What is CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)?
The CCPA, as amended by the CPRA, is California's comprehensive consumer privacy law granting residents the right to know, delete, and opt out of the sale or sharing of their personal information, enforced by the California Privacy Protection Agency.
The California Consumer Privacy Act (CCPA) was enacted in 2018 and significantly amended by the California Privacy Rights Act (CPRA) in 2020, with CPRA provisions taking effect January 1, 2023. Together they form the most robust state-level privacy law in the United States, applying to for-profit businesses that meet certain thresholds related to revenue, data volume, or revenue derived from selling personal information.
The CCPA/CPRA grants California residents several rights: the right to know what personal information is collected and how it is used; the right to delete personal information; the right to opt out of the sale or sharing of personal information; the right to correct inaccurate personal information; and the right to limit the use and disclosure of sensitive personal information. The law also introduces the concept of "sharing" personal information for cross-context behavioral advertising as a regulated activity separate from "selling."
The CPRA created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body and expanded requirements around data minimization, purpose limitation, and storage limitation. Businesses must provide privacy notices, honor consumer requests within specific timeframes, and implement reasonable security measures. Non-compliance can result in fines of up to $7,500 per intentional violation. ComplyIQ helps organizations manage CCPA/CPRA obligations while ConsentIQ automates consumer opt-out and consent preference handling.
Related Terms
Personally Identifiable Information (PII)
PII is any information that can be used to identify a specific individual, including names, addresses, email addresses, phone numbers, Social Security numbers, and biometric data.
Right to Erasure (Right to Be Forgotten)
The right to erasure, also known as the right to be forgotten, allows individuals to request that organizations delete their personal data when it is no longer necessary, consent is withdrawn, or processing is unlawful.
Consent Management
Consent management is the systematic process of obtaining, recording, tracking, and managing individuals' consent for the collection and processing of their personal data in compliance with privacy regulations.
Privacy Notice / Privacy Policy
A privacy notice is a public-facing document that informs individuals about how an organization collects, uses, stores, shares, and protects their personal data, as required by data protection regulations.
Data Subject Access Request (DSAR)
A Data Subject Access Request is a formal request made by an individual to an organization to obtain confirmation of whether their personal data is being processed and, if so, to receive a copy of that data along with details about how it is used.