Home/Compliance/CCPA / CPRA Compliance
CCPA + CPRA · California Privacy

California reach makes CCPA your problem.

Sell to Californians? Process California consumer data? CCPA + CPRA apply regardless of where your business is. 5 consumer rights, mandatory opt-out, data inventory, vendor agreements, and $7,500/intentional violation. Here's what to do.

Part of your File.Business BOS · 51 jurisdictions · 220K+ businesses
CALIFORNIA · CCPA + CPRA5 CONSUMER RIGHTSCONSUMERRIGHT TO KNOWwhat data collectedRIGHT TODELETEerase dataRIGHT TOCORRECTfix inaccuraciesOPT-OUT OF SALEno resale to 3rd partiesNON-DISCRIMINATIONno penalty for exercisingCCPA + CPRA · $7,500/INTENTIONAL VIOLATION
What CCPA requires

California privacy, concrete steps.

Eligibility thresholds

Apply if: $25M+ annual revenue, OR buy/sell/share 100K+ CA consumer records, OR 50%+ revenue from selling/sharing CA consumer data.

5 consumer rights

Know, Delete, Correct (CPRA), Opt-out of Sale/Share, Non-Discrimination. Plus opt-out of sensitive data + automated decision-making.

Privacy notice required

Public-facing privacy policy listing categories of data collected, purposes, retention, third-party sharing, consumer rights, methods to exercise rights.

Vendor agreements

Contracts with all vendors processing CA consumer data must include CCPA-required terms: limit use, allow audit, return/delete on termination.

Do Not Sell / Share link

Required prominent homepage link letting consumers opt-out of sale + sharing. Global Privacy Control (GPC) signal must be honored.

Fines + private right of action

Civil penalty $2,500/violation, $7,500/intentional violation. Plus private right of action for data breaches under specific circumstances.

How it works

A clean handoff, in 4 steps.

1

Determine applicability

Revenue threshold, consumer data volume, % revenue from CA data sales. If any apply → CCPA applies regardless of your HQ location.

2

Data inventory + mapping

Inventory all personal info collected, sources, purposes, retention, third-party recipients. Foundation for everything else.

3

Privacy notice + rights flow

Public privacy notice + consumer request portal + "Do Not Sell" link + GPC signal handling. Implement intake + 45-day response.

4

Vendor remediation + train staff

Update vendor contracts with CCPA terms. Train customer support to handle requests + escalate properly.

Two ways to engage

One-time, or part of your BOS.

CCPA self-serve
Free guide
Eligibility checker + template privacy notice + vendor contract addendum.
  • Threshold checker
  • Privacy notice template
  • Vendor contract addendum
  • Consumer request log template
  • Training guide
Read free guide
RECOMMENDED
Compliance program
$2,499
Counsel-reviewed CCPA/CPRA compliance program tailored to your business.
  • Privacy attorney review
  • Custom privacy notice
  • Vendor agreement updates
  • Consumer request workflow
  • Staff training session
  • 60 days post-launch support
Build my program
FAQ

Common questions.

What are the CCPA and CPRA?

The California Consumer Privacy Act and its amendment, the California Privacy Rights Act, give California residents rights over their personal information and impose obligations on covered businesses, such as disclosures, opt-outs, and honoring data requests. They are among the strictest US privacy laws. We keep your entity organized and flag whether they apply.

Does my business have to comply with the CCPA/CPRA?

It depends on thresholds: the law covers businesses meeting certain revenue, data-volume, or data-sale criteria that handle California residents' personal information, so not every business is covered. We flag whether your business likely meets the thresholds so you build compliance where it is actually required.

What rights do the CCPA/CPRA give consumers?

California residents get rights to know what personal information is collected, to delete it, to opt out of its sale or sharing, to correct it, and to limit use of sensitive information, so covered businesses must honor these. We flag the rights so your business is set up to respond to consumer requests.

What must a covered business do?

Covered businesses generally must provide privacy notices, offer opt-out mechanisms, honor consumer requests, and put appropriate contracts and safeguards in place, so compliance is operational, not just a policy. We flag the obligations so a covered business builds the processes the law requires.

Do I need a privacy policy?

Covered businesses generally must maintain a compliant privacy policy disclosing their data practices and consumer rights, so a proper policy is a core requirement. We flag what the policy must cover and coordinate with privacy counsel so your disclosures meet the CCPA/CPRA standards.

How does this relate to other privacy laws?

The CCPA/CPRA is California's regime, while other states have their own laws and the EU has the GDPR, so a business serving multiple regions may face several privacy frameworks. We flag which apply to you so your privacy compliance covers the jurisdictions where you actually operate.

What are the penalties for non-compliance?

The CCPA/CPRA carries potential penalties and, in some cases, consumer statutory damages for certain breaches, so non-compliance has real exposure. We flag the stakes so a covered business treats privacy compliance as a genuine obligation rather than an afterthought.

Does handling sensitive data add requirements?

Yes: the CPRA adds protections and limits around sensitive personal information, so businesses handling it face additional obligations. We flag whether you handle sensitive data so your compliance addresses the heightened requirements that apply to it. See privacy assessments.

Can File.Business help with privacy compliance?

We keep your entity organized, flag whether the CCPA/CPRA and other privacy laws apply to your business, and coordinate with privacy counsel on policies and processes, so your business addresses its privacy obligations rather than overlooking them. See GDPR and data processing agreements.

Start your business in the next 5 minutes.

No state-fee markup. Pay only the state fee. 60-day money-back guarantee.

No state-fee markup 60-day money-back Cancel anytime