CCPA & CPRA Explained: California Privacy Laws Guide 2025
California leads the United States in consumer privacy protection, and understanding the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), is essential for CIPP/US certification. With the CPRA's September 2025 regulatory updates taking effect in January 2026, privacy professionals must stay current on California's evolving requirements.
This comprehensive guide covers everything you need to know about CCPA/CPRA for the CIPP/US exam, including the latest 2025-2026 updates, recent enforcement actions, and practical compliance guidance.
What is the CCPA/CPRA?
The California Consumer Privacy Act (CCPA) became effective on January 1, 2020, marking a watershed moment in U.S. privacy law. It was the first comprehensive state privacy law in the nation, granting California residents unprecedented rights over their personal information.
On November 3, 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which significantly amended and expanded the CCPA. The CPRA is not a separate law but rather a comprehensive amendment that took effect on January 1, 2023.
📋 Key Concept for CIPP/US Exam
The CPRA is technically an amendment to the CCPA, not a separate law. You'll often see it referred to as "CCPA, as amended" or simply "CCPA" in official documents. The California Privacy Protection Agency (CPPA) uses "CCPA" to refer to the law with all CPRA amendments included.
Major CPRA Enhancements Over Original CCPA
- Created the CPPA: Established the first U.S. state agency dedicated solely to privacy enforcement
- Sensitive Personal Information: Introduced a new category of data requiring heightened protection
- Right to Correction: Added the ability for consumers to correct inaccurate information
- Right to Limit: Allowed consumers to limit use of sensitive personal information
- Sharing: Expanded beyond "sale" to include "sharing" for cross-context behavioral advertising
- Extended Coverage: Removed most B2B and employee exemptions
- Risk Assessments: Required comprehensive assessments for high-risk processing
- Cybersecurity Audits: Mandated independent audits for covered businesses
From CCPA to CPRA: Evolution Timeline
| Date | Milestone |
|---|---|
| June 28, 2018 | CCPA signed into law by Governor Brown |
| January 1, 2020 | CCPA becomes effective |
| July 1, 2020 | CCPA enforcement begins by Attorney General |
| November 3, 2020 | CPRA (Proposition 24) approved by voters |
| December 16, 2020 | CPRA becomes law |
| January 1, 2023 | CPRA amendments take effect |
| July 1, 2023 | CPPA enforcement authority begins |
| July 24, 2025 | CPPA approves major regulatory updates |
| September 23, 2025 | New regulations finalized by Office of Administrative Law |
| January 1, 2026 | September 2025 regulations take effect |
| January 1, 2027 | ADMT (Automated Decision-Making) obligations begin |
| April 1, 2028 | First cybersecurity audit deadlines (phased by revenue) |
Who Must Comply? Business Thresholds
The CCPA/CPRA applies to for-profit businesses that:
- Do business in California
- Collect personal information from California consumers
- Meet at least ONE of the following thresholds:
The Three Threshold Tests (2025)
💰 Threshold #1: Annual Revenue
$26,625,000 or more in annual gross revenues in the preceding calendar year
- This is GLOBAL revenue, not just California revenue
- Updated for inflation effective January 1, 2025 (was $25 million)
- Adjusted every two years based on California Consumer Price Index
- Most common threshold that captures mid-size and large companies
👥 Threshold #2: Consumer/Household Volume
Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households
- Increased from 50,000 under original CCPA
- "Shares" added by CPRA—includes cross-context behavioral advertising
- Measured on a rolling 12-month basis, not calendar year
- Each website visitor using tracking cookies may count as "sharing"
- Even if you delete data regularly, the processing counts toward threshold
💵 Threshold #3: Revenue from Data Sales/Sharing
Derives 50% or more of annual revenues from selling or sharing consumers' personal information
- "Sharing" added by CPRA—originally only "selling"
- Includes revenue from interest-based/behavioral advertising
- Data brokers and ad-tech companies commonly meet this threshold
- If retargeting drives sales, that revenue may be "derived from" selling/sharing
⚠️ Common Threshold Mistakes for CIPP/US Exam
- Wrong: $26.6M only from California revenue → Right: Total global revenue
- Wrong: 50,000 consumers → Right: 100,000 consumers (CPRA change)
- Wrong: Thresholds reset January 1 → Right: Rolling 12-month measurement
- Wrong: Only "selling" counts → Right: Both "selling" AND "sharing"
Additional Coverage Rules
Controlled Entities: Any entity that controls or is controlled by a covered business, shares common branding, and shares consumer personal information is also covered.
Joint Ventures: Partnerships or joint ventures where each business has at least 40% interest and is composed of covered businesses.
Voluntary Certification: Any person can voluntarily certify to the CPPA that they comply with the CCPA.
Consumer Rights Under CCPA/CPRA
California residents have six major privacy rights. A helpful mnemonic for the CIPP/US exam is "LOCKD-N":
L - Right to Limit Use of Sensitive Personal Information
Consumers can direct businesses to limit the use and disclosure of their sensitive personal information to only:
- Providing goods or services requested by the consumer
- Purposes specified in CCPA regulations (security, fraud prevention, etc.)
- Short-term, transient use for non-personalized advertising
Implementation: Businesses must provide a "Limit the Use of My Sensitive Personal Information" link on their homepage.
Response time: 15 business days maximum
💡 CIPP/US Exam Tip
The right to limit applies only to SENSITIVE personal information, not all personal information. This is different from the right to opt-out, which applies to sale/sharing of any personal information.
O - Right to Opt-Out of Sale or Sharing
Consumers can direct businesses to stop selling or sharing their personal information to third parties.
Key points:
- "Sale" = exchanging personal information for monetary or other valuable consideration
- "Sharing" = disclosing for cross-context behavioral advertising (added by CPRA)
- Must honor Global Privacy Control (GPC) signals
- Must provide "Do Not Sell or Share My Personal Information" link
- Cannot require account creation to opt-out
Response time: 15 business days maximum
Minors: Different rules apply:
- Under 13: Cannot sell/share without opt-in consent from parent/guardian
- 13-15 years: Cannot sell/share without opt-in consent from the minor themselves
- 16+ years: Standard opt-out applies
C - Right to Correction
Consumers can request that businesses correct inaccurate personal information (added by CPRA).
Process:
- Consumer identifies inaccurate information and provides correction
- Business must correct and notify service providers and contractors
- Business can deny if information is accurate
Response time: 45 days (extendable to 90 days with notice)
K - Right to Know
Consumers can request disclosure of what personal information a business has collected about them.
Businesses must disclose:
- Categories of personal information collected
- Categories of sources from which information was collected
- Business or commercial purposes for collecting or selling
- Categories of third parties with whom information is shared
- Specific pieces of personal information collected (if requested)
- If information was sold or shared, categories and recipients
Response time: 45 days (extendable to 90 days with notice)
Frequency limit: Businesses need only respond twice within a 12-month period
Lookback period: Originally limited to the 12 months preceding the request. The CPRA expanded it: if the business retains data for longer than 12 months, consumers can request information going back to January 1, 2022
D - Right to Delete
Consumers can request that businesses delete their personal information.
Process:
- Two-step process allowed for online deletion requests (submit, then confirm)
- Business must delete from its records
- Business must direct service providers and contractors to delete
- Business can deny if information falls under an exception
Response time: 45 days (extendable to 90 days with notice)
Nine Exceptions to Deletion:
- Complete the transaction or provide requested services
- Detect security incidents, protect against malicious/illegal activity
- Debug to identify and repair errors
- Exercise free speech or ensure another's exercise of free speech
- Comply with California Electronic Communications Privacy Act
- Engage in public or peer-reviewed scientific research
- Enable solely internal uses reasonably aligned with consumer expectations
- Comply with legal obligations
- Make other internal and lawful uses compatible with the context
N - Right to Non-Discrimination
Businesses cannot discriminate against consumers for exercising their CCPA rights.
Prohibited actions:
- Denying goods or services
- Charging different prices or rates
- Providing different level or quality of services
- Suggesting consumer will receive different price/level of service
Financial incentives allowed if:
- Consumer opts in
- Reasonably related to value of consumer's data
- Terms clearly explained
- Consumer can opt-out at any time
- Not unjust, unreasonable, coercive, or usurious
🎯 ADMT Rights (Effective January 1, 2027)
New rights related to Automated Decision-Making Technology:
- Right to Opt-Out: Opt-out of automated decisions that significantly affect you
- Right to Access: Understand the logic, key parameters, and human involvement in ADMT decisions
- Pre-Use Notice: Be informed before ADMT is used for significant decisions
Business Obligations Under CCPA/CPRA
1. Provide Required Notices
Businesses must provide several types of notices:
Notice at Collection:
- Provided at or before the point of collection
- Lists categories of personal information being collected
- Lists purposes for collection
- If selling or sharing, must state that fact
- Link to full privacy policy
Privacy Policy:
- Must be updated at least annually
- Categories of personal information collected (last 12 months)
- Categories of sources
- Business/commercial purposes for collection
- Categories of third parties with whom information is shared
- Categories sold or shared (last 12 months) and to whom
- Data retention periods or criteria for determining them
- Consumer rights and how to exercise them
- If using sensitive personal information, disclosure of uses
Notice of Right to Opt-Out:
- "Do Not Sell or Share My Personal Information" link on homepage
- Must use this language or substantially similar
- Must be clear and conspicuous
- Cannot require account creation
Notice of Right to Limit:
- "Limit the Use of My Sensitive Personal Information" link if applicable
- Must be provided in same manner as collection of SPI
⚠️ 2025 Update: Enhanced Notice Requirements
Effective January 1, 2026:
- Vague disclosures like "to improve services" are no longer sufficient—must be specific
- Must indicate when opt-out signals are honored (e.g., "Opt-Out Request Honored")
- Cookie consent must require affirmative "I accept" button—no pre-checked boxes
2. Honor Consumer Requests
Methods for Submitting Requests:
- Must provide at least TWO methods
- Must include toll-free number and website (if business has one)
- Online-only businesses can provide just email and toll-free number
- Cannot require account creation for opt-out requests
Verification Requirements:
- Must verify identity using reasonable methods
- Level of verification should match sensitivity of information
- Account holders: Can verify through existing authentication
- Non-account holders: Match 2-3 data points previously collected
Response Timeframes:
| Request Type | Response Time |
|---|---|
| Acknowledge receipt | 10 business days |
| Know, Delete, Correct | 45 days (extendable to 90) |
| Opt-Out, Limit SPI | 15 business days |
3. Maintain Proper Contracts
Service Provider Contracts Must Include:
- Disclosure is for limited and specific purposes
- Service provider must comply with CCPA
- Service provider must provide same level of privacy protection
- Business has right to ensure compliance
- Service provider must notify business if unable to meet obligations
- Business has right to take steps to stop unauthorized use
⚠️ Recent Enforcement Focus: Contracts
Multiple 2025 enforcement actions (Tractor Supply, Healthline) involved inadequate service provider contracts. The CPPA emphasized that businesses cannot simply assume third parties comply—they must verify through proper contractual language.
4. Respect Opt-Out Preference Signals
Businesses must honor browser-based opt-out preference signals like Global Privacy Control (GPC).
- Must recognize GPC as valid opt-out request
- Must configure website to honor signals by default
- Must indicate when signal is processed (e.g., "Opt-Out Request Honored")
- Cannot require additional steps beyond the signal
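As an added example (not code from this guide), the following JavaScript shows one way a site can honor the GPC signal on the server side in line with the four points above: detect the signal, apply the opt-out with no extra steps, show the confirmation text, and stop sale/sharing tags from loading. The header name `Sec-GPC` and the `navigator.globalPrivacyControl` property come from the GPC specification; the preference record, tag catalog and request headers are constructed for the demo.

```javascript
// Added example: server-side handling of the Global Privacy Control (GPC) signal.
// The preference store, tag catalog and request headers below are constructed
// stand-ins for whatever session store and tag manager a real site uses.

// A browser with GPC enabled sends "Sec-GPC: 1" on every request. Header names are
// case-insensitive, and only the value "1" means opt-out; anything else is ignored.
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client-side counterpart: the same signal is exposed to page scripts as
// navigator.globalPrivacyControl (true when enabled). `nav` is passed in so the
// check also runs outside a browser.
function clientSignalPresent(nav) {
  return nav !== null && typeof nav === "object" && nav.globalPrivacyControl === true;
}

// Consumer preference record, as kept in a (hypothetical) session or profile store.
function defaultPreferences() {
  return { optOutOfSaleSharing: false, source: null, honoredAt: null };
}

// Apply the signal. The opt-out takes effect immediately with no additional steps,
// and this function never downgrades it: a later request without the header (say,
// from a second browser) does not cancel an opt-out that was already honored.
function applyGpcSignal(headers, prefs, now = new Date()) {
  const next = { ...prefs };
  if (gpcSignalPresent(headers) && !next.optOutOfSaleSharing) {
    next.optOutOfSaleSharing = true;
    next.source = "gpc";
    next.honoredAt = now.toISOString();
  }
  return next;
}

// Text to render so the consumer can see that the signal was processed.
function confirmationMessage(prefs) {
  return prefs.optOutOfSaleSharing ? "Opt-Out Request Honored" : "";
}

// Gate third-party tags: once the consumer has opted out, tags whose purpose is
// "sale" or "share" (cross-context behavioral advertising) are suppressed, while
// tags needed for the service itself (e.g. fraud prevention) still run.
function allowedTags(tagCatalog, prefs) {
  return tagCatalog.filter(
    (tag) => !prefs.optOutOfSaleSharing || !(tag.purpose === "sale" || tag.purpose === "share")
  );
}

// Constructed demo request and tag catalog.
const demoHeaders = { Host: "shop.example", "Sec-GPC": "1", "User-Agent": "demo-browser" };
const demoTags = [
  { id: "fraud-detection", purpose: "necessary" },
  { id: "retargeting-pixel", purpose: "share" },
  { id: "data-coop-beacon", purpose: "sale" },
];

// Walk one request through the flow and return what the page would show and load.
function demo() {
  const prefs = applyGpcSignal(demoHeaders, defaultPreferences());
  return {
    message: confirmationMessage(prefs),
    tags: allowedTags(demoTags, prefs).map((t) => t.id),
  };
}

console.log(JSON.stringify(demo()));
```

The opt-out decision is made before any tag is emitted, which is the point the Tractor Supply action turned on: a form or link that records a preference but keeps firing sharing tags does not honor the request.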
5. Implement Security Measures
Businesses must implement reasonable security procedures and practices to protect personal information.
While specific measures aren't prescribed, enforcement actions show expectations:
- Encryption for sensitive data
- Access controls and authentication
- Regular security testing and assessments
- Incident response procedures
- Employee training on data protection
6. Keep Records
All Covered Businesses: Must keep records of consumer requests for at least 24 months, including:
- Date of request
- Method of request
- Date and nature of response
- Basis for any denial
High-Volume Businesses (4M+ consumers/year): Must additionally compile and disclose metrics:
- Number of requests received by type
- Number complied with and denied
- Median response time
- Must disclose these metrics in privacy policy
Sensitive Personal Information
The CPRA introduced "Sensitive Personal Information" (SPI) as a subset of personal information requiring heightened protection. Consumers have the right to limit the use and disclosure of SPI.
Categories of Sensitive Personal Information
| Category | Examples |
|---|---|
| Government Identifiers | Social security number, driver's license, state ID, passport number |
| Financial Account Information | Account number + security code/password/credentials |
| Precise Geolocation | Location within 1,850 feet radius |
| Racial or Ethnic Origin | Self-identified or inferred race/ethnicity |
| Religious or Philosophical Beliefs | Religious affiliation, spiritual beliefs, philosophical positions |
| Union Membership | Labor union affiliation |
| Mail/Email/Text Contents | Contents of messages not directed to the business |
| Genetic Data | DNA analysis, genetic testing results |
| Biometric Information | For unique identification: fingerprints, face prints, voiceprints, iris scans |
| Health Information | Medical conditions, diagnoses, treatments (unless already covered by HIPAA) |
| Sexual Orientation | Information about sexual preferences or orientation |
| Sex Life | Information about sexual activities or behavior |
| Neural Data (2025 Update) | Information from central or peripheral nervous system activity |
| Citizenship/Immigration Status (2024 Update) | Information about immigration status or citizenship |
💡 SPI Processing Limitations
When SPI use is limited by a consumer, businesses may only use it for:
- Performing services reasonably expected by the consumer
- Preventing, detecting, and investigating security incidents
- Resisting malicious, fraudulent, or illegal actions
- Ensuring physical safety
- Short-term, transient use (e.g., non-personalized ads during current visit)
- Quality control and service improvements
- Certain research purposes with additional protections
2025-2026 Major Updates
On July 24, 2025, the CPPA approved sweeping regulatory updates that were finalized by the Office of Administrative Law on September 23, 2025. These regulations represent the most significant expansion of CCPA/CPRA requirements since the law's inception.
1. Automated Decision-Making Technology (ADMT) Requirements
Effective Date: January 1, 2027
What is ADMT? Technology that replaces or substantially replaces human decision-making in significant decisions affecting consumers.
Significant Decisions Include:
- Employment eligibility, hiring, promotion, termination
- Credit or lending approval
- Healthcare diagnosis or treatment
- Housing eligibility
- Education admission or performance evaluations
- Insurance underwriting or pricing
Key Changes from Proposed Rules:
- Removed "AI" terminology to avoid ambiguity
- Removed behavioral advertising from "significant decisions"
- Narrowed to technologies that "replace or substantially replace" human decision-making
Business Obligations for ADMT:
- Pre-Use Notice: Inform consumers before using ADMT for significant decisions
- Opt-Out Right: Allow consumers to opt-out of ADMT decisions
- Access Rights: Upon request, explain in plain language:
- Specific purpose of the ADMT
- Logic and key parameters that affected the output
- How the output influenced the decision
- Role of any human involvement
- Data sources and assumptions used
- Opt-In for Sensitive Info: Must obtain opt-in consent when ADMT processes sensitive personal information or information about minors
- Human Review Exception: ADMT systems with meaningful human oversight or override are partially exempted
- 12-Month Wait: After consumer opts out, must wait 12 months before requesting consent to resume ADMT
2. Cybersecurity Audit Requirements
Who Must Audit: Businesses meeting specific risk-based thresholds (generally large businesses processing significant volumes of personal information)
Phased Implementation by Revenue:
| Annual Revenue | First Audit Deadline |
|---|---|
| $1 billion or more | April 1, 2028 |
| $500M - $999.9M | April 1, 2029 |
| $100M - $499.9M | April 1, 2030 |
After First Audit: Must complete annual audits every 12 months
Auditor Requirements:
- Independent third party (internal or external)
- Qualified to assess cybersecurity controls
- Must have appropriate expertise and credentials
Audit Must Assess:
- Security controls protecting personal information
- Compliance with CCPA security obligations
- Effectiveness of security program
- Incident response capabilities
3. Risk Assessment Requirements
Effective Date: January 1, 2026
Activities Requiring Risk Assessment:
- Processing any sensitive personal information (with limited employment exemption)
- Using ADMT for significant decisions
- Using personal information to train ADMT systems
- Using automated processing to infer sensitive information about consumers
- Profiling based on sensitive location activities (hospitals, places of worship, political offices, schools)
- Processing involving facial recognition, emotion recognition, or identity verification
Risk Assessment Must Include:
- Detailed description of processing purpose(s)
- Categories of personal information involved
- Assessment of benefits to business and consumers
- Assessment of potential risks to consumer privacy
- Safeguards in place to mitigate risks
- Consideration of less intrusive alternatives
Annual Attestation: Covered businesses must attest annually to completing required risk assessments
4. Insurance Clarifications
Regulations clarify when insurance companies must comply with CCPA:
- Exemptions for information subject to Gramm-Leach-Bliley Act (GLBA)
- But CCPA applies to information not covered by GLBA (e.g., website tracking, marketing)
- Specific guidance on employee benefits information
5. Enhanced Transparency Requirements
Prohibition on Vague Disclosures: No more general statements like "to improve services"—must specify exact categories of data and specific purposes
Cookie Consent Requirements:
- Cannot obtain consent without affirmative selection
- Must have "I accept" button or equivalent
- Pre-checked boxes not permitted
Opt-Out Signal Confirmation: Must provide visible confirmation when opt-out preference signals are honored (e.g., "Opt-Out Request Honored" message)
6. Extended Right to Know Lookback
If a business retains personal information for longer than 12 months, it must provide consumers a method to request information collected prior to the 12-month period, going back to January 1, 2022.
7. Data Broker Registration and DELETE Act
Effective Date: Various (DELETE Act fully effective August 1, 2026)
Data brokers must:
- Register annually with CPPA by January 31
- Pay annual registration fee
- Access centralized deletion mechanism every 45 days
- Process deletion requests within 45 days
- Undergo independent audit every three years (starting January 2028)
- Provide enhanced disclosures about privacy practices
Penalties for Non-Registration: $200 per day up to maximum fine
⚠️ CPPA Data Broker Enforcement Sweep 2024-2025
The CPPA launched an aggressive enforcement sweep in October 2024, resulting in settlements with multiple data brokers:
- National Public Data: $46,000 fine sought (registered 230 days late)
- Infillion: $54,200 settlement
- The Data Group: Settlement amount undisclosed
- Background Alert: Required to shut down or pay steep fine
Enforcement and Penalties
Enforcement Authorities
California Privacy Protection Agency (CPPA):
- Established by CPRA as first U.S. state agency dedicated solely to privacy
- Primary enforcement authority since July 1, 2023
- Can investigate violations, issue subpoenas, conduct audits
- Can bring administrative enforcement actions
- 5-member Board appointed by Governor and Legislature
California Attorney General:
- Retains concurrent enforcement authority
- Has brought several major settlements (Sephora, DoorDash, Healthline)
- Can bring civil enforcement actions in court
Administrative Fines and Civil Penalties (Updated January 2025)
Effective January 1, 2025, penalties adjusted for inflation:
| Violation Type | Prior Amount | 2025 Amount |
|---|---|---|
| Unintentional violation | Up to $2,500 | Up to $2,628 |
| Intentional violation OR violation involving minors | Up to $7,500 | Up to $7,884 |
Critical Points:
- NO CAP on total penalties (unlike GDPR's 4% of global revenue cap)
- Penalties are PER VIOLATION—can multiply quickly
- Each affected consumer can constitute a separate violation
- Penalties adjust every two years based on California CPI
⚠️ How Penalties Can Escalate
Example: A business fails to honor opt-out requests for 10,000 consumers. If each consumer's request counts as a separate violation, the exposure is $2,628 × 10,000 = $26.28 million in potential fines
Private Right of Action
Consumers can bring civil lawsuits for data breaches involving:
- Non-encrypted and non-redacted personal information
- Unauthorized access and exfiltration, theft, or disclosure
- Resulting from business's failure to implement reasonable security
Damages:
- Between $100 and $750 per consumer per incident, OR
- Actual damages, whichever is greater
Class Action Risk: Can result in massive liability when thousands of consumers are affected
No Private Right for Other Violations: Consumers cannot sue for violations of rights (e.g., failure to honor deletion request)—only regulatory agencies can enforce
Cure Period
CCPA: 30-day cure period mandatory before penalties
CPRA: CPPA has discretion whether to provide cure period—no longer mandatory. In practice:
- CPPA has sometimes provided opportunities to remedy violations
- But no guarantee of cure period
- Intentional or egregious violations unlikely to receive cure opportunity
2024-2025 Enforcement Actions: Key Cases
Tractor Supply Company - $1.35 Million (September 2025)
Violations:
- Ineffective opt-out mechanisms—webform didn't actually stop tracking
- Failed to honor GPC signals until July 2024
- Failed to update privacy policy annually (updated Nov 2021, not again until after investigation)
- Inadequate job applicant privacy notices
- Insufficient service provider contracts with ad tech companies
Significance: Largest CPPA fine to date; first case addressing job applicant rights; established CPPA can investigate conduct back to January 1, 2020
Healthline Media - $1.55 Million (July 2025)
Violations:
- Sold/shared data showing consumers reading medical condition articles
- Inadequate service provider contracts—assumed compliance without verification
- Failed to provide clear notices about data sharing with ad networks
Significance: Settlement prohibits selling/sharing data showing someone is reading medical articles—stricter than CCPA baseline requirements
Honda - $632,500 (March 2025)
Violations:
- Inadequate privacy policy disclosures
- Failed to properly respond to consumer requests
- Insufficient notice about data collection and sharing
Todd Snyder - $345,178 (May 2025)
Violations:
- Opt-out and privacy request processes failed to meet CCPA standards
- Ineffective mechanisms for exercising consumer rights
Sephora - $1.2 Million (2022)
Violations:
- Failed to disclose selling personal information
- Did not honor GPC signals
- Did not cure within required period
Significance: First major CCPA enforcement action, set tone for future enforcement
DoorDash - $375,000 (2024)
Violations:
- Participated in marketing cooperative that shared customer data
- Inadequate notice to consumers
- Failed to provide opportunity to opt-out
Common Violation Patterns
Based on enforcement actions, businesses most commonly fail in these areas:
- Ineffective Opt-Out Mechanisms: Having a link/form that doesn't actually stop data sale/sharing
- GPC Non-Compliance: Not honoring browser-based opt-out signals
- Inadequate Contracts: Service provider agreements lacking required CCPA terms
- Insufficient Notices: Vague, incomplete, or outdated privacy policies
- Notice at Collection Failures: Not informing consumers at point of collection
- Annual Update Failure: Not updating privacy policy at least annually
- Dark Patterns: Using manipulative UI to discourage privacy choices
- Data Broker Non-Registration: Failing to register and pay annual fee
Steps to Compliance
1. Determine if CCPA/CPRA Applies
- Calculate annual revenue (global, not just California)
- Count California consumers/households whose data you buy/sell/share
- Calculate revenue derived from selling/sharing personal information
- Remember: Measured on rolling 12-month basis
- Consider controlled entity and joint venture rules
2. Conduct Data Inventory and Mapping
- Identify all personal information collected
- Document sources of collection
- Map data flows to third parties
- Identify sensitive personal information
- Determine what constitutes "sale" and "sharing"
- Document retention periods for each category
3. Update Privacy Notices
Privacy Policy must include:
- All required disclosures (see obligations section above)
- Consumer rights and how to exercise them
- Contact methods (toll-free number, website)
- If high-volume business: metrics on requests
- Specific purposes for each category of data
- Data retention periods or criteria
Notice at Collection must include:
- Categories being collected
- Purposes for collection
- Whether data will be sold or shared
- Link to privacy policy
Update frequency: At least annually, and whenever there's a material change
4. Implement Consumer Rights Mechanisms
- Create at least two methods for submitting requests
- Add "Do Not Sell or Share" link to homepage
- Add "Limit the Use of My Sensitive Personal Information" link if applicable
- Implement GPC signal recognition
- Develop verification procedures
- Create internal processes to respond within deadlines
- Train staff on handling requests
5. Review and Update Third-Party Contracts
- Ensure service provider agreements include all required terms
- Review contracts with advertising technology providers
- Verify third parties can support CCPA compliance
- Include audit rights
- Don't assume compliance—verify it
6. Implement Technical Controls
- Configure systems to honor opt-out requests
- Implement GPC signal processing
- Ensure opt-out mechanisms actually stop data sale/sharing
- Create ability to delete data upon request
- Implement data retention limits
- Use encryption for sensitive data
- Implement access controls
7. Prepare for 2026-2027 Requirements
Risk Assessments (By January 1, 2026):
- Identify processing activities requiring assessment
- Develop assessment templates and procedures
- Complete assessments for all applicable activities
- Prepare for annual attestation
ADMT Compliance (By January 1, 2027):
- Inventory all automated decision-making systems
- Determine which involve "significant decisions"
- Create pre-use notices
- Implement opt-out mechanisms
- Develop processes to explain ADMT logic and parameters
- Get opt-in consent for SPI processing by ADMT
Cybersecurity Audits (By April 2028-2030):
- Determine if your revenue triggers audit requirement
- Identify deadline based on revenue tier
- Select independent auditor (internal or external)
- Conduct security assessment and remediation now
- Prepare documentation and evidence
- Plan for annual audits going forward
8. Maintain Ongoing Compliance
- Monitor for threshold changes (revenue, consumer count)
- Track regulatory updates—CPPA regularly issues new guidance
- Keep records of all consumer requests for 24 months
- Update privacy policy at least annually
- Provide required training to staff
- Conduct periodic compliance audits
- Stay informed on enforcement actions to learn from others' mistakes
CIPP/US Exam Focus Areas
For the CIPP/US exam, California state privacy law typically represents 50% or more of the state privacy law questions (with the September 2026 exam update, state law questions increase from 6-8 to 13-17 questions total). Here's what to prioritize:
High-Priority Topics
🎯 Must Know Cold
- Three business thresholds: $26.625M revenue, 100K consumers, 50% revenue from sales/sharing
- Six consumer rights (LOCKD-N): Limit, Opt-Out, Correct, Know, Delete, Non-discrimination
- Difference between "sale" and "sharing"
- What constitutes sensitive personal information (11+ categories)
- Response timeframes: 10 days acknowledge, 45 days respond (extendable to 90), 15 days opt-out
- CPRA vs. CCPA key differences: SPI, correction right, CPPA, sharing, B2B/employee coverage
- Service provider contract requirements (6 elements)
Commonly Tested Concepts
- Global Privacy Control (GPC): Must honor, must indicate when honored
- Minor protections: Under 13 = parent opt-in required; 13-15 = minor's own opt-in
- Deletion exceptions: Know at least 5 of the 9
- Financial incentives: Allowed if opt-in, reasonably related to value, revocable
- Notice at collection vs. privacy policy: Different requirements and timing
- High-volume business obligations: 4M+ consumers = metrics disclosure
- Enforcement: Dual enforcement by CPPA and Attorney General
- Penalties: $2,628 unintentional, $7,884 intentional/minors, no cap
2025-2026 Update Areas
Newer material more likely to appear on exam:
- ADMT requirements (effective 2027)
- Risk assessment triggers and requirements
- Cybersecurity audit phasing
- Neural data as SPI (September 2025)
- Citizenship/immigration status as SPI (2024)
- DELETE Act and data broker obligations
- Recent enforcement actions and common violations
Comparison with Other State Laws
Exam may test your ability to compare California with other states:
| Feature | California (CCPA/CPRA) | Other Comprehensive State Laws |
|---|---|---|
| Revenue threshold | $26.625M (global) | Most: $25M (varies by state) |
| Consumer threshold | 100,000 | Virginia: 100K consumers OR 25K + 50% revenue; Colorado: 100,000; Connecticut: 100,000 |
| Sensitive data concept | Yes, extensive (11+ categories) | Most states have similar concept |
| Right to correction | Yes | Most states: Yes |
| Universal opt-out | Must honor (e.g., GPC) | Required in most states |
| Private right of action | Limited (data breach only) | Most states: None |
| Enforcement | Dedicated agency (CPPA) + AG | Most states: AG only |
| Risk assessments | Yes (high-risk processing) | Colorado, Connecticut, Virginia: Yes; Others: Generally no |
| Employee/B2B data | Covered (CPRA removed exemptions) | Most states: Exempted or limited |
Study Tips for California Law
💡 Effective Study Strategies
- Create comparison tables: CCPA vs. CPRA, California vs. other states
- Use the LOCKD-N mnemonic: Makes six rights easier to remember
- Memorize numbers: Thresholds, deadlines, and penalties appear frequently
- Study recent enforcement: Tractor Supply and Healthline cases illustrate practical application
- Understand "why" not just "what": Know rationale behind requirements
- Focus on 2025-2026 updates: Newer material more likely to be tested
- Practice timeline questions: When did CPRA take effect? When does ADMT compliance begin?
Common Exam Traps
⚠️ Watch Out For
- 50,000 vs. 100,000: Original CCPA had 50K threshold, CPRA increased to 100K
- $25M vs. $26.625M: Threshold adjusted for inflation January 2025
- "Sale" vs. "Sharing": Different concepts with different scopes
- Personal info vs. Sensitive personal info: Different rights apply
- 45 days vs. 15 days: Different response times for different request types
- Opt-out vs. Opt-in: Different standards for different age groups
- CCPA vs. CPRA effective dates: Both are now effective, but implementation is phased
Key Takeaways
California's CCPA/CPRA represents the most comprehensive state privacy law in the U.S. and serves as a model for other states. For the CIPP/US exam:
- California dominates state law questions—expect it to represent ~50% of state privacy law content
- The CPRA is an amendment to CCPA, not a separate law—together they're referred to as "CCPA, as amended"
- Three business thresholds: $26.625M revenue, 100K consumers, or 50% revenue from sales/sharing
- Six consumer rights (LOCKD-N): Limit SPI, Opt-out, Correct, Know, Delete, Non-discrimination
- Sensitive personal information is a special category requiring heightened protection (11+ categories)
- Major 2025-2026 updates: ADMT requirements (2027), cybersecurity audits (2028+), risk assessments (2026)
- Enforcement is aggressive: CPPA and AG have brought numerous actions with millions in fines
- Common violations: Ineffective opt-out mechanisms, GPC non-compliance, inadequate contracts
- Penalties adjusted for inflation: $2,628 per violation (unintentional), $7,884 (intentional/minors)
- No cure period guarantee under CPRA—CPPA has discretion
Test Your CCPA/CPRA Knowledge
Ready to practice? Try our CIPP/US quiz covering California privacy law concepts.