CCPA/CPRA Compliance for Startups: Complete Guide (2025)

Quick Overview

CCPA (California Consumer Privacy Act) and its amendment CPRA (California Privacy Rights Act) are California's comprehensive data privacy laws that give consumers control over their personal information.

Key facts:

  • Applies to: For-profit businesses that do business in California and meet any one of three thresholds: revenue ($26.6M+), data volume (100K+ CA consumers or households), or 50%+ of revenue from selling or sharing personal information
  • Penalties: Up to $7,988 per intentional violation, $2,663 per unintentional violation (2025 inflation-adjusted amounts)
  • Enforcement: California Privacy Protection Agency (CPPA) and the Attorney General, plus a private right of action for certain data breaches
  • 2025 major update: New cybersecurity audit, risk assessment, and automated decision-making regulations, effective Jan 1, 2026 with phased compliance deadlines running into 2030

Bottom line: If you process significant California consumer data, CCPA/CPRA likely applies—even if you're not based in California.

CCPA vs CPRA: What's the Difference?

Timeline

CCPA (California Consumer Privacy Act)

  • Passed: June 2018
  • Effective: January 1, 2020
  • Scope: Original California privacy law giving consumers rights over their data

CPRA (California Privacy Rights Act)

  • Passed: November 2020 (ballot initiative)
  • Effective: January 1, 2023
  • Scope: Amendment to CCPA that strengthened and expanded privacy protections

Important: CPRA didn't replace CCPA—it amended it. Today, when people say "CCPA," they usually mean "CCPA as amended by CPRA."

Key Differences: CCPA → CPRA

Feature | CCPA (Original) | CPRA (Amendment)
Consumer threshold | 50,000+ consumers, households, or devices | 100,000+ consumers or households (devices dropped)
Revenue threshold | $25M+ | $26.6M+ (2025, inflation-adjusted)
Enforcement agency | CA Attorney General | CA Privacy Protection Agency (CPPA), with the AG retaining enforcement authority
Cure period | 30-day automatic cure | Discretionary (case-by-case)
Sensitive PI | No special category | New category with enhanced protections
Right to correct | No | ✓ Yes
Right to limit SPI use | No | ✓ Yes
Contractor liability | Limited | Expanded (contractors directly liable for violations)
Data minimization | No explicit requirement | ✓ Explicit requirement
Cybersecurity audits | No | ✓ Yes (2025 regulations, effective 2026)
Risk assessments | No | ✓ Yes (2025 regulations, effective 2026)

In this guide, we'll refer to the combined law as "CCPA/CPRA" or just "CCPA" for simplicity.


Does CCPA/CPRA Apply to Your Startup?

Applicability Thresholds (2025)

CCPA/CPRA applies if you meet ANY ONE of these criteria:

1. Revenue threshold

Annual gross revenue exceeds: $26,625,000

Notes:
├── Adjusted for inflation (was $25M when CCPA took effect in 2020; the CPPA re-adjusts the figure in January of every odd-numbered year)
├── Global revenue (not just CA revenue)
├── Includes all revenue sources (B2B, B2C, services, products)
└── Measured as of January 1 using the preceding calendar year's gross revenue

Most pre-Series B startups don't meet this threshold.

2. Data volume threshold

Annually buy, sell, or share the personal information of 100,000+ California consumers or households

What counts (the statutory test is whether you buy, sell, or share the PI; in practice most businesses conservatively count everyone whose PI they collect):
├── Website visitors (any interaction with site)
├── App users
├── Email subscribers
├── Customers and prospects
├── Employees and contractors (if CA residents)
└── Business contacts

"Annually" = any 12-month period; track a trailing 12-month count

Example calculations (count each person once, not once per visit or per list):
├── Website: 10K distinct CA visitors/month, none returning × 12 = 120K ✓ (meets threshold; if most visitors return each month the distinct count is far lower)
├── SaaS app: 8K CA users = 8K ✗ (doesn't meet threshold)
└── E-commerce: 50K CA customers + 60K CA email subs = 110K ✓ (meets threshold, assuming the two lists don't overlap)
3. Revenue from selling/sharing threshold

Derive 50%+ of annual revenue from selling or sharing personal information

"Selling" includes:
├── Selling email lists
├── Selling customer data to data brokers
└── Monetizing data through third parties (any disclosure for money or other valuable consideration)

"Sharing" includes:
├── Behavioral advertising (Facebook Pixel, Google Ads)
├── Cross-context behavioral advertising
├── Retargeting campaigns
└── Sharing data for third-party marketing

Most startups don't meet this threshold (unless you're in AdTech or data brokerage).

Do You Meet the Thresholds?

Common startup scenarios:

Scenario 1: Early-stage SaaS ($2M revenue, 15K users, 20% CA)

Revenue: $2M ✗ (well below $26.6M)
Data volume: 3,000 CA users ✗ (well below 100K)
Selling/sharing revenue: 0% ✗

CCPA/CPRA applies? ✗ NO

Scenario 2: Growth-stage consumer app ($10M revenue, 500K users, 30% CA)

Revenue: $10M ✗ (below $26.6M)
Data volume: 150,000 CA users ✓ (exceeds 100K)
Selling/sharing revenue: 0%

CCPA/CPRA applies? ✓ YES (meets data volume threshold)

Scenario 3: E-commerce site ($30M revenue, 80K customers, 25% CA)

Revenue: $30M ✓ (exceeds $26.6M)
Data volume: 20,000 CA customers ✗ (below 100K)
Selling/sharing revenue: 0%

CCPA/CPRA applies? ✓ YES (meets revenue threshold)

Scenario 4: High-traffic content site ($5M revenue, 2M monthly visitors, 40% CA)

Revenue: $5M ✗ (below $26.6M)
Data volume: 800K CA visitors/month, so well over 100K distinct CA consumers even after de-duplicating repeat visitors ✓
Selling/sharing revenue: 80% (display ads, retargeting) ✓

CCPA/CPRA applies? ✓ YES (meets data volume AND selling/sharing thresholds)

Additional Applicability Factors

Geographic scope:

CCPA/CPRA applies if:
├── You do business in California (any physical presence, customers, sales)
└── AND meet one of the three thresholds

Location of company doesn't matter:
✓ Delaware corporation selling to CA consumers → CCPA applies
✓ UK company with CA customers → CCPA applies
✗ NY-based B2B selling only to NY businesses → CCPA doesn't apply

Entity types covered:

Covered:
├── For-profit businesses
├── Sole proprietorships
├── Partnerships
├── LLCs
├── Corporations
└── Any for-profit entity collecting personal information

Exempt:
├── Nonprofits
├── Government agencies
└── Certain HIPAA-covered entities (for PHI only)

Borderline Cases

Close to 100K threshold:

If you're at 80K-90K CA consumers:
├── Be conservative (assume you'll hit 100K within 12 months)
├── Start implementing compliance now
└── Monitor monthly to track when you cross threshold

**Don't wait until you hit 100K—compliance takes 3-6 months.**

B2B vs B2C:

B2B and employee exemptions (both expired):
├── CCPA temporarily exempted most B2B contact data and employee/applicant/contractor data
├── Both exemptions expired Jan 1, 2023 (CPRA did not extend them)
└── Since then, business contacts and your own CA employees, applicants, and contractors are consumers with the full set of rights

Example:
├── SaaS selling to businesses: Employee users at customer companies = CA consumers
└── Count all individual users, not just companies

CCPA/CPRA Penalties & Enforcement

Fine Structure

Civil penalties (enforced by CPPA or AG):

Unintentional violations:

  • Fine: Up to $2,663 per violation (2025 amount, adjusted for inflation)
  • Examples:
    • Missing "Do Not Sell" link
    • Incomplete privacy notice
    • Delayed response to consumer request

Intentional violations:

  • Fine: Up to $7,988 per violation (2025 amount)
  • Examples:
    • Knowingly selling data after consumer opted out
    • Intentionally ignoring consumer rights requests
    • Deliberate misrepresentation in privacy notice

Penalties are assessed per violation, and regulators treat each affected consumer (or each mishandled request) as a separate violation:

Example: 1,000 consumers affected by an intentional violation
├── Exposure: 1,000 × $7,988 = $7,988,000 (nearly $8M)
└── This can be existential for startups

**Regulators consider:**
├── Severity of violation
├── Number of consumers affected
├── Company's efforts to comply
├── Company size and revenue
└── Whether violation was cured

Private Right of Action (Data Breaches)

Consumers can sue directly for data breaches:

Covered breaches:

Only applies when nonencrypted and nonredacted personal information of the types listed in Civ. Code § 1798.81.5(d)(1)(A) is exposed because the business failed to maintain reasonable security. Those types are a person's name together with one of:
├── Social Security number
├── Driver's license, state ID, passport, military ID, tax ID, or other government-issued ID number
├── Financial account, credit card, or debit card number combined with any required security code, access code, or password
├── Medical information
├── Health insurance information
├── Unique biometric data (fingerprint, retina or iris image, etc.)
└── Genetic data

Not all breaches trigger the private right of action: a breach of only email addresses and passwords falls outside this list, and so does properly encrypted data whose key was not also exposed.

Damages:

Statutory damages: $100-$750 per consumer per incident
OR
Actual damages (if higher)

Plus: Attorney's fees, injunctive relief

Example: Breach affecting 50,000 CA consumers
├── Minimum damages: 50K × $100 = $5M
├── Maximum damages: 50K × $750 = $37.5M
└── Plus: Legal fees, remediation costs

30-day cure period (statutory damages only):

Before suing for statutory damages, the consumer must:
1. Give the business written notice identifying the specific provisions violated
2. Allow 30 days to cure
3. Sue only if the business does not cure and provide a written statement that it has done so

**This cure period applies only to private claims for statutory damages, not to claims for actual damages and not to CPPA or AG enforcement. CPRA also made clear that implementing reasonable security after the breach does not, by itself, count as a cure.**

Enforcement Activity (2025)

California Privacy Protection Agency (CPPA):

Established: By CPRA (passed November 2020)
Enforcement authority: From July 1, 2023 (shared with the Attorney General, who keeps civil enforcement powers)

Enforcement priorities (2024-2025):
├── Businesses selling minors' data
├── Violations of "Do Not Sell" rights
├── Sensitive personal information misuse
├── Automated decision-making (new 2025 regulations)
└── Cybersecurity failures (new 2025 regulations)

Enforcement actions to date:
├── 12+ formal enforcement actions (2023-2024)
├── Fines ranging from $50K-$1.2M
└── Increasing focus on startups and mid-market companies

Notable CCPA enforcement examples:

Company | Fine | Violation | Year
Sephora (AG settlement) | $1.2M | No "Do Not Sell" link, undisclosed sale via third-party tracking cookies, ignored GPC signals | 2022
Retail company | $350K | Privacy notice violations, delayed consumer requests | 2023
Tech startup | $150K | Missing opt-out mechanisms, incomplete disclosures | 2024
Healthcare app | $275K | Selling sensitive health data without disclosure | 2024

Risk Factors for Enforcement

High-risk activities:

More likely to face enforcement:
├── Processing children's data (<16 years old)
├── Selling or sharing personal information (especially without disclosure)
├── Collecting sensitive personal information (health, biometric, precise geolocation)
├── Using automated decision-making that affects consumers significantly
├── Large-scale data breaches
└── Complaints from consumer advocacy groups (CPPA investigates complaints)

Consumer Rights Under CCPA/CPRA

CCPA/CPRA gives California consumers 8 key rights:

1. Right to Know (Civ. Code §§ 1798.110, 1798.115)

What it is: Consumers can request to know what personal information you've collected about them.

Two types of requests:

A. Categories request (less detailed):

Consumers can request (for the preceding 12 months):
├── Categories of personal information collected
├── Categories of sources it was collected from
├── Business or commercial purpose for collecting, selling, or sharing it
├── Categories of third parties you disclosed it to
└── Categories sold or shared, and the categories of third parties each was sold or shared with

Response deadline: 45 days (extendable to 90 days)
Format: Can respond with general descriptions

B. Specific pieces request (more detailed):

Consumers can request:
└── Specific pieces of personal information you have about them

Response deadline: 45 days (extendable to 90 days)
Format: Must provide portable, machine-readable format (JSON, CSV)

Exceptions:
├── SSN, driver's license, financial account numbers (can redact)
├── Data that creates security or fraud risks

Implementation:

Typical response:
{
  "user_id": "12345",
  "email": "jane@example.com",
  "name": "Jane Doe",
  "created_at": "2023-05-15",
  "purchase_history": [...],
  "browsing_history": [...],
  "data_shared_with": ["Google Analytics", "Stripe", "Mailchimp"]
}
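As an added example (not code from the original guide), here is how a "specific pieces" export can be produced so that it is portable and machine-readable while withholding the identifiers that must not be disclosed in a Right to Know response (SSN, driver's license numbers, passwords, security questions) and masking financial account numbers, yet still telling the consumer that those items were collected. The record, field names, and service-provider list are constructed sample data; the withheld and masked field names are assumptions to map onto your own schema.

```javascript
// Added example, not from the original guide. Builds a Right to Know
// "specific pieces" export: JSON (portable, machine-readable), with the
// identifiers the CCPA regulations say must never be disclosed in a response
// removed, account numbers masked, and a list of what was withheld so the
// consumer still learns that those items were collected.

// Assumed field names for this example; map them onto your own schema.
// Never disclosed in a response: SSN, driver's license/state ID number,
// passwords and security question/answer pairs.
const WITHHELD_FIELDS = new Set([
  'ssn', 'drivers_license', 'password_hash', 'security_question', 'security_answer',
]);
// Financial account numbers: disclose only in masked form.
const MASKED_FIELDS = new Set(['card_number', 'bank_account_number']);

// Keep the last four digits so the consumer can recognise the account.
function maskNumber(value) {
  const digits = String(value).replace(/\s/g, '');
  if (digits.length <= 4) return '****';
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Deep-copy a record, dropping withheld keys and masking account numbers
// at any nesting depth (payment objects, order arrays, ...).
function redactForDisclosure(value) {
  if (Array.isArray(value)) return value.map(redactForDisclosure);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, inner] of Object.entries(value)) {
      const k = key.toLowerCase();
      if (WITHHELD_FIELDS.has(k)) continue;
      out[key] = MASKED_FIELDS.has(k) ? maskNumber(inner) : redactForDisclosure(inner);
    }
    return out;
  }
  return value;
}

// Collect the names of withheld fields that are actually present, so the
// response can say "we hold your SSN" without revealing it.
function withheldFieldsPresent(value, found = new Set()) {
  if (Array.isArray(value)) {
    value.forEach((v) => withheldFieldsPresent(v, found));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, inner] of Object.entries(value)) {
      if (WITHHELD_FIELDS.has(key.toLowerCase())) found.add(key.toLowerCase());
      else withheldFieldsPresent(inner, found);
    }
  }
  return [...found].sort();
}

// Assemble the export envelope. `sharedWith` lists the service providers and
// third parties the record was disclosed to (from your own data map).
function buildRightToKnowExport(record, sharedWith) {
  return {
    format: 'application/json',
    personal_information: redactForDisclosure(record),
    data_shared_with: sharedWith,
    collected_but_withheld: withheldFieldsPresent(record),
  };
}

// Serialise the export as the consumer would receive it.
function exportAsJson(record, sharedWith) {
  return JSON.stringify(buildRightToKnowExport(record, sharedWith), null, 2);
}

// Constructed sample consumer record (not real data).
const SAMPLE_RECORD = {
  user_id: '12345',
  email: 'jane@example.com',
  name: 'Jane Doe',
  ssn: '123-45-6789',
  password_hash: '$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA',
  account_recovery: { security_question: 'First pet?', security_answer: 'Rex' },
  payment: { card_number: '4111 1111 1111 1111', bank_account_number: '987654321' },
  purchase_history: [{ order_id: 'A-1001', total: 42.5, placed_at: '2024-11-02' }],
};
```

Run `exportAsJson(SAMPLE_RECORD, ['Stripe', 'Mailchimp'])` to see the document a consumer would get: the SSN, password hash, and recovery answers are absent, the card shows as `************1111`, and `collected_but_withheld` tells the consumer which withheld categories you hold. Redacting by key name at every depth is the point; a flat allow-list applied only to the top level is how account numbers leak out through nested order or payment objects.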

2. Right to Delete (Civ. Code § 1798.105)

What it is: Consumers can request deletion of their personal information.

Requirements:

Must delete:
├── Data collected directly from consumer
├── Data held by service providers and contractors (notify them to delete)
└── Data in all systems (production, archives, logs; backups may wait until they are next accessed or restored, see the deletion process below)

Timeline: 45 days to respond
Verification: Must verify identity before deleting

Exceptions (you can refuse deletion if needed for):

Don't have to delete if necessary to:
├── Complete the transaction/provide service
├── Detect/prevent security incidents or fraud
├── Debug/repair functionality
├── Exercise free speech or ensure others can exercise free speech
├── Comply with California Electronic Communications Privacy Act
├── Engage in public or peer-reviewed scientific research (with consumer consent)
├── Enable solely internal uses reasonably aligned with consumer expectations
├── Comply with legal obligation
└── Otherwise use internally in lawful manner compatible with context provided

Most common exceptions for startups:
├── Active customer (can't delete while providing service)
├── Fraud prevention (need to retain for security)
├── Legal obligations (tax records, financial records)

Implementation:

Deletion process:
1. Verify consumer identity
2. Check if any exceptions apply
3. If no exceptions:
   ├── Delete from production database
   ├── Delete from backups (or mark for deletion on next backup cycle)
   ├── Instruct service providers to delete (Stripe, analytics, CRM)
   ├── Remove from marketing lists
   └── Anonymize in analytics (if possible)
4. Respond to consumer: "Your data has been deleted"
5. Document the request and actions taken

3. Right to Correct (Civ. Code § 1798.106) [New under CPRA]

What it is: Consumers can request correction of inaccurate personal information.

Requirements:

Must correct inaccurate data
Timeline: 45 days to respond
Verification: Verify identity before correcting

Implementation:

Typical flow:
1. Consumer: "My address is listed as 123 Main St, but it should be 456 Oak Ave"
2. Business: Verify identity
3. Business: Update address in all systems (CRM, shipping, billing)
4. Business: Notify service providers of correction (if shared with them)
5. Business: Respond to consumer: "Your address has been corrected"

4. Right to Opt-Out of Sale/Sharing (Civ. Code § 1798.120)

What it is: Consumers can opt-out of the sale or sharing of their personal information.

"Sale" definition (broad):

Selling = Disclosing personal information to third party for monetary or other valuable consideration

Examples:
├── Selling email lists to marketers
├── Selling customer data to data brokers
├── Receiving payment for providing customer data

"Sharing" definition (even broader):

Sharing = Disclosing personal information for cross-context behavioral advertising

Examples:
├── Facebook Pixel (cross-site tracking for retargeting)
├── Google Ads retargeting
├── Third-party ad networks
├── Any cross-site behavioral tracking for advertising

Requirements:

If you sell or share:
1. Provide "Do Not Sell or Share My Personal Information" link
   └── Must be on homepage and in privacy policy
2. Honor opt-out requests within 15 business days
3. Don't require account creation to opt-out
4. Wait 12 months before asking consumer to opt back in
5. Don't discriminate against consumers who opt out

Implementation:

Typical "Do Not Sell" link:
├── Link text: "Do Not Sell or Share My Personal Information"
├── Location: Website footer (visible on every page)
├── Destination: Opt-out page or cookie settings
├── Action: Disable Facebook Pixel, Google Ads, retargeting cookies
└── Confirmation: "Your preference has been saved. We will not sell or share your data."

5. Right to Limit Use of Sensitive Personal Information (Civ. Code § 1798.121) [New under CPRA]

What it is: Consumers can limit how you use their sensitive personal information (SPI).

Applies only if you use SPI for purposes other than:

Permitted uses:
├── Performing services/providing goods reasonably expected
├── Detecting security incidents, fraud
├── Resisting malicious/illegal activity
├── Short-term, transient use (e.g., displaying SPI back to consumer)
├── Performing services on behalf of business
└── Quality/safety verification

If you use SPI for other purposes (marketing, profiling, etc.):
└── Consumers can limit use to only permitted purposes above

Implementation:

If you use SPI for non-permitted purposes:
1. Provide "Limit the Use of My Sensitive Personal Information" link
   └── Next to "Do Not Sell or Share" link
2. Honor requests within 15 business days
3. Stop using SPI for non-permitted purposes (e.g., marketing)

6. Right to Opt-In for Sale of Minors' Information (Civ. Code § 1798.120(c))

What it is: Can't sell or share personal information of consumers under 16 without opt-in.

Age requirements:

Under 13:
└── Requires opt-in from parent/guardian (verifiable parental consent)

13-15 years old:
└── Requires opt-in from minor themselves

16+ years old:
└── Can sell/share unless consumer opts out (standard "Do Not Sell" applies)

Implementation:

If you knowingly collect data from minors:
1. Age-gate your service (verify age at signup)
2. If under 16: Don't sell/share data (or get opt-in consent)
3. Use age-appropriate consent mechanisms (COPPA compliance)

7. Right to Non-Discrimination (Civ. Code § 1798.125)

What it is: Can't discriminate against consumers who exercise their rights.

Prohibited discrimination:

Can't:
├── Deny goods or services
├── Charge different prices or rates
├── Provide different level or quality of service
├── Suggest consumer will receive different price or quality
└── Retaliate or harass

Permitted differences (with limitations):

Can offer:
├── Financial incentive for providing data (if not "unjust, unreasonable, coercive, or usurious")
├── Different price/service if difference is "reasonably related to value of consumer's data"

Must disclose:
├── Material terms of financial incentive program
├── How to opt-in
└── Right to withdraw at any time

8. Right to Data Portability (Implicit in Right to Know)

What it is: Consumers can receive their data in portable, machine-readable format.

Requirements:

Format: JSON, CSV, XML (not PDF)
Includes: All personal information you have about consumer
Use case: Allow consumer to transfer data to another service

Business Obligations

Core Obligations

1. Update Privacy Policy

Must disclose (at or before point of collection):
├── Categories of personal information collected
├── Purposes for collecting each category
├── Whether you sell or share personal information
├── Categories of third parties you disclose to
├── How long you retain each category
├── Consumer rights (all 8 rights)
├── How to exercise rights
└── Link to "Do Not Sell or Share My Personal Information" (if applicable)

Update frequency: Annually (or when practices change)

2. Provide "Do Not Sell or Share" Link (if applicable)

If you sell or share:
├── Add prominent link to homepage footer
├── Link text: "Do Not Sell or Share My Personal Information"
├── Destination: Opt-out mechanism (cookie settings or form)
├── Honor opt-outs within 15 business days
└── Don't require account creation to opt-out

3. Respond to Consumer Requests

Timelines:
├── Initial response: 10 business days (acknowledge receipt)
├── Full response: 45 days (extendable to 90 days if complex)

Verification:
├── Must verify consumer's identity before responding
├── Use reasonable methods (email confirmation, account login, ID verification)
├── Can request additional information if necessary

Tracking:
├── Log all consumer requests
├── Document verification steps taken
├── Record actions taken (data provided, deleted, corrected)

4. Train Employees

Employees who handle consumer requests must be trained on:
├── Consumer rights under CCPA/CPRA
├── How to verify consumer identity
├── How to process requests
├── Timelines for responding
└── Exceptions and limitations

5. Contract Requirements with Service Providers

Contracts with service providers must:
├── Identify the specific business purpose(s) for which PI is disclosed
├── Prohibit the service provider from selling or sharing the PI
├── Prohibit retaining, using, or disclosing PI for any purpose other than the specified business purposes, or outside the direct business relationship
├── Prohibit combining the PI with PI received from other sources, except as the regulations permit
├── Require the service provider to comply with CCPA and provide the same level of privacy protection
├── Grant you the right to take reasonable steps to ensure compliance (audits, assessments) and to stop and remediate unauthorized use
└── Require notice if the service provider can no longer meet its obligations

Commonly added, though not a CCPA-mandated clause: delete or return PI at end of contract.

Service Providers vs Third Parties vs Contractors

Service Provider:

Definition: Processes PI on your behalf per written contract

Example: AWS (hosting), Stripe (payments), Mailchimp (email)

Requirements:
├── Written contract with restrictions above
├── Can share data with service providers without violating "Do Not Sell"
└── Service provider's use is limited to providing service to you

Third Party:

Definition: Receives PI but not as service provider or contractor

Example: Marketing partner, data broker, affiliate

Requirements:
├── If you disclose PI to third party, it may be "selling" or "sharing"
├── Must disclose in privacy policy
└── Must honor "Do Not Sell or Share" requests

Contractor (new under CPRA):

Definition: A person to whom you make PI available for a business purpose under a written contract, rather than one that processes PI on your behalf

Example: A partner you hand PI to so it can perform a specified business purpose for you

Requirements:
├── Written contract with the same restrictions as a service provider (no selling/sharing, no use outside the specified business purposes, no combining with other data)
├── Must certify that it understands and will comply with those restrictions
└── Like a service provider, may use PI to build or improve its own services only within the narrow limits the regulations allow (not to profile consumers or to clean/augment data from other sources); it is not a looser category than service provider

Privacy Notice Requirements

Required Disclosures

At or before point of collection, must disclose:

1. Categories of personal information

Must use specific categories (not just "personal information"):

Categories:
├── Identifiers (name, email, IP address, device ID)
├── California Customer Records (name, address, SSN, payment info)
├── Protected classifications (age, race, gender, etc.)
├── Commercial information (purchase history, preferences)
├── Biometric information (fingerprints, facial recognition)
├── Internet activity (browsing history, search history)
├── Geolocation data (precise location from GPS)
├── Sensory information (audio, visual, thermal)
├── Professional/employment information (resume, job history)
├── Education information (school, degree, GPA)
└── Inferences (profiles, preferences, behavior predictions)

Example disclosure:
"We collect the following categories of personal information:
├── Identifiers: email address, name, IP address
├── Commercial information: purchase history, product preferences
└── Internet activity: pages viewed, links clicked"

2. Purposes for each category

❌ Bad: "We collect personal information to provide services"

✓ Good: Specific purposes for each category:
├── Identifiers (email): Create account, send order confirmations
├── Commercial information (purchase history): Fulfill orders, process returns
├── Internet activity (pages viewed): Improve website, show relevant products
└── Geolocation (city/state): Calculate shipping costs, show local inventory

**2025 update: General statements like "improve services" are no longer sufficient.**

3. Selling/sharing disclosure

Must disclose whether you sell or share PI:

If YES:
├── "We sell/share the following categories of personal information: [list]"
├── "We sell/share to the following categories of third parties: [list]"
└── Provide "Do Not Sell or Share My Personal Information" link

If NO:
└── "We do not sell or share personal information"

4. Retention periods

Must disclose how long you retain each category:

Example:
├── Account data: While account is active + 2 years after closure
├── Purchase history: 7 years (tax compliance)
├── Marketing consents: Until withdrawn + 3 years
└── Analytics data: 90 days (aggregated after that)

5. Consumer rights

Must describe all 8 rights:
├── Right to know
├── Right to delete
├── Right to correct
├── Right to opt-out of sale/sharing
├── Right to limit use of SPI
├── Right to opt-in (minors)
├── Right to non-discrimination
└── Right to data portability

Include:
├── How to exercise rights (email, web form, phone)
├── Timelines for response (45 days)
└── Verification process

Privacy Policy Updates (2025)

New specificity requirements (effective Jan 1, 2026):

Before 2025:
├── "We use personal information to improve services" ✓ (acceptable)
└── General descriptions were sufficient

After Jan 1, 2026:
├── "We use personal information to improve services" ✗ (too vague)
└── Must specify exact purposes for each category

Example compliant disclosure:
"We use identifiers (name, email) to:
├── Create and manage your account
├── Process your orders
├── Send transactional emails (order confirmations, shipping updates)
└── Respond to customer support inquiries

We use commercial information (purchase history) to:
├── Fulfill orders
├── Process returns and refunds
├── Recommend products based on past purchases
└── Analyze sales trends (aggregated data only)"

Do Not Sell or Share

When Required

Must provide "Do Not Sell or Share" mechanism if:

You sell or share personal information

"Selling" = Disclosing for monetary or other valuable consideration
"Sharing" = Disclosing for cross-context behavioral advertising

Common triggers:
├── Facebook Pixel (retargeting) → Sharing ✓
├── Google Ads (retargeting) → Sharing ✓
├── Third-party ad networks → Selling/Sharing ✓
├── Selling email lists → Selling ✓
├── Data partnerships (exchange data for services) → Selling ✓
└── Service providers (AWS, Stripe) → Not selling/sharing ✗

Implementation Requirements

1. "Do Not Sell or Share" link

Location:
├── Homepage footer (required)
├── Privacy policy (required)
├── Mobile app settings (if applicable)
└── Opt-out page

Link text:
├── "Do Not Sell or Share My Personal Information" (exact wording)
├── Or: "Your Privacy Choices" / "Your California Privacy Choices" with the CPPA opt-out icon, as a single link that also covers "Limit the Use of My Sensitive Personal Information"
└── "Do Not Sell My Personal Information" alone is the pre-CPRA wording and no longer sufficient if you share PI

Prominence:
├── Same size/visibility as other footer links
├── Not hidden or buried
└── Accessible on every page

2. Opt-out page

Must allow opt-out without:
├── Creating an account
├── Logging in
├── Providing excessive information
└── Navigating through multiple pages

Can use:
├── Simple toggle (opt-out / opt-in)
├── Cookie preference center
├── Email/form submission
└── Global Privacy Control (auto-honors browser signals)

3. Global Privacy Control (GPC)

What it is: Browser/device signal that tells websites "don't sell my data"

Support required:
├── Must honor GPC signals as opt-out requests
├── No user interaction required
├── Applies to all users who send GPC signal

How to implement:
1. Detect the signal server-side from the request header `Sec-GPC: 1` and client-side from `navigator.globalPrivacyControl === true`
2. Treat it as a valid opt-out request, with no login and no confirmation step required
3. Disable selling/sharing mechanisms (ads, pixels, tracking) for that user and record the opt-out so it persists across requests
4. Confirm the opt-out in the UI; if it conflicts with a stored opt-in, honor the signal and optionally tell the user about the conflict

Browsers supporting GPC:
├── Firefox (with privacy settings enabled)
├── DuckDuckGo Browser
├── Brave
├── Privacy Badger extension
└── Others adopting

What to Stop When User Opts Out

If user opts out, must stop:

Selling:
├── Stop selling email address to marketers
├── Stop sharing customer data with data brokers
├── Stop data partnerships involving personal information exchange

Sharing:
├── Disable Facebook Pixel for that user
├── Disable Google Ads retargeting for that user
├── Disable third-party ad network tracking
├── Stop cross-site behavioral advertising

Can continue:
├── Using service providers (AWS, Stripe, CRM)
├── First-party analytics (on your site only)
├── Contextual advertising (based on page content, not user behavior)
└── Sharing to complete transactions (shipping, payment processing)
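The GPC handling described above and the "what to stop when a user opts out" list, combined into one server-side decision, as an added example that is not code from the original guide: it reads the `Sec-GPC` header, merges it with a stored preference (the signal wins even over a stored opt-in), decides which third-party tags the page may load, and records the date by which a new opt-out must be honored everywhere (15 business days). The request objects, tag inventory, and tag IDs are constructed stand-ins for what your framework and tag manager provide.

```javascript
// Added example, not from the original guide. Server-side handling of the
// Global Privacy Control signal and a single sell/share decision that gates
// which third-party tags a page may load. Request and preference objects are
// constructed stand-ins for what your web framework provides.

// Page: opt-outs must be honoured within 15 business days.
const OPT_OUT_DEADLINE_BUSINESS_DAYS = 15;

// GPC is carried as the request header "Sec-GPC: 1". Any other value, or no
// header, is "no signal". Header names are case-insensitive, so normalise.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Resolve the consumer's sell/share status. A GPC signal is itself a valid
// opt-out request, so it wins even over a stored opt-in (the business may
// then tell the consumer about the conflict, but must still honour the signal).
// storedPreference: 'opted_out' | 'opted_in' | undefined (cookie or account record).
function resolveSaleSharePreference(headers, storedPreference) {
  if (hasGpcSignal(headers)) return { optedOut: true, source: 'gpc' };
  if (storedPreference === 'opted_out') return { optedOut: true, source: 'stored' };
  return { optedOut: false, source: storedPreference === 'opted_in' ? 'stored' : 'default' };
}

// Tag inventory classified per the "What to Stop When User Opts Out" list.
// 'share' = cross-context behavioural advertising; 'service_provider' and
// 'first_party' keep loading after an opt-out. IDs are assumed names.
const TAGS = [
  { id: 'facebook-pixel', kind: 'share' },
  { id: 'google-ads-remarketing', kind: 'share' },
  { id: 'stripe-js', kind: 'service_provider' },
  { id: 'first-party-analytics', kind: 'first_party' },
];

// Only tags that do not sell or share may load for an opted-out consumer.
function tagsToLoad(decision, tags = TAGS) {
  return tags
    .filter((t) => !(decision.optedOut && (t.kind === 'share' || t.kind === 'sell')))
    .map((t) => t.id);
}

// Add n Mon-Fri business days to a date (UTC). Public holidays are ignored,
// which can only make the computed deadline earlier, never later.
function addBusinessDays(start, n) {
  const d = new Date(Date.UTC(start.getUTCFullYear(), start.getUTCMonth(), start.getUTCDate()));
  for (let remaining = n; remaining > 0; ) {
    d.setUTCDate(d.getUTCDate() + 1);
    const dow = d.getUTCDay();
    if (dow !== 0 && dow !== 6) remaining -= 1;
  }
  return d.toISOString().slice(0, 10);
}

// One call per request: what may load now and, when this request is a new
// opt-out, the date by which it must be honoured across every system
// (ad platforms, data partners, CRM syncs), not just the current page.
function handleRequest(req, storedPreference, now = new Date()) {
  const decision = resolveSaleSharePreference(req.headers, storedPreference);
  const isNewOptOut = decision.optedOut && storedPreference !== 'opted_out';
  return {
    optedOut: decision.optedOut,
    source: decision.source,
    tagsToLoad: tagsToLoad(decision),
    honorBy: isNewOptOut ? addBusinessDays(now, OPT_OUT_DEADLINE_BUSINESS_DAYS) : null,
  };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_GPC_REQUEST = { headers: { 'Sec-GPC': '1', 'user-agent': 'sample' } };
const SAMPLE_PLAIN_REQUEST = { headers: { 'user-agent': 'sample' } };
```

Calling `handleRequest(SAMPLE_GPC_REQUEST, 'opted_in')` returns `optedOut: true, source: 'gpc'`, loads only `stripe-js` and `first-party-analytics`, and sets `honorBy` fifteen business days out; the same browser with no signal and no stored preference gets all four tags. The decision is made before any tag is emitted, which is what makes the opt-out real: a pixel that fires and is "disabled" afterwards has already shared the page view.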

Timeline and Re-solicitation

Opt-out timeline:

Must honor opt-out: Within 15 business days

After opt-out:
├── Must wait 12 months before asking user to opt back in
├── Can inform user of benefits of opting in (once)
└── Can't require opt-in to use service

Sensitive Personal Information

What is Sensitive Personal Information (SPI)?

CPRA created a new category: Sensitive Personal Information (SPI)

SPI includes:

1. Social Security, driver's license, state ID, passport numbers
2. Account login + security/access code/password
3. Precise geolocation (within 1,850 feet)
4. Racial or ethnic origin
5. Religious or philosophical beliefs
6. Union membership
7. Mail, email, text messages (unless you're the intended recipient)
8. Genetic data
9. Biometric information (fingerprints, faceprints, voiceprints)
10. Health information
11. Sex life or sexual orientation

Special Protections for SPI

Enhanced consumer rights:

If you use SPI for purposes beyond providing services:
├── Consumer can request you limit use to "permitted purposes" only
├── Must provide "Limit the Use of My Sensitive Personal Information" link
└── Must honor requests within 15 business days

Permitted purposes (can always use SPI for):
├── Performing services reasonably expected by consumer
├── Detecting security incidents, fraud
├── Resisting malicious/illegal activity
├── Short-term, transient use
├── Performing services on behalf of business
└── Quality/safety verification

Non-permitted purposes (require "Limit" right):
├── Marketing
├── Profiling
├── Inferring characteristics
└── Any use not reasonably expected

Disclosure Requirements for SPI

Must disclose in privacy policy:

If you collect SPI:
├── Categories of SPI collected
├── Purposes for collecting each category
├── How long you retain SPI
├── Whether you sell or share SPI (usually NO—selling SPI is risky)
└── Right to limit use of SPI (if you use for non-permitted purposes)

Example disclosure:
"We collect the following sensitive personal information:
├── Precise geolocation: To show nearby stores and calculate shipping
└── Health information: To provide personalized health recommendations

You have the right to limit our use of sensitive personal information to
only what's necessary to provide our services. To exercise this right,
visit [link]."

SPI Best Practices for Startups

Minimize SPI collection:

Avoid collecting SPI unless essential:
├── Don't collect SSN unless legally required (financial services)
├── Use approximate location (city/ZIP) instead of precise GPS
├── Don't infer religious/political beliefs from browsing data
├── Don't use biometric authentication unless necessary (high-security apps)
└── Don't collect health data unless you're a health app

**Collecting SPI increases compliance burden and risk.**

If you must collect SPI:

1. Disclose clearly at point of collection
2. Use only for stated purpose (don't repurpose for marketing)
3. Encrypt SPI (at rest and in transit)
4. Restrict employee access (need-to-know basis)
5. Delete SPI when no longer needed
6. Don't sell or share SPI (almost never acceptable)

Automated Decision-Making

What is Automated Decision-Making Technology (ADMT)?

The 2025 CCPA regulations define ADMT as:

Technology that processes personal information and uses computation to
replace, or substantially replace, human decision-making. The ADMT obligations
apply when it is used to make a "significant decision" about a consumer: one
that results in providing or denying financial or lending services, housing,
education, employment or independent-contracting opportunities (including
compensation), or healthcare services.

Examples:
├── AI model that auto-approves/denies loan applications
├── Algorithm that filters job applicants (pass/fail)
├── Automated credit scoring without human review
├── Algorithmic insurance underwriting (set premiums)
└── Automated content moderation (ban/suspend users) where the account gates access to one of the services above

Not ADMT:
├── Product recommendations (no significant decision)
├── Spam filtering (no significant decision)
├── Fraud detection with meaningful human review (the reviewer must understand the output and have authority to change the outcome; rubber-stamping does not count)
└── A/B testing (minimal impact)

ADMT Disclosure Requirements (regulations effective Jan 1, 2026; ADMT compliance required by Jan 1, 2027)

If you use ADMT, must disclose:

In privacy policy:
├── That you use ADMT
├── Categories of personal information used in ADMT
├── Categories of personal information created by ADMT (inferences, scores)
├── Purpose of ADMT (what decisions does it make?)
├── How ADMT affects consumers (approve/deny loans, etc.)
└── Whether human is involved in decision

At point of decision:
├── Notify consumer that ADMT was used
├── Explain logic involved (how decision was made)
├── Inform consumer of right to:
   ├── Access information used in decision
   ├── Access decision and explanation
   ├── Correct inaccurate information
   └── Object to decision (or request human review)

ADMT Consumer Rights (regulations effective Jan 1, 2026; ADMT compliance required by Jan 1, 2027)

Consumers have the right to:

1. Right to know about ADMT

Right to information about:
├── Logic involved in ADMT
├── Expected outcome or consequence
├── Categories of PI used to train algorithm
└── Third parties involved in developing algorithm

2. Right to access ADMT information

Right to access:
├── Personal information used in ADMT decision
├── Inferences/scores generated by ADMT
├── Decision made by ADMT (approve/deny, score, etc.)
└── Explanation of decision

3. Right to correct inaccurate information

If consumer believes data used in ADMT is inaccurate:
├── Consumer can request correction
├── Business must correct if inaccurate
├── Business must re-run ADMT with corrected data
└── Consumer receives updated decision

4. Right to opt-out or request human review

Consumer can request:
├── Human review of ADMT decision
├── Explanation from human (not just algorithm)
├── Ability to contest decision
└── Opt-out of ADMT (use manual review instead)

**Businesses don't have to eliminate ADMT, but must offer human alternative.**

ADMT Risk Assessments (regulations effective Jan 1, 2026)

If CCPA applies to you and you use ADMT for significant decisions, you must conduct a risk assessment. Unlike cybersecurity audits, this requirement has no revenue tier:

Requirement applies if:

You are subject to CCPA AND use ADMT for significant decisions (the revenue bands that phase in cybersecurity audits do not apply here):
├── ADMT adopted on or after Jan 1, 2026: assess before you start using it
├── ADMT already in use before Jan 1, 2026: complete the assessment by Dec 31, 2027
└── First submission to the CPPA (attestation plus summary): by April 1, 2028, then annually

**Startups are not exempt here: the trigger is the activity, not revenue.**

Risk assessment must evaluate:

1. How ADMT may:
   ├── Increase privacy risks to consumers
   ├── Increase risk of disparate impact (discrimination)
   └── Increase risk of inaccurate or biased decisions

2. Safeguards in place:
   ├── Data quality checks
   ├── Bias testing and mitigation
   ├── Human oversight
   ├── Appeal/review processes
   └── Regular audits of ADMT outcomes

3. Submit attestation to CPPA by deadline

ADMT Best Practices for Startups

Minimize ADMT use:

Avoid using ADMT for high-stakes decisions:
├── Always have human in the loop for:
   ├── Loan approvals/denials
   ├── Hiring decisions
   ├── Insurance underwriting
   ├── Account suspensions (fraud/abuse)
└── Use ADMT to assist humans (recommendations) not replace them

If you use ADMT:

1. Document logic and training data
2. Provide explanations to consumers
3. Allow human review/appeal
4. Test for bias and discrimination
5. Disclose clearly in privacy policy
6. Provide access to information used in decisions

2025 New Requirements

On July 24, 2025, the California Privacy Protection Agency (CPPA) finalized sweeping new regulations. They take effect January 1, 2026, with phased compliance deadlines for some requirements:

1. Cybersecurity Audit Requirements

Who must conduct audits:

Businesses that either:
├── Derive 50%+ of annual revenue from selling/sharing personal information, OR
└── Meet the CCPA revenue threshold ($26.6M+) AND, in the prior year, processed PI of 250K+ consumers/households or sensitive PI of 50K+ consumers

First audit deadline is phased by revenue:
├── $100M+ annual gross revenue: First audit by April 1, 2028
├── $50M-$100M revenue: First audit by April 1, 2029
└── <$50M revenue: First audit by April 1, 2030

**Most startups exempt (below the revenue and data-volume conditions).**

Audit requirements:

Must be performed by an independent auditor (internal or external) and assess:
├── Security of personal information
├── Compliance with CCPA/CPRA security obligations
├── Effectiveness of security controls (the regulations list specific components the audit must cover, including MFA, encryption in transit and at rest, account and privilege management, logging and monitoring, vulnerability scanning and penetration testing, and incident response)
└── Gaps and recommendations

Frequency:
└── Annually

Must submit to the CPPA:
└── Written certification of completion signed by an executive; keep the full audit report (findings, gaps, remediation plans) on file

2. Risk Assessment Requirements

Who must conduct risk assessments:

Any business subject to CCPA whose processing presents significant risk to consumers, which the regulations define to include:
├── Selling or sharing personal information (ad pixels and retargeting count)
├── Processing sensitive personal information
├── Using ADMT for significant decisions
└── Using personal information to train ADMT or AI systems for certain uses

There is no revenue tier, so this is not a large-company-only requirement.

Timing:
├── Processing started on or after Jan 1, 2026: assess before starting
├── Processing already underway before Jan 1, 2026: complete by Dec 31, 2027
└── First submission to the CPPA (attestation + summary): by April 1, 2028, then annually

**Many startups are in scope: a retargeting pixel or any handling of sensitive PI triggers an assessment.**

Risk assessment must evaluate:

1. Privacy risks to consumers:
   ├── Data collection practices
   ├── Data sharing/selling activities
   ├── Use of sensitive personal information
   └── Retention periods

2. Safeguards in place:
   ├── Access controls
   ├── Encryption
   ├── Employee training
   ├── Data minimization
   └── Incident response

3. Gaps and remediation:
   ├── Identify gaps in privacy protections
   ├── Prioritize remediation
   └── Implement improvements

Frequency: Update when the processing materially changes and review at least every three years; submissions to the CPPA are annual

3. Enhanced Automated Decision-Making Rules

Regulations effective Jan 1, 2026; businesses already using ADMT for significant decisions must comply by Jan 1, 2027 (all businesses subject to CCPA, regardless of size):

If you use ADMT for significant decisions:
├── Disclose in privacy policy (with specificity)
├── Provide a pre-use notice before the ADMT is applied
└── Allow consumers to:
   ├── Access information used in decision
   ├── Correct inaccurate information
   ├── Appeal to a human reviewer
   └── Opt out of ADMT

**This applies to ALL businesses using ADMT for significant decisions, not just large companies.**

4. Granular Privacy Notice Requirements

Effective Jan 1, 2026:

Old (pre-2026): "We use personal information to improve services" (general statements like this were accepted)

New (2026+): Must specify the exact purposes for each category of personal information

Example compliant notice:
"We use identifiers (email address) to:
├── Create and manage your account
├── Send order confirmations
├── Respond to customer support inquiries

We use commercial information (purchase history) to:
├── Fulfill orders
├── Process returns
├── Recommend products (you can opt-out)"

**No more general statements—must be specific.**

Implementation Timeline Summary

| Requirement | Deadline | Applies To |
|---|---|---|
| Granular privacy notices | Jan 1, 2026 | All businesses |
| ADMT disclosures, pre-use notice, opt-out and access rights | Regulations effective Jan 1, 2026; comply by Jan 1, 2027 | All businesses using ADMT for significant decisions |
| Risk assessments | Complete by Dec 31, 2027 for existing activities; first submission to the CPPA April 1, 2028 | All businesses with high-risk processing (selling/sharing, sensitive PI, ADMT) |
| Cybersecurity audits | April 1, 2028 | $100M+ revenue (plus data-volume condition) |
| Cybersecurity audits | April 1, 2029 | $50M-$100M revenue (plus data-volume condition) |
| Cybersecurity audits | April 1, 2030 | <$50M revenue, at or above the $26.6M CCPA threshold (plus data-volume condition) |

Bottom line: Most startups need the granular privacy notice by Jan 1, 2026, ADMT rights by Jan 1, 2027 if they use ADMT for significant decisions, and a risk assessment if they sell/share PI, process sensitive PI or use ADMT (by Dec 31, 2027, filed by April 1, 2028). Cybersecurity audits don't apply until you reach the CCPA revenue threshold and process PI of 250K+ consumers (or sensitive PI of 50K+).


CCPA/CPRA Compliance Checklist

Phase 1: Determine Applicability (Week 1)

☐ Calculate annual gross revenue (trailing 12 months)
☐ Estimate number of CA consumers/households processed (trailing 12 months)
   └── Include: website visitors, app users, customers, email subs, employees
☐ Calculate % of revenue from selling/sharing personal information
☐ Determine if you meet any threshold (revenue $26.6M+ OR 100K+ consumers OR 50%+ selling/sharing)
☐ Document decision (CCPA applies or doesn't apply)

Phase 2: Privacy Notice Update (Week 2-3)

☐ Review existing privacy policy
☐ Update or draft privacy policy to include:
   ☐ Categories of personal information collected (use specific categories)
   ☐ Specific purposes for each category (no general statements after Jan 1, 2026)
   ☐ Sources of personal information
   ☐ Categories of third parties you disclose to
   ☐ Retention periods for each category
   ☐ Whether you sell or share personal information
   ☐ Consumer rights (all 8 rights)
   ☐ How to exercise rights (email, form, phone)
   ☐ Non-discrimination policy
☐ Publish updated privacy policy on website
☐ Link privacy policy from footer (visible on every page)

Phase 3: "Do Not Sell or Share" Link (Week 3-4, if applicable)

☐ Determine if you sell or share personal information
   └── Check: Facebook Pixel, Google Ads retargeting, third-party ad networks, data partnerships
☐ If YES:
   ☐ Add "Do Not Sell or Share My Personal Information" link to footer
   ☐ Create opt-out page or cookie settings
   ☐ Implement mechanism to honor opt-outs (disable pixels, tracking)
   ☐ Implement Global Privacy Control (GPC) support
   ☐ Test opt-out functionality

Phase 4: Consumer Request Process (Week 4-5)

☐ Create consumer request intake method:
   ☐ Email: [email protected]
   ☐ Web form on privacy policy page
   ☐ Toll-free phone number (optional)
☐ Document process for handling requests:
   ☐ Right to know: Export data (JSON/CSV)
   ☐ Right to delete: Delete from all systems + notify service providers
   ☐ Right to correct: Update inaccurate data
   ☐ Right to opt-out: Disable selling/sharing
   ☐ Right to limit SPI: Limit use to permitted purposes
☐ Implement identity verification (email confirmation or account login)
☐ Set up tracking system (spreadsheet or compliance tool)
☐ Test request handling with dummy data

Phase 5: Service Provider Contracts (Week 5-6)

☐ List all service providers who receive personal information:
   ☐ AWS, Google Cloud (hosting)
   ☐ Stripe, PayPal (payments)
   ☐ Mailchimp, SendGrid (email)
   ☐ Google Analytics, Mixpanel (analytics)
   ☐ Zendesk, Intercom (customer support)
   ☐ Salesforce, HubSpot (CRM)
☐ Review contracts for CCPA-compliant provisions:
   ☐ Restrictions on selling, retaining, using, disclosing PI
   ☐ Requirement to delete/return PI at end of contract
   ☐ Audit rights
☐ Update contracts or obtain CCPA addendums
☐ Store signed contracts in compliance folder

Phase 6: Employee Training (Week 6)

☐ Create training materials (1-page doc or slide deck):
   ☐ What is CCPA/CPRA?
   ☐ Consumer rights overview
   ☐ How to handle consumer requests
   ☐ How to verify identity
   ☐ Timelines (45 days to respond)
   ☐ Who to escalate to (privacy lead)
☐ Train customer support team
☐ Train sales/marketing team (on opt-out rights)
☐ Train engineering team (on data deletion)
☐ Document training completion (sign-off)

Phase 7: Ongoing Compliance (Continuous)

☐ Monitor for changes in data practices:
   ☐ New data collected? Update privacy policy
   ☐ New service providers? Update contracts
   ☐ Selling/sharing personal information? Add "Do Not Sell" link
☐ Respond to consumer requests:
   ☐ Within 10 business days: Acknowledge receipt
   ☐ Within 45 days: Provide full response (extend to 90 if complex)
☐ Review privacy policy annually
☐ Track compliance with consumer requests (log all requests)
☐ Monitor CPPA enforcement actions and guidance updates

Phase 8: 2026 Compliance Prep (If applicable)

☐ Update privacy notices for granular purposes (by Jan 1, 2026)
☐ Review ADMT use (if using automated decision-making for significant decisions):
   ☐ Update privacy policy with ADMT disclosures and add a pre-use notice
   ☐ Implement consumer rights for ADMT (access, correct, opt-out, human appeal)
   ☐ Provide explanations of ADMT decisions
   ☐ Deadline: Jan 1, 2027 for ADMT already in use
☐ Risk assessment (if you sell/share PI, process sensitive PI, or use ADMT):
   ☐ Complete for existing activities by Dec 31, 2027; first submission to the CPPA by April 1, 2028
☐ If revenue is at the CCPA threshold ($26.6M+) and you process PI of 250K+ consumers (or sensitive PI of 50K+):
   ☐ Prepare for annual cybersecurity audits (first audit due April 1, 2028, 2029 or 2030 depending on revenue)

Common Mistakes

1. "We're not in California, CCPA doesn't apply"

❌ Myth: "We're a Delaware corp based in NY, CCPA doesn't apply"

Reality:
├── CCPA applies based on where your consumers are (not where the company is)
├── A business that does business in California and meets any one threshold is covered, wherever it is incorporated or headquartered
└── Even if you don't actively target CA, processing PI of 100K+ CA consumers/households triggers CCPA

Example:
├── NY-based e-commerce with 20% CA customers and $26.6M+ revenue → CCPA applies
├── UK SaaS with 150K users, 70% in CA (105K) → CCPA applies (above 100K)
└── Austin startup with 95K users (60% CA = 57K) → CCPA doesn't apply (below 100K, assuming neither the revenue nor the 50% selling/sharing threshold is met)

2. Not counting website visitors in "100K consumers" threshold

❌ Mistake: "We only have 10K customers, CCPA doesn't apply"

Reality:
├── "Consumers" includes website visitors and app users (not just paying customers)
├── If your site runs analytics or ad pixels, you're collecting visitors' PI (IP address, device and cookie identifiers)
└── A site with 10K unique CA visitors/month can pass 120K/year, but the threshold counts unique consumers or households, so a repeat visitor counts once

Correct calculation (deduplicated; if you can't deduplicate across months, count conservatively as below):
├── Unique CA website visitors: 8K/month × 12 = 96K (treating each month's uniques as different people)
├── CA customers not already counted as visitors: 3K
├── CA email subscribers not already counted: 2K
├── CA employees: 50
└── Total: 101,050 ✓ (exceeds 100K threshold)

3. Confusing "selling" with "service providers"

❌ Mistake: "We don't sell data to anyone, we're exempt from 'Do Not Sell'"

Reality:
├── "Selling" covers disclosing PI for money or other valuable consideration, not just cash sales of lists
├── "Sharing" means disclosing PI for cross-context behavioral advertising, whether or not money changes hands
└── If you use Facebook Pixel for retargeting, you're "sharing" data

Service providers (NOT selling/sharing, provided the contract contains the CCPA service-provider restrictions):
├── AWS (hosting) → Service provider ✓
├── Stripe (payments) → Service provider ✓
└── Mailchimp (email to your own customers) → Service provider ✓

Selling/sharing:
├── Facebook Pixel (retargeting) → Sharing ✗
├── Google Ads (behavioral targeting) → Sharing ✗
└── Data broker partnerships → Selling ✗

**If you use pixels/retargeting, you must provide a "Do Not Sell or Share" link.**

4. Missing "Do Not Sell or Share" link

❌ Mistake: Using Facebook Pixel but no "Do Not Sell" link on homepage

Reality:
├── If you sell or share, the opt-out link is mandatory
├── Must be in footer of homepage (and all pages)
├── Text: "Do Not Sell or Share My Personal Information"; the regulations also allow a single "Your Privacy Choices" link with the opt-out icon
└── Failure to provide the link = violation (up to $7,988 per intentional violation, counted per consumer)

Correct implementation:
├── Add link to footer (next to Privacy Policy link)
├── Link to opt-out page or cookie settings; do not require an account or identity verification to opt out
├── Honor opt-outs within 15 business days
└── Treat Global Privacy Control (GPC) as a valid opt-out request
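The Phase 3 checklist earlier and this mistake come down to two mechanisms: an opt-out the consumer records through your link, and the browser-sent Global Privacy Control signal. Below is an added example in Node.js, not code from the original page nor from any vendor tool it names, showing a server deciding which tags to render after checking both, plus the matching browser-side check and the `/.well-known/gpc.json` declaration. The `Sec-GPC: 1` header, `navigator.globalPrivacyControl` and `gpc.json` come from the GPC specification; the cookie name `ccpa_optout`, the `TAGS` inventory and the one-year cookie lifetime are assumptions made for the example.

```javascript
'use strict';

// Added example: honouring "Do Not Sell or Share" opt-outs and the Global Privacy
// Control (GPC) signal before rendering third-party tags. Names marked "assumed"
// are illustrative choices, not requirements of the regulation.

// Tag inventory (assumed). Only tags that sell or share PI must be suppressed;
// a service-provider tag under a CCPA-compliant contract may still load.
const TAGS = [
  { name: 'facebook-pixel',         sellsOrShares: true  }, // retargeting = "sharing"
  { name: 'google-ads-remarketing', sellsOrShares: true  },
  { name: 'first-party-analytics',  sellsOrShares: false }, // service provider
];

const OPT_OUT_COOKIE = 'ccpa_optout'; // assumed cookie name

// Lower-case header names so lookups work both for Node's req.headers and for
// objects built by hand.
function lowerHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; } // malformed %-escapes stay as-is
}

// Minimal Cookie-header parser (also works on document.cookie in a browser).
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of String(header).split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    if (name) out[name] = safeDecode(part.slice(eq + 1).trim());
  }
  return out;
}

// GPC spec: a participating browser sends "Sec-GPC: 1". Only that exact value is
// an opt-out signal; "0", absence or junk is not.
function hasGpcSignal(headers) {
  const v = lowerHeaders(headers)['sec-gpc'];
  return v !== undefined && String(v).trim() === '1';
}

// Opted out if either the consumer clicked the link (cookie) or the browser
// sent GPC. Neither needs identity verification; opt-outs are honoured as-is.
function isOptedOut(headers) {
  const h = lowerHeaders(headers);
  return hasGpcSignal(h) || parseCookies(h['cookie'])[OPT_OUT_COOKIE] === '1';
}

// Decide which tags the page may render for this request.
function tagsToRender(headers) {
  const optedOut = isOptedOut(headers);
  return TAGS.filter(t => !(optedOut && t.sellsOrShares)).map(t => t.name);
}

// Response headers for any HTML page whose tag set depends on the signal:
// without Vary, a CDN could cache a pixel-bearing page and serve it to an
// opted-out visitor.
function pageResponseHeaders() {
  return { 'Vary': 'Sec-GPC, Cookie', 'Cache-Control': 'private' };
}

// Response for the "Do Not Sell or Share" opt-out endpoint: persist the choice
// (assumed one-year lifetime) in a Secure cookie.
function optOutResponseHeaders() {
  return {
    'Set-Cookie': `${OPT_OUT_COOKIE}=1; Max-Age=31536000; Path=/; Secure; SameSite=Lax`,
    'Cache-Control': 'no-store',
  };
}

// Body for /.well-known/gpc.json, the GPC spec's way of declaring that the site
// honours the signal. lastUpdate is an ISO date string.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Browser-side equivalent, run before injecting tag scripts. `nav` is
// window.navigator and `cookieString` is document.cookie.
function clientOptedOut(nav, cookieString) {
  return nav.globalPrivacyControl === true ||
    parseCookies(cookieString)[OPT_OUT_COOKIE] === '1';
}

// Demo on constructed requests (not captured traffic).
function demo() {
  return {
    gpc: tagsToRender({ 'Sec-GPC': '1' }),                   // first-party only
    cookie: tagsToRender({ cookie: 'sid=abc; ccpa_optout=1' }), // first-party only
    none: tagsToRender({}),                                    // all three tags
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Suppressing the tag is the simplest way to honour the opt-out; Meta and Google also offer per-request restricted-processing flags (Limited Data Use, restricted data processing) that can be set instead of dropping the tag entirely. The `Vary` header matters whenever a CDN or reverse proxy caches HTML in front of the application.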

5. Ignoring employee data

❌ Mistake: "We're B2B, CCPA doesn't apply to our business data"

Reality:
├── CCPA covers employee/contractor data (as of Jan 1, 2023)
├── The B2B and employee exemptions expired (they were temporary exemptions until Jan 1, 2023)
└── Employees, contractors, job applicants and B2B contacts are "consumers" under CCPA

What this means:
├── CA employees can request access to HR data
├── CA employees can request deletion (with exceptions)
├── Must include employees in "100K consumers" threshold calculation
└── Privacy policy (or a separate employee notice) must cover employee data

6. Not verifying consumer identity

❌ Mistake: Responding to deletion request without verifying identity

Reality:
├── Must verify the consumer's identity before acting on know, delete and correct requests (opt-out requests are honored without verification)
├── Failure to verify = security risk (anyone could request disclosure or deletion of another person's data)
└── Verification methods, scaled to the harm a wrong decision would cause:
   ├── Email confirmation to the address on file (for low-risk requests)
   ├── Account login, or matching several data points you already hold (for medium-risk requests, e.g. deletion)
   ├── Matching three or more data points plus a signed declaration (for disclosure of specific pieces of PI)
   └── If you cannot verify, tell the consumer why and deny the request rather than guess

Example attack scenario:
├── Attacker emails: "Delete account for [email protected]"
├── Business deletes without verifying
├── Legitimate customer's account is deleted (service disruption)
└── Business liable for damages

7. Failing to respond within 45 days

❌ Mistake: Taking 60 days to respond to consumer request

Reality:
├── Must respond within 45 days of receipt
├── Can extend by another 45 days (90 total) if reasonably necessary (must notify consumer within the first 45 days)
└── Failure to respond on time = violation

Best practices:
├── Acknowledge request within 10 business days: "We received your request, will respond by [date]"
├── Set internal deadline of 40 days (buffer for delays)
├── Use compliance tool to track requests and deadlines
└── Automate reminders for approaching deadlines

CCPA vs GDPR

If you're subject to both CCPA/CPRA and GDPR, here are the key differences:

| Feature | CCPA/CPRA | GDPR |
|---|---|---|
| Geography | California, USA | European Union (27 countries) + EEA |
| Threshold | $26.6M+ revenue OR 100K+ CA consumers OR 50%+ selling/sharing | No size threshold: any processing of personal data by an organization established in the EU/EEA, or that offers goods/services to or monitors people there |
| Penalties | Up to $7,988 per intentional violation | Up to €20M or 4% of global annual turnover, whichever is higher |
| Consent | Not required for most processing (opt-out model) | Opt-in consent where consent is the legal basis relied on (e.g. marketing cookies); other bases exist |
| Legal basis | Not required (opt-out model) | Required (one of six lawful bases, Art. 6) |
| Right to delete | Yes (with exceptions) | Yes ("right to erasure") |
| Right to access | Yes | Yes |
| Right to correct | Yes (CPRA added this) | Yes |
| Right to portability | Yes | Yes |
| Right to opt-out | Yes (selling/sharing) | Yes (direct marketing, certain profiling) |
| Sensitive data | Enhanced protections (SPI) | Special category data (strict rules) |
| Data breach notification | Not in CCPA itself (California's separate breach law requires notice); private right of action for breaches of unencrypted data | Mandatory notification to the supervisory authority within 72 hours; to individuals without undue delay if high risk |
| Enforcement | CPPA + AG + private actions | Supervisory authorities (DPAs) |
| DPO requirement | No | Yes (public bodies, large-scale monitoring, or large-scale special category processing) |
| DPA requirement | Service provider contracts | Data processing agreements (Art. 28) |

Compliance Strategy for Both

If subject to both CCPA and GDPR:

Highest common denominator approach:
├── Use GDPR as baseline (stricter law)
├── Add CCPA-specific requirements:
   ├── "Do Not Sell or Share" link (CCPA only)
   ├── Right to limit SPI use (CPRA only)
   └── Financial incentive disclosures (CCPA only)
└── Result: Compliant with both laws

Example: Consent for marketing emails
├── GDPR: Requires opt-in consent
├── CCPA: Doesn't require opt-in (but requires a "Do Not Sell or Share" link if the list is shared for advertising)
└── Solution: Use opt-in consent (satisfies both)

Example: Data deletion
├── GDPR: Must delete when no longer necessary for the purpose, and on a valid erasure request
├── CCPA: Must delete upon request (with exceptions)
└── Solution: Implement deletion upon request + automatic deletion when no longer needed (satisfies both)

FAQ

Does CCPA apply to my startup if I'm not based in California?

Yes, if you meet the thresholds and do business in California.

CCPA applies based on:

  • ✓ Where your customers are located (not where your company is based)
  • ✓ Whether you meet revenue ($26.6M+) OR data volume (100K+ CA consumers) thresholds

Examples:

  • NY-based e-commerce with CA customers and $26.6M+ revenue → CCPA applies
  • UK SaaS with 150K users, 70% in CA (105K) → CCPA applies
  • Texas startup with 5K users (all Texas) → CCPA doesn't apply

What are the revenue and data volume thresholds for CCPA?

CCPA applies if you meet ANY ONE threshold:

  1. Revenue: $26,625,000+ annual gross revenue (2025, inflation-adjusted)
  2. Data volume: Process PI of 100,000+ California consumers or households per year
  3. Selling/sharing: Derive 50%+ of annual revenue from selling/sharing PI

Most early-stage startups hit the data volume threshold first: 100K unique CA consumers a year works out to about 8,333 distinct CA visitors a month, if each month's visitors are different people (a repeat visitor counts once).

What's the difference between CCPA and CPRA?

CPRA (California Privacy Rights Act) was passed by ballot initiative in November 2020 and amended CCPA, with most of its provisions taking effect January 1, 2023.

Key changes:

  • Increased threshold from 50K to 100K consumers
  • Added right to correct inaccurate information
  • Added right to limit use of sensitive personal information
  • Created new enforcement agency (CPPA)
  • Enhanced automated decision-making rules
  • Authorized regulations requiring cybersecurity audits (larger companies) and risk assessments (high-risk processing)

Today, "CCPA" usually refers to "CCPA as amended by CPRA."

What are the penalties for CCPA non-compliance?

Civil penalties:

  • Unintentional violations: Up to $2,663 per violation (2025)
  • Intentional violations: Up to $7,988 per violation (2025)
  • "Per violation" = per consumer affected (can add up quickly)

Private right of action (data breaches only):

  • Statutory damages: $100-$750 per consumer per incident (inflation-adjusted to $107-$799 for 2025), or actual damages if greater
  • Only applies to breaches of nonencrypted and nonredacted personal information of specific types (SSN, driver's license or other government ID numbers, financial account numbers with access codes, medical and health insurance information, biometric data, and account credentials such as email plus password) caused by a failure to maintain reasonable security
  • Practical consequence: encrypting those fields at rest, with keys that are not exposed in the same breach, takes the breach out of the private right of action's scope

Example: 1,000 consumers affected by an intentional violation = up to $7,988,000 in civil penalties

Do I need a "Do Not Sell My Personal Information" link?

Yes, if you sell or share personal information.

"Selling" includes:

  • Selling email lists, customer data
  • Data broker partnerships
  • Disclosing PI for monetary or other valuable consideration

"Sharing" includes:

  • Facebook Pixel (retargeting)
  • Google Ads (behavioral targeting)
  • Third-party ad networks
  • Cross-site behavioral tracking

If you use pixels or retargeting, you likely need the "Do Not Sell" link.

Link requirements:

  • Text: "Do Not Sell or Share My Personal Information" (the regulations also allow a "Your Privacy Choices" link with the opt-out icon)
  • Location: Homepage footer (visible on every page)
  • Action: Disable selling/sharing mechanisms within 15 business days, without requiring an account or identity verification
  • Also honor opt-out preference signals such as Global Privacy Control as a valid request

What's the difference between a service provider and a third party?

Service Provider:

  • Processes PI on your behalf per written contract
  • Examples: AWS (hosting), Stripe (payments), Mailchimp (email)
  • Not considered "selling" when you share data with service providers

Third Party:

  • Receives PI but not as service provider
  • Examples: Marketing partners, ad networks, affiliates
  • May be "selling" or "sharing" when you disclose data to third parties

Key difference: Service providers are contractually restricted from using your data for their own purposes. Third parties can use data more broadly.

How do I respond to consumer requests?

Timeline:

  • Acknowledge request: Within 10 business days
  • Provide full response: Within 45 days (extendable to 90 days if complex)

Verification:

  • Must verify consumer's identity before responding
  • Methods: Email confirmation, account login, ID verification

Right to Know:

  • Provide copy of PI (JSON, CSV, or user-friendly format)
  • Include categories, sources, purposes, third parties

Right to Delete:

  • Delete from all active systems (production, logs); data on backups and archives may be deleted when that backup is next restored or accessed, so record the pending deletion
  • Notify service providers and contractors to delete, and any third parties you sold or shared the data with
  • Document exceptions if you can't delete (legal obligation, fraud prevention, security incident detection, etc.)

Right to Correct:

  • Update inaccurate information
  • Notify service providers of correction

What are the 2025 new requirements?

The regulations the CPPA finalized in July 2025 take effect January 1, 2026:

  • Granular privacy notice requirements (must specify exact purposes for each category): all businesses, from Jan 1, 2026
  • Enhanced automated decision-making disclosures and consumer rights: all businesses using ADMT for significant decisions, compliance required by Jan 1, 2027
  • Risk assessments for high-risk processing (selling/sharing, sensitive PI, ADMT): no revenue tier; complete by Dec 31, 2027 for existing activities, first submission to the CPPA by April 1, 2028

Phased by revenue (larger companies only):

  • Cybersecurity audits: businesses at the CCPA revenue threshold ($26.6M+) that also process PI of 250K+ consumers (or sensitive PI of 50K+), or that derive 50%+ of revenue from selling/sharing; first audit due April 1, 2028 ($100M+), 2029 ($50M-$100M) or 2030 (<$50M)

Most startups need the granular privacy notice by Jan 1, 2026, plus ADMT rights and a risk assessment if they use ADMT, run ad pixels or process sensitive PI.

Is CCPA the same as GDPR?

No, but they have similarities.

Key differences:

  • CCPA = opt-out model (can process until consumer opts out)
  • GDPR = legal-basis model (need a lawful basis before processing; consent is one of six)
  • CCPA penalties lower ($7,988 per violation vs GDPR's €20M or 4% of global turnover, whichever is higher)
  • CCPA applies only to California; GDPR applies across the EU/EEA

If subject to both: Use GDPR as baseline (stricter), add CCPA-specific requirements ("Do Not Sell or Share" link, right to limit SPI use, financial incentive disclosures).


Key Resources

"Do Not Sell" Implementation Tools

  • Cookiebot – Cookie consent + "Do Not Sell" link ($10+/mo)
  • OneTrust – Enterprise privacy management ($$$$)
  • Osano – Privacy compliance platform ($50+/mo)


Get Expert CCPA/CPRA Compliance Help

Confused about CCPA/CPRA requirements for your startup? We can help.

At Promise Legal, we help startups implement CCPA/CPRA compliance efficiently—from determining applicability to ongoing compliance.

How We Help Startups

  • ☑ CCPA/CPRA applicability assessment (do the thresholds apply to you?)
  • ☑ Privacy policy drafting and updates
  • ☑ "Do Not Sell or Share" link implementation
  • ☑ Consumer request processes (access, delete, correct, opt-out)
  • ☑ Service provider contract review and updates
  • ☑ Automated decision-making compliance (2026 requirements)
  • ☑ Ongoing compliance support (policy updates, training, request handling)

Schedule a Consultation – Let's discuss your CCPA/CPRA compliance needs and create a practical implementation plan.

Questions? Email us: [email protected]


Last updated: January 2025

This guide provides educational information about CCPA/CPRA compliance and should not be construed as legal advice. CCPA/CPRA requirements vary by company and processing activities. Consult with a qualified attorney before making compliance decisions.
