"Trusted by COOs at 200+ attorney firms and Series B SaaS teams."
CCPA and CPRA apply to any business that collects California consumer data — regardless of physical presence. If you have California customers, employees, or website visitors, documented training is the fastest way to prove your compliance programme exists and is operating. We built the playbook that shows your legal team exactly what's required, and your operations team exactly what to document.
$7,500 per intentional violation (CPRA §1798.155(a)) — violations where the business knew or should have known their conduct violated consumer rights.
$2,500 per unintentional violation (CPRA §1798.155(a)) — the floor for violations without intent. No cure window since January 1, 2023 — the 30-day safe harbor was removed by CPRA.
Private right of action under §1798.150: consumers can sue directly for $100–$750 per consumer per incident when a data breach involves unencrypted or unredacted personal information that was not protected by reasonable security measures. Class action exposure is existential for businesses at scale.
The CPPA (California Privacy Protection Agency) opened its first enforcement actions in 2024. The California AG has brought cases against Sephora ($1.2M settlement, 2023) and DoorDash ($375K settlement, 2023), demonstrating that a first settlement does not prevent further enforcement. Train your team before you get a request letter.
These are the sections California regulators and plaintiff's attorneys examine first during enforcement or litigation discovery.
| Section | Topic | Key Obligation |
|---|---|---|
| §1798.100 | Right to Know | Consumers can request disclosure of collected data categories and sources. Businesses must respond within 45 days, verify identity to a reasonable degree of certainty, and provide categories or specific pieces of PI collected in the prior 12 months. |
| §1798.105 | Right to Delete | Consumers can request deletion of personal information. Verify identity before acting; cascade deletion to service providers; notify third parties who received the data. 45-day window, 15-day extension with written notice. |
| §1798.120 | Opt-Out of Sale/Share | "Do Not Sell or Share My Personal Information" link must appear on homepage and every interactive page. Must honour Global Privacy Control signals. Opt-out confirmation required within 15 days. Dark patterns in opt-out mechanisms are CPPA enforcement targets. |
| §1798.130 | Verifiable Consumer Request Workflow | Three-step process: receive request and log it, verify identity to a reasonable degree of certainty, respond within 45 days (+ 15-day extension with written notice of reasons for delay). Do not require account creation to process requests. |
| §1798.140 | Definitions — Service Provider vs Third Party | Service providers: a written contract must limit processing to the business's instructions. Third parties: separate CCPA obligations apply. Misclassifying a third party as a service provider, or vice versa, creates a compliance gap and exposes the business to liability for the vendor's violations. |
| §1798.150 | Private Right of Action — Breach Threshold | Consumer right of action when a breach involves unencrypted/unredacted personal information and a failure to maintain reasonable security. $100–$750 per consumer per incident or actual damages, whichever is greater. Class action risk scales with consumer count. "Reasonable security" is defined by the CPPA's regulations and enforcement history. |
Businesses that sell or share data with data brokers are in the highest-risk category: a single "opt-out of sale" request that is not honoured is a direct CPRA §1798.135 violation, carrying the $7,500 fine if intentional. Your data broker agreements must be reviewed and your opt-out signals must propagate downstream to every recipient.
§1798.100 requests are being weaponised by plaintiff's attorneys building discovery records for downstream litigation. Each request must be logged, tracked, and closed with identity verification on file. A verified request not fulfilled within 45 days creates per-violation exposure — document every step.
§1798.140 defines service providers contractually. If vendors are processing California PI without proper service provider agreements in place, your business is liable for their violations. This includes your CRM, email platform, analytics suite, and any AI tool that touches consumer data. Update every contract.
CPRA amended CCPA to include employees and job applicants in the "personal information" definition. HR systems, payroll platforms, benefits administrators, and background check vendors are all in scope. Consumer rights requests can come from your own employees — your HR and legal teams need documented procedures.
The CPPA has issued enforcement advisories against dark patterns in opt-out mechanisms. The "Do Not Sell or Share My Personal Information" button cannot require account login, be visually obscured, or require navigation through multiple pages. Global Privacy Control signals must be honoured. Review your opt-out page against the CPPA's technical specifications.
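Honouring a Global Privacy Control signal on the server side, as an added example that is not code from this page or from the training vendor. It assumes request headers arrive as a plain dict (as in a WSGI or ASGI framework) and uses an in-memory registry and audit list as stand-ins for whatever consent store and log the business actually runs; the consumer identifiers and requests are constructed sample data. The GPC specification sends the signal as an HTTP request header `Sec-GPC` whose value is exactly `1`, so the check normalises the header name but accepts no other value.

```python
"""Treat a Global Privacy Control (GPC) signal as a valid opt-out of sale/share.

Added illustration, not code from the page or its vendor. Assumes request
headers are available as a dict and that honoured signals are written to an
append-only audit log (a list here, standing in for the real store).
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Per the GPC specification the header is "Sec-GPC" with the value "1".
GPC_HEADER = "sec-gpc"


def gpc_opt_out_requested(headers: dict) -> bool:
    """Return True only for a well-formed Sec-GPC: 1 header.

    Header names are case-insensitive, so the lookup normalises them. The
    value must be exactly "1"; "true", "yes" or "0" are not a signal.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass
class OptOutRegistry:
    """Opt-out-of-sale/share preferences keyed by a consumer identifier."""
    opted_out: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def apply_request(self, consumer_id: str, headers: dict, path: str) -> dict:
        """Decide whether PI from this request may be sold or shared.

        A valid GPC signal is recorded as an opt-out with a UTC timestamp so
        the decision can be evidenced later. Once recorded, the preference
        persists even if a later request from the same consumer omits the header.
        """
        signal = gpc_opt_out_requested(headers)
        if signal and consumer_id not in self.opted_out:
            self.opted_out.add(consumer_id)
            self.audit_log.append({
                "consumer_id": consumer_id,
                "event": "gpc_opt_out_honoured",
                "path": path,
                "at": datetime.now(timezone.utc).isoformat(),
            })
        return {
            "consumer_id": consumer_id,
            "gpc_signal": signal,
            "allow_sale_or_share": consumer_id not in self.opted_out,
        }


# Constructed sample requests (not real traffic): (consumer id, headers, path).
SAMPLE_REQUESTS = [
    ("c-1001", {"User-Agent": "Example/1.0", "Sec-GPC": "1"}, "/"),
    ("c-1002", {"User-Agent": "Example/1.0"}, "/products"),
    ("c-1003", {"sec-gpc": "true"}, "/"),                    # malformed value, not a signal
    ("c-1001", {"User-Agent": "Example/1.0"}, "/checkout"),  # header absent, still opted out
]


def process_samples(registry: Optional[OptOutRegistry] = None) -> list:
    """Run the sample requests through one registry and return each decision."""
    registry = registry or OptOutRegistry()
    return [registry.apply_request(cid, hdrs, path) for cid, hdrs, path in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for decision in process_samples():
        print(decision)
```

The registry keys on a consumer identifier rather than on the header alone because the obligation attaches to the consumer, not to a single HTTP request: a later request without the header must not silently re-enable sale or sharing. The audit entry is what a reviewer would ask for when checking that signals were honoured.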
Businesses with 100+ California consumers must notify the California AG within 72 hours of a qualifying data breach — the same clock as GDPR Article 33, but with different breach thresholds and no grace period extension. Your incident response plan must be operational before a breach occurs, not assembled after. Documented training is the evidence that your team knows what to do.
Verification workflow · 45-day clock management · Exemption decision tree · Vendor cascade checklist
Used by legal counsel, privacy teams, and operations managers at California-facing businesses preparing for CPPA enforcement actions or internal CCPA audits. Includes the printable playbook with all workflow checklists.
No spam. Unsubscribe any time. Playbook delivered as PDF via Postmark within seconds.
Our Business session ($900) delivers CCPA/CPRA awareness training for all personnel in a single 2-hour live webinar. Individual attendance records with timestamps — the documented evidence your legal team and CPPA reviewer expect to see. We provide an evidence packet including the session summary, curriculum outline, and attendance log.
Personal — $150 → Executive — $390 → Business — $900 flat

Every CCPA training engagement includes these artefacts for your compliance documentation:
Employee name, timestamp, session ID — evidence for your CPPA audit file.
Date, duration, topics covered, instructor name — §1798.130 consumer request workflow documentation.
CCPA consumer rights, opt-out procedures, data broker obligations, and §1798.150 breach response — satisfies the "reasonable security measures" documentation standard.
Versioned curriculum with date, suitable for California AG review or CPPA enforcement action response.
Yes — CCPA applies to any for-profit business that collects California residents' personal information and meets one of three thresholds: annual gross revenue exceeding $25 million; buys, sells, or shares personal information of 100,000+ California consumers annually; or derives 50% or more of annual revenue from selling or sharing California consumers' personal information. Physical presence in California is not required. If you have California customers, employees, or website visitors, CCPA likely applies.
CPRA expanded CCPA to cover "sharing" in addition to "sale." A "sale" means releasing personal information for monetary or other valuable consideration. "Sharing" means sharing personal information for cross-context behavioral advertising — even if no money changes hands. This means that targeted advertising using third-party cookies, pixel tags, or data broker arrangements can constitute "sharing" requiring opt-out treatment, regardless of whether revenue is received.
A verifiable consumer request is any request submitted by a California consumer (or an authorised agent on their behalf) that enables the business to reasonably verify the requestor's identity. Verification must be done to a "reasonable degree of certainty" — for sensitive data categories, this may require account authentication or government-issued ID. The three-step process: receive the request and log it, verify the identity, and respond within 45 days (extendable by 15 days with written notice). Failure to log requests or verify identity before acting creates exposure.
CPRA eliminated the 30-day cure window for unintentional violations effective January 1, 2023. Before CPRA, businesses had 30 days to cure a violation after receiving notice from the California AG. That safe harbor is gone. Unintentional violations now carry a floor of $2,500 per violation. Intentional violations carry $7,500 per violation. Every staff member handling consumer data needs documented training — the fine calculus makes it the cheapest risk mitigation available.
CCPA operates alongside Virginia's VCDPA, Colorado's CPA, and other state privacy laws. The key differences: CCPA applies at the 25M/100K/50% thresholds while VCDPA (Virginia) and CPA (Colorado) apply at 100K consumers or 25% revenue from data sales. GDPR covers EU residents regardless of revenue thresholds and has far more stringent obligations. Businesses operating in multiple jurisdictions need to maintain the highest standard across all applicable frameworks — generally GDPR — and build operational processes flexible enough to handle the specific requirements of each.
Yes — §1798.140(w) defines a service provider as a person that processes personal information on behalf of a business pursuant to a written contract. That contract must prohibit the service provider from retaining, using, or disclosing personal information outside the business relationship. If a vendor is processing California PI without a signed service provider agreement, the business is liable for any violations those vendors commit. This applies to your CRM, marketing automation, analytics platforms, cloud infrastructure, and any other vendor touching consumer data. Review your existing contracts and update or execute new ones for every vendor in scope.
No-form call. 30 minutes. We map your current consumer data practices to section gaps, identify your service provider contract obligations, and give you a structured remediation sequence — free.