---
title: "US CCPA Privacy Law FAQ"
canonical_url: "https://www.sorena.io/artifacts/us/california-consumer-privacy-act/faq/items/page/2"
source_url: "https://www.sorena.io/artifacts/us/california-consumer-privacy-act/faq/items/page/2"
author: "Sorena AI"
description: "Practical guidance for the US CCPA FAQ, with practical decisions, evidence, edge cases, and external source citations."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "US CCPA"
  - "FAQ"
  - "US CCPA FAQ"
  - "compliance checklist"
  - "practical guidance"
  - "Compliance"
  - "Regulatory guidance"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# US CCPA Privacy Law FAQ

Practical guidance for the US CCPA FAQ, with practical decisions, evidence, edge cases, and external source citations.

*Artifact Guide* *US* *FAQ*

## US CCPA FAQ

Use this FAQ to answer recurring US CCPA implementation questions with source-linked operational guidance, clear owners, and reusable evidence.

This guide converts official requirements into scope, evidence, ownership, and review decisions for practical implementation, supporting implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.

This FAQ hub answers the most common US CCPA questions with plain, direct guidance on scope, consumer rights, business obligations, request handling, and enforcement basics.

## Browse sub-FAQ modules

### [CCPA Global Privacy Control (GPC): team obligations and technical implementation](/artifacts/us/california-consumer-privacy-act/faq/gpc.md)

US CCPA guidance for GPC, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [How should teams decide whether US CCPA applies?](/artifacts/us/california-consumer-privacy-act/faq/thresholds.md)

US CCPA guidance for Thresholds, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about consumer request verification under the CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dsar-verification.md)

US CCPA guidance for consumer request verification, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Dark Patterns under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dark-patterns.md)

US CCPA guidance for Dark Patterns, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Data Broker Crossover under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/data-broker-crossover.md)

US CCPA guidance for Data Broker Crossover, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Do not sell or share under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/do-not-sell-or-share.md)

US CCPA guidance for Do not sell or share, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Financial Incentives under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/financial-incentives.md)

US CCPA guidance for Financial Incentives, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Minors under the California CCPA?](/artifacts/us/california-consumer-privacy-act/faq/minors.md)

US CCPA guidance for Minors, with practical decisions, evidence, edge cases, and external source citations.

- 4 items

### [What should teams do about Notice at collection under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/notice-at-collection.md)

US CCPA guidance for Notice at collection, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Personal And Sensitive Pi Categories under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/personal-and-sensitive-pi-categories.md)

US CCPA guidance for Personal And Sensitive Pi Categories, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Privacy Policy under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/privacy-policy.md)

US CCPA guidance for Privacy Policy, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Risk And Cyber Audits under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/risk-and-cyber-audits.md)

US CCPA guidance for Risk And Cyber Audits, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Service Provider And Contractor Contracts under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/service-provider-and-contractor-contracts.md)

US CCPA guidance for Service Provider And Contractor Contracts, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

Browse all indexed questions: [/artifacts/us/california-consumer-privacy-act/faq/items](/artifacts/us/california-consumer-privacy-act/faq/items.md)

## All FAQ items

*Page 2 of 2. Showing 20 of 40 items.*

### [Which mistakes create risk when handling Financial Incentives under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/financial-incentives.md#which-mistakes-create-risk-when-handling-financial-incentives-under-the-us-ccpa)

*Module: [What should teams do about Financial Incentives under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/financial-incentives.md)*

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [CPPA CCPA Regulations (effective January 1, 2026) - § 7016 Notice of Financial Incentive](https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_20260101.pdf?ref=sorena.io) - CPPA regulation § 7016 sets what a Notice of Financial Incentive must explain before a consumer opts in.
- [CPPA CCPA Regulations (March 2023 final text)](https://cppa.ca.gov/regulations/pdf/20230329_final_regs_text.pdf?ref=sorena.io) - CPPA final regulations define financial incentives and price or service differences for CCPA scoping.
- [California Consumer Privacy Act Regulations - CPPA](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - CPPA regulations page is the official hub for the final CCPA regulation materials used for this FAQ.

### [What should teams do about Minors under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/minors.md#what-should-teams-do-about-minors-under-the-us-ccpa)

*Module: [What should teams do about Minors under the California CCPA?](/artifacts/us/california-consumer-privacy-act/faq/minors.md)*

Teams should treat Minors under the US CCPA as a source-linked operating decision: if a business has actual knowledge that it sells or shares personal information of a consumer less than 13 years of age, it must establish, document, and comply with a reasonable method for determining that the person consenting is the parent or guardian; if it has actual knowledge that it sells or shares personal information of consumers at least 13 years of age and less than 16 years of age, it must establish, document, and comply with a reasonable process for allowing those consumers to opt in to sale or sharing.

- Write the Minors decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [California Attorney General CCPA FAQ](https://oag.ca.gov/privacy/ccpa?ref=sorena.io) - California Attorney General FAQ used for the CCPA minors opt-in rule and parent or guardian authorization threshold.
- [CCPA Regulations](https://oag.ca.gov/privacy/ccpa/regs?ref=sorena.io) - Direct support for the FAQ answer on Minors.
- [California Attorney General CCPA rulemaking document](https://oag.ca.gov/privacy/ccpa/regs/sites/all/files/agweb/pdfs/privacy/ccpa-std399-signed.pdf?ref=sorena.io) - Direct support for the FAQ answer on Minors.

### [What FAQ answers should a visitor expect on a minors page?](/artifacts/us/california-consumer-privacy-act/faq/minors.md#what-faq-answers-should-a-visitor-expect-on-a-minors-page)

*Module: [What should teams do about Minors under the California CCPA?](/artifacts/us/california-consumer-privacy-act/faq/minors.md)*

A visitor would expect direct answers to questions like who counts as a minor under the CCPA, when affirmative authorization or opt-in is required, and what the business must disclose in its privacy policy.

- Who counts as a child under 13?
- When is affirmative authorization required for sale or sharing?
- What must the privacy policy say about consumers under 16?

Sources for this answer:

- [Chapter 1 - California Consumer Privacy Act Regulations](https://www.law.cornell.edu/regulations/california/title-11/division-6/chapter-1?ref=sorena.io) - Supports the minors-specific article and privacy policy disclosure structure.

### [What evidence should teams keep for Minors under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/minors.md#what-evidence-should-teams-keep-for-minors-under-the-us-ccpa)

*Module: [What should teams do about Minors under the California CCPA?](/artifacts/us/california-consumer-privacy-act/faq/minors.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [CCPA Regulations](https://oag.ca.gov/privacy/ccpa/regs?ref=sorena.io) - Evidence support for the FAQ answer.
- [California Attorney General CCPA rulemaking document](https://oag.ca.gov/privacy/ccpa/regs/sites/all/files/agweb/pdfs/privacy/ccpa-std399-signed.pdf?ref=sorena.io) - Evidence support for the FAQ answer.
- [CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations](https://cppa.ca.gov/regulations/ccpa_updates.html?ref=sorena.io) - Evidence support for the FAQ answer.

### [Which mistakes create risk when handling Minors under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/minors.md#which-mistakes-create-risk-when-handling-minors-under-the-us-ccpa)

*Module: [What should teams do about Minors under the California CCPA?](/artifacts/us/california-consumer-privacy-act/faq/minors.md)*

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, and privacy-policy disclosure against current source material.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [How to Implement Global Privacy Control (GPC) for Publishers](https://globalprivacycontrol.org/implementation?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [CCPA Regulations](https://oag.ca.gov/privacy/ccpa/regs?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [California Attorney General CCPA rulemaking document](https://oag.ca.gov/privacy/ccpa/regs/sites/all/files/agweb/pdfs/privacy/ccpa-std399-signed.pdf?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations](https://cppa.ca.gov/regulations/ccpa_updates.html?ref=sorena.io) - Risk and boundary support for the FAQ answer.

### [What should teams do about Notice at collection under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/notice-at-collection.md#what-should-teams-do-about-notice-at-collection-under-the-us-ccpa)

*Module: [What should teams do about Notice at collection under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/notice-at-collection.md)*

Teams should treat Notice at collection under the US CCPA as a source-linked operating decision: confirm whether the issue affects business-threshold status, Notice at collection, privacy policy disclosures, consumer rights, do-not-sell/share controls, GPC, service-provider restrictions, or enforcement exposure, assign the team that can change the process, and keep evidence showing the action and review trigger.

- Write the Notice at collection decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [California Consumer Privacy Act Regulations - Notice at Collection](https://cppa.ca.gov/regulations/pdf/cppa_regs.pdf?ref=sorena.io) - CPPA regulation source showing collection must stay within the categories disclosed in the notice at collection.

### [What evidence should teams keep for Notice at collection under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/notice-at-collection.md#what-evidence-should-teams-keep-for-notice-at-collection-under-the-us-ccpa)

*Module: [What should teams do about Notice at collection under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/notice-at-collection.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [California Consumer Privacy Act Regulations - Notice at Collection](https://cppa.ca.gov/regulations/pdf/cppa_regs.pdf?ref=sorena.io) - CPPA regulation source for the categories, purposes, retention, sale/share status, and privacy-policy links required in the notice.
- [California Privacy Protection Agency - Avoiding Dark Patterns Enforcement Advisory](https://cppa.ca.gov/pdf/enfadvisory202402.pdf?ref=sorena.io) - CPPA advisory used for clear-language and choice-design evidence when notices link to consumer controls.

### [Which mistakes create risk when handling Notice at collection under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/notice-at-collection.md#which-mistakes-create-risk-when-handling-notice-at-collection-under-the-us-ccpa)

*Module: [What should teams do about Notice at collection under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/notice-at-collection.md)*

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [California Consumer Privacy Act Regulations - Notice at Collection](https://cppa.ca.gov/regulations/pdf/cppa_regs.pdf?ref=sorena.io) - CPPA regulation source for notice duties when third parties control collection on another business's site or premises.
- [California Privacy Protection Agency - Avoiding Dark Patterns Enforcement Advisory](https://cppa.ca.gov/pdf/enfadvisory202402.pdf?ref=sorena.io) - CPPA advisory used for avoiding misleading notice and choice patterns in implementation reviews.

### [What counts as personal and sensitive personal information under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/personal-and-sensitive-pi-categories.md#what-counts-as-personal-and-sensitive-personal-information-under-the-us-ccpa)

*Module: [What should teams do about Personal And Sensitive Pi Categories under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/personal-and-sensitive-pi-categories.md)*

Personal information is information that identifies, relates to, describes, or could reasonably be linked to a particular consumer or household. It can include names, email addresses, browsing history, geolocation data, and inferences about a person's preferences or characteristics.

- Personal information includes sensitive personal information.
- Publicly available information is not personal information under the CCPA definition.
- The same data point can be personal information in one context and sensitive personal information in another depending on how it is collected and used.

Sources for this answer:

- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - CPPA FAQ source used for plain-language context on consumer privacy rights under the CCPA.
- [Code Section Group](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - California Civil Code source defining personal information and sensitive personal information categories for the FAQ answer.

### [What evidence should teams keep for Personal And Sensitive Pi Categories under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/personal-and-sensitive-pi-categories.md#what-evidence-should-teams-keep-for-personal-and-sensitive-pi-categories-under-the-us-ccpa)

*Module: [What should teams do about Personal And Sensitive Pi Categories under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/personal-and-sensitive-pi-categories.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - CPPA FAQ source used for plain-language context on consumer privacy rights under the CCPA.
- [Code Section Group](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - California Civil Code source defining personal information and sensitive personal information categories for the FAQ answer.
- [CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations](https://cppa.ca.gov/regulations/ccpa_updates.html?ref=sorena.io) - CPPA regulations update used to verify current sensitive-personal-information obligations and risk-assessment context.

### [Which mistakes create risk when handling Personal And Sensitive Pi Categories under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/personal-and-sensitive-pi-categories.md#which-mistakes-create-risk-when-handling-personal-and-sensitive-pi-categories-under-the-us-ccpa)

*Module: [What should teams do about Personal And Sensitive Pi Categories under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/personal-and-sensitive-pi-categories.md)*

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [Enforcement Advisory No. 2024-01 Applying Data Minimization to Consumer Requests](https://cppa.ca.gov/pdf/enfadvisory202401.pdf?ref=sorena.io) - CPPA advisory used to connect personal-information category handling with data-minimization expectations in consumer-request workflows.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - CPPA FAQ source used for plain-language context on consumer privacy rights under the CCPA.
- [Code Section Group](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - California Civil Code source defining personal information and sensitive personal information categories for the FAQ answer.
- [CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations](https://cppa.ca.gov/regulations/ccpa_updates.html?ref=sorena.io) - CPPA regulations update used to verify current sensitive-personal-information obligations and risk-assessment context.

### [What a US CCPA privacy policy must include](/artifacts/us/california-consumer-privacy-act/faq/privacy-policy.md#what-a-us-ccpa-privacy-policy-must-include)

*Module: [What should teams do about Privacy Policy under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/privacy-policy.md)*

Teams should make sure the privacy policy covers the disclosures the CCPA requires: the categories of personal information collected, the categories of sensitive personal information if collected, the purposes for collecting, selling, or sharing that information, the categories of sources, the categories of third parties, the consumer rights listed in Section 1798.130, and the required request methods.

- Document the required disclosures in the privacy policy or, if needed, on the business website.
- Review the disclosures at least every 12 months and update them when the business practices change.
- Make sure consumer-request methods are reasonably accessible and consistent with Section 1798.130.

Sources for this answer:

- [California Civil Code Section 1798.130](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.130.&ref=sorena.io) - California statute listing the required privacy-policy disclosures.

### [What evidence should teams keep for Privacy Policy under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/privacy-policy.md#what-evidence-should-teams-keep-for-privacy-policy-under-the-us-ccpa)

*Module: [What should teams do about Privacy Policy under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/privacy-policy.md)*

Useful evidence is not just a Privacy Policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - CPPA FAQ confirming that covered businesses must honor qualifying opt-out preference signals such as Global Privacy Control.
- [Laws & Regulations](https://cppa.ca.gov/regulations/?ref=sorena.io) - Evidence support for the FAQ answer.

### [Which mistakes create risk when handling Privacy Policy under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/privacy-policy.md#which-mistakes-create-risk-when-handling-privacy-policy-under-the-us-ccpa)

*Module: [What should teams do about Privacy Policy under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/privacy-policy.md)*

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [California Civil Code Section 1798.130](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.130.&ref=sorena.io) - California statute requiring covered businesses to disclose specified CCPA information in an online privacy policy and update it at least every 12 months.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - CPPA FAQ confirming that covered businesses must honor qualifying opt-out preference signals such as Global Privacy Control.
- [Laws & Regulations](https://cppa.ca.gov/regulations/?ref=sorena.io) - Risk and boundary support for the FAQ answer.

### [What should teams do about Risk And Cyber Audits under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/risk-and-cyber-audits.md#what-should-teams-do-about-risk-and-cyber-audits-under-the-us-ccpa)

*Module: [What should teams do about Risk And Cyber Audits under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/risk-and-cyber-audits.md)*

Teams should treat Risk And Cyber Audits under the US CCPA as an operating workflow, not a generic privacy note: identify whether the business must do a risk assessment before selling or sharing personal information, processing sensitive personal information, using ADMT for a significant decision, or using personal information to train ADMT or AI; identify whether the business must do a cybersecurity audit because its processing presents significant risk to consumers' security; then assign legal, privacy, security, compliance, and executive owners who can approve the work and preserve evidence.

- Write the Risk And Cyber Audits decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations](https://cppa.ca.gov/regulations/ccpa_updates.html?ref=sorena.io) - The CPPA final rulemaking page confirms that the adopted CCPA regulations implement risk-assessment and annual cybersecurity-audit requirements for covered businesses.
- [Laws & Regulations](https://cppa.ca.gov/regulations/?ref=sorena.io) - The CPPA regulations page is the official hub for CCPA rulemaking materials, including the final cyber, risk, ADMT, and insurance regulation documents.
- [Final Regulations Text](https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf?ref=sorena.io) - The final CPPA regulations text contains the operative definitions and report requirements for CCPA cybersecurity audits and risk assessments.

### [What evidence should teams keep for Risk And Cyber Audits under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/risk-and-cyber-audits.md#what-evidence-should-teams-keep-for-risk-and-cyber-audits-under-the-us-ccpa)

*Module: [What should teams do about Risk And Cyber Audits under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/risk-and-cyber-audits.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notices, request logs, vendor terms, audit workpapers, approval trail, and submission records together so the team can show who made the decision, what triggered it, and when the report or certification was due.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [Laws & Regulations](https://cppa.ca.gov/regulations/?ref=sorena.io) - The CPPA regulations page is the official hub for CCPA rulemaking materials, including the final cyber, risk, ADMT, and insurance regulation documents.
- [Final Regulations Text](https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf?ref=sorena.io) - The CPPA regulations define the risk assessment report as the record used to document required risk-assessment information.

### [Which mistakes create risk when handling Risk And Cyber Audits under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/risk-and-cyber-audits.md#which-mistakes-create-risk-when-handling-risk-and-cyber-audits-under-the-us-ccpa)

*Module: [What should teams do about Risk And Cyber Audits under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/risk-and-cyber-audits.md)*

The common failure pattern is treating CCPA as one static notice instead of checking each trigger condition, deadline, and evidence requirement against current source material. Teams also create risk when they miss the specific owner for the audit or assessment, fail to preserve the required records, or assume a completed assessment can never need updating after a material change.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations](https://cppa.ca.gov/regulations/ccpa_updates.html?ref=sorena.io) - The CPPA final rulemaking page confirms that the adopted CCPA regulations implement risk-assessment and annual cybersecurity-audit requirements for covered businesses.
- [Laws & Regulations](https://cppa.ca.gov/regulations/?ref=sorena.io) - The CPPA regulations page is the official hub for CCPA rulemaking materials, including the final cyber, risk, ADMT, and insurance regulation documents.
- [Final Regulations Text](https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf?ref=sorena.io) - The CPPA regulations define the risk assessment report as the record used to document required risk-assessment information.

### [What should teams do about Service Provider And Contractor Contracts under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/service-provider-and-contractor-contracts.md#what-should-teams-do-about-service-provider-and-contractor-contracts-under-the-us-ccpa)

*Module: [What should teams do about Service Provider And Contractor Contracts under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/service-provider-and-contractor-contracts.md)*

Teams should use section 7051 to check the contract before personal information is disclosed to a service provider or contractor. The agreement must prohibit selling or sharing personal information, identify the limited and specified business purpose with enough detail, limit use and disclosure to that purpose or another CCPA-permitted purpose, require the same level of privacy protection as businesses, and give the business the right to audit and remediate misuse.

- Check whether the agreement names a limited and specified purpose, not a generic description of the whole contract.
- Confirm the contract bars selling or sharing the data and limits use to the contract purpose or another CCPA-permitted purpose.
- Make sure the business can take reasonable and appropriate steps to test, audit, stop, and remediate misuse.
- If the vendor uses a subcontractor, require a downstream contract that follows the same CCPA rules.

Sources for this answer:

- [California Consumer Privacy Act Regulations - service providers and contractors](https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf?ref=sorena.io) - CPPA section 7051 supports the CCPA contract guidance for service providers and contractors.

### [What evidence should teams keep for Service Provider And Contractor Contracts under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/service-provider-and-contractor-contracts.md#what-evidence-should-teams-keep-for-service-provider-and-contractor-contracts-under-the-us-ccpa)

*Module: [What should teams do about Service Provider And Contractor Contracts under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/service-provider-and-contractor-contracts.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [California Consumer Privacy Act Regulations - service providers and contractors](https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf?ref=sorena.io) - CPPA section 7051 supports the CCPA contract guidance for service providers and contractors.
- [California Consumer Privacy Act Regulations - subcontractor contracts](https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf?ref=sorena.io) - CPPA section 7051 supports requiring subcontractor contracts that comply with the same CCPA contract rules.

### [Which mistakes create risk when handling Service Provider And Contractor Contracts under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/service-provider-and-contractor-contracts.md#which-mistakes-create-risk-when-handling-service-provider-and-contractor-contracts-under-the-us-ccpa)

*Module: [What should teams do about Service Provider And Contractor Contracts under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/service-provider-and-contractor-contracts.md)*

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [California Consumer Privacy Act Regulations - service providers and contractors](https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf?ref=sorena.io) - CPPA section 7051 supports the CCPA contract guidance for service providers and contractors.
- [California Consumer Privacy Act Regulations - subcontractor contracts](https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf?ref=sorena.io) - CPPA section 7051 supports requiring subcontractor contracts that comply with the same CCPA contract rules.

## FAQ Pagination

- Canonical index (page 1): [/artifacts/us/california-consumer-privacy-act/faq/items](/artifacts/us/california-consumer-privacy-act/faq/items.md)
- Page 1 rule: `/page/1` is intentionally not generated; use the canonical index markdown URL.
- Current page: 2 of 2

Pages: [1](/artifacts/us/california-consumer-privacy-act/faq/items.md) | [2](/artifacts/us/california-consumer-privacy-act/faq/items/page/2.md)

[Previous page](/artifacts/us/california-consumer-privacy-act/faq/items.md)

*Recommended next step*

*Placement: after the practical guidance*

## Turn US CCPA FAQ into assigned work

This US CCPA guide turns FAQ into owners, evidence requests, review checkpoints, and reusable operating records inside Sorena.

- [Open Assessment Autopilot for US CCPA](/solutions/assessment.md): Turn FAQ into scoped questions, evidence fields, and review tasks.
- [Review US CCPA source evidence](/solutions/research-copilot.md): Use Research Copilot to answer follow-up questions with cited source material.
- [Talk through implementation](/contact.md): Review scope, evidence, owners, and the next compliance actions with Sorena.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/us/california-consumer-privacy-act/faq/items/page/2