---
title: "CCPA Timeline and Decision Flow"
canonical_url: "https://www.sorena.io/artifacts/us-ccpa"
source_url: "https://www.sorena.io/artifacts/us/california-consumer-privacy-act"
author: "Sorena AI"
description: "California CCPA compliance hub for scope thresholds, notice at collection, privacy policy disclosures, consumer rights, do not sell or share controls."
published_at: "2026-02-21"
updated_at: "2026-02-21"
keywords:
  - "CCPA compliance"
  - "California Consumer Privacy Act"
  - "CCPA requirements"
  - "CCPA checklist"
  - "CCPA privacy policy"
  - "do not sell or share"
  - "Global Privacy Control"
  - "CCPA penalties"
  - "CCPA service provider contracts"
  - "CCPA"
  - "CPRA"
  - "California privacy law"
  - "Consumer rights"
---

# CCPA Timeline and Decision Flow

California CCPA compliance hub for scope thresholds, notice at collection, privacy policy disclosures, consumer rights, do not sell or share controls.

![California CCPA compliance artifact preview](https://cdn.sorena.io/cdn-cgi/image/format=auto/cheatsheets/prod/sorena-ai-us-ccpa-timeline-small.jpg?v=cheatsheets%2Fprod)


## California Consumer Privacy Act Timeline and Decision Flow

Translate the California Consumer Privacy Act into an operating model for threshold analysis, notice design, consumer rights handling, do not sell or share controls, and vendor contract enforcement.

Built from the current California statute and CPPA regulations, including the rules effective January 1, 2026. This is implementation guidance, not legal advice.


## What teams can decide faster

- **Whether the business is in scope**: Test the 25 million dollars, 100,000 consumers or households, and 50 percent sale or sharing revenue thresholds.
- **What disclosures are required**: Operationalize notice at collection, privacy policy, opt out notices, and financial incentive notices.
- **How to honor consumer choice**: Run 45 day rights workflows, process GPC, and push opt out instructions to vendors.

By Sorena AI | Updated 2026 | No signup required

### Quick scan


- **Scope**: Validate threshold and business-role applicability with evidence.
- **Consumer rights**: Run know, delete, correct, and opt-out workflows at scale.
- **Contracts and disclosures**: Align service provider contracts and privacy notices to legal requirements.

Open each subpage to execute requirements with advanced, role-specific guidance.

| Term | Role in this guide |
| --- | --- |
| CPRA | Current regime |
| GPC | Opt-out preference signal support |
| DSAR | Consumer rights operations |
| CPPA | Regulator |


## Topic Guides

- [CCPA Applicability Test | California Scope Test](/artifacts/us/california-consumer-privacy-act/applicability-test.md): Test whether a business is in scope under the current California threshold model.
- [CCPA Checklist | California Privacy Compliance Checklist](/artifacts/us/california-consumer-privacy-act/checklist.md): Track the California controls that must actually exist in policy, product, and vendor operations.
- [CCPA Compliance Program | California Operating Model](/artifacts/us/california-consumer-privacy-act/compliance.md): Build a California privacy programme that survives regulator questions and product change.
- [CCPA Consumer Rights Workflow | 45 Day Request Handling](/artifacts/us/california-consumer-privacy-act/consumer-rights-workflow.md): Run California rights operations with clear timing, verification, and downstream instructions.
- [CCPA Deadlines and Compliance Calendar](/artifacts/us/california-consumer-privacy-act/deadlines-and-compliance-calendar.md): Use the dates that actually shape California privacy work.
- [CCPA Enforcement and Penalties | CPPA and AG Exposure Guide](/artifacts/us/california-consumer-privacy-act/enforcement-and-penalties.md): Understand how California enforcement usually starts and what evidence the agency will ask for.
- [CCPA FAQ | Practical California Privacy Answers](/artifacts/us/california-consumer-privacy-act/faq.md): Answer the California privacy questions that usually stall implementation.
- [CCPA Penalties and Fines | California Exposure Summary](/artifacts/us/california-consumer-privacy-act/penalties-and-fines.md): Know the penalty ranges, then work backward to the controls that reduce them.
- [CCPA Privacy Notices and Disclosures | California Notice Architecture](/artifacts/us/california-consumer-privacy-act/privacy-notices-and-disclosures.md): Design the California notice stack so each disclosure appears in the right place and says the right thing.
- [CCPA Privacy Policy Template | Required California Disclosures](/artifacts/us/california-consumer-privacy-act/ccpa-privacy-policy-template.md): Write a California privacy policy that actually matches the statute and regulations.
- [CCPA Requirements | California Control Requirements](/artifacts/us/california-consumer-privacy-act/requirements.md): Translate California law into control statements that can be implemented, tested, and audited.
- [CCPA Scope and Thresholds | California Business Threshold Guide](/artifacts/us/california-consumer-privacy-act/scope-and-thresholds.md): Use the real California threshold tests instead of rough privacy folklore.
- [CCPA Service Provider and Contractor Contracts](/artifacts/us/california-consumer-privacy-act/service-provider-contractor-contracts.md): Draft California vendor contracts that work in practice, not only on paper.
- [CCPA vs CPRA | What Actually Changed in California Privacy](/artifacts/us/california-consumer-privacy-act/ccpa-vs-cpra.md): A practical CCPA vs CPRA delta guide grounded in the current California statute, CPPA regulations, and official agency guidance.
- [CCPA vs GDPR | California and EU Privacy Comparison](/artifacts/us/california-consumer-privacy-act/ccpa-vs-gdpr.md): Compare California CCPA obligations with the GDPR without assuming the two models are interchangeable.
- [Do Not Sell or Share Implementation | CCPA and GPC Guide](/artifacts/us/california-consumer-privacy-act/do-not-sell-share-implementation.md): Implement California opt out controls that actually work across websites, apps, and partner pipelines.

## Key milestones for California privacy operations

*CCPA Timeline*

Track statutory, regulatory, and enforcement developments that affect privacy program decisions and implementation timing.

## How to operationalize CCPA and CPRA obligations

*CCPA Decision Flow*

Use the decision flow to sequence scope, rights, disclosures, sale and sharing controls, and contract updates with evidence outputs.


## Decision Steps

### STEP 1: Are you a for-profit business that collects California residents' personal information and does business in California?

*Reference: Civil Code 1798.140(d)*

- CCPA applies only to for-profit businesses that collect (or have others collect for them) consumers' personal information, determine why and how the information will be processed, and do business in California.
- The CCPA does not generally apply to nonprofit organizations or government agencies.
- A 'consumer' means a natural person who is a California resident.

- **NO** Out of Scope
- **YES** Does your business meet at least one of the CCPA thresholds?

### STEP 2: Does your business meet at least one of the CCPA thresholds?

*Reference: Civil Code 1798.140(d)(1)*

- (A) As of January 1 of the calendar year, had annual gross revenues in excess of $25,000,000 in the preceding calendar year, as adjusted pursuant to Civil Code 1798.199.95(d); OR
- (B) Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; OR
- (C) Derives 50% or more of annual revenues from selling or sharing consumers' personal information.
- The CCPA also treats as a 'business' certain entities that control or are controlled by a covered business and share common branding, certain joint ventures or partnerships (40%+ interest), and entities that voluntarily certify to be bound.

- **NO** Out of Scope
- **YES** Are you a "business" under the CCPA (determining the purposes and means of collecting/processing personal information)?

### STEP 3: Are you a "business" under the CCPA (determining the purposes and means of collecting/processing personal information)?

- If yes: the primary CCPA obligations apply (notices, consumer rights, opt-out/limit mechanisms, contracts, training, and recordkeeping).
- If no: you may instead be acting as a service provider/contractor (processing on behalf of a business under a written contract) or as a third party (receiving PI but not as a service provider/contractor).
- Many entities may have more than one role.

- **YES** Business subject to CCPA
- **NO** If not a business: are you a service provider or contractor (processing personal information on behalf of a business under a written contract)?

### STEP 3A: If not a business: are you a service provider or contractor (processing personal information on behalf of a business under a written contract)?

*Reference: Civil Code 1798.140(ag), 1798.140(j)*

- Service providers and contractors have specific contractual restrictions and may only use PI for business purposes specified in the contract, subject to exceptions.
- If no: you are treated as a third party (additional use/disclosure restrictions can apply depending on how you receive PI).

- **YES** Service Provider / Contractor Obligations
- **NO** Third Party Obligations

### IN SCOPE: Business subject to CCPA

*Reference: Civil Code 1798.100 et seq.*

- You must comply with all CCPA requirements for businesses, including: Notice at Collection, Privacy Policy, consumer rights (know, delete, correct, opt out of sale/sharing, limit sensitive PI when applicable, ADMT rights when applicable, and non-discrimination/no retaliation), verification where required, authorized agents, contracts, record-keeping, and training.
- Additional obligations may apply if you sell or share personal information, process sensitive personal information, use ADMT for significant decisions, meet cybersecurity audit criteria, or are a data broker.

- -> Does your business sell or share personal information?

### STEP 4: Does your business sell or share personal information?

*Reference: Civil Code 1798.140(ad), (ah)*

- 'Sell' = selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration.
- 'Share' = sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
- Disclosures to service providers/contractors under written contracts are NOT sales or shares. Disclosures at the consumer's direction are NOT sales.
- If you sell or share PI, you must provide a 'Do Not Sell or Share My Personal Information' link and honor opt-out preference signals.

- **YES** Does your business use or disclose sensitive personal information for purposes beyond those permitted by Civil Code 1798.121(a)?
- **NO** Does your business use or disclose sensitive personal information for purposes beyond those permitted by Civil Code 1798.121(a)?

### STEP 5: Does your business use or disclose sensitive personal information for purposes beyond those permitted by Civil Code 1798.121(a)?

*Reference: Civil Code 1798.121*

- Permitted purposes (no opt-out required): performing services or providing goods reasonably expected by the consumer; preventing fraud, security incidents, illegal activities, or threats to physical safety; performing contracted services; short-term transient use (including non-personalized advertising); verifying or maintaining quality or safety; and complying with legal obligations or exercising or defending legal claims.
- If you use or disclose sensitive PI for other purposes, you must provide a 'Limit the Use of My Sensitive Personal Information' link.
- You may use a single combined link ('Your Privacy Choices' or 'Your California Privacy Choices') instead of separate 'Do Not Sell or Share' and 'Limit' links.

- **YES** Are you a data broker?
- **NO** Are you a data broker?

### DATA BROKER: Are you a data broker?

*Reference: Civil Code 1798.99.80 et seq.*

- A data broker is a business that knowingly collects and sells to third parties the personal information of consumers with whom the business does not have a direct relationship.
- Excludes entities covered by the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, Insurance Information and Privacy Protection Act, Confidentiality of Medical Information Act, and HIPAA.
- Data brokers must register with the California Privacy Protection Agency annually (January 1-31 deadline) and pay a registration fee.

- **YES** Data Broker Registration Required
- **NO** Does your business use Automated Decisionmaking Technology (ADMT) for significant decisions?

### ADMT: Does your business use Automated Decisionmaking Technology (ADMT) for significant decisions?

*Reference: 11 CCR 7200 et seq.*

- ADMT = any technology that processes personal information and uses computation to replace or substantially replace human decisionmaking (including profiling).
- A significant decision is a decision that results in the provision or denial of financial or lending services, housing, education enrollment or opportunities, employment or independent contracting opportunities or compensation, or healthcare services. Advertising is not a significant decision.
- Compliance deadline: January 1, 2027.
- Does not include web hosting, domain registration, networking, caching, data storage, firewalls, anti-virus, spam-filtering, spellchecking, calculators, databases, or spreadsheets (if they do not replace human decisionmaking).

- **YES** ADMT Requirements Apply (Compliance Deadline: January 1, 2027)
- **NO** ADMT Requirements Do Not Apply

### RISK ASSESSMENT: Must your business conduct a risk assessment?

*Reference: 11 CCR 7150 et seq.*

- Risk assessments are required for specific processing activities that present significant risk to consumers' privacy, including selling or sharing personal information, processing sensitive personal information (subject to limited employment administration exceptions), and using ADMT for significant decisions.
- Additional processing activities can also trigger a risk assessment, including certain automated processing to infer or extrapolate characteristics in employment/education contexts or based on a consumer's presence in a sensitive location, and processing PI intended to train certain ADMT or identity verification/profiling technologies.
- Timing: a business must conduct and document a risk assessment before initiating a covered processing activity. For covered processing initiated before January 1, 2026 and continuing after that date, the business must conduct and document a risk assessment no later than December 31, 2027.
- Updates and retention: review and update risk assessments at least once every three years (and within 45 calendar days of a material change). Retain risk assessments for as long as the processing continues or for five years after completion, whichever is later.
- Submissions: for risk assessments conducted in 2026 and 2027, submit required risk assessment information to the Agency no later than April 1, 2028. For risk assessments conducted after 2027, submit no later than April 1 following any year during which the business conducted the risk assessments.

- **YES** Must your business complete a cybersecurity audit?
- **NO** CCPA Applies (Full Business Obligations)

### CYBERSECURITY AUDIT: Must your business complete a cybersecurity audit?

*Reference: 11 CCR 7120 et seq.*

- Cybersecurity audits are required if the business's processing presents significant risk to consumers' security as defined in 11 CCR 7120(b). This includes if the business meets the 50% revenue threshold in Civil Code 1798.140(d)(1)(C) in the preceding calendar year, or if the business meets the gross revenue threshold in Civil Code 1798.140(d)(1)(A) and processed the personal information of 250,000 or more consumers or households, or processed the sensitive personal information of 50,000 or more consumers, in the preceding calendar year.
- First cybersecurity audit report deadlines are phased: April 1, 2028 (based on 2026 revenue as of January 1, 2027), April 1, 2029 (based on 2027 revenue as of January 1, 2028), and April 1, 2030 (based on 2028 revenue as of January 1, 2029). After April 1, 2030, annual timing continues based on whether the criteria are met as of January 1 of a year for the preceding year.

- **YES** Cybersecurity Audit Required
- **NO** CCPA Applies (Full Business Obligations)

## Reference Information

### Categories of Personal Information

- Personal information = information that identifies, relates to, or could reasonably be linked to a particular consumer or household (name, email, purchase records, browsing history, geolocation, fingerprints, inferences about preferences/characteristics).
- Sensitive personal information = subset of PI that is more sensitive: SSN, driver's license, account credentials, precise geolocation, contents of mail/email/text (unless the business is the intended recipient), genetic data, neural data, biometric information used to uniquely identify a consumer, health information, and information about sex life or sexual orientation, as well as certain other sensitive attributes listed in the statute.
- Publicly available information is excluded from the definition of personal information.

### Consumer Rights Under CCPA

- Right to know: request disclosure of categories and specific pieces of personal information collected, categories of sources, purposes, and categories of third parties (including categories of personal information sold/shared and to whom).
- Right to delete: request deletion of personal information the business collected from the consumer, subject to statutory exceptions.
- Right to correct: request correction of inaccurate personal information maintained by the business.
- Right to opt out: opt out of sale and sharing (including sharing for cross-context behavioral advertising), including through opt-out preference signals where applicable.
- Right to limit: limit the use and disclosure of sensitive personal information to certain permitted purposes, when the business uses or discloses it for other purposes.
- ADMT rights (if applicable): right to opt out of ADMT (subject to exceptions) and right to access information about a business's use of ADMT for significant decisions.
- Non-discrimination and no retaliation: businesses must not discriminate or retaliate against consumers for exercising their CCPA rights.

### Notice at Collection Requirements

- Businesses must provide a Notice at Collection at or before the point of collection, describing: categories of personal information to be collected and purposes for which categories will be used; if selling or sharing PI, a notice of the right to opt-out; if using sensitive PI beyond permitted purposes, a notice of the right to limit; retention period for each category (or criteria used to determine retention).
- Disclosures and communications to consumers must be reasonably accessible to consumers with disabilities.
- Notice at Collection is separate from the Privacy Policy.

### Privacy Policy Requirements

- Businesses must post a Privacy Policy on their homepage and other webpages (using the word 'privacy' in the link). For mobile apps, the link must be available on the download page or in the app's settings menu.
- The Privacy Policy must describe: categories of PI collected in the preceding 12 months and purposes for use; categories of sources; categories of PI sold/shared (if any) and categories of third parties; categories of PI disclosed for a business purpose and categories of recipients; consumer rights (know, delete, correct, opt out of sale/sharing, limit sensitive PI, ADMT rights when applicable, and no retaliation) and how to exercise them; methods for submitting requests; how long each category of PI is retained (or criteria used); and required information about any financial incentive or price/service difference.
- If you are a data broker, you must register with the Data Broker Registry and disclose additional information.

### Do Not Sell or Share My Personal Information Link

- If you sell or share personal information, you must provide a clear and conspicuous link on your website homepage (and other designated pages) titled 'Do Not Sell or Share My Personal Information' or 'Your Privacy Choices' or 'Your California Privacy Choices'.
- The link must enable consumers (or their authorized agents) to opt-out of the sale or sharing of their personal information.
- You must honor opt-out preference signals (OOPS) such as Global Privacy Control (GPC) as valid requests to opt-out of sale/sharing, and process them in a frictionless manner (without requiring consumers to take additional action).
- You must comply with opt-out requests as soon as feasibly possible, up to a maximum of 15 business days.

### Limit the Use of My Sensitive Personal Information Link

- If you use or disclose sensitive personal information for purposes outside those permitted by Civil Code 1798.121(a), you must provide a clear and conspicuous link on your website homepage (and other designated pages) titled 'Limit the Use of My Sensitive Personal Information' or 'Your Privacy Choices' or 'Your California Privacy Choices'.
- The link must enable consumers to limit the use and disclosure of their sensitive personal information to permitted purposes.
- You must comply with limit requests as soon as feasibly possible, up to a maximum of 15 business days.

### Verification of Requests

- Businesses must verify the identity of consumers making requests to know, delete, or correct personal information to prevent fraudulent requests.
- For password-protected accounts: verify the consumer through existing authentication practices (e.g., login credentials). For requests to know specific pieces of PI or delete/correct PI, use multi-factor authentication or another secure method if the request poses a risk of fraud.
- For non-accountholders: match at least two or three data points provided by the consumer with data points maintained by the business (depending on the request type and sensitivity). For requests to know specific pieces of PI, use a signed declaration under penalty of perjury.
- Businesses cannot require consumers to create an account to make a verifiable request.
- Opt-out and limit requests do NOT require identity verification (but businesses may deny requests they reasonably believe to be fraudulent).

### Authorized Agents

- Consumers may use an authorized agent (natural person or business entity) to submit requests on their behalf.
- Businesses may require: (1) proof that the agent is authorized to act on behalf of the consumer (e.g., power of attorney or signed written permission), and (2) verification of the consumer's identity directly with the business.
- If the consumer has provided the authorized agent with power of attorney pursuant to Probate Code sections 4121 to 4130, the business may not require additional proof that the agent is authorized to act on the consumer's behalf.

### Request Response Timelines

- Delete, Correct, or Know requests: Confirm receipt within 10 business days. Substantively respond within 45 calendar days (may extend by another 45 days if necessary, with notice to the consumer).
- Opt-out of Sale/Sharing or Limit Sensitive PI requests: Comply as soon as feasibly possible, up to a maximum of 15 business days.
- Businesses must provide at least two methods for submitting delete/correct/know requests (e.g., a toll-free phone number and a website form). If the business operates exclusively online, it may provide only an email address.
- Businesses must not charge a fee for verifiable consumer requests unless manifestly unfounded or excessive (particularly if repetitive).
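The opt-out handling described in the 'Do Not Sell or Share' section above and the 15-business-day timeline in this section, as an added example that is not part of the Sorena artifact. It assumes the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property defined by the Global Privacy Control specification, an in-memory preference record, and weekends as the only non-business days (holidays are ignored).

```javascript
// Added example (not Sorena's code): honor an opt-out preference signal frictionlessly,
// record it with evidence, compute the 15-business-day compliance deadline, and produce
// the downstream instruction for a third party. Assumes the GPC spec's `Sec-GPC` header.

const GPC_HEADER = "sec-gpc";

// Per the GPC specification only the literal value "1" expresses an opt-out; an absent
// header, "0" or any other value is not a signal and must not be recorded as one.
function hasGpcSignal(headers) {
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === GPC_HEADER);
  return entry !== undefined && String(entry[1]).trim() === "1";
}

// Client-side equivalent for code running inside the page itself.
function hasGpcSignalInBrowser(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Add n business days to a UTC date, skipping Saturday (6) and Sunday (0).
// Holidays are deliberately ignored here (assumption), so real deadlines may be later.
function addBusinessDays(start, n) {
  const d = new Date(start.getTime());
  let remaining = n;
  while (remaining > 0) {
    d.setUTCDate(d.getUTCDate() + 1);
    const day = d.getUTCDay();
    if (day !== 0 && day !== 6) remaining -= 1;
  }
  return d;
}

// Apply an opt-out to a consumer's preference record, whatever its source
// (GPC signal, the "Do Not Sell or Share" link, or an authorized agent).
// Opt-out requests need no identity verification, so none is performed here.
function recordOptOut(prefs, source, receivedAt) {
  return {
    ...prefs,
    optOutSaleShare: true,
    optOutSource: source,
    optOutReceivedAt: receivedAt.toISOString(),
    // Comply as soon as feasible and no later than 15 business days after receipt.
    optOutDeadline: addBusinessDays(receivedAt, 15).toISOString(),
  };
}

// Server entry point: a GPC signal is a valid opt-out request on its own, so the
// consumer is not asked to do anything further (frictionless processing).
function processRequest(headers, prefs, receivedAt) {
  if (prefs.optOutSaleShare) return prefs; // already opted out; keep the original evidence
  if (hasGpcSignal(headers)) return recordOptOut(prefs, "gpc-header", receivedAt);
  return prefs;
}

// Instruction pushed to a third party that previously received this consumer's data.
function vendorInstruction(prefs, consumerId) {
  if (!prefs.optOutSaleShare) return null;
  return { consumerId, action: "stop-sale-and-share", effectiveBy: prefs.optOutDeadline };
}

// Constructed sample: a request received on Friday 2026-02-20 carrying Sec-GPC: 1.
const sampleHeaders = { "Sec-GPC": "1", "User-Agent": "constructed-sample" };
const samplePrefs = processRequest(
  sampleHeaders,
  { optOutSaleShare: false },
  new Date(Date.UTC(2026, 1, 20, 10, 0, 0))
);
console.log(samplePrefs, vendorInstruction(samplePrefs, "consumer-123"));
```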

### Exceptions to Deletion Requests

- Businesses may deny deletion requests if retaining the PI is necessary to: complete the transaction for which the PI was collected, provide a reasonably anticipated good/service, or perform a contract; detect security incidents, protect against fraud/illegal activity, or ensure physical safety; debug to identify and repair errors; exercise free speech or ensure another consumer's right to free speech, or exercise another legal right; comply with the California Electronic Communications Privacy Act (Penal Code 1546 et seq.); engage in public or peer-reviewed scientific, historical, or statistical research in the public interest; enable solely internal uses reasonably aligned with consumer expectations or the context in which the PI was provided; comply with a legal obligation; or otherwise use the PI internally in a lawful manner compatible with the context in which the consumer provided the information.
- Businesses are not required to delete PI that was not collected directly from the consumer (though they must inform the consumer of the right to opt-out if they sell or share PI).
- Publicly available information, certain medical information, consumer credit reporting information, and other exempt categories are excluded from deletion requirements.

### Service Provider / Contractor Obligations

- Service providers and contractors process personal information on behalf of a business under a written contract.
- The contract must: prohibit the service provider/contractor from selling or sharing PI (unless authorized by the business); prohibit retention, use, or disclosure of PI for any purpose other than performing the specified services or as otherwise permitted by the CCPA; prohibit combining PI with information received from other sources (except as permitted by the CCPA); grant the business the right to take reasonable and appropriate steps to ensure the service provider/contractor uses PI consistently with the business's CCPA obligations; require the service provider/contractor to notify the business if it can no longer meet its CCPA obligations; and grant consumers, subject to certain conditions, the right to enforce the service provider/contractor obligations as third-party beneficiaries.
- Service providers/contractors must assist businesses with responding to consumer requests to the extent the service provider/contractor maintains the responsive information.
- Service providers/contractors may be directly liable for CCPA violations if they fail to comply with their contractual obligations.

### Third Party Obligations

- Third parties are persons or entities that receive personal information from a business but are not service providers or contractors.
- Third parties may use PI received from a business only for the specific purpose disclosed in the Privacy Policy or Notice at Collection (or as otherwise permitted by the CCPA).
- Third parties may not sell or share PI received from a business unless the consumer has received explicit notice and an opportunity to opt-out of further sales or shares.

### Data Broker Registration and Obligations

- Data brokers must register with the CPPA annually (by January 31) and provide: business name, primary physical address, website, email contact, whether they collect reproductive health care data, whether they collect precise geolocation, whether they collect PI of minors, and a link to the website where consumers may exercise their CCPA rights.
- Data brokers must disclose on their website privacy policy by July 1 each year (and report during registration): the number of consumer requests received in the previous calendar year (delete, access/know, know what is sold or shared and to whom, opt-out of sale/sharing, limit sensitive PI), whether they complied in part or in whole with each request, and the median and mean number of days to respond to each type of request.
- SB 362 (Delete Act) requires the CPPA to establish by January 1, 2026, a Delete Request and Opt-out Platform (DROP) that allows consumers to request deletion of all personal information from all registered data brokers through a single request to the Agency.
- Data brokers that fail to register by the statutory deadline may be liable for administrative fines and costs, including an administrative fine of $200 per day for each day they fail to register.

### Financial Incentives and Non-Discrimination

- Businesses may offer financial incentives (including payments to consumers, price differences, or service level differences) for the collection, retention, sale, or sharing of personal information.
- Businesses must provide a Notice of Financial Incentive describing: the material terms of the financial incentive; how to opt-in and withdraw (opt-in consent required for material financial incentives); a good-faith estimate of the value of the consumer's data that forms the basis for offering the incentive; and a description of the method used to calculate the value.
- Financial incentives must not be unjust, unreasonable, coercive, or usurious in nature.
- Businesses cannot discriminate against consumers for exercising CCPA rights (e.g., denying goods or services, charging different prices or rates, providing a different level or quality of goods or services), unless the difference is reasonably related to the value provided by the consumer's data.
- Value of consumer data may be calculated using a reasonable method aligned with the value of the offered incentive, such as: marginal value of data in the context of the product or service, average value of data across all consumers, or revenue or profit generated per consumer divided by the total number of consumers.

### Special Rules for Consumers Under 16

- Businesses may not sell or share the personal information of consumers under 16 years of age unless the consumer (if 13-15 years old) or the consumer's parent or guardian (if under 13 years old) has affirmatively authorized the sale or sharing.
- For consumers under 13: Businesses must comply with the Children's Online Privacy Protection Act (COPPA) and obtain verifiable parental consent before selling or sharing the child's PI.
- For consumers 13-15 years old: Businesses must obtain opt-in consent from the consumer before selling or sharing their PI.
- Businesses that willfully disregard the consumer's age are treated as having known it, and so must obtain the affirmative authorization described above before selling or sharing.
- Notices to consumers under 16 must be written in a manner tailored to the age of the consumer (e.g., age-appropriate language for children).

### ADMT Requirements (Effective January 1, 2027)

- Pre-use notice: provide a pre-use notice before using ADMT for a significant decision (and before repurposing previously collected PI for that ADMT use). The notice must describe the specific purpose, opt-out and access rights, and additional plain-language information about how the ADMT works and the alternative process if the consumer opts out (unless an exception applies).
- Opt-out of ADMT: provide methods for consumers to submit opt-out requests, and do not require a verifiable consumer request to opt out. Some exceptions apply, including when the business provides a human appeal process that meets the requirements in the regulations.
- Access ADMT: respond to requests to access ADMT with plain-language explanations of the specific purpose, the logic of the ADMT (including outputs/parameters as applicable), and the outcome of the decisionmaking process, plus required instructions and anti-retaliation information. Trade secrets and certain security-related information may be excluded.
- Risk assessments: ADMT for significant decisions is a processing activity that triggers the risk assessment requirements in Article 10.

### Risk Assessment Requirements

- Weigh benefits and risks: identify and weigh the benefits of the processing against the negative impacts to consumers' privacy, including sources and causes of those negative impacts, and identify safeguards to address them.
- Document the processing activity: describe categories of PI (including any sensitive PI), the specific purpose, the method of collecting/using/disclosing/retaining, sources, retention periods (or criteria), interaction context, approximate number of consumers, disclosures, and recipients (service providers, contractors, third parties) and purposes.
- Stakeholder involvement: include relevant employees whose job duties include participating in the covered processing, and the business may include external parties such as experts or consumers or stakeholder organizations.
- Update timing: review and update as necessary at least once every three years, and update within 45 calendar days of a material change.
- Retention: retain risk assessments (including original and updated versions) for as long as the processing continues or for five years after completion, whichever is later.
- Agency submissions: submit required risk assessment information to the Agency on the timelines set out in section 7157, and be prepared to submit full risk assessment reports within 30 calendar days if requested by the Agency or the Attorney General.

### Cybersecurity Audit Requirements

- Scope: assess how the cybersecurity program protects PI from unauthorized access, destruction, use, modification, or disclosure, and protects against unauthorized activity that results in loss of availability.
- Thoroughness and independence: use a qualified, objective, independent professional auditor, and follow accepted procedures and standards in the auditing profession. The auditor may be internal or external but must remain objective and independent.
- Audit report content: include detailed findings about gaps or weaknesses that increase risk, the plan and timeframe to address them, and required certifications and other required report components set out in the regulations.
- Certification to the Agency: submit a written certification of completion to the Agency no later than April 1 following each calendar year in which the business is required to complete a cybersecurity audit.
- Retention: retain documents relevant to each cybersecurity audit for at least five years after completion.

### Training and Record-Keeping

- Training: Businesses must train all persons responsible for handling consumer requests or responding to consumer inquiries about the business's privacy practices. Training must cover: the requirements of the CCPA; the business's privacy practices; how to direct consumers to exercise their rights; and how to respond to consumer requests.
- Record-Keeping: Businesses must maintain records of consumer requests (including the date received, nature of the request, manner in which the request was submitted, date of the business's response, and the nature of the response). Records must be retained for at least 24 months.
- Businesses collecting PI of 10 million or more consumers in a calendar year must compile metrics on consumer requests (number of requests received, complied with in whole or in part, denied, median and mean response times) and disclose these metrics in the Privacy Policy by July 1 each year.

### Enforcement and Penalties

- Enforcement: The California Privacy Protection Agency (CPPA) and the California Attorney General can enforce the law. There is no general 30-day notice and cure requirement as of January 1, 2023.
- Administrative Penalties: Civil penalties of up to $2,500 per violation, or $7,500 per intentional violation or violation involving minors' PI.
- Private Right of Action: Consumers may sue businesses for data breaches involving certain categories of unencrypted or unredacted personal information (e.g., SSN, driver's license, financial account number, medical information, health insurance information, unique biometric data, email address + password or security question answer) if the breach results from the business's failure to implement and maintain reasonable security procedures and practices. Statutory damages of $100-$750 per consumer per incident, or actual damages, whichever is greater.
- Complaints: Consumers may file complaints with the CPPA online or by mail. The CPPA does not represent individual consumers but uses complaints to identify trends and inform enforcement actions.

### Key Exemptions

- HIPAA-covered entities and business associates (for protected health information).
- Medical information governed by the Confidentiality of Medical Information Act.
- Entities covered by the Gramm-Leach-Bliley Act (GLBA) for information collected, processed, sold, or disclosed pursuant to GLBA.
- Entities covered by the Fair Credit Reporting Act (FCRA) for information collected, processed, sold, or disclosed pursuant to FCRA.
- Entities covered by the Driver's Privacy Protection Act (for information governed by that Act).
- Nonprofit organizations (as the CCPA applies only to for-profit businesses).
- Government agencies (the CCPA does not apply to state or local government agencies).
- Employee and B2B exemptions (Civil Code 1798.145(m)-(n)) expired on December 31, 2022. Employee data and B2B data are now covered by the CCPA.
- De-identified or aggregate consumer information (if the business maintains reasonable security measures, prohibits re-identification, and makes no attempt to re-identify).

## Possible Outcomes

### [RESULT] Out of Scope

CCPA does not directly apply

- Your business is not subject to the CCPA because it either does not meet the definition of a 'business' or does not meet any of the threshold criteria.
- Even if not directly in scope, you may still be subject to contractual requirements if you act as a service provider, contractor, or third party for a CCPA-covered business.

### [RESULT] CCPA Applies (Full Business Obligations)

All CCPA requirements for businesses apply

- Implement Notice at Collection and Privacy Policy. Provide methods for consumers to exercise their rights (know, delete, correct, opt out of sale/sharing, limit sensitive PI when applicable, and ADMT rights when applicable). Respond to consumer requests within required timelines. Verify identity where required. Honor authorized agents.
- If you sell or share PI: provide 'Do Not Sell or Share My Personal Information' link and honor opt-out preference signals. If you use sensitive PI beyond permitted purposes: provide 'Limit the Use of My Sensitive Personal Information' link.
- Maintain contracts with service providers, contractors, and third parties. Train employees responsible for handling consumer requests. Maintain records of consumer requests for at least 24 months.
- Additional obligations may apply: data broker registration (if applicable), ADMT requirements (if using ADMT for significant decisions), risk assessments (if you perform any processing activities listed in 11 CCR 7150(b)), cybersecurity audits (if you meet the criteria in 11 CCR 7120(b)), and rules for consumers under 16 (opt-in for sale/sharing when applicable).

### [RESULT] Service Provider / Contractor Obligations

Contractual and operational requirements apply

- Ensure written contracts with businesses include all required CCPA provisions: prohibition on selling or sharing PI (unless authorized), prohibition on retention/use/disclosure of PI for unauthorized purposes, prohibition on combining PI with information from other sources (except as permitted), right for businesses to ensure compliance, notification to businesses if unable to meet CCPA obligations, and third-party beneficiary rights for consumers.
- Assist businesses with responding to consumer requests (to the extent you maintain the responsive information). Maintain reasonable security procedures and practices to protect personal information.
- You may be directly liable for CCPA violations if you fail to comply with your contractual obligations (e.g., if you sell or share PI received from a business without authorization).

### [RESULT] Third Party Obligations

Use restrictions and notice requirements apply

- Use personal information received from a business only for the specific purpose disclosed in the business's Privacy Policy or Notice at Collection (or as otherwise permitted by the CCPA).
- Do not sell or share PI received from a business unless the consumer has received explicit notice and an opportunity to opt out of further sales or shares.
- Maintain reasonable security procedures and practices to protect personal information.

### [RESULT] Data Broker Registration Required

Annual registration with CPPA + all business obligations

- Register with the CPPA annually by January 31 and pay the registration fee. Provide required information (business name, address, website, contact, data collection practices, consumer rights link).
- Disclose consumer request metrics on your website privacy policy by July 1 each year (and report during registration): number of requests received (delete, know, opt-out, limit), compliance rate, and median/mean response times.
- The CPPA must establish an accessible deletion mechanism by January 1, 2026. Beginning August 1, 2026, data brokers must access it at least once every 45 days and process consumer deletion requests, subject to limited exceptions.
- All CCPA business obligations apply (Privacy Policy, Notice at Collection, Consumer Rights, Do Not Sell or Share link, Limit link if applicable, Verification, Contracts, Training, Record-keeping).
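The record-keeping and metrics obligations described in the Training and Record-Keeping section (fields to log per request, the 24-month retention floor, and the yearly metrics on requests received, complied with in whole or in part, denied, and median/mean response times) and the data broker metrics disclosure above are easier to reason about as a small request ledger. The following is an added worked example, not code from Sorena or the CPPA; the record field names, request type labels, channel labels, the sample records and the review date are all constructed assumptions for illustration.

```python
"""Consumer request ledger: yearly metrics and retention check (constructed example)."""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, Iterable, List, Optional

# Labels are this example's own choice; they mirror the rights the page lists.
REQUEST_TYPES = ("know", "delete", "correct", "opt_out", "limit")
DISPOSITIONS = ("complied", "complied_in_part", "denied")
RETENTION_MONTHS = 24  # minimum retention period for request records


@dataclass(frozen=True)
class RequestRecord:
    """One logged consumer request: the fields the record-keeping rule names."""
    request_id: str
    request_type: str
    channel: str                # manner in which the request was submitted
    received: date              # date the request was received
    responded: Optional[date]   # date of the business's response (None if still open)
    disposition: Optional[str]  # nature of the response (None if still open)

    def __post_init__(self) -> None:
        if self.request_type not in REQUEST_TYPES:
            raise ValueError(f"unknown request type: {self.request_type}")
        if (self.responded is None) != (self.disposition is None):
            raise ValueError("responded and disposition must be set together")
        if self.disposition is not None and self.disposition not in DISPOSITIONS:
            raise ValueError(f"unknown disposition: {self.disposition}")
        if self.responded is not None and self.responded < self.received:
            raise ValueError("response date precedes receipt date")


def compile_metrics(records: Iterable[RequestRecord], year: int) -> Dict[str, Dict[str, float]]:
    """Per-type metrics for requests received in `year`: number received, number
    complied with in whole or in part, number denied, and median/mean response days.
    Open requests count as received but contribute no response time."""
    by_type: Dict[str, List[RequestRecord]] = {t: [] for t in REQUEST_TYPES}
    for r in records:
        if r.received.year == year:
            by_type[r.request_type].append(r)
    metrics: Dict[str, Dict[str, float]] = {}
    for rtype, recs in by_type.items():
        days = [(r.responded - r.received).days for r in recs if r.responded is not None]
        metrics[rtype] = {
            "received": len(recs),
            "complied": sum(r.disposition in ("complied", "complied_in_part") for r in recs),
            "denied": sum(r.disposition == "denied" for r in recs),
            "median_days": float(median(days)) if days else 0.0,
            "mean_days": float(mean(days)) if days else 0.0,
        }
    return metrics


def months_before(d: date, months: int) -> date:
    """Calendar date `months` before `d`, clamped to the last valid day of that month."""
    y, m = divmod(d.month - 1 - months, 12)
    y += d.year
    m += 1
    for day in (d.day, 30, 29, 28):  # e.g. 31 March minus one month -> 28/29 Feb
        try:
            return date(y, m, day)
        except ValueError:
            continue
    raise AssertionError("unreachable")


def purge_eligible(records: Iterable[RequestRecord], today: date) -> List[str]:
    """IDs whose 24-month retention floor has passed, measured from the later of
    receipt and response. Every other record must still be retained."""
    cutoff = months_before(today, RETENTION_MONTHS)
    return [r.request_id for r in records if (r.responded or r.received) <= cutoff]


# Constructed sample ledger (not real data).
SAMPLE_RECORDS = [
    RequestRecord("r1", "delete", "web_form", date(2026, 1, 10), date(2026, 2, 9), "complied"),          # 30 days
    RequestRecord("r2", "delete", "email", date(2026, 3, 1), date(2026, 3, 11), "denied"),               # 10 days
    RequestRecord("r3", "know", "toll_free", date(2026, 4, 5), date(2026, 5, 15), "complied_in_part"),   # 40 days
    RequestRecord("r4", "opt_out", "preference_signal", date(2026, 6, 1), date(2026, 6, 8), "complied"),  # 7 days
    RequestRecord("r5", "know", "web_form", date(2026, 12, 20), None, None),                              # still open
    RequestRecord("r6", "delete", "email", date(2025, 11, 3), date(2025, 12, 1), "complied"),            # prior year
]
REVIEW_DATE = date(2028, 3, 1)  # constructed date for the retention check

if __name__ == "__main__":
    for rtype, m in compile_metrics(SAMPLE_RECORDS, 2026).items():
        print(rtype, m)
    print("past retention floor:", purge_eligible(SAMPLE_RECORDS, REVIEW_DATE))
```

The metrics separate "received" from "complied" and "denied" so that open requests are visible as a gap rather than silently inflating compliance counts, and the retention check only reports records that have cleared the floor: it never deletes anything, because the floor is a minimum and a longer hold may be required by litigation or other obligations.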

### [RESULT] ADMT Requirements Do Not Apply

Focus on other CCPA obligations

- You do not use ADMT for significant decisions, so ADMT-specific consumer rights and pre-use notice requirements do not apply.
- You must still comply with all other applicable CCPA requirements for businesses, including: Notice at Collection, Privacy Policy, Consumer Rights, Opt-out and Limit links (if applicable), Verification, Contracts, Training, and Record-keeping.
- Risk assessments may still be required if you perform any processing activities listed in 11 CCR 7150(b), including selling or sharing personal information or processing sensitive personal information.

### [RESULT] ADMT Requirements Apply (Compliance Deadline: January 1, 2027)

Pre-use notice, opt-out, access, and risk assessment required

- Provide a pre-use notice before using ADMT for a significant decision (including required information about the purpose, opt-out and access rights, and how the ADMT works and the alternative process if the consumer opts out, unless an exception applies).
- Provide consumers with the right to opt out of ADMT (subject to exceptions) and comply with opt-out requests within required timelines. Provide consumers with the right to access ADMT and respond with the required plain-language explanations and instructions.
- Conduct a risk assessment as required by 11 CCR 7150 et seq. Submit required risk assessment information to the Agency by the applicable deadlines, and be prepared to provide full reports if requested.
- All other CCPA business obligations apply (Privacy Policy, Notice at Collection, Consumer Rights, Opt-out and Limit links if applicable, Verification, Contracts, Training, Record-keeping).

### [RESULT] Cybersecurity Audit Required

Annual audit and certification to CPPA

- Complete a cybersecurity audit if you meet the criteria in 11 CCR 7120(b). Meet the phased first-report deadlines in 11 CCR 7121(a), and follow the annual timing in 11 CCR 7121(b) after April 1, 2030.
- Ensure the audit meets the thoroughness and independence requirements, and that the audit report includes the required content (including required certifications) under the regulations.
- Submit the required certification of completion to the Agency no later than April 1 following any year that you are required to complete a cybersecurity audit.
- Retain documents relevant to each cybersecurity audit for at least five years after completion.

## CCPA Timeline

| Date | Event | Reference |
| --- | --- | --- |
| 2020-01-01 | CCPA becomes operative (January 1, 2020) | Civil Code 1798.198 (operative date) |
| 2020-07-01 | CCPA enforcement begins (July 1, 2020) | California Attorney General enforcement materials |
| 2020-11-03 | California Privacy Rights Act (CPRA - Proposition 24) approved by voters | Proposition 24 |
| 2022-12-31 | Employee and B2B exemptions expire | CPPA FAQ timeline |
| 2023-01-01 | CPRA amendments take effect (January 1, 2023) | CPPA FAQ timeline |
| 2023-07-01 | CPRA civil and administrative enforcement begins | Proposition 24 (enforcement start) |
| 2023-10-10 | Delete Act (SB 362) approved by the Governor | SB 362 (Delete Act) |
| 2024-01-01 | CPPA takes over Data Broker Registry from Attorney General | SB 362 (Delete Act) and CPPA FAQ timeline |
| 2026-01-01 | CCPA regulations effective (Title 11, Division 6, Chapter 1) | CCPA Regulations effective date |
| 2026-08-01 | Data brokers begin required use of the accessible deletion mechanism (at least once every 45 days) | SB 362 (Delete Act) |
| 2027-01-01 | ADMT (Automated Decisionmaking Technology) compliance deadline | 11 CCR 7200(b) |

## Compliance Timeline

| Date | Event | Category |
| --- | --- | --- |
| 2019-01-01 | CCPA added by AB 375 takes effect (January 1, 2019) | Legislation |
| 2020-01-01 | CCPA title becomes operative (January 1, 2020) | Legislation |
| 2020-01-16 | NIST Privacy Framework 1.0 published | Technical Standards |
| 2020-07-01 | Attorney General regulation adoption deadline (July 1, 2020) | Regulations |
| 2020-07-01 | CCPA enforcement begins (July 1, 2020) | Enforcement |
| 2020-08-14 | DOJ initial CCPA regulations promulgated (August 14, 2020) | Regulations |
| 2020-11-03 | Proposition 24 (CPRA) approved by voters | Legislation |
| 2021-03-15 | DOJ CCPA regulations amended (March 15, 2021) | Regulations |
| 2021-07-01 | Rulemaking authority transfers to CPPA (July 1, 2021) | Agency |
| 2022-01-01 | CPRA lookback applies to PI collected on or after January 1, 2022 | Legislation |
| 2022-07-01 | CPRA final regulations adoption deadline (July 1, 2022) | Regulations |
| 2022-07-08 | CPPA commences formal rulemaking (July 8, 2022) | Agency |
| 2022-08-24 | Sephora settlement announced | Enforcement |
| 2022-12-31 | Employee and B2B exemptions expire (December 31, 2022) | Legislation |
| 2023-01-01 | CPRA amendments take effect (January 1, 2023) | Legislation |
| 2023-01-01 | Notice and cure requirement ends (January 1, 2023) | Enforcement |
| 2023-03-29 | CPPA regulations approved by OAL and effective (March 29, 2023) | Regulations |
| 2023-07-01 | CPRA civil and administrative enforcement begins | Enforcement |
| 2023-10-10 | Delete Act (SB 362) signed into law | Data Brokers |
| 2024-01-01 | CPPA takes over Data Broker Registry management (January 1, 2024) | Data Brokers |
| 2024-03-08 | Draft risk assessment regulations published | Regulations |
| 2024-11-22 | Public notice of cybersecurity, risk, and ADMT rulemaking | Regulations |
| 2025-01-13 | Comment period extension notice published | Regulations |
| 2025-02-19 | Public comment hearing held | Regulations |
| 2025-07-24 | CPPA Board adopts cybersecurity, risk, and ADMT regulations | Regulations |
| 2025-09-22 | Final rulemaking documents published | Regulations |
| 2026-01-01 | CCPA regulations compilation effective (January 1, 2026) | Regulations |
| 2026-01-01 | Deletion mechanism deadline and DROP registration window opens | Data Brokers |
| 2026-01-31 | Data broker registration deadline (January 31, 2026) | Data Brokers |
| 2026-07-01 | Data broker metrics disclosure deadline (July 1, 2026) | Data Brokers |
| 2026-08-01 | Data brokers must use the deletion mechanism (August 1, 2026) | Data Brokers |
| 2027-01-01 | ADMT significant decision compliance deadline (January 1, 2027) | Regulations |
| 2027-12-31 | Risk assessment deadline for pre-2026 processing (December 31, 2027) | Regulations |
| 2028-01-01 | Data broker audits required (January 1, 2028) | Data Brokers |
| 2028-04-01 | First cybersecurity audit report deadline example (April 1, 2028) | Regulations |
| 2029-01-01 | Data broker audit disclosure requirement begins (January 1, 2029) | Data Brokers |

**Event details:**

- **2019-01-01 - CCPA added by AB 375 takes effect (January 1, 2019)**: Legislative history for the CCPA title notes it was added by Stats. 2018, Ch. 55, Sec. 3 (AB 375) and became effective January 1, 2019.
- **2020-01-01 - CCPA title becomes operative (January 1, 2020)**: Civil Code Title 1.81.5 (CCPA) is stated as operative January 1, 2020 (pursuant to Section 1798.198) in the code section group grounding materials.
- **2020-01-16 - NIST Privacy Framework 1.0 published**: NIST Privacy Framework v1.0 publication date shown as January 16, 2020 in the NIST Privacy Framework PDF.
- **2020-07-01 - Attorney General regulation adoption deadline (July 1, 2020)**: Proposition 24 ballot text and Civil Code legislative materials reference July 1, 2020 as a deadline for the Attorney General to solicit participation and adopt regulations for the CCPA.
- **2020-07-01 - CCPA enforcement begins (July 1, 2020)**: California Office of the Attorney General enforcement materials state CCPA enforcement began on July 1, 2020.
- **2020-08-14 - DOJ initial CCPA regulations promulgated (August 14, 2020)**: California Office of the Attorney General CCPA materials state the California Department of Justice promulgated an initial round of regulations implementing the CCPA on August 14, 2020.
- **2020-11-03 - Proposition 24 (CPRA) approved by voters**: Proposition 24 ballot text references approval by voters at the November 3, 2020 statewide general election and includes the CPRA enforcement commencement date.
- **2021-03-15 - DOJ CCPA regulations amended (March 15, 2021)**: California Office of the Attorney General CCPA materials state the initial regulations were further amended on March 15, 2021.
- **2021-07-01 - Rulemaking authority transfers to CPPA (July 1, 2021)**: Civil Code legislative materials and Proposition 24 text describe the transfer of regulation adoption authority from the Attorney General to the California Privacy Protection Agency beginning July 1, 2021 (subject to conditions described in the statute).
- **2022-01-01 - CPRA lookback applies to PI collected on or after January 1, 2022**: Proposition 24 ballot text states that a consumer right to request information beyond the 12-month period and the related business obligation only apply to personal information collected on or after January 1, 2022.
- **2022-07-01 - CPRA final regulations adoption deadline (July 1, 2022)**: Proposition 24 ballot text describes July 1, 2022 as the timeline for adopting final regulations required by the CPRA amendments.
- **2022-07-08 - CPPA commences formal rulemaking (July 8, 2022)**: CPPA consumer privacy act page timeline states the Agency commenced formal rulemaking to adopt CPRA implementing regulations on July 8, 2022.
- **2022-08-24 - Sephora settlement announced**: California Attorney General press release date for the Sephora CCPA settlement is August 24, 2022.
- **2022-12-31 - Employee and B2B exemptions expire (December 31, 2022)**: California Office of the Attorney General and CPPA materials state the employment-related and B2B exemptions described in Civil Code Section 1798.145(m)-(n) expired on December 31, 2022.
- **2023-01-01 - CPRA amendments take effect (January 1, 2023)**: CPPA FAQs and Office of the Attorney General materials state the CPRA amendments to the CCPA went into effect on January 1, 2023.
- **2023-01-01 - Notice and cure requirement ends (January 1, 2023)**: California Office of the Attorney General enforcement materials state that, as of January 1, 2023, the CCPA no longer requires notice of a violation or an opportunity to cure before filing an enforcement action.
- **2023-03-29 - CPPA regulations approved by OAL and effective (March 29, 2023)**: CPPA consumer privacy act page timeline states that on March 29, 2023 the Office of Administrative Law approved the CPPA regulations and filed them with the Secretary of State, and the regulations became effective on March 29, 2023.
- **2023-07-01 - CPRA civil and administrative enforcement begins**: Proposition 24 ballot text states civil and administrative enforcement of the CPRA-added or amended provisions does not commence until July 1, 2023 and applies only to violations occurring on or after that date.
- **2023-10-10 - Delete Act (SB 362) signed into law**: California legislative materials for SB 362 state the bill was approved by the Governor on October 10, 2023.
- **2024-01-01 - CPPA takes over Data Broker Registry management (January 1, 2024)**: CPPA FAQs timeline states that beginning on January 1, 2024 the Agency will take over management of the Data Broker Registry.
- **2024-03-08 - Draft risk assessment regulations published**: CPPA publishes draft risk assessment regulations dated March 8, 2024.
- **2024-11-22 - Public notice of cybersecurity, risk, and ADMT rulemaking**: CPPA updates page timeline lists a public notice of rulemaking and related documents dated November 22, 2024.
- **2025-01-13 - Comment period extension notice published**: CPPA updates page timeline lists a public notice extending the comment period dated January 13, 2025.
- **2025-02-19 - Public comment hearing held**: CPPA updates page timeline references a public comment hearing on February 19, 2025 for the cybersecurity, risk, and ADMT rulemaking.
- **2025-07-24 - CPPA Board adopts cybersecurity, risk, and ADMT regulations**: CPPA updates page timeline states the CPPA Board adopted regulations on July 24, 2025 covering updates to existing CCPA regulations, risk assessments, annual cybersecurity audits, ADMT rights, and insurance company clarifications.
- **2025-09-22 - Final rulemaking documents published**: CPPA updates page timeline lists final rulemaking documents dated September 22, 2025.
- **2026-01-01 - CCPA regulations compilation effective (January 1, 2026)**: CPPA regulations compilation PDF indicates an effective date of January 1, 2026.
- **2026-01-01 - Deletion mechanism deadline and DROP registration window opens**: CPPA FAQs and CPPA DROP materials describe a deadline to establish a single deletion mechanism by January 1, 2026 and describe a January 1 to January 31, 2026 registration and fee window for data brokers through DROP.
- **2026-01-31 - Data broker registration deadline (January 31, 2026)**: CPPA DROP materials state data brokers must register and pay the annual fee between January 1 and January 31, 2026 through DROP, and note consequences for missing the deadline.
- **2026-07-01 - Data broker metrics disclosure deadline (July 1, 2026)**: CPPA DROP materials state data brokers must disclose specified request metrics by July 1 (and that these disclosures are part of annual requirements).
- **2026-08-01 - Data brokers must use the deletion mechanism (August 1, 2026)**: SB 362 and CPPA DROP materials state that beginning August 1, 2026 data brokers must access the accessible deletion mechanism at least once every 45 days and process consumer deletion requests, subject to exceptions.
- **2027-01-01 - ADMT significant decision compliance deadline (January 1, 2027)**: CCPA regulations compilation timeline includes a compliance date stating a business that uses ADMT for a significant decision must be in compliance with Article 11 requirements no later than January 1, 2027.
- **2027-12-31 - Risk assessment deadline for pre-2026 processing (December 31, 2027)**: CCPA regulations compilation timeline includes a deadline stating that for processing initiated prior to January 1, 2026 and continuing after that date, the business must conduct and document a risk assessment no later than December 31, 2027.
- **2028-01-01 - Data broker audits required (January 1, 2028)**: SB 362 and CPPA DROP materials state that beginning January 1, 2028 and every three years thereafter, data brokers must undergo an independent third-party audit to determine compliance and must submit the audit report to the Agency upon written request.
- **2028-04-01 - First cybersecurity audit report deadline example (April 1, 2028)**: CCPA regulations compilation timeline includes an April 1, 2028 deadline for completing a first cybersecurity audit report for certain high revenue businesses (as described in the regulations timeline examples).
- **2029-01-01 - Data broker audit disclosure requirement begins (January 1, 2029)**: SB 362 and CPPA DROP materials state that beginning January 1, 2029 data brokers registering with the Agency must disclose whether they have undergone a required audit and, if so, the most recent year of submission to the Agency.


---

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/us/california-consumer-privacy-act
