CCPA and CPRA: California privacy guide 2025


CCPA and CPRA: what companies must know about California privacy law

CCPA (California Consumer Privacy Act) and its amendment CPRA (California Privacy Rights Act) are the most comprehensive consumer data privacy laws in the United States. Together they give California residents the right to know what personal data businesses collect about them, to request deletion, to opt out of the sale or sharing of their data, and — under CPRA — to correct inaccurate information. Any company doing business with California consumers must comply, regardless of where the company is headquartered.

The US approach: no single federal privacy law

Unlike the European Union's GDPR, the United States has no single federal data protection law that applies across all industries and states. Instead, US privacy regulation is fragmented: sector-specific federal laws (HIPAA for healthcare, GLBA for financial services) coexist with a growing patchwork of state-level statutes. This fragmented approach places the compliance burden on companies to track multiple overlapping frameworks simultaneously.

California leads this patchwork. Its laws are often the de facto standard companies use to build baseline data practices, because California represents such a significant portion of the US market.

CCPA and CPRA: timelines and enforcement

California Consumer Privacy Act (CCPA) became effective January 1, 2020. It introduced foundational consumer rights: the right to know, the right to delete, and the right to opt out of the sale of personal information.

California Privacy Rights Act (CPRA) amended CCPA and became effective January 1, 2023, with enforcement beginning February 2024. CPRA created the California Privacy Protection Agency (CPPA) as a dedicated regulatory authority, expanded consumer rights, introduced the concept of "sensitive personal information" with additional protections, and added the right to correct inaccurate data.

Both laws apply to for-profit businesses that meet at least one threshold: annual gross revenues above $25 million, buying/selling/receiving personal information of 100,000+ consumers or households, or deriving 50%+ of annual revenues from selling consumers' personal information.

California Privacy Protection Agency: new rules effective 2025–2026

The CPPA has issued regulations that significantly expand compliance obligations beyond the original CCPA/CPRA text. These new rules became effective July 2025, with full compliance expected on a rolling basis through 2026–2027:

  • Mandatory cybersecurity audits — Companies whose data processing activities present significant risk to consumer privacy must undergo annual cybersecurity audits conducted by a qualified, independent auditor.
  • Risk assessments — Businesses must conduct privacy risk assessments before undertaking high-risk processing activities such as selling personal data, profiling consumers, or processing children's data.
  • Automated decision-making restrictions — Consumers gain the right to opt out of and receive explanations for automated decisions that significantly affect them (loan approvals, employment decisions, targeted advertising). Organizations that rely on algorithmic systems for these decisions must implement disclosure and opt-out mechanisms.

These requirements push CCPA/CPRA significantly closer to GDPR-level accountability. A strong cybersecurity posture is no longer optional — it is a documented, auditable requirement.

New state privacy laws effective January 1, 2025

California is not alone. A wave of US state privacy laws took effect on January 1, 2025:

  • Delaware — Delaware Personal Data Privacy Act
  • Iowa — Iowa Consumer Data Protection Act
  • Nebraska — Nebraska Data Privacy Act
  • New Hampshire — New Hampshire Privacy Act

These laws share structural similarities with CCPA/CPRA but differ in thresholds, consumer rights and enforcement mechanisms. Companies operating nationally face an increasingly complex compliance matrix that requires systematic data mapping and policy frameworks.

Sector-specific federal overlays: HIPAA and GLBA

Two federal laws add sector-specific requirements on top of state privacy obligations:

HIPAA (Health Insurance Portability and Accountability Act) applies to health fintech companies, digital health platforms, telehealth providers and any business handling protected health information (PHI). HIPAA sets minimum security and privacy standards that supersede state law in their domain.

GLBA (Gramm-Leach-Bliley Act) applies to financial services companies — including fintech platforms, payment processors and lending technology — and requires a formal information security program with penetration testing, encryption, multi-factor authentication and vendor management. For a full breakdown of GLBA requirements, see our article on the GLBA Safeguards Rule.

Companies operating in health tech or financial services must satisfy both the applicable federal law and any state privacy laws — whichever is more protective of the consumer prevails.

What companies doing business with California residents must implement

A practical CCPA/CPRA compliance baseline requires:

  1. Data inventory and mapping — Know what personal data you collect, where it is stored, who has access and how long you retain it.
  2. Updated privacy notices — Disclose categories of data collected, purposes for processing, retention periods and consumer rights in plain language.
  3. Consumer rights workflows — Build mechanisms to respond to access, deletion, correction and opt-out requests within 45 days (extendable once).
  4. Vendor contracts — Ensure data processing agreements with service providers include CCPA/CPRA-compliant provisions.
  5. Security controls — Implement reasonable security appropriate to the risk, including vulnerability management to continuously identify and remediate weaknesses.
  6. Cybersecurity audit readiness — Document your security program, maintain audit logs and retain records sufficient to demonstrate compliance to the CPPA under the 2025–2026 audit requirements.

Referencing the NIST Cybersecurity Framework is a recognized best practice for structuring the security program that underpins these obligations.


Need help mapping your current posture against CCPA/CPRA requirements? Talk to WhiteJaguars for a compliance-ready cybersecurity assessment.

Mario Robles, CEO & Founder

Ethical hacker with more than 20 years of experience, creator of cybersecurity tools, former leader of OWASP Costa Rica and active member of the Cybersec Cluster and the cybersecurity chapter of CAMTIC.
