This FAQ answers recurring California CPRA implementation questions with source-linked operational guidance, clear owners, and reusable evidence.
This page offers practical steps for implementation planning. Confirm legal and policy assumptions before implementation.
Structured answer sets in this page tree.
Cited legal and guidance references.
This FAQ hub answers recurring questions in a California CPRA workstream. It turns the source material into decisions, evidence fields, and review steps that a product, legal, privacy, security, or compliance team can apply.
These focused FAQ modules break this artifact into narrower answer sets so teams can move straight to the right source-backed guidance.
California Delete Act guidance for the data broker registry and Delete Request and Opt-Out Platform (DROP), with owners, evidence, and official sources.
US CPRA guidance for Enforcement Advisories, with practical decisions, evidence, edge cases, and external source citations.
US CPRA guidance for GPC, with practical decisions, evidence, edge cases, and external source citations.
US CPRA guidance for ADMT, with practical decisions, evidence, edge cases, and external source citations.
US CPRA guidance for Contract Terms, with practical decisions, evidence, edge cases, and external source citations.
US CPRA guidance for Correction Rights, with practical decisions, evidence, edge cases, and external source citations.
US CPRA guidance for Cybersecurity Audits, with practical decisions, evidence, edge cases, and external source citations.
California CPRA guidance for retention, including data minimization, privacy policy disclosures, evidence records, and official source citations.
US CPRA guidance for Risk Assessments, with practical decisions, evidence, edge cases, and external source citations.
US CPRA guidance for Sensitive Personal Information Limits, with practical decisions, evidence, edge cases, and external source citations.
California CPRA guidance for Sharing and Cross-Context Behavioral Advertising, with practical decisions, evidence, edge cases, and external source citations.
Start by deciding whether the issue affects threshold status, sensitive personal information, sharing or cross-context advertising, GPC, correction rights, data-broker duties, ADMT, risk assessments, cybersecurity audits, or service-provider contracts. The useful answer should name the exact trigger, affected product or process, required action, owner, evidence, and escalation point.
Keep the statutory/regulatory source, threshold calculation, data category, consumer-right workflow, opt-out signal handling, and contract evidence together so California privacy decisions are reviewable.
Ownership should sit with the team that can change notices, rights intake, consent/opt-out interfaces, data sharing, retention, vendor terms, or security evidence, with privacy counsel reviewing edge cases.
Evidence should show threshold calculations, privacy notice language, consumer request handling, GPC processing, sensitive personal-information controls, service-provider/contractor terms, and risk/cyber/ADMT readiness where applicable.
Most CPRA mistakes happen at the boundary between CCPA and CPRA terminology, sale versus sharing, sensitive personal information, data-broker duties, and draft or phased regulatory requirements.
Review this section before launching a data flow, ad-tech integration, consumer interface, vendor contract, retention rule, risk assessment, or cyber audit control.
Use a CPRA workflow that captures threshold status, data categories, consumer rights, opt-out signals, vendor role, retention logic, risk/cyber/ADMT trigger, owner, and review date.
The output should be a threshold memo, notice update, DSAR workflow, opt-out/GPC implementation record, vendor clause map, risk-assessment intake, or audit evidence pack.
This California CPRA guide turns FAQ answers into owners, evidence requests, review checkpoints, and reusable operating records inside Sorena.
Turn FAQ into scoped questions, evidence fields, and review tasks.
Use Research Copilot to answer follow-up questions with cited source material.
Review scope, evidence, owners, and the next compliance actions with Sorena.
"Global opt out from sale and sharing of personal information"
"On March 29, 2023, the Office of Administrative Law approved the California Privacy Protection Agency's regulations and filed"
"The previous data broker registries can be accessed at the"
"(ii) Does not make use of any dark patterns"
"The CPRA amended the CCPA by adding additional consumer privacy rights and obligations for businesses"