California CCPA vs CPRA

Use the actual legal and operational deltas when upgrading an older California privacy programme.

Focused on scope, rights workflows, notices, adtech classification, vendor contracts, and enforcement using current California sources.

Author: Sorena AI
Published: Feb 21, 2026
Updated: Feb 21, 2026
Overview

The practical question is not whether California businesses comply with CCPA or CPRA as if they were two separate live regimes. The current compliance target is the CCPA as amended by Proposition 24, and the useful exercise is to find the legacy assumptions that still sit inside notices, request workflows, adtech architecture, and vendor contracts.

Section 2

Scope, thresholds, and populations changed

The threshold test now counts buying, selling, or sharing the personal information of 100,000 or more consumers or households. The old 50,000 threshold is a pre-CPRA number and should not still appear in scope memos, intake questionnaires, or customer-facing explanations.

Legacy scoping errors also come from stale exemption assumptions. Employment-related and business-to-business carve-outs no longer rescue a programme that has ignored employee, applicant, vendor-contact, or business-customer data after the end of 2022.

  • Rerun threshold analysis using the 100,000 consumers-or-households test and the broader sale-or-sharing language.
  • Do not hard-code the historical $25 million threshold without checking the current CPI-adjusted amount published by California.
  • Bring employee, applicant, and B2B-related data flows back into your inventory, notices, and request-routing analysis.
  • Document whether each entity is acting as a business, service provider, contractor, or third party for the relevant flow.

Section 3

Rights, retention, and workflow logic changed

CPRA added the right to correct inaccurate personal information and the right to limit certain uses and disclosures of sensitive personal information. It also made sharing for cross-context behavioral advertising a first-class concept, and it made retention disclosure, purpose limitation, and data minimization much more explicit than many original CCPA builds assumed.

The practical consequence is workflow depth. Correction requests, SPI limitation, broader opt-out handling, retention schedules, and compatibility reviews now require routing, verification, logging, and downstream propagation to service providers and contractors.

  • Add a correction workflow that can intake supporting information, evaluate accuracy, and preserve an evidence trail.
  • Maintain a usable inventory of sensitive personal information so teams know when the right to limit is actually triggered.
  • Publish retention periods or retention criteria for each category of personal information and sensitive personal information collected.
  • Review new and secondary uses against the disclosed purpose, compatibility with context, or valid consumer consent rather than assuming old CCPA notice language is enough.
  • Review request-to-know tooling for the current rule that can require disclosure beyond 12 months for information collected on or after January 1, 2022.
  • Make sure delete and correct flows send instructions to service providers and contractors rather than stopping at the business boundary.

Section 5

Sale, sharing, and vendor classification

One of the biggest practical deltas is that sharing now captures disclosures for cross-context behavioral advertising even when no money changes hands. That means pixels, audience matching, measurement, and activation flows should not be analyzed only through the older sale lens.

California also narrows the service-provider and contractor safe zone. A recipient performing cross-context behavioral advertising is treated as a third party for that function, and a recipient without a compliant contract can push a disclosure back into sale-or-sharing territory.

  • Map each recipient by actual function rather than by the label in the MSA or DPA.
  • Do not treat a vendor that performs cross-context behavioral advertising as a service provider for that activity.
  • Update service provider and contractor addenda to include sale/share prohibitions, same-level-of-protection language, monitoring rights, notice of non-compliance, and request-support obligations.
  • Keep evidence that opt-out, deletion, correction, and limit instructions are propagated downstream and checked in practice.

Section 6

Legacy CCPA remediation checklist

If your California programme was built before January 1, 2023, the fastest practical approach is to run a focused remediation sprint against the highest-risk deltas rather than rewriting everything from scratch.

The key is to test the actual control surfaces that regulators, consumers, and counterparties will touch first: notices, choice interfaces, rights workflows, vendor classification, and evidence.

  • Update privacy notices and footer links so they match the current rights set, including sale or sharing and sensitive personal information limitation where applicable.
  • Reclassify advertising, analytics, and activation vendors by actual behavior and contract structure, not by historical labels.
  • Add correction and SPI-limit handling to request intake, tracking, downstream instructions, and QA scripts.
  • Verify response timing, request confirmation, and downstream deletion or correction propagation in live systems instead of relying on policy text.
  • Refresh service provider, contractor, and third-party templates with current California restrictions, monitoring rights, and remediation rights.
  • Split incident playbooks so teams distinguish private breach claims under Section 1798.150 from regulator-driven enforcement under Sections 1798.155 and 1798.199.90.

Section 7

Enforcement changed, but not in one simple way

CPRA established the CPPA and moved California beyond the earlier Attorney-General-only model. For public enforcement, the live text uses administrative and civil enforcement mechanisms rather than the old shorthand assumption that every violation comes with a universal 30-day cure window.

But the cure concept did not disappear everywhere. The private action section for certain security-breach claims still includes 30 days' written notice before statutory-damages litigation. Teams should stop teaching a blanket rule either way and instead separate public enforcement from private breach actions.

  • Do not tell stakeholders that every CCPA violation comes with a guaranteed public cure period.
  • Keep notices, request logs, suppression testing, vendor contracts, and governance records ready for regulator review rather than assuming remediation can wait.
  • Treat complaints against businesses, service providers, contractors, and third parties as potential enforcement inputs.
  • When discussing lawsuits or incidents, distinguish Section 1798.150 private breach claims from Section 1798.155 public enforcement.

Primary sources

References and citations

leginfo.legislature.ca.gov (6 citations)
Referenced sections
  • Primary statutory source used for the current operative text on thresholds, definitions, correction, SPI limitation, link requirements, contracts, private actions, and public enforcement.
  • Used for Sections 1798.100, 1798.105, 1798.106, and 1798.121, including retention disclosure, reasonably-necessary-and-proportionate use, correction rights, SPI limitation rights, and the requirement to notify service providers, contractors, and third parties in deletion workflows.
  • Used for Section 1798.135: link requirements, opt-out preference signal option, no-account-creation rule, and the 12-month wait before re-requesting authorization.
  • Used for definitions of share, cross-context behavioral advertising, contractor, service provider, business purpose, and the statutory contract obligations in Sections 1798.100 and 1798.140.
  • Used for the current rights, link obligations, contract restrictions, private-action section, and Attorney-General enforcement section.
  • Used for Section 1798.150 on private breach actions and 30 days' written notice, Section 1798.155 on CPPA administrative enforcement, Section 1798.199.90 on Attorney-General civil enforcement, and the CPRA enforcement-start language tied to July 1, 2023.
"whether or not for monetary or other valuable consideration"

cppa.ca.gov (6 citations)
Referenced sections
  • Used for current California rights summaries, threshold explanations, response timing, and complaint-routing guidance.
  • Used for the current threshold explanation, current CPI-adjusted revenue threshold example, and the statement that the CCPA imposes separate obligations on service providers and contractors.
  • Used for the consumer-facing explanation of correct, limit, opt-out, deletion, and the Agency's summary of purpose limitation and data minimization rules.
  • Used for the practical consumer-facing explanation of footer links, OOPS/GPC handling, and response timing.
  • Used for the public-facing workflow expectations on links, timing, requests, and complaints.
  • Used for the statement that businesses, service providers, third parties, and contractors may be the subject of a CPPA complaint under the CCPA.
"Businesses must honor opt-out preference signals"

cppa.ca.gov (5 citations)
Referenced sections
  • Primary regulatory source used for request handling, opt-out preference signals, response timing, and the operational model for service providers and contractors.
  • Used for operational detail on requests to delete, requests to correct, requests to know, and restrictions on incompatible uses, including downstream correction duties and the beyond-12-month request-to-know rule.
  • Used for regulations on opt-out preference signals, 15-business-day opt-out and limit execution, and the rule that an opt-out preference signal overrides conflicting business-specific settings unless the consumer later consents.
  • Used for Sections 7050 and 7051, including the rule that a person providing cross-context behavioral advertising is a third party rather than a service provider or contractor for that activity, and the due-diligence and audit-rights model for recipient contracts.
  • Used for the practical request-handling, timing, opt-out preference signal, and service-provider implementation details that turn the statute into operating controls.
"a third party and not a service provider"

oag.ca.gov (4 citations)
Referenced sections
  • Used for the practical public-facing explanation of what changed on January 1, 2023 and for the enforcement versus private-action distinction.
  • Used for the current-against-legacy framing: the Attorney General states that the CPRA amendments to the CCPA are in effect as of January 1, 2023 and that the updated regulations were effective on March 29, 2023.
  • Used for the 100,000 threshold summary and the statement that employment-related and B2B exemptions expired on December 31, 2022.
  • Used for the agency explanation that most CCPA violations are not privately actionable, that the 30-day notice appears in the private breach context, and that public complaints may go to the Attorney General and, for post-July-1-2023 violations, the CPPA.
"You cannot sue businesses for most CCPA violations."

vig.cdn.sos.ca.gov (2 citations)
Referenced sections
  • Used for the original voter-facing summary of the CPRA deltas: sharing, correction, SPI limitation, and creation of the CPPA.
  • Used for the voter-facing summary of the intended deltas: new rights, sharing restrictions, and creation of the CPPA.
"Establishes California Privacy Protection Agency."