The terms a California privacy team actually uses, defined in plain language by practitioners. For the full walkthrough, read the CCPA / CPRA compliance guide.
California Consumer Privacy Act (CCPA): The 2018 California law, effective 2020, that gives California consumers rights over their personal information and imposes obligations on covered businesses. It is the foundation of California state privacy law and is the statute the CPRA later amended.
California Privacy Rights Act (CPRA): The 2020 ballot measure (Proposition 24) that amended and expanded the CCPA, with most provisions operative from January 2023. It added the right to correct, the sensitive personal information category, the share concept, and the CPPA. It did not replace the CCPA.
Personal information: Information that identifies, relates to, describes, or could reasonably be linked with a particular consumer or household. Defined broadly to cover identifiers, internet and device activity, geolocation, and inferences drawn to build a profile.
Sensitive personal information: A defined subset of personal information that includes government ID numbers, financial account and login credentials, precise geolocation, race or ethnic origin, religion, union membership, the contents of private communications, genetic and biometric data, and data about health or sex life. Consumers can direct a business to limit its use.
Business: A for-profit entity that does business in California, determines the purposes and means of processing consumers' personal information, and meets at least one of three thresholds: over 25 million dollars in annual revenue, the data of 100,000 or more consumers or households, or 50 percent or more of revenue from selling or sharing personal information.
Consumer: A natural person who is a California resident. The CPRA extended coverage to include the employees and job applicants of covered businesses and business-to-business contacts, after the early exemptions for those groups sunset.
Service provider: A party that processes personal information on a business's behalf under a written contract that restricts use to a specified business purpose. A transfer to a properly contracted service provider is generally not a sale or a share.
Contractor: A party a business makes personal information available to for a business purpose, bound by the required contract terms and certifications. Functionally close to a service provider for compliance purposes, since the contract carries the same use restrictions.
Third party: A party that is neither the business nor a service provider or contractor bound by the required contract terms. Disclosing personal information to a third party for value is a sale, and disclosing it for cross-context behavioral advertising is a share.
Sell (sale): Disclosing a consumer's personal information to a third party for monetary or other valuable consideration. A disclosure can be a sale even when no money changes hands, if the business receives something of value in return.
Cross-context behavioral advertising: Targeting advertising to a consumer based on personal information gathered from their activity across businesses, websites, or services other than the one they are currently interacting with. This is the activity that defines a share.
Right to know: The consumer right to request the categories and specific pieces of personal information a business collected, along with the sources, the purposes for collecting it, and the categories of parties it was disclosed to.
Right to delete: The consumer right to request deletion of personal information a business collected from them, subject to statutory exceptions such as completing a transaction, security, or meeting a legal obligation.
Right to correct: The consumer right, added by the CPRA, to request correction of inaccurate personal information a business maintains about them.
Right to opt out of sale or sharing: The consumer right to direct a business to stop selling or sharing their personal information. It is exercised through the required link and through opt-out preference signals such as the Global Privacy Control.
Right to limit use of sensitive personal information: The consumer right, added by the CPRA, to direct a business to limit its use and disclosure of sensitive personal information to what is necessary to provide the requested service.
Notice at collection: The disclosure a business must give at or before the point it collects personal information. It states the categories collected, the purposes, whether the data is sold or shared, and how long each category is retained.
"Do Not Sell or Share My Personal Information" link: The clear and conspicuous link a business that sells or shares personal information must post so consumers can exercise the opt-out right without hunting for it.
Global Privacy Control (GPC): An opt-out preference signal a browser or extension sends on a consumer's behalf. A business subject to the opt-out must treat a valid GPC signal as a request to opt out of sale and sharing.
Verifiable consumer request: A consumer rights request the business can reasonably verify came from the consumer it concerns. Verification is required for requests to know, delete, and correct, but not for opt-out or limit requests, so that it does not become a barrier to opting out.
California Privacy Protection Agency (CPPA): The dedicated state agency created by the CPRA, with rulemaking, investigation, and administrative enforcement authority over California privacy law. It is the first standalone privacy regulator in the United States, and it enforces alongside the California Attorney General.
Cure period: The window to fix a violation before enforcement. The original CCPA gave businesses an automatic 30-day cure period, which the CPRA removed as an automatic entitlement.
Private right of action: The consumer's ability to sue directly for certain data breaches that result from a business's failure to maintain reasonable security. It is a distinct exposure from the regulators' general enforcement authority.
Compliance Command Center turns these concepts into a defensible CCPA and CPRA program, run by practitioners and carried by software.