---
title: "CCPA vs CPRA"
canonical_url: "https://www.sorena.io/artifacts/us/california-consumer-privacy-act/ccpa-vs-cpra"
source_url: "https://www.sorena.io/artifacts/us/california-consumer-privacy-act/ccpa-vs-cpra"
author: "Sorena AI"
description: "A practical CCPA vs CPRA delta guide grounded in the current California statute, CPPA regulations, and official agency guidance."
published_at: "2026-02-21"
updated_at: "2026-02-21"
keywords:
  - "CCPA vs CPRA"
  - "CPRA changes"
  - "California privacy delta"
  - "sale vs sharing California"
  - "California privacy rights"
  - "CCPA"
  - "CPRA"
  - "California privacy"
---
# CCPA vs CPRA

A practical CCPA vs CPRA delta guide grounded in the current California statute, CPPA regulations, and official agency guidance.

## California CCPA vs CPRA

Use the actual legal and operational deltas when upgrading an older California privacy programme.

Focused on scope, rights workflows, notices, adtech classification, vendor contracts, and enforcement using current California sources.

The practical question is not whether California businesses comply with CCPA or CPRA as if they were two separate live regimes. The current compliance target is the CCPA as amended by Proposition 24, and the useful exercise is to find the legacy assumptions that still sit inside notices, request workflows, adtech architecture, and vendor contracts.

## Start with the current legal frame

CPRA did not replace the CCPA with a separate standalone codebase. Proposition 24 amended Title 1.81.5, so the operative compliance target today is the CCPA as amended, read together with the current CPPA regulations and current agency guidance.

That matters because many 2020-era California playbooks still rely on pre-2023 terminology, regulator assumptions, and request designs. A serious cleanup project should treat CCPA vs CPRA as a delta review for a legacy programme, not as a choice between two alternative laws.

- Retire internal references that treat CPRA as future-dated or optional.
- Base current implementation work on the live statute, current regulations, and current agency guidance rather than archived 2020 materials alone.
- Keep a separate list of already-effective duties versus proposed or still-moving California rulemakings.
- Audit privacy policies, training decks, ticket templates, and vendor guidance for stale pre-2023 language.

Sources for this answer:

- [California Attorney General CCPA overview and FAQs](https://oag.ca.gov/privacy/ccpa?ref=sorena.io) - Used for the current-against-legacy framing: the Attorney General states that the CPRA amendments to the CCPA are in effect as of January 1, 2023 and that the updated regulations were effective on March 29, 2023.
- [Proposition 24 voter guide summary](https://vig.cdn.sos.ca.gov/2020/general/pdf/topl-prop24.pdf?ref=sorena.io) - Used for the voter-facing summary of the intended deltas: new rights, sharing restrictions, and creation of the CPPA.

## Scope, thresholds, and populations changed

The threshold test now counts buying, selling, or sharing the personal information of 100,000 or more consumers or households. The old 50,000 threshold is a pre-CPRA number and should not still appear in scope memos, intake questionnaires, or customer-facing explanations.

Legacy scoping errors also come from stale exemption assumptions. Employment-related and business-to-business carve-outs no longer rescue a programme that has ignored employee, applicant, vendor-contact, or business-customer data after the end of 2022.

- Rerun threshold analysis using the 100,000 consumers-or-households test and the broader sale-or-sharing language.
- Do not hard-code the historical $25 million threshold without checking the current CPI-adjusted amount published by California.
- Bring employee, applicant, and B2B-related data flows back into your inventory, notices, and request-routing analysis.
- Document whether each entity is acting as a business, service provider, contractor, or third party for the relevant flow.

Sources for this answer:

- [CPPA FAQs](https://cppa.ca.gov/faq.html?ref=sorena.io) - Used for the current threshold explanation, current CPI-adjusted revenue threshold example, and the statement that the CCPA imposes separate obligations on service providers and contractors.
- [California Attorney General CCPA overview and FAQs](https://oag.ca.gov/privacy/ccpa?ref=sorena.io) - Used for the 100,000 threshold summary and the statement that employment-related and B2B exemptions expired on December 31, 2022.

## Rights, retention, and workflow logic changed

CPRA added the right to correct inaccurate personal information and the right to limit certain uses and disclosures of sensitive personal information. It also made sharing for cross-context behavioral advertising a first-class concept, and it made retention disclosure, purpose limitation, and data minimization much more explicit than many original CCPA builds assumed.

The practical consequence is workflow depth. Correction requests, SPI limitation, broader opt-out handling, retention schedules, and compatibility reviews now require routing, verification, logging, and downstream propagation to service providers and contractors.

- Add a correction workflow that can intake supporting information, evaluate accuracy, and preserve an evidence trail.
- Maintain a usable inventory of sensitive personal information so teams know when the right to limit is actually triggered.
- Publish retention periods or retention criteria for each category of personal information and sensitive personal information collected.
- Review new and secondary uses against the disclosed purpose, compatibility with context, or valid consumer consent rather than assuming old CCPA notice language is enough.
- Review request-to-know tooling for the current rule that can require disclosure beyond 12 months for information collected on or after January 1, 2022.
- Make sure delete and correct flows send instructions to service providers and contractors rather than stopping at the business boundary.

Sources for this answer:

- [California Civil Code - Title 1.81.5 (current CCPA text)](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Used for Sections 1798.100, 1798.105, 1798.106, and 1798.121, including retention disclosure, reasonably-necessary-and-proportionate use, correction rights, SPI limitation rights, and the requirement to notify service providers, contractors, and third parties in deletion workflows.
- [CCPA Regulations effective January 1, 2026](https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_20260101.pdf?ref=sorena.io) - Used for operational detail on requests to delete, requests to correct, requests to know, and restrictions on incompatible uses, including downstream correction duties and the beyond-12-month request-to-know rule.
- [CPPA FAQs](https://cppa.ca.gov/faq.html?ref=sorena.io) - Used for the consumer-facing explanation of correct, limit, opt-out, deletion, and the Agency's summary of purpose limitation and data minimization rules.

## Notices, links, and preference signals

The amended regime changed the consumer-facing interface, not just the rights list. Businesses may need Do Not Sell or Share and Limit links, a combined alternative link, or a fully effective opt-out preference signal implementation depending on how the experience is built.

This is where many legacy implementations fail. Teams keep old footer language, treat browser signals as optional, or add extra friction that the statute and regulations do not allow.

- Provide Do Not Sell or Share and Limit links, or a combined Your Privacy Choices experience, if your data use triggers those rights.
- Do not require account creation or extra information beyond what is necessary to submit opt-out or limit requests.
- Honor opt-out preference signals at least for the browser or device, and apply them more broadly when the consumer is known to the business.
- Work to California response timing: confirm delete, correct, and know requests within 10 business days, respond within 45 calendar days unless extended, and complete opt-out and limit requests within 15 business days.

Sources for this answer:

- [California Civil Code - Title 1.81.5 (current CCPA text)](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Used for Section 1798.135: link requirements, opt-out preference signal option, no-account-creation rule, and the 12-month wait before re-requesting authorization.
- [CCPA Regulations effective January 1, 2026](https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_20260101.pdf?ref=sorena.io) - Used for regulations on opt-out preference signals, 15-business-day opt-out and limit execution, and the rule that an opt-out preference signal overrides conflicting business-specific settings unless the consumer later consents.
- [CPPA FAQs](https://cppa.ca.gov/faq.html?ref=sorena.io) - Used for the practical consumer-facing explanation of footer links, OOPS/GPC handling, and response timing.

## Sale, sharing, and vendor classification

One of the biggest practical deltas is that sharing now captures disclosures for cross-context behavioral advertising even when no money changes hands. That means pixels, audience matching, measurement, and activation flows should not be analyzed only through the older sale lens.

California also narrows the service-provider and contractor safe zone. A recipient performing cross-context behavioral advertising is treated as a third party for that function, and a recipient without a compliant contract can push a disclosure back into sale-or-sharing territory.

- Map each recipient by actual function rather than by the label in the MSA or DPA.
- Do not treat a vendor that performs cross-context behavioral advertising as a service provider for that activity.
- Update service provider and contractor addenda to include sale/share prohibitions, same-level-of-protection language, monitoring rights, notice of non-compliance, and request-support obligations.
- Keep evidence that opt-out, deletion, correction, and limit instructions are propagated downstream and checked in practice.

Sources for this answer:

- [California Civil Code - Title 1.81.5 (current CCPA text)](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Used for definitions of share, cross-context behavioral advertising, contractor, service provider, business purpose, and the statutory contract obligations in Sections 1798.100 and 1798.140.
- [CCPA Regulations effective January 1, 2026](https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_20260101.pdf?ref=sorena.io) - Used for Sections 7050 and 7051, including the rule that a person providing cross-context behavioral advertising is a third party rather than a service provider or contractor for that activity, and the due-diligence and audit-rights model for recipient contracts.

## Legacy CCPA remediation checklist

If your California programme was built before January 1, 2023, the fastest practical approach is to run a focused remediation sprint against the highest-risk deltas rather than rewriting everything from scratch.

The key is to test the actual control surfaces that regulators, consumers, and counterparties will touch first: notices, choice interfaces, rights workflows, vendor classification, and evidence.

- Update privacy notices and footer links so they match the current rights set, including sale or sharing and sensitive personal information limitation where applicable.
- Reclassify advertising, analytics, and activation vendors by actual behavior and contract structure, not by historical labels.
- Add correction and SPI-limit handling to request intake, tracking, downstream instructions, and QA scripts.
- Verify response timing, request confirmation, and downstream deletion or correction propagation in live systems instead of relying on policy text.
- Refresh service provider, contractor, and third-party templates with current California restrictions, monitoring rights, and remediation rights.
- Split incident playbooks so teams distinguish private breach claims under Section 1798.150 from regulator-driven enforcement under Sections 1798.155 and 1798.199.90.

Sources for this answer:

- [California Civil Code - Title 1.81.5 (current CCPA text)](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Used for the current rights, link obligations, contract restrictions, private-action section, and Attorney-General enforcement section.
- [CCPA Regulations effective January 1, 2026](https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_20260101.pdf?ref=sorena.io) - Used for the practical request-handling, timing, opt-out preference signal, and service-provider implementation details that turn the statute into operating controls.
- [CPPA FAQs](https://cppa.ca.gov/faq.html?ref=sorena.io) - Used for the public-facing workflow expectations on links, timing, requests, and complaints.

## Enforcement changed, but not in one simple way

CPRA established the CPPA and moved California beyond the earlier Attorney-General-only model. For public enforcement, the live text uses administrative and civil enforcement mechanisms rather than the old shorthand assumption that every violation comes with a universal 30-day cure window.

But the cure concept did not disappear everywhere. The private action section for certain security-breach claims still includes 30 days' written notice before statutory-damages litigation. Teams should stop teaching a blanket rule either way and instead separate public enforcement from private breach actions.

- Do not tell stakeholders that every CCPA violation comes with a guaranteed public cure period.
- Keep notices, request logs, suppression testing, vendor contracts, and governance records ready for regulator review rather than assuming remediation can wait.
- Treat complaints against businesses, service providers, contractors, and third parties as potential enforcement inputs.
- When discussing lawsuits or incidents, distinguish Section 1798.150 private breach claims from Section 1798.155 public enforcement.

Sources for this answer:

- [California Civil Code - Title 1.81.5 (current CCPA text)](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Used for Section 1798.150 on private breach actions and 30 days' written notice, Section 1798.155 on CPPA administrative enforcement, Section 1798.199.90 on Attorney-General civil enforcement, and the CPRA enforcement-start language tied to July 1, 2023.
- [California Attorney General CCPA overview and FAQs](https://oag.ca.gov/privacy/ccpa?ref=sorena.io) - Used for the agency explanation that most CCPA violations are not privately actionable, that the 30-day notice appears in the private breach context, and that public complaints may go to the Attorney General and, for post-July-1-2023 violations, the CPPA.
- [CPPA FAQs](https://cppa.ca.gov/faq.html?ref=sorena.io) - Used for the statement that businesses, service providers, third parties, and contractors may be the subject of a CPPA complaint under the CCPA.

## Primary sources

- [California Civil Code - Title 1.81.5 (current CCPA text)](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Primary statutory source used for the current operative text on thresholds, definitions, correction, SPI limitation, link requirements, contracts, private actions, and public enforcement.
  - Quote: "whether or not for monetary or other valuable consideration"
- [CCPA Regulations effective January 1, 2026](https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_20260101.pdf?ref=sorena.io) - Primary regulatory source used for request handling, opt-out preference signals, response timing, and the operational model for service providers and contractors.
  - Quote: "a third party and not a service provider"
- [CPPA FAQs](https://cppa.ca.gov/faq.html?ref=sorena.io) - Used for current California rights summaries, threshold explanations, response timing, and complaint-routing guidance.
  - Quote: "Businesses must honor opt-out preference signals"
- [California Attorney General CCPA overview and FAQs](https://oag.ca.gov/privacy/ccpa?ref=sorena.io) - Used for the practical public-facing explanation of what changed on January 1, 2023 and for the enforcement versus private-action distinction.
  - Quote: "You cannot sue businesses for most CCPA violations."
- [Proposition 24 voter guide summary](https://vig.cdn.sos.ca.gov/2020/general/pdf/topl-prop24.pdf?ref=sorena.io) - Used for the original voter-facing summary of the CPRA deltas: sharing, correction, SPI limitation, and creation of the CPPA.
  - Quote: "Establishes California Privacy Protection Agency."

