Question 1

What changed with CPRA compared to the original CCPA?

Accepted Answer

CPRA created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, introduced the right to correct inaccurate personal information, added data minimization and purpose limitation requirements, created a new category of sensitive personal information with additional protections, established requirements for automated decision-making, and extended the private right of action for data breaches involving email addresses combined with passwords or security questions.

Question 2

How does CCPA/CPRA interact with other state privacy laws?

Accepted Answer

Most US state privacy laws (Virginia, Colorado, Connecticut, Texas, Oregon, and others) were influenced by CCPA/CPRA and share similar concepts: consumer rights, opt-out mechanisms, data protection assessments, and vendor contractual requirements. A well-designed CCPA/CPRA program covers roughly 70-80% of what other state laws require. We help you identify the gaps and extend your California program to satisfy multi-state obligations without building separate programs for each state.

Question 3

What are the penalties for non-compliance?

Accepted Answer

The CPPA can impose administrative fines of up to $2,500 per violation and $7,500 per intentional violation or violations involving minors. These are per-violation amounts, so a systemic issue affecting thousands of consumers scales quickly. Consumers also have a private right of action for data breaches involving certain categories of personal information, with statutory damages of $100 to $750 per consumer per incident. The CPPA has been actively issuing enforcement advisories and investigative sweeps since 2024.

Question 4

Do we need to comply if we are not based in California?

Accepted Answer

CCPA/CPRA applies to for-profit businesses that collect personal information from California residents and meet any of the thresholds, regardless of where the business is physically located. If you have a website accessible to California residents and meet the thresholds, the law applies. The threshold most commonly triggered by technology companies is processing personal information of 100,000 or more California consumers or households annually.

CCPA / CPRA

Who This Is For

What You Get

Frequently Asked Questions

Strengthen Your CCPA / CPRA Compliance with Penetration Testing

Ready to Get Started?