (disclosure for cross-context behavioural advertising), each triggering opt-out rights.
- A dedicated regulator, the California Privacy Protection Agency (CPPA), with full administrative enforcement, investigation, and rulemaking authority, operating alongside the California Attorney General.
- A limited private right of action available to consumers for certain data breaches resulting from a failure to maintain reasonable security, with statutory damages of USD 100 to USD 750 per consumer per incident.
CPRA also created purpose limitation, data minimisation, and storage limitation duties, and established heightened obligations around automated decision-making technology and profiling, risk assessments, and cybersecurity audits - the detailed regulations for which the CPPA has been finalising through ongoing rulemaking.
Who must comply
CCPA/CPRA applies to a 'business' - a for-profit entity that does business in California, collects (or on whose behalf is collected) California residents' personal information, determines the purposes and means of processing, and meets at least one of the applicability thresholds below. It also reaches entities that control or are controlled by a covered business and share common branding, and joint ventures. Two other regulated actors - 'service providers'/'contractors' and 'third parties' - inherit obligations by contract even where they do not independently meet the thresholds.
| Actor / threshold | Applicability criterion |
|---|---|
| Business - revenue | Annual gross revenue exceeding USD 25 million (measured for the preceding calendar year). |
| Business - volume | Annually buys, sells, or shares the personal information of 100,000 or more consumers or households. |
| Business - data monetisation | Derives 50% or more of annual revenue from selling or sharing consumers' personal information. |
| Affiliates / common branding | Entities that control or are controlled by a business and share common branding, and to which the business discloses personal information. |
| Joint ventures / partnerships | A joint venture or partnership where each business has at least a 40% interest is itself a 'business'. |
| Service provider | Processes personal information on behalf of a business pursuant to a written contract; bound by contractual and statutory limits on use. |
| Contractor | A person to whom a business makes personal information available for a business purpose under a compliant contract; similar obligations to service providers. |
| Third party | Any recipient that is not the business, a service provider, or a contractor; receipt may constitute a 'sale' or 'share'. |
Certain exemptions apply. Data already regulated by federal statutes may be exempt at the data level, including protected health information under HIPAA, financial information under the Gramm-Leach-Bliley Act (GLBA), credit-reporting data under the Fair Credit Reporting Act (FCRA), and driver data under the Driver's Privacy Protection Act. Non-profit organisations and government agencies are generally outside scope. The formerly available B2B and employee (HR) data exemptions sunset on 1 January 2023, so employee, applicant, and business-contact personal information is now fully covered.
Structure of CCPA / CPRA
The framework can be organised into logical obligation domains that group the statutory sections. The table below maps each domain to its principal Civil Code anchors and to the regulatory provisions that operationalise it. These domains form the backbone of the master assessment checklist that follows.
| Domain | Principal statutory / regulatory anchors and scope |
|---|---|
| D1 - Transparency and notices | Civil Code 1798.100, 1798.130; Regs 7010-7013. Notice at collection, privacy policy, notice of right to opt-out, notice of financial incentive. |
| D2 - Consumer rights fulfilment | Civil Code 1798.100-1798.121, 1798.130. Right to know/access, delete, correct, opt-out of sale/share, limit use of SPI, non-discrimination, portability. |
| D3 - Request handling operations | Civil Code 1798.130, 1798.145; Regs 7020-7028. Methods for submitting requests, verification, timelines, authorised agents, record-keeping. |
| D4 - Purpose limitation and data minimisation | Civil Code 1798.100(c), 1798.100(a)(3). Collection limited to disclosed, reasonably necessary and proportionate purposes; storage limitation. |
| D5 - Opt-out preference signals | Civil Code 1798.135; Regs 7025. Global Privacy Control (GPC) recognition, opt-out link mechanics, symmetry in choice. |
| D6 - Sensitive personal information controls | Civil Code 1798.121, 1798.135. Right to limit use and disclosure of SPI; 'Limit the Use of My Sensitive Personal Information' link. |
| D7 - Service provider, contractor and third-party contracts | Civil Code 1798.100(d), 1798.140; Regs 7050-7053. Mandatory contract terms and downstream flow-down. |
| D8 - Security and breach | Civil Code 1798.81.5, 1798.100(e), 1798.150. Reasonable security duty and private right of action for breaches. |
| D9 - Accountability, governance and DPIA/audit | Civil Code 1798.185. Risk assessments, cybersecurity audits, automated decision-making rules (CPPA rulemaking). |
| D10 - Enforcement and remedies | Civil Code 1798.155, 1798.199.90; Regs 7300-7304. Administrative fines, AG civil penalties, CPPA investigations. |
Master assessment checklist
This is the core of the guide. Each domain below is broken into its constituent controls, expressed as 'What to verify' against 'Typical evidence'. An assessor should walk every row, gathering the stated artefacts, testing operating effectiveness through sampling where relevant, and recording exceptions. No control area is omitted.
D1 - Transparency and notices
| What to verify | Typical evidence |
|---|---|
| A notice at collection is provided at or before the point personal information is collected, listing categories collected, purposes, whether sold/shared, and retention periods. | Screenshots of web/app collection points, physical signage, call-centre scripts; the notice-at-collection text; retention schedule. |
| A comprehensive privacy policy exists, is dated within the last 12 months, and covers all statutorily required disclosures including categories collected/sold/shared/disclosed, sources, purposes, and consumer rights. | Published privacy policy URL, version history, change log, legal review sign-off. |
| Categories of personal information and sensitive personal information collected in the past 12 months are enumerated and accurate against the data map. | Data inventory/RoPA, privacy policy category tables, mapping to actual systems. |
| A clear description of each consumer right and the methods to exercise them is included. | Privacy policy rights section, links to request forms/toll-free number. |
| Notice of right to opt-out of sale/share and notice to limit SPI are present where those activities occur. | 'Do Not Sell or Share My Personal Information' link, 'Limit the Use of My Sensitive Personal Information' link, or the combined opt-out link. |
| Any financial incentive or price/service difference tied to data is disclosed with a good-faith value estimate and method of calculation. | Notice of financial incentive, loyalty programme terms, valuation methodology memo. |
| Notices are accessible to consumers with disabilities and available in the languages in which the business ordinarily conducts business. | Accessibility (WCAG) audit, translated notice versions. |
D2 - Consumer rights fulfilment
| What to verify | Typical evidence |
|---|---|
| Right to know/access: business can produce categories and specific pieces of personal information collected, sources, purposes, and recipients over the requested look-back period (12 months, extendable to beyond 12 months for post-Jan-2022 data on request). | Sample fulfilled access-request packages, DSAR system logs, look-back configuration. |
| Right to delete: deletion propagates to the business's own records and instructs service providers/contractors/third parties to delete, subject to enumerated exceptions. | Deletion workflow tickets, downstream deletion instructions, exception log with legal basis. |
| Right to correct: consumers can request correction of inaccurate personal information and the business uses commercially reasonable efforts to correct. | Correction request records, verification of accuracy, update confirmations. |
| Right to opt-out of sale/share: opt-out is honoured within 15 business days and communicated to third parties who received data in the prior 90 days. | Opt-out logs, third-party notification records, suppression list. |
| Right to limit use of SPI: consumer can restrict SPI to permitted business purposes only. | SPI limitation logs, downstream configuration proving restricted processing. |
| Right to opt-in for minors: affirmative consent obtained before selling/sharing data of consumers under 16 (opt-in for 13-15; parental consent under 13). | Age-gating design, consent capture records, parental verification method. |
| Data portability: information provided in a portable and, to the extent technically feasible, readily usable format. | Sample export files (CSV/JSON), format specification. |
| Non-discrimination: consumers exercising rights are not denied goods/services, charged different prices, or provided a different level of quality (except permitted financial incentives). | Pricing/service policies, incentive valuation, complaint records. |
D3 - Request handling operations
| What to verify | Typical evidence |
|---|---|
| At least two designated methods to submit right-to-know/delete requests (e.g., toll-free number plus web form); online-only businesses may use email/web. | Documented intake channels, phone-line test call, web-form screenshot. |
| Acknowledgement within 10 business days and substantive response within 45 calendar days, extendable once by a further 45 days with notice. | Timeline SLA dashboards, sample request timestamps, extension notices. |
| Verification of the requestor's identity to a reasonable/reasonably-high degree of certainty proportionate to the sensitivity of data. | Verification procedure document, matched data-point logs, denial records for unverifiable requests. |
| Authorised agent requests are accepted with proof of authorisation (e.g., power of attorney or signed permission plus consumer verification). | Authorised-agent policy, sample authorisations, verification evidence. |
| Opt-out requests do not require identity verification and any preference signals are honoured without unnecessary friction. | Opt-out flow with no verification barrier, GPC handling logs. |
| Records of consumer requests and responses are maintained for at least 24 months. | Request register/audit log, retention configuration. |
| Businesses handling 10 million+ consumers publish annual metrics on requests received, complied with, denied, and mean response time. | Published metrics report (where threshold met). |
D4 - Purpose limitation, data minimisation and retention
| What to verify | Typical evidence |
|---|---|
| Collection, use, retention, and sharing are limited to what is reasonably necessary and proportionate to the disclosed purpose (data minimisation). | Purpose register mapping each processing activity to a disclosed purpose; DPIA/necessity analysis. |
| Personal information is not used for materially different, incompatible purposes without fresh notice/consent (purpose limitation). | Change-management records for new purposes, consent/notice updates. |
| Retention periods are defined for each category and enforced; data is not kept longer than reasonably necessary (storage limitation). | Retention schedule, automated purge job logs, disposal certificates. |
| Sensitive personal information collection is likewise minimised and justified. | SPI necessity assessments. |
D5 - Opt-out preference signals and mechanics
| What to verify | Typical evidence |
|---|---|
| Opt-out link(s) are conspicuous on the homepage and pages where data is collected; a combined 'Your Privacy Choices' link may be used. | Homepage screenshots, link placement, mobile view. |
| The Global Privacy Control (GPC) or equivalent opt-out preference signal is detected and treated as a valid opt-out of sale/share. | GPC-detection code/tag, browser test evidence, opt-out logs triggered by signal. |
| Choice architecture is symmetrical - opting out is not more burdensome than opting in; no dark patterns. | UX review, click-count comparison, dark-pattern assessment. |
| Where a business does not sell or share and does not use SPI beyond permitted purposes, it states this in its privacy policy in lieu of links. | Privacy policy attestation clause. |
D6 - Sensitive personal information controls
| What to verify | Typical evidence |
|---|---|
| SPI categories collected are identified and mapped; consumer right to limit use to permitted business purposes is operational. | SPI data map, limitation-request workflow. |
| 'Limit the Use of My Sensitive Personal Information' link is provided where SPI is used beyond permitted purposes. | Link screenshot, or policy attestation that use stays within permitted purposes. |
| Downstream processors are contractually and technically restricted from using SPI beyond permitted purposes once a limitation request is honoured. | DPA clauses, system flags restricting SPI processing. |
D7 - Service provider, contractor and third-party contracts
| What to verify | Typical evidence |
|---|---|
| Every service provider/contractor is bound by a written contract containing all mandatory CPRA terms (limited purpose, no sale/share, no combining, compliance certification, audit rights, flow-down). | Executed DPAs/contracts, clause-by-clause compliance matrix. |
| Contracts prohibit retaining, using, or disclosing personal information for any purpose other than the specified business purpose. | Purpose-limitation clauses. |
| The business conducts appropriate due diligence and has the right to take reasonable steps to remediate unauthorised use by processors. | Vendor risk assessments, audit reports, remediation records. |
| Third-party recipients (non-service-provider) are identified and the disclosure is correctly classified as a sale or share where applicable. | Data-flow classification register, cookie/tag inventory. |
| Onward flow-down: service providers pass equivalent obligations to their sub-processors. | Sub-processor list, back-to-back contract terms. |
D8 - Security and breach
| What to verify | Typical evidence |
|---|---|
| Reasonable security procedures and practices appropriate to the nature of the information are implemented (Civil Code 1798.81.5), typically benchmarked to a recognised control set. | Security policy, control framework mapping (e.g., CIS Controls, ISO 27001, NIST CSF), risk assessment. |
| Access controls, encryption of specified data elements, and network safeguards protect personal information subject to the private right of action. | Encryption inventory, access-control matrix, penetration-test reports. |
| A breach response plan exists that addresses California breach-notification obligations (Civil Code 1798.82). | Incident response plan, breach notification templates, tabletop exercise records. |
| Cybersecurity audit obligations (per CPPA rulemaking for higher-risk processing) are met where applicable. | Independent cybersecurity audit report, scoping memo. |
D9 - Accountability, governance and DPIA/audit
| What to verify | Typical evidence |
|---|---|
| A privacy governance structure with clear ownership (e.g., privacy officer/lead) and board/executive oversight exists. | Org chart, RACI, governance charter, meeting minutes. |
| Risk assessments (DPIAs) are conducted for processing that presents significant risk to consumer privacy or security, per CPPA rules. | Completed risk-assessment records, methodology, submission evidence where required. |
| Automated decision-making technology (ADMT) and profiling are inventoried; opt-out and access rights are provided per applicable regulations. | ADMT inventory, meaningful-information disclosures, opt-out mechanism. |
| Staff handling personal information or consumer requests receive training on CCPA/CPRA obligations. | Training curriculum, completion records, attestation. |
| Policies and data inventories are reviewed and updated at least annually. | Review calendar, versioned policy set, inventory refresh evidence. |
D10 - Enforcement readiness and remedies
| What to verify | Typical evidence |
|---|---|
| The business can respond to CPPA/AG inquiries and produce records demonstrating compliance. | Evidence repository, audit trail, prior correspondence handling procedure. |
| Awareness that the 30-day cure period was eliminated by CPRA (AG cure discretion) and that administrative fines apply. | Legal briefing note, enforcement-risk register. |
| Data-breach private-right-of-action exposure is understood and mitigated through reasonable security. | Security posture assessment, cyber-insurance policy, breach-simulation results. |
Scoping
Accurate scoping determines both applicability and the boundary of the assessment. Scoping proceeds in layers:
- Entity applicability: confirm the entity is a for-profit 'business' doing business in California and meets at least one threshold (USD 25m revenue; 100,000 consumers/households; 50% revenue from selling/sharing). Assess affiliates and joint ventures for common-branding reach.
- Data scoping: identify all California-resident personal information and sensitive personal information across customer, prospect, employee, applicant, and business-contact populations (noting the sunset of HR/B2B exemptions).
- Exemption analysis: carve out data governed by HIPAA, GLBA, FCRA, and similar federal regimes at the data-element level, documenting the rationale.
- Processing scoping: enumerate collection points, purposes, sales/shares, cross-context behavioural advertising, ADMT/profiling, and SPI uses.
- Actor scoping: classify each downstream recipient as service provider, contractor, or third party, as this drives contract and opt-out obligations.
- System scoping: map the applications, databases, data lakes, cookies/SDKs, and vendors that store or transmit in-scope data to bound the technical assessment.
Implementation approach
A phased programme allows an organisation to reach and sustain compliance in a controlled manner. Each phase below lists indicative activities and deliverables.
Phase 1 - Discover and assess
- Activities: applicability determination; data mapping and inventory (RoPA); classification of PI and SPI; identification of sales/shares and third parties; gap assessment against the master checklist.
- Deliverables: applicability memo; data inventory and data-flow maps; PI/SPI classification; prioritised gap-remediation plan.
Phase 2 - Design and document
- Activities: draft/update privacy policy and notices at collection; design DSAR intake and verification processes; define retention schedules and minimisation rules; design opt-out and SPI-limit mechanisms including GPC handling.
- Deliverables: notice suite; DSAR procedure and verification standard; retention schedule; opt-out/GPC design specification.
Phase 3 - Build and integrate
- Activities: deploy consent/preference-management and DSAR tooling; implement GPC detection; instrument tag/cookie governance; configure downstream suppression; execute service-provider/contractor DPAs.
- Deliverables: live opt-out links and 'Your Privacy Choices' page; operational DSAR workflow; signed contract portfolio; cookie/tag register.
Phase 4 - Govern and operationalise
- Activities: stand up privacy governance and training; implement risk-assessment/DPIA and (where applicable) cybersecurity-audit processes; strengthen reasonable security; establish request-metrics reporting.
- Deliverables: governance charter and RACI; training records; DPIA methodology; security control mapping; metrics dashboard.
Phase 5 - Monitor, test and improve
- Activities: periodic control testing; DSAR SLA monitoring; annual policy/inventory refresh; vendor re-assessment; internal audit and management review.
- Deliverables: control-test reports; annual review evidence; corrective-action tracker; management-review minutes.
Maturity and capability model
While CCPA/CPRA is not itself a maturity model, assessors benefit from a capability scale to grade each domain and guide roadmap prioritisation. The five-level model below is adapted from common capability-maturity conventions.
| Level | Description and typical characteristics |
|---|---|
| Level 1 - Initial / Ad hoc | No formal privacy programme; notices absent or stale; DSARs handled reactively; unaware of thresholds. High enforcement exposure. |
| Level 2 - Developing | Basic privacy policy and opt-out link exist; DSAR process informal; partial data inventory; some vendor contracts lack CPRA terms. |
| Level 3 - Defined | Documented policies, notices, DSAR and verification procedures; complete data inventory; GPC recognised; DPAs in place; retention schedule defined. |
| Level 4 - Managed / Measured | Metrics tracked (SLA, volumes, denials); regular risk assessments; automated suppression and preference management; annual reviews performed; training embedded. |
| Level 5 - Optimising | Continuous improvement; privacy-by-design integrated into product; automated data mapping; proactive regulatory monitoring; independent audits; strong accountability culture. |
Assessment and audit approach
An independent CCPA/CPRA assessment should follow a structured, evidence-led methodology:
- Planning and scoping: confirm applicability, exemptions, and the in-scope entities, populations, and systems; agree the assessment period and criteria.
- Documentation review: examine notices, privacy policy, DSAR procedures, verification standards, retention schedules, DPAs, security policy, and governance artefacts.
- Data-mapping validation: reconcile the data inventory/RoPA against actual systems, cookies, and vendor lists through interviews and system inspection.
- Control walkthroughs: interview process owners for each domain to understand design and confirm the control operates as documented.
- Operating-effectiveness testing: sample fulfilled DSARs, opt-outs, deletions, and corrections; test GPC handling; verify timelines and verification; inspect suppression propagation.
- Contract and third-party testing: sample service-provider/contractor contracts against the mandatory-terms matrix; verify third-party classification.
- Security assessment: evaluate reasonable-security controls and breach-response readiness relative to the sensitivity of data.
- Gap analysis and rating: rate each domain against the maturity model, document exceptions, and quantify enforcement/private-action risk.
- Reporting and remediation: deliver findings, prioritised recommendations, and a remediation roadmap with owners and target dates.
- Follow-up: validate remediation of high-risk findings and reassess residual risk.
Evidence request list
The following categorised artefacts should be requested at the outset of an assessment.
- Governance and policy: privacy governance charter; org chart/RACI; privacy programme roadmap; internal privacy policies and standards; training materials and completion logs.
- Notices: notice at collection (all channels); public privacy policy with version history; notice of right to opt-out; notice to limit SPI; notice of financial incentive.
- Data mapping: data inventory / RoPA; PI and SPI classification; data-flow diagrams; cookie/SDK/tag register; system and application inventory.
- Consumer requests: DSAR intake channels and forms; verification procedure; sample fulfilled access/delete/correct request packages; request register (24-month); annual metrics (if 10m+ threshold).
- Opt-out mechanics: 'Your Privacy Choices' / opt-out link screenshots; GPC-detection implementation evidence; suppression-list and third-party notification records.
- Contracts: executed service-provider, contractor, and third-party agreements/DPAs; mandatory-terms compliance matrix; sub-processor list.
- Retention and minimisation: retention schedule; purge/disposal logs; purpose register and necessity/minimisation analyses.
- Security and breach: information-security policy; control-framework mapping; risk assessments; penetration-test and vulnerability-scan reports; incident-response plan; breach-notification templates; tabletop records; cyber-insurance policy.
- Accountability and audit: DPIA/risk-assessment records; ADMT/profiling inventory; annual review evidence; prior audit reports and remediation trackers; regulator correspondence.
Roles and responsibilities
| Role | Responsibilities |
|---|---|
| Board / executive sponsor | Sets privacy risk appetite, approves budget, provides oversight, and is accountable for the programme. |
| Privacy officer / lead | Owns the CCPA/CPRA programme; maintains policies, inventory, and notices; coordinates rights fulfilment and regulator engagement. |
| Legal counsel | Interprets statutory/regulatory obligations, drafts and negotiates DPAs, manages enforcement and litigation risk, tracks rulemaking. |
| DSAR / operations team | Receives, verifies, and fulfils consumer requests within statutory timelines; maintains the request register. |
| Information security (CISO) | Implements and tests reasonable security; leads breach response; supports cybersecurity audits and DPIAs. |
| Data / engineering teams | Implement data mapping, retention/purge, GPC detection, suppression, and portability exports; embed privacy-by-design. |
| Marketing / ad-tech | Manages cookies/tags, cross-context behavioural advertising, and opt-out/opt-in signals; ensures no unauthorised sale/share. |
| Procurement / vendor management | Ensures every processor is under a compliant contract and conducts vendor due diligence and re-assessment. |
| HR | Manages employee/applicant personal-information notices and rights following the exemption sunset. |
| Internal audit | Independently tests control effectiveness and reports to governance. |
KPIs to track
- DSAR volume by type (know/access, delete, correct, opt-out, limit-SPI) per period.
- Mean and 95th-percentile response time against the 45-day statutory deadline.
- Percentage of requests fulfilled, partially fulfilled, and denied (with denial reason breakdown).
- Percentage of opt-outs (including GPC signals) honoured within 15 business days.
- Third-party opt-out propagation completeness and latency.
- Number of service-provider/contractor contracts with all mandatory CPRA terms (target 100%).
- Data-inventory coverage and staleness (percentage of systems mapped; days since last refresh).
- Retention compliance: volume of data past its retention period awaiting purge.
- Training completion rate for staff handling personal information.
- Number and severity of privacy incidents / near-misses and mean time to notify.
- Number of DPIAs/risk assessments completed versus required.
- Percentage of high-risk audit findings remediated on schedule.
Readiness checklist
- Applicability and exemptions determined and documented.
- Complete data inventory covering PI and SPI across all consumer, employee, and B2B populations.
- Privacy policy updated within the last 12 months with all required disclosures.
- Notice at collection present at every collection point.
- 'Your Privacy Choices' / opt-out link and (where applicable) 'Limit the Use of My Sensitive Personal Information' link live and conspicuous.
- Global Privacy Control detected and honoured as a valid opt-out.
- DSAR intake (two methods), verification, and fulfilment processes operational within statutory timelines.
- Request register maintained for 24 months.
- Retention schedule defined and enforced with automated purge.
- Data minimisation and purpose-limitation controls in place.
- All service providers/contractors under contracts containing every mandatory CPRA term.
- Third-party recipients classified and sales/shares correctly identified.
- Reasonable security controls implemented and breach-response plan tested.
- Risk assessments/DPIAs conducted for higher-risk processing.
- ADMT/profiling inventoried with applicable rights honoured.
- Privacy governance, training, and annual review cycle established.
Common gaps
- Stale or generic privacy policy that omits categories sold/shared, retention periods, or SPI disclosures.
- Failure to recognise the Global Privacy Control signal, a frequent enforcement focus (e.g., regulator settlements).
- Treating disclosures to ad-tech and analytics vendors as service-provider relationships when they are in fact 'sales' or 'shares' requiring opt-out.
- Service-provider/contractor contracts missing one or more mandatory CPRA clauses (no-combining, certification, audit rights, flow-down).
- Ignoring employee, applicant, and B2B personal information after the HR/B2B exemption sunset.
- Opt-out propagation not communicated to third parties who received data in the prior 90 days.
- No defined retention schedule, leading to indefinite storage in breach of storage limitation.
- DSAR verification either too weak (identity risk) or too burdensome (unlawful friction).
- Under-counting consumers/households/devices and wrongly concluding the law does not apply.
- Dark patterns or asymmetric choice architecture making opting out harder than opting in.
- No risk-assessment/DPIA process for higher-risk processing or ADMT, ahead of CPPA rulemaking deadlines.
- Cookies and tags deployed without governance, causing unintended undisclosed sharing.
CCPA / CPRA mapped to other frameworks
CCPA/CPRA obligations overlap substantially with other privacy and security regimes, enabling control reuse for organisations operating multi-framework programmes.
| CCPA / CPRA obligation | Comparable requirement in other frameworks |
|---|---|
| Consumer rights (access, delete, correct, portability, opt-out) | GDPR Arts 15-21 (data subject rights); India DPDP Act 2023 rights of correction/erasure/grievance; Virginia VCDPA / Colorado CPA consumer rights. |
| Transparency / notice at collection and privacy policy | GDPR Arts 13-14; DPDP notice requirement; ISO/IEC 27701 privacy notice controls. |
| Purpose limitation, data minimisation, storage limitation | GDPR Art 5(1)(b),(c),(e); ISO/IEC 27701 8.x; NIST Privacy Framework CT.PO. |
| Sensitive personal information limits | GDPR Art 9 special categories; DPDP sensitive-data safeguards. |
| Service-provider/contractor contracts and flow-down | GDPR Art 28 processor contracts; ISO/IEC 27701 supplier controls; SOC 2 vendor management. |
| Opt-out of sale/share and preference signals (GPC) | GDPR consent/legitimate-interest and ePrivacy cookie consent; IAB TCF. |
| Reasonable security | GDPR Art 32; ISO/IEC 27001 Annex A; NIST CSF; CIS Controls; SOC 2 Security. |
| Risk assessments / DPIA | GDPR Art 35 DPIA; NIST Privacy Framework; ISO/IEC 29134. |
| Governance and accountability | GDPR Art 5(2) & Art 24; ISO/IEC 27701 management system; NIST Privacy Framework GV. |
| Breach notification | GDPR Arts 33-34; India DPDP breach reporting; state breach-notification laws. |
How CyberSigma helps
Frequently asked questions
Need help with CCPA / CPRA?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
