A complete CCPA and CPRA compliance programme, from data inventory and opt-out mechanisms to consumer rights workflows and vendor contract management, covering obligations for businesses handling California consumer data.
CCPA/CPRA applies to any for-profit business that collects California consumer data and meets revenue, data volume, or data sales thresholds. The CPPA enforces the law with fines up to $7,500 per intentional violation. Beyond fines, CCPA compliance is now a standard requirement for enterprise contracts and demonstrates privacy maturity across US markets.
Map all personal information collected, together with its sources, purposes, recipients, and retention periods, per CCPA Section 1798.100.
Review current data practices against all CCPA/CPRA obligations; identify gaps and prioritise remediation by risk level.
Audit existing consumer rights processes against the 45-day statutory timeline; evaluate right to know, delete, correct, and opt-out capabilities.
Audit service providers and contractors for CCPA/CPRA compliance; review contract terms and data handling practices.
Determine CCPA/CPRA applicability against revenue, data volume, and data sales thresholds; assess scope of obligations.
Map all data sharing and sale activities; classify what constitutes a "sale" under CCPA and assess opt-out and disclosure requirements.
Draft CCPA-compliant privacy notices covering all required disclosures: categories collected, purposes, consumer rights, and contact details.
Deploy "Do Not Sell or Share My Personal Information" links and GPC signal recognition; implement opt-out preference management for targeted advertising.
Build verified response processes for all consumer rights within the 45-day statutory window; include identity verification, templates, and escalation paths.
Review and remediate service provider contracts; embed CPRA-required restrictions on onward use of personal information.
Configure systems to recognise and honour GPC signals as a valid opt-out per CPPA guidance and regulatory expectations.
Build CCPA-specific breach response procedures; implement consumer notification obligations for unauthorised access to non-encrypted personal information.
Conduct periodic reviews of data practices and new processing activities; monitor CPPA regulatory guidance for continuous compliance.
Deliver role-based CCPA/CPRA training for customer-facing, marketing, legal, and engineering teams; include annual refreshers and scenario-based exercises.
Assess privacy notices, opt-out mechanisms, and consumer rights processes annually against evolving CPPA regulations and enforcement guidance.
Track CPPA rulemaking, enforcement actions, and guidance updates affecting CCPA/CPRA compliance obligations and operational requirements.
Report consumer rights request volumes, response times, and completion rates; demonstrate compliance effectiveness to stakeholders.
Monitor service provider and contractor compliance with CPRA contract terms, data use restrictions, and breach notification obligations.
If you collect personal information from California consumers and meet any one of the revenue, data volume, or data sales thresholds, CCPA/CPRA applies regardless of where you are headquartered.
Technology companies processing data on behalf of California-based businesses are classified as service providers and must execute CPRA-compliant contracts restricting data use.
Indian companies with US operations, US customers, or US cloud services processing California consumer data are in scope for CCPA/CPRA and must comply or risk CPPA enforcement action.
A structured six-phase process from initial data inventory and gap assessment through to ongoing CPPA regulatory monitoring and compliance maintenance.
Map all personal information flows and gap-assess current practices against CCPA/CPRA obligations across all processing activities and systems.
Draft CCPA-compliant privacy notices, implement opt-out links, and configure GPC signal recognition across all digital properties.
Deploy verified response processes for all consumer rights requests within the 45-day statutory window, including identity verification and response templates.
Review and remediate contracts with service providers, contractors, and third parties to include CPRA-required clauses restricting onward use of personal information.
Establish CCPA-specific breach response procedures including consumer notification obligations for unauthorised access to non-encrypted or non-redacted personal information.
Periodic review of data practices, new processing activities, CPPA regulatory guidance, staff training updates, and consumer request metrics reporting.