| Area | CCPA | CPRA | Practical note |
|---|---|---|---|
| Scope and covered activity | CCPA: define the exact products, services, processing, claims, entities, assets, or activities that bring this side into scope; record out-of-scope facts separately. | CPRA: test its own scope boundary, exclusions, and covered activity; do not copy the CCPA conclusion without a separate source-linked finding. | Write two scope findings first: where CCPA applies, where CPRA applies, and which facts are outside one side even if evidence can be reused. |
| Who must act | CCPA: identify the business that determines the purposes and means of processing, and map any service provider, contractor, third party, or consumer-facing business process that owns the duty. | CPRA: confirm whether the same entity is acting as a business, service provider, contractor, or third party under the amended CCPA, then assign each duty to that role. | Name each role separately because one entity can hold different obligations in different workflows. |
| Trigger or threshold | CCPA: state the fact that starts the obligation, such as meeting the business thresholds, collecting personal information, selling or sharing personal information, receiving a consumer request, or changing privacy-policy disclosures. | CPRA: identify amended-CCPA triggers such as sensitive personal information use, sharing for cross-context behavioral advertising, contractor/service-provider terms, opt-out preference signals, or updated consumer-right workflows. | Start with the trigger so teams do not apply the wrong regime to the wrong facts. |
| Core obligations | CCPA requires businesses meeting the size thresholds to disclose the categories of personal information collected and sold, provide a "Do Not Sell My Personal Information" opt-out link, honor consumer requests to know and delete within 45 days, and avoid retaliatory pricing or service differences for consumers who exercise rights. | CPRA adds to CCPA by creating a right to correct, expanding opt-out rights to cover sharing for cross-context behavioral advertising, introducing sensitive personal information restrictions and a separate opt-out right for SPI use, establishing the California Privacy Protection Agency as the independent enforcement body, and imposing data minimization and retention limit obligations. | Translate obligations into tickets, notices, records, controls, or contract terms. |
| Evidence and records | CCPA: keep the evidence that proves this side of the decision, including cited text, registers, policies, test records, contracts, notices, reports, approvals, or audit artifacts. | CPRA: keep comparator evidence in a distinct record set and link only the artifacts that genuinely satisfy both source-linked requirements. | Keep source links, factual analysis, owner approval, and implementation evidence together. |
| Timing and cadence | CCPA: track the current statutory and regulatory timing for privacy-policy updates, consumer-request response periods, opt-out mechanisms, and any applicable cure or remediation process. | CPRA: track the comparator schedule separately so a later deadline, recurring audit, or incident timer is not hidden by the other workstream. | Use current source dates; do not reuse old project plans after amendments or guidance updates. |
| Enforcement or assurance route | CCPA: enforcement is handled by the California Privacy Protection Agency and the California Attorney General, with consumer lawsuits limited mainly to specified data-breach claims. | CPRA: account for the CPPA administrative enforcement role, California Attorney General authority, penalties, and regulator complaint or investigation pathways. | Escalate when enforcement exposure differs because the CPPA, California Attorney General, a consumer complaint, or a private data-breach claim may require different proof. |
| Overlap and reuse | CCPA: reuse controls only where the source-linked duty, evidence standard, owner, and timing align with the comparator; otherwise keep a bridge note. | CPRA can reuse evidence from the other side only when the same fact pattern, system boundary, control, owner, and source-linked requirement are genuinely aligned. | Document overlap explicitly instead of merging both tests into one vague compliance label. |
| Practical decision rule | CCPA: treat this as the controlling workstream when its scope trigger, deadline, regulator, or required artifact is the immediate blocker. | CPRA: run a parallel or follow-on workstream when this side adds separate actors, evidence, timing, penalties, customer assurances, or implementation constraints. | If the fact pattern only raises ordinary CCPA duties, follow CCPA; if the fact pattern includes CPRA amendments or added rights, follow CPRA; if both apply, do both and use the stricter rule. |