California privacy compliance is no longer just a notice-and-checkbox exercise. The CPRA widened California’s privacy framework, added stronger consumer rights, and pushed businesses toward more disciplined data governance, retention, and security practices. In practice, that means the law affects legal review, product design, adtech, vendor management, and incident response all at once.
The main things to know before you turn CPRA into a compliance program
- The CPRA amended and expanded the CCPA and is enforced by the California Privacy Protection Agency.
- It applies to businesses that meet revenue, data-volume, or data-monetization thresholds.
- Consumers can delete, correct, access, and opt out of sale or sharing, and they can limit sensitive personal information use.
- In 2026, risk assessments, cybersecurity audits, and automated decision-making rules are part of the real compliance workload.
- The most common failures come from weak data mapping, unclear retention rules, and inconsistent opt-out handling.
What the CPRA is and how it changed California privacy law
The simplest way I explain the CPRA is this: it is California’s modern consumer privacy regime, not a standalone concept floating beside the CCPA. It amended the earlier law, created a stronger enforcement structure through the California Privacy Protection Agency, and gave consumers more control over how businesses collect, use, retain, and disclose personal information.
That matters because the law is not limited to a privacy policy update. It reaches the way a company classifies data, sets retention periods, manages third parties, and decides whether a product feature or advertising workflow is acceptable in the first place. I usually tell teams that CPRA is less about paperwork and more about operating discipline.
At a practical level, the law applies to businesses that do business in California and meet at least one of the coverage thresholds. Those thresholds now include annual gross revenue above $26.625 million, buying, selling, or sharing the personal information of 100,000 or more consumers or households, or deriving 50% or more of annual revenue from selling or sharing personal information.
Just as important, CPRA uses broad data categories. “Personal information” includes identifiers, browsing and interaction data, geolocation, employment-related data, inferences, and more. “Sensitive personal information” is narrower but more operationally risky, covering things like precise geolocation, account credentials, racial or ethnic origin, religion, genetic data, health-related information, and the contents of private communications. That classification is what turns CPRA from a legal label into a data inventory problem.
Once a company understands scope and data types, the next step is understanding the rights the law gives consumers and how those rights change the day-to-day compliance workload.
The rights consumers can actually use
The consumer side of CPRA is where most people first feel the law. I think of it as a control framework: the individual has the right to see what is collected, correct inaccuracies, delete data, stop certain disclosures, and limit how sensitive information is used. If a business cannot operationalize those rights cleanly, the legal theory does not matter much.
| Right | What it means in practice | Why it matters for compliance |
|---|---|---|
| Know and access | Consumers can request categories, sources, business purposes, categories of third parties, and specific pieces of personal information. | This drives DSAR workflows, identity verification, and data discovery across systems. |
| Delete | Consumers can request deletion of personal information collected from them, subject to statutory exceptions. | Teams must know what can be deleted, what must be retained, and what must be passed to vendors. |
| Correct | Consumers can ask a business to correct inaccurate personal information it maintains. | Data quality becomes a legal issue, not just an analytics issue. |
| Opt out of sale or sharing | Consumers can stop a business from selling or sharing their personal information, including for cross-context behavioral advertising. | Adtech, cookies, and preference signals must line up with the privacy notice and the site banner. |
| Limit sensitive personal information | Consumers can restrict use of sensitive data to what is necessary for expected services and specified permitted purposes. | This forces stricter controls around targeting, profiling, and internal secondary uses. |
| No retaliation | Businesses cannot punish consumers for exercising their rights, although certain financial incentives remain possible if handled correctly. | Pricing, loyalty programs, and consent flows need legal review before they ship. |
Timing also matters. For delete, correct, and know requests, businesses generally must confirm receipt within 10 business days and respond within 45 calendar days, with a possible extension. For opt-out of sale or sharing, and for requests to limit sensitive personal information, businesses must comply as soon as feasibly possible, up to 15 business days.
One detail I see companies miss again and again: the law also expects clear user-facing mechanisms, not just a buried support inbox. That brings us to the controls businesses have to build into the program itself.
What businesses have to build into their program
CPRA compliance only works when the consumer-facing rights are backed by actual operational controls. I would break the work into three layers: notice and collection, request handling, and downstream governance. If any one of those layers is weak, the program looks compliant on paper and fragile in reality.
Notice and collection
At or before collection, businesses have to explain what categories of personal information they collect, why they collect it, whether it is sold or shared, and how long they intend to retain it or what criteria they use to decide retention. The law also says collection, use, retention, and sharing must be reasonably necessary and proportionate to the disclosed purpose. That is a real data-minimization requirement, not a slogan.
In compliance terms, I read this as a demand for purpose-based governance. If a system keeps data indefinitely because no one has defined a retention rule, that is not a neutral gap. It is a violation waiting for a complaint, an audit, or both.
Request handling and user-facing links
Businesses generally need two or more request channels for delete, correct, and know requests, including a toll-free phone number if they are not exclusively online. For sale or sharing opt-outs, most businesses need a clear homepage link such as “Do Not Sell or Share My Personal Information”, and for sensitive personal information they may need a separate or combined link such as “Limit the Use of My Sensitive Personal Information.”
They also need to honor opt-out preference signals, including browser-based signals such as Global Privacy Control when they meet the legal requirements. That is where many sites fail in practice: the banner says one thing, the preference center does another, and the tracking stack keeps firing as if nothing changed.
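To make the preference-signal point concrete, here is a small added example (my illustration, not code from the article or from any consent vendor) showing the decision logic a site needs so that Global Privacy Control wins over a banner "accept" click and sharing tags actually stop firing. The two GPC inputs are real: browsers expose `navigator.globalPrivacyControl`, and requests carry the `Sec-GPC: 1` header. The tag names and the `storedPreference` values are constructed placeholders.

```javascript
// Added example: honoring an opt-out preference signal (GPC) consistently.
// The signal is treated as a valid opt-out request, so it overrides whatever the
// cookie banner recorded. Tag names and preference values below are hypothetical.

// Client side: browsers that send GPC set navigator.globalPrivacyControl to true.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Server side: the same signal arrives as the "Sec-GPC: 1" request header.
// Header names are matched case-insensitively; only the literal value "1" counts.
function gpcFromHeaders(headers) {
  const entry = Object.entries(headers || {}).find(
    ([name]) => name.toLowerCase() === 'sec-gpc',
  );
  return Boolean(entry && String(entry[1]).trim() === '1');
}

// Decide whether "sale or sharing" processing may run for this visitor.
// Precedence: GPC signal > stored opt-out > default. A banner "accept" never
// beats the signal, and a signal-driven opt-out should be recorded as a request.
function resolveSharingPermission({ gpcSignal, storedPreference }) {
  if (gpcSignal) {
    return { allowSharing: false, reason: 'opt-out preference signal', recordOptOut: true };
  }
  if (storedPreference === 'opt-out') {
    return { allowSharing: false, reason: 'stored opt-out', recordOptOut: false };
  }
  return { allowSharing: true, reason: 'no opt-out on record', recordOptOut: false };
}

// Constructed tag registry: each tag declares whether it sells or shares data
// (cross-context behavioral advertising) or is a first-party, non-sharing tag.
const TAG_REGISTRY = [
  { name: 'first-party-analytics', sharesData: false }, // hypothetical
  { name: 'ad-network-pixel', sharesData: true },       // hypothetical
  { name: 'retargeting-script', sharesData: true },     // hypothetical
];

// The gate the tag loader should consult: non-sharing tags always load,
// sharing tags load only when the decision allows it.
function tagsToFire(decision, registry = TAG_REGISTRY) {
  return registry
    .filter((tag) => !tag.sharesData || decision.allowSharing)
    .map((tag) => tag.name);
}

// Consistency check for the failure mode described above: the visitor is opted
// out, yet sharing tags still fired. Returns the names of the offending tags so
// a test or monitoring job can flag the mismatch between banner and tracking stack.
function findLeakingTags(decision, firedTags, registry = TAG_REGISTRY) {
  if (decision.allowSharing) return [];
  const sharing = new Set(registry.filter((t) => t.sharesData).map((t) => t.name));
  return firedTags.filter((name) => sharing.has(name));
}

// Stand-alone demo with a constructed request: GPC set, banner says "accept".
const demoDecision = resolveSharingPermission({
  gpcSignal: gpcFromHeaders({ 'Sec-GPC': '1' }),
  storedPreference: 'accept',
});
console.log(demoDecision.reason, '->', tagsToFire(demoDecision));
// The audit catches a stack that ignored the decision:
console.log('leaking:', findLeakingTags(demoDecision, ['first-party-analytics', 'ad-network-pixel']));
```

The useful part is `findLeakingTags`: run it against what the browser actually loaded (a tag-manager data layer or a HAR capture from your own test session) rather than against what the consent tool claims, because the mismatch in the text is exactly the gap between those two.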
Vendors and downstream control
CPRA is very explicit that businesses have to control what happens after data leaves the first party. Contracts with service providers, contractors, and third parties need to limit use to specified purposes, require equivalent privacy protection, and support deletion or remediation when a request comes in. If a vendor cannot meet those obligations, the problem is not only theirs. It is yours too.
I usually tell compliance teams that vendor review is where privacy becomes real. If the company cannot explain what its processors do with the data, the consumer rights are only half implemented. That leads directly into the risk picture, which is where CPRA gets much more serious for leadership teams.
Why risk and compliance teams should care now
I would not treat CPRA as a privacy office issue. In 2026, it is a risk-management issue because the law now reaches audits, assessments, automated decision-making, enforcement exposure, and operational reporting. That means privacy is no longer just about external trust; it is also about internal controls and evidence.
Here is the part that changes the conversation with leadership:
- Risk assessments for covered activities begin with compliance on January 1, 2026, and businesses must later provide an attestation and summary information to the CPPA by April 1, 2028.
- Cybersecurity audits also carry phased certification deadlines, with April 1, 2028 for businesses over $100 million in revenue, April 1, 2029 for businesses between $50 million and $100 million, and April 1, 2030 for smaller covered businesses.
- Automated decision-making technology rules for significant decisions begin on January 1, 2027.
- Administrative penalties can reach $2,663 per violation and $7,988 for intentional violations and certain children’s-data cases.
- Private breach exposure can create statutory damages of not less than $107 and not more than $799 per consumer per incident, or actual damages, whichever is greater, in qualifying cases.
That mix changes how I read the law internally. It is no longer enough to say, “We have a privacy policy.” Leadership needs to know whether the company can prove it has mapped its data, tested its controls, documented its risks, and coordinated security with product and legal teams.
In other words, CPRA turns privacy into a measurable control environment. Once that happens, the usual failure patterns become easier to spot, and also easier to prevent if you know where to look.
Where companies usually get tripped up
Most CPRA problems are not dramatic. They are ordinary operational mistakes that compound over time. I see the same patterns repeatedly, and they are usually preventable once someone owns them end to end.
- Misreading “sharing” as a narrow transfer concept instead of a cross-context behavioral advertising issue.
- Failing to honor opt-out preference signals consistently across tags, consent tools, and backend systems.
- Keeping retention rules vague, then storing data far longer than the disclosed purpose requires.
- Overlooking sensitive personal information in logs, support tickets, analytics tools, and HR workflows.
- Assuming vendor contracts solve everything without testing whether vendors actually delete, limit, or segregate data as required.
- Confusing deletion with limitation, when a consumer may only be asking to stop certain uses rather than erase every record.
There is also a strategic mistake I see often: companies try to solve CPRA with a privacy notice rewrite alone. That approach rarely survives contact with a real audit, because the audit questions are about evidence, not prose. If the workflows, vendor terms, and systems do not match the notice, the notice becomes a liability instead of a defense.
When several of these gaps show up together, the issue is usually not one broken control. It is a weak privacy operating model. That is why the final step is not a slogan; it is a short list of controls I would put in place first.
The controls I would prioritize before the next privacy review
If I were hardening a CPRA program from scratch, I would start with the controls that reduce the most risk for the least friction. The goal is not perfection on day one. The goal is a defensible system that can answer consumer requests, survive scrutiny, and scale with new rules.
- Build a data map that tracks collection purpose, retention, sharing, and downstream recipients for each major dataset.
- Classify personal information and sensitive personal information separately, then flag any flow used for profiling, ad targeting, or automated decision-making.
- Test consumer request paths from the website, support channel, and opt-out preference signal so the user experience and backend response actually match.
- Review service provider, contractor, and third-party contracts for deletion, use limitation, notice, and audit-right language.
- Assign ownership for risk assessments, cybersecurity audit readiness, and ADMT review instead of treating them as one-off legal tasks.
- Document what happens when a consumer opts out, limits sensitive data use, or corrects information, and verify that the instruction reaches every relevant system.
That is the practical answer to the CPRA question: it is California’s current privacy framework for putting consumer control, data minimization, and governance discipline into the same operating model. The companies that handle it well do not treat it as a single compliance update; they build it into how data is collected, shared, retained, and defended every day.