---
title: "CCPA FAQ"
canonical_url: "https://www.sorena.io/artifacts/us/ccpa/faq"
source_url: "https://www.sorena.io/artifacts/us/california-consumer-privacy-act/faq"
author: "Sorena AI"
description: "Answer the California privacy questions that usually stall implementation."
published_at: "2026-02-21"
updated_at: "2026-02-21"
keywords:
  - "CCPA FAQ"
  - "California privacy FAQ"
  - "GPC FAQ"
  - "do not sell or share questions"
  - "CCPA"
  - "FAQ"
  - "California privacy"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# CCPA FAQ

Answer the California privacy questions that usually stall implementation.

*FAQ* *CCPA*

## California CCPA FAQ

Grounded in the California statute, CPPA regulations, and current California enforcement themes.

California privacy projects often stall on a small number of recurring questions. The safest approach is to answer them once, document the reasoning, and reuse the result consistently.

## Scope and threshold questions

Frequent questions include whether a company is a business, how the 100,000 consumer or household threshold is measured, and when exemptions actually apply.

- Which threshold is met and with what calculation method
- Whether any affiliate relationship affects business status
- Which data sets are exempt and which are not
- How the scope decision will be reviewed next year

## Rights and opt out questions

Teams often ask when identity verification is needed, how GPC works, whether a business must keep a do not sell or share link when GPC is supported, and how quickly downstream parties must be instructed.

- Requests to opt out of sale or sharing should not require identity verification
- GPC should be treated as a valid opt out preference signal
- The rights process must distinguish delete, correct, know, and opt out flows
- Request handling records should be kept for at least 24 months

## Vendor and enforcement questions

Another common question is whether signing the right contract is enough to claim service provider or contractor status. The regulations say no. Due diligence and the right to stop and remediate misuse matter too.

- Contract signatures are necessary but not sufficient
- Businesses should explain how they monitor vendor compliance
- Notice accuracy and GPC handling remain key enforcement themes
- The current California rule set should be treated as the live baseline

*Recommended next step*

*Placement: after the FAQ section*

## Use California CCPA FAQ as a cited research workflow

Research Copilot can take California CCPA FAQ from cited answers to recurring questions on this topic to a reusable workflow inside Sorena. Teams working on California CCPA can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Research Copilot for California CCPA FAQ](/solutions/research-copilot.md): Start from California CCPA FAQ and answer scope, timing, and interpretation questions with cited outputs.
- [Talk through California CCPA](/contact.md): Review your current process, evidence gaps, and next steps for California CCPA FAQ.

## Primary sources

- [CPPA regulations](https://cppa.ca.gov/regulations/?ref=sorena.io) - Official California regulations hub.
- [California privacy statute effective January 1, 2026](https://cppa.ca.gov/regulations/pdf/ccpa_statute_2026.pdf?ref=sorena.io) - Current statutory text as reflected in CPPA materials.
- [CPPA FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Official California FAQ.
- [CPPA CCPA updates](https://cppa.ca.gov/ccpa_updates.html?ref=sorena.io) - Rulemaking and effective date updates.

## Related Topic Guides

- [CCPA Applicability Test | California Scope Test](/artifacts/us/california-consumer-privacy-act/applicability-test.md): Test whether a business is in scope under the current California threshold model.
- [CCPA Checklist | California Privacy Compliance Checklist](/artifacts/us/california-consumer-privacy-act/checklist.md): Track the California controls that must actually exist in policy, product, and vendor operations.
- [CCPA Compliance Program | California Operating Model](/artifacts/us/california-consumer-privacy-act/compliance.md): Build a California privacy programme that survives regulator questions and product change.
- [CCPA Consumer Rights Workflow | 45 Day Request Handling](/artifacts/us/california-consumer-privacy-act/consumer-rights-workflow.md): Run California rights operations with clear timing, verification, and downstream instructions.
- [CCPA Deadlines and Compliance Calendar](/artifacts/us/california-consumer-privacy-act/deadlines-and-compliance-calendar.md): Use the dates that actually shape California privacy work.
- [CCPA Enforcement and Penalties | CPPA and AG Exposure Guide](/artifacts/us/california-consumer-privacy-act/enforcement-and-penalties.md): Understand how California enforcement usually starts and what evidence the agency will ask for.
- [CCPA Penalties and Fines | California Exposure Summary](/artifacts/us/california-consumer-privacy-act/penalties-and-fines.md): Know the penalty ranges, then work backward to the controls that reduce them.
- [CCPA Privacy Notices and Disclosures | California Notice Architecture](/artifacts/us/california-consumer-privacy-act/privacy-notices-and-disclosures.md): Design the California notice stack so each disclosure appears in the right place and says the right thing.
- [CCPA Privacy Policy Template | Required California Disclosures](/artifacts/us/california-consumer-privacy-act/ccpa-privacy-policy-template.md): Write a California privacy policy that actually matches the statute and regulations.
- [CCPA Requirements | California Control Requirements](/artifacts/us/california-consumer-privacy-act/requirements.md): Translate California law into control statements that can be implemented, tested, and audited.
- [CCPA Scope and Thresholds | California Business Threshold Guide](/artifacts/us/california-consumer-privacy-act/scope-and-thresholds.md): Use the real California threshold tests instead of rough privacy folklore.
- [CCPA Service Provider and Contractor Contracts](/artifacts/us/california-consumer-privacy-act/service-provider-contractor-contracts.md): Draft California vendor contracts that work in practice, not only on paper.
- [CCPA vs CPRA | What Actually Changed in California Privacy](/artifacts/us/california-consumer-privacy-act/ccpa-vs-cpra.md): A practical CCPA vs CPRA delta guide grounded in the current California statute, CPPA regulations, and official agency guidance.
- [CCPA vs GDPR | California and EU Privacy Comparison](/artifacts/us/california-consumer-privacy-act/ccpa-vs-gdpr.md): Compare California CCPA obligations with the GDPR without assuming the two models are interchangeable.
- [Do Not Sell or Share Implementation | CCPA and GPC Guide](/artifacts/us/california-consumer-privacy-act/do-not-sell-share-implementation.md): Implement California opt out controls that actually work across websites, apps, and partner pipelines.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/us/california-consumer-privacy-act/faq