Definition
The California Consumer Privacy Act (CCPA), effective January 1, 2020, and its successor the California Privacy Rights Act (CPRA), effective January 1, 2023, represent the most technically demanding consumer privacy framework in the United States. Together, they impose specific obligations on how organizations collect, store, process, share, and delete personal information belonging to California residents, and they create a private right of action for data breaches that is absent from most other U.S. privacy laws.
For cybersecurity teams, CCPA/CPRA is not a legal checkbox handled exclusively by counsel. It is an engineering and operational challenge. Honoring consumer rights at scale requires data inventories, automated workflows, access controls, encryption standards, and continuous monitoring. Organizations that treat it as purely a policy document will fail both the law and their customers.
CCPA/CPRA sits at the intersection of two PDM domains. Risk Governance and Assurance (RGA) governs the compliance posture, the policy framework, and the audit trail. Data Protection and Sovereignty (DPS) governs the technical controls: where personal information lives, who can reach it, how it is protected at rest and in transit, and how it is purged on demand. Both domains must operate simultaneously for compliance to be real rather than theatrical.
The law applies to personal information of California residents regardless of where the business is headquartered. A company based in North Carolina with customers in California is in scope. Personal information is defined broadly: it includes name, email, IP address, device identifiers, browsing history, purchase history, biometric data, geolocation data, inferences drawn from any of this data, and sensitive personal information (Social Security numbers, financial account credentials, precise geolocation, health data, sexual orientation, race, religion, and union membership, among others).
---
How It Works
Scope: Who Must Comply
CCPA/CPRA applies to for-profit businesses that collect personal information of California residents and meet at least one of three thresholds:
- Annual gross revenue exceeding $25 million
- Annual purchase, sale, receipt, or sharing of personal information of 100,000 or more consumers or households
- Fifty percent or more of annual revenue derived from selling or sharing personal information of consumers
The 100,000 consumer threshold is the one most organizations underestimate. A SaaS company with a modest revenue figure can easily process personal information for 100,000 users through analytics alone. Every IP address captured in a web log is personal information. Every cookie that links to an identifiable user counts.
Consumer Rights Requiring Technical Implementation
Right to Know. Consumers may request disclosure of the categories and specific pieces of personal information collected about them, the sources from which it was collected, the purposes for collection, and the categories of third parties with whom it has been shared. Honoring this right requires a functioning data map. Without a complete inventory of where personal information flows across systems, databases, data lakes, third-party integrations, and backup archives, the organization cannot produce an accurate disclosure. The data map is not optional infrastructure; it is the prerequisite for every other right.
Right to Delete. Consumers may request deletion of personal information held by the business. The obligation extends beyond first-party systems: the business must direct service providers and contractors to delete the information as well. This means deletion must propagate through the entire data supply chain. Operationally, this requires automated deletion workflows that can accept a deletion request, identify all records associated with an individual across every system of record, queue deletion across each system, notify downstream service providers via API or contractual mechanism, and confirm completion with an audit log entry. Batch processing personal information in monolithic databases is not compatible with this requirement at scale.
Right to Opt-Out of Sale and Sharing. Businesses that sell or share personal information must provide a "Do Not Sell or Share My Personal Information" link, must recognize the Global Privacy Control (GPC) browser signal as a valid opt-out, and must halt the relevant data flows within 15 business days of receiving a request. The GPC requirement is an engineering requirement, not just a policy one: the web application must detect the GPC header and suppress any tracking or sharing activity accordingly.
Right to Correct. Consumers may request correction of inaccurate personal information. This requires the organization to have a mechanism for receiving correction requests, verifying the claimed inaccuracy, and propagating corrections across all systems that hold the affected record.
Right to Limit Use of Sensitive Personal Information. Added by CPRA, this right allows consumers to restrict the use of sensitive personal information to only the purposes necessary to provide the requested service. Organizations processing sensitive personal information for secondary purposes (targeted advertising, profiling, sale) must provide a separate "Limit the Use of My Sensitive Personal Information" mechanism.
The Reasonable Security Standard
CCPA section 1798.150 creates a private right of action for data breaches resulting from a business's failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information. This is significant: most U.S. data breach litigation requires proving negligence in tort; CCPA creates a statutory cause of action tied directly to the security program's adequacy.
The California Attorney General has consistently referenced the CIS Controls as a benchmark for what constitutes reasonable security in California. The full 18 CIS Controls are not all equally weighted, but the core controls relevant to CCPA reasonable security include:
- CIS Control 3 (Data Protection): Inventory and classify personal information; apply encryption and access controls commensurate with data sensitivity.
- CIS Control 4 (Secure Configuration): Harden systems that process personal information; disable unnecessary services.
- CIS Control 5 (Account Management): Apply least-privilege access to systems holding personal information.
- CIS Control 6 (Access Control Management): Use multi-factor authentication for access to personal information systems.
- CIS Control 8 (Audit Log Management): Maintain logs of access to and modifications of personal information.
- CIS Control 17 (Incident Response Management): Maintain a documented and tested incident response capability.
Encryption of personal information at rest and in transit is not optional under the reasonable security standard. A breach of unencrypted personal information in California is close to per se unreasonable.
Service Provider Contracts
CPRA elevated the contract requirement for service providers (the CCPA/CPRA term for data processors). Contracts with service providers must specify the purpose of processing, prohibit the service provider from selling or sharing personal information, prohibit use of personal information for its own commercial purposes, and require the service provider to extend the same protections to any sub-processors. This is a data processing agreement (DPA) requirement equivalent in structure to the GDPR Article 28 processor agreement, though with California-specific carve-outs.
---
Why It Matters
Litigation Risk Is Real
Unlike most U.S. state privacy laws, CCPA's private right of action for data breaches does not require a consumer to prove actual damages. The statutory damages range from $100 to $750 per consumer per incident. For a breach affecting 100,000 consumers, that floor is $10 million. Recovery is uncapped where actual damages exceed the statutory range or the violation is willful. Class action plaintiffs have used this provision aggressively since 2020.
The Cascade Effect on Security Programs
CCPA/CPRA compliance does not exist in isolation. Meeting the reasonable security standard requires many of the same controls that SOC 2 Type II, ISO 27001, and NIST CSF require. Organizations building their security programs around those frameworks are largely building toward CCPA compliance simultaneously. The difference is that CCPA compliance has statutory teeth: the California Privacy Protection Agency (CPPA), created by CPRA, has independent enforcement authority and has demonstrated willingness to investigate and fine organizations without waiting for a breach event.
Common Misconceptions
The most dangerous misconception is that CCPA/CPRA is a marketing or legal problem rather than a security problem. The right to delete alone requires engineering investment that most organizations have not made. Another common error is treating the GPC signal as a nice-to-have: California enforcement has specifically cited failure to honor GPC as a violation. A third misconception is that B2B companies are exempt. CPRA extended full consumer rights to employees and B2B contacts effective January 1, 2023, eliminating the temporary exemptions that existed under the original CCPA.
Who Owns This Problem
The CISO owns the reasonable security standard and the technical implementation of consumer rights. Legal owns the policy notices and the vendor contract language. Engineering owns the data map, the deletion workflows, the GPC signal detection, and the audit logging. Without all three functions coordinated, compliance is fragile. When a breach occurs, the question the plaintiff's attorney will ask is: who owned the obligation, and what did they do to meet it?
---
Technical Requirements
Organizations subject to CCPA/CPRA should assess their technical posture against the following implementation requirements:
Data Mapping and Inventory. A current, queryable data inventory covering all systems that collect, store, process, or transmit personal information. The inventory must be sufficient to answer: what data do we have about this person, where is it, who has access to it, and where has it been shared? This inventory must be maintained continuously, not produced ad hoc in response to a request.
Consumer Request Handling Infrastructure. A verified intake mechanism for consumer requests (identity verification without requiring personal information collection disproportionate to the request), a workflow engine capable of routing requests to all relevant systems, audit logging of all request actions and outcomes, and a 45-day response window (extendable by 45 days with notice). Businesses receiving 10 or more consumer requests per day must use an online intake method.
Deletion Workflow Architecture. Automated deletion pipelines that can reach every system of record holding personal information, including production databases, analytics platforms, CRM systems, data warehouses, backup systems, and third-party processors. Deletion must be confirmed and logged. Backup systems present a particular challenge: restoring a backup should not resurface deleted records, which requires either excluding deleted records from backups or maintaining a deletion manifest applied on restore.
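The deletion-manifest approach described above (and the propagation requirement under the Right to Delete), as an added example that is not the article's or CDA's code. Record and manifest shapes are constructed for illustration; the restore step filters backup records through the manifest and also flags subjects whose deletion predates the snapshot yet still appear in it, which means the deletion never reached that system.

```python
"""Replay a deletion manifest when a backup is restored so deleted records do not resurface.
Added example; data shapes are assumed, not taken from any real deletion pipeline."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set


@dataclass(frozen=True)
class DeletionEntry:
    subject_id: str       # consumer whose records were deleted
    deleted_at: datetime  # when the deletion request was completed (UTC)
    request_id: str       # audit link back to the consumer request


class DeletionManifest:
    """Append-only log of completed deletions; entries are never removed."""
    def __init__(self) -> None:
        self._entries: List[DeletionEntry] = []

    def append(self, entry: DeletionEntry) -> None:
        self._entries.append(entry)

    def all_subjects(self) -> Set[str]:
        return {e.subject_id for e in self._entries}

    def subjects_deleted_since(self, snapshot_time: datetime) -> Set[str]:
        return {e.subject_id for e in self._entries if e.deleted_at >= snapshot_time}


def restore_with_manifest(backup: List[Dict], snapshot_time: datetime, manifest: DeletionManifest) -> Dict:
    """Filter a backup's records through the manifest before they are written back."""
    deleted_after = manifest.subjects_deleted_since(snapshot_time)
    deleted_before = manifest.all_subjects() - deleted_after
    restored, suppressed, anomalies = [], 0, set()
    for rec in backup:
        sid = rec["subject_id"]
        if sid in deleted_after:
            suppressed += 1                 # deleted after the snapshot: expected, just drop it
        elif sid in deleted_before:
            suppressed += 1                 # "deleted" before the snapshot but still present:
            anomalies.add(sid)              # deletion never propagated here; drop and flag for audit
        else:
            restored.append(rec)
    return {"restored": restored, "suppressed": suppressed, "anomalies": sorted(anomalies)}


def sample_restore() -> Dict:
    """Constructed scenario: backup taken 2024-03-01; b deleted afterwards, c supposedly before."""
    snapshot = datetime(2024, 3, 1, tzinfo=timezone.utc)
    backup = [{"subject_id": s, "email": f"{s}@example.invalid"} for s in ("a", "b", "c")]
    manifest = DeletionManifest()
    manifest.append(DeletionEntry("b", datetime(2024, 3, 5, tzinfo=timezone.utc), "req-0001"))
    manifest.append(DeletionEntry("c", datetime(2024, 2, 20, tzinfo=timezone.utc), "req-0002"))
    return restore_with_manifest(backup, snapshot, manifest)
```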
GPC Signal Detection. Web applications must inspect the "Sec-GPC: 1" HTTP header and suppress sharing activity for users who have set this preference. This requires coordination between the front-end request pipeline and any tag management or analytics infrastructure.
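The header check described here and under the Right to Opt-Out, as an added example that is not the article's or CDA's code. It treats only the exact value "1" as an opt-out (the GPC specification defines no other value), persists the opt-out for an authenticated user so later requests without the header are still honored, and returns the tag set the pipeline may fire; the request, store and tag names are assumed for illustration.

```python
"""Honor the Global Privacy Control signal in a request pipeline.
Added example; header handling follows the Sec-GPC spec, store and tag names are assumed."""
from dataclasses import dataclass, field
from typing import Dict, Optional

SHARING_TAGS = {"ads_pixel", "data_broker_sync"}         # tags that constitute sale/sharing
FIRST_PARTY_TAGS = {"fraud_detection", "error_logging"}  # necessary to provide the service


def gpc_signal_present(headers: Dict[str, str]) -> bool:
    """True only for a Sec-GPC header (name case-insensitive) whose value is exactly "1"."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"  # "0" or anything else is not an opt-out
    return False


@dataclass
class OptOutStore:
    """Constructed in-memory stand-in for the consumer opt-out record store."""
    opted_out: Dict[str, str] = field(default_factory=dict)  # user_id -> source of opt-out

    def mark(self, user_id: str, source: str) -> None:
        self.opted_out.setdefault(user_id, source)  # keep the first recorded source

    def is_opted_out(self, user_id: Optional[str]) -> bool:
        return user_id is not None and user_id in self.opted_out


def sharing_decision(headers: Dict[str, str], user_id: Optional[str], store: OptOutStore) -> Dict:
    """Decide whether sharing tags may fire for this request, and record why."""
    if gpc_signal_present(headers):
        if user_id is not None:
            store.mark(user_id, "gpc")  # treat the signal as a standing opt-out request
        reason = "gpc-header"
    elif store.is_opted_out(user_id):
        reason = "stored-opt-out"
    else:
        return {"share": True, "reason": "no-opt-out", "tags": sorted(SHARING_TAGS | FIRST_PARTY_TAGS)}
    return {"share": False, "reason": reason, "tags": sorted(FIRST_PARTY_TAGS)}
```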
Encryption. Personal information must be encrypted at rest (minimum AES-256) and in transit (TLS 1.2 or higher, with TLS 1.3 preferred). Encryption keys must be managed separately from encrypted data. Key rotation must be documented and enforced.
Access Controls and MFA. Access to systems processing personal information must be role-based and least-privilege. Multi-factor authentication is required for any employee or contractor accessing personal information systems.
Incident Response and Breach Notification. A documented IR plan covering personal information breaches. CCPA breach notification to affected consumers must occur without unreasonable delay and in the most expedient manner possible. The CPPA expects timely notification consistent with California Civil Code 1798.29 and 1798.82.
Vendor DPA Coverage. A current data processing agreement in place with every service provider that receives personal information. The DPA must be reviewed and updated when data flows or service provider relationships change.
---
CDA Perspective
CDA positions CCPA/CPRA compliance not as a periodic audit exercise but as an operational state maintained continuously. This is the Perpetual Compliance Assurance (PCA) methodology at work: "Compliance is not an event. It is a state."
Within the PDM, CCPA/CPRA maps to two concentric domains operating simultaneously. RGA (Risk Governance and Assurance) owns the compliance posture, the vendor contract program, the consumer request management process, and the audit trail. DPS (Data Protection and Sovereignty) owns the technical architecture: encryption, access controls, data classification, deletion workflows, and the data inventory that makes every other obligation actionable.
CDA's Sovereign Data Protocol (SDP) operationalizes the DPS layer. The SDP tagline, "Your data lives where you decide. Period," reflects the same principle that CCPA/CPRA encodes in law: data subjects have rights over where their personal information goes and what happens to it. SDP-compliant architectures built for CDA clients include data residency controls, queryable data inventories, and deletion pipelines as baseline infrastructure, not retrofit features.
On the RGA side, PCA treats the CCPA/CPRA compliance state as a continuous measurement rather than an annual assessment. PCA dashboards track: consumer request intake and resolution rates, service provider DPA coverage percentage, encryption coverage across personal information datastores, access control audit findings, and breach response readiness. When any of these metrics degrades, PCA surfaces it as a compliance posture gap requiring remediation, not a finding to be addressed at the next annual review.
CDA advises that organizations beginning CCPA/CPRA compliance work prioritize the data inventory first. Every other obligation, including deletion, correction, and disclosure, is impossible to fulfill accurately without knowing where personal information lives. The data map is the foundation of the compliance program, and its absence is the single most common reason organizations fail to honor consumer rights in practice even when they intend to.
---
Key Takeaways
- CCPA/CPRA applies to any for-profit business collecting personal information of California residents that meets the revenue, volume, or revenue-from-sale thresholds, regardless of where the business is headquartered.
- The five consumer rights (Know, Delete, Opt-Out, Correct, Limit Sensitive PI) each require specific technical infrastructure: a functioning data map is the prerequisite for all of them.
- CCPA's private right of action for data breaches, with statutory damages of $100 to $750 per consumer per incident, is the primary litigation driver and is tied directly to the adequacy of the security program.
- The California AG has benchmarked "reasonable security" against the CIS Controls; encryption at rest and in transit, MFA, access controls, and incident response capability are the minimum credible floor.
- Honoring the Global Privacy Control (GPC) signal is a technical engineering requirement, not a legal policy nicety; failure to detect and act on GPC is an enforcement-cited violation.
---
Related Articles
- Perpetual Compliance Assurance (PCA) Methodology
- Sovereign Data Protocol (SDP) Overview
- Data Classification and Inventory Frameworks
- GDPR Technical Requirements for U.S. Organizations
- Incident Response Planning for Privacy Breaches
---
Sources
- California Attorney General, "Making Your Privacy Practices Public," CCPA Guidance (2020). oag.ca.gov/privacy/ccpa
- California Privacy Protection Agency, CPRA Regulations (2023). cppa.ca.gov/regulations
- Center for Internet Security, "CIS Controls v8" (2021). cisecurity.org/controls
- California Civil Code §§ 1798.100-1798.199.100 (CCPA/CPRA statutory text).
- Global Privacy Control Technical Specification, W3C Community Group (2020). globalprivacycontrol.org