California privacy, concrete steps.
Eligibility thresholds
Apply if: $25M+ annual revenue, OR buy/sell/share 100K+ CA consumer records, OR 50%+ revenue from selling/sharing CA consumer data.
5 consumer rights
Know, Delete, Correct (CPRA), Opt-out of Sale/Share, Non-Discrimination. Plus opt-out of sensitive data + automated decision-making.
Privacy notice required
Public-facing privacy policy listing categories of data collected, purposes, retention, third-party sharing, consumer rights, methods to exercise rights.
Vendor agreements
Contracts with all vendors processing CA consumer data must include CCPA-required terms: limit use, allow audit, return/delete on termination.
Do Not Sell / Share link
Required prominent homepage link letting consumers opt-out of sale + sharing. Global Privacy Control (GPC) signal must be honored.
Fines + private right of action
Civil penalty $2,500/violation, $7,500/intentional violation. Plus private right of action for data breaches under specific circumstances.
A clean handoff, in 4 steps.
Determine applicability
Revenue threshold, consumer data volume, % revenue from CA data sales. If any apply → CCPA applies regardless of your HQ location.
Data inventory + mapping
Inventory all personal info collected, sources, purposes, retention, third-party recipients. Foundation for everything else.
Privacy notice + rights flow
Public privacy notice + consumer request portal + "Do Not Sell" link + GPC signal handling. Implement intake + 45-day response.
Vendor remediation + train staff
Update vendor contracts with CCPA terms. Train customer support to handle requests + escalate properly.
One-time, or part of your BOS.
- Threshold checker
- Privacy notice template
- Vendor contract addendum
- Consumer request log template
- Training guide
- Privacy attorney review
- Custom privacy notice
- Vendor agreement updates
- Consumer request workflow
- Staff training session
- 60 days post-launch support
Common questions.
What are the CCPA and CPRA?
The California Consumer Privacy Act and its amendment, the California Privacy Rights Act, give California residents rights over their personal information and impose obligations on covered businesses, such as disclosures, opt-outs, and honoring data requests. They are among the strictest US privacy laws. We keep your entity organized and flag whether they apply.
Does my business have to comply with the CCPA/CPRA?
It depends on thresholds: the law covers businesses meeting certain revenue, data-volume, or data-sale criteria that handle California residents' personal information, so not every business is covered. We flag whether your business likely meets the thresholds so you build compliance where it is actually required.
What rights do the CCPA/CPRA give consumers?
California residents get rights to know what personal information is collected, to delete it, to opt out of its sale or sharing, to correct it, and to limit use of sensitive information, so covered businesses must honor these. We flag the rights so your business is set up to respond to consumer requests.
What must a covered business do?
Covered businesses generally must provide privacy notices, offer opt-out mechanisms, honor consumer requests, and put appropriate contracts and safeguards in place, so compliance is operational, not just a policy. We flag the obligations so a covered business builds the processes the law requires.
Do I need a privacy policy?
Covered businesses generally must maintain a compliant privacy policy disclosing their data practices and consumer rights, so a proper policy is a core requirement. We flag what the policy must cover and coordinate with privacy counsel so your disclosures meet the CCPA/CPRA standards.
How does this relate to other privacy laws?
The CCPA/CPRA is California's regime, while other states have their own laws and the EU has the GDPR, so a business serving multiple regions may face several privacy frameworks. We flag which apply to you so your privacy compliance covers the jurisdictions where you actually operate.
What are the penalties for non-compliance?
The CCPA/CPRA carries potential penalties and, in some cases, consumer statutory damages for certain breaches, so non-compliance has real exposure. We flag the stakes so a covered business treats privacy compliance as a genuine obligation rather than an afterthought.
Does handling sensitive data add requirements?
Yes: the CPRA adds protections and limits around sensitive personal information, so businesses handling it face additional obligations. We flag whether you handle sensitive data so your compliance addresses the heightened requirements that apply to it. See privacy assessments.
Can File.Business help with privacy compliance?
We keep your entity organized, flag whether the CCPA/CPRA and other privacy laws apply to your business, and coordinate with privacy counsel on policies and processes, so your business addresses its privacy obligations rather than overlooking them. See GDPR and data processing agreements.