FAQ item index

Search every question across sub-FAQs

Find the exact question, open the source answer card, and copy a direct link to the anchored sub-FAQ response.

Indexed coverage: 33 of 33 items across 11 modules
Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026
California Delete Act data broker registry and DROP guide

What should teams do about the California data broker registry and DROP?

Teams should treat the California data broker registry and DROP as Delete Act operating duties, not as a generic CPRA privacy-notice update. Confirm whether the entity is a data broker, whether registration is required, and what DROP readiness work must be assigned.

Under the statute, a data broker means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. The statute also excludes entities covered by the federal Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Insurance Information and Privacy Protection Act, as well as some processing exempt under Section 1798.146.

The safest first step is to identify the broker status analysis, registration owner, annual filing evidence, deletion-request workflow, vendor dependencies, and review date before assigning implementation work.

  • Write the registry or DROP decision in one sentence before drafting controls.
  • Attach the CPPA registry or DROP source URL and a short source quote to the evidence record.
  • Route unclear broker-status, exemption, or deletion-platform questions to privacy counsel before filing.
Citations
California Delete Act data broker registry and DROP guide

What evidence should teams keep for California data broker registry and DROP under the California Delete Act?

Useful evidence is not just a privacy policy. Keep the source, threshold notes, request logs, GPC test evidence, notice screenshots, vendor terms, retention logic, and approval trail together.

  • Source URL and quote used for the decision.
  • Scope notes, screenshots, data-flow or system references, and role mapping.
  • Implementation ticket, approval record, exception notes, and review date.
Citations
California Delete Act data broker registry and DROP guide

Which mistakes create risk when handling California data broker registry and DROP under the California Delete Act?

The common failure pattern is treating every California privacy issue as a generic CCPA notice update instead of checking CPRA amendments, sharing, sensitive data, GPC, and phased CPPA rulemaking.

  • Using an old threshold, deadline, source page, or contract template without checking current source text.
  • Treating a source-linked exclusion as a general exemption for every product or data flow.
  • Publishing notices, controls, or answers that do not match the actual product behavior.
Citations
CPRA enforcement advisories: CPPA investigations, fines, and risk mitigation

What enforcement and penalty risks should teams plan for under the US CPRA?

Enforcement Advisories are CPPA guidance documents that address select provisions of the California Consumer Privacy Act and its implementing regulations. They are meant to help regulated businesses understand where the Enforcement Division sees risk and how it is thinking about compliance in practice.

Teams should treat Enforcement Advisories under the US CPRA as a source-linked operating decision: confirm whether the issue affects threshold status, sensitive personal information, sharing or cross-context advertising, GPC, correction rights, data-broker duties, ADMT, risk assessments, cybersecurity audits, or service-provider contracts, assign the team that can change the process, and keep evidence showing the action and review trigger.

The safest first step is to identify the data category, consumer-facing interaction, sale/share status, sensitive-personal-information issue, and vendor role before assigning the CPRA action.

  • Write the Enforcement Advisories decision in one sentence before drafting controls.
  • Attach the external source URL and a short source quote to the evidence record.
  • Route unclear cases to legal, privacy, security, or compliance review before launch.
Citations
CPRA enforcement advisories: CPPA investigations, fines, and risk mitigation

What evidence should teams keep for Enforcement Advisories under the US CPRA?

Useful evidence is not just a privacy policy. Keep the source, threshold notes, request logs, GPC test evidence, notice screenshots, vendor terms, retention logic, and approval trail together.

  • Source URL and quote used for the decision.
  • Scope notes, screenshots, data-flow or system references, and role mapping.
  • Implementation ticket, approval record, exception notes, and review date.
Citations
CPRA enforcement advisories: CPPA investigations, fines, and risk mitigation

Which mistakes create risk when handling Enforcement Advisories under the US CPRA?

The common failure pattern is treating every California privacy issue as a generic CCPA notice update instead of checking CPRA amendments, sharing, sensitive data, GPC, and phased CPPA rulemaking.

  • Using an old threshold, deadline, source page, or contract template without checking current source text.
  • Treating a source-linked exception as a general exemption for every product or data flow.
  • Publishing notices, controls, or answers that do not match the actual product behavior.
Citations
CPRA Global Privacy Control (GPC): opt-out requirements and enforcement

What should teams do about GPC under the US CPRA?

Teams should treat GPC under the US CPRA as a source-linked operating decision: confirm whether the issue affects threshold status, sensitive personal information, sharing or cross-context advertising, GPC, correction rights, data-broker duties, ADMT, risk assessments, cybersecurity audits, or service-provider contracts, assign the team that can change the process, and keep evidence showing the action and review trigger.

The safest first step is to identify the data category, consumer-facing interaction, sale/share status, sensitive-personal-information issue, and vendor role before assigning the CPRA action.

  • Write the GPC decision in one sentence before drafting controls.
  • Attach the external source URL and a short source quote to the evidence record.
  • Route unclear cases to legal, privacy, security, or compliance review before launch.
Citations
California Privacy Protection Agency FAQ

Official CPPA consumer guidance confirming that businesses must honor qualifying opt-out preference signals, including Global Privacy Control, for sale/sharing opt-outs.

CPRA Global Privacy Control (GPC): opt-out requirements and enforcement

What evidence should teams keep for GPC under the US CPRA?

Useful evidence is not just a privacy policy. Keep the source, threshold notes, request logs, GPC test evidence, notice screenshots, vendor terms, retention logic, and approval trail together.

  • Source URL and quote used for the decision.
  • Scope notes, screenshots, data-flow or system references, and role mapping.
  • Implementation ticket, approval record, exception notes, and review date.
Citations
California Privacy Protection Agency FAQ

Official CPPA consumer guidance confirming that businesses must honor qualifying opt-out preference signals, including Global Privacy Control, for sale/sharing opt-outs.

CPRA Global Privacy Control (GPC): opt-out requirements and enforcement

Which mistakes create risk when handling GPC under the US CPRA?

The common failure pattern is treating every California privacy issue as a generic CCPA notice update instead of checking CPRA amendments, sharing, sensitive data, GPC, and phased CPPA rulemaking.

  • Using an old threshold, deadline, source page, or contract template without checking current source text.
  • Treating a source-linked exception as a general exemption for every product or data flow.
  • Publishing notices, controls, or answers that do not match the actual product behavior.
Citations
California Privacy Protection Agency FAQ

Official CPPA consumer guidance confirming that businesses must honor qualifying opt-out preference signals, including Global Privacy Control, for sale/sharing opt-outs.

What should teams do about ADMT under the US CPRA?

How should teams inventory and govern ADMT under the US CPRA?

Teams should treat ADMT under the CPRA as an inventory and implementation question: identify where automated decisionmaking technology is used, what consumer effect it has, whether profiling or sensitive personal information is involved, and what notices, access rights, opt-out handling, risk assessment, and governance evidence are needed under the CPPA ADMT regulations.

The safest first step is to inventory the decision system, data categories, human-review path, consumer-facing impact, vendor role, and applicable ADMT right before promising an ADMT control in public copy.

  • Write the ADMT decision in one sentence before drafting controls.
  • Attach the external source URL and a short source quote to the evidence record.
  • Route unclear cases to legal, privacy, security, or compliance review before launch.
Citations
What should teams do about ADMT under the US CPRA?

What evidence should teams keep for ADMT under the US CPRA?

Useful evidence is not just a privacy policy. Keep the ADMT inventory, decision purpose, data categories, model or rules documentation, notice copy, opt-out and access workflow design, human-review path, vendor terms, risk assessment, and approval trail together.

  • Source URL and quote used for the decision.
  • Scope notes, screenshots, data-flow or system references, and role mapping.
  • Implementation ticket, approval record, exception notes, and review date.
Citations
What should teams do about ADMT under the US CPRA?

Which mistakes create risk when handling ADMT under the US CPRA?

The common failure pattern is treating ADMT controls as either irrelevant or generic without checking the CPPA ADMT regulations, the specific decision use case, consumer-facing impact, and whether existing CCPA/CPRA notices and contracts match the actual automated decision process.

  • Using an old threshold, deadline, source page, or contract template without checking current source text.
  • Treating a source-linked exception as a general exemption for every product or data flow.
  • Publishing notices, controls, or answers that do not match the actual product behavior.
Citations
What should teams do about Contract Terms under the US CPRA?

What should teams do about Contract Terms under the US CPRA?

Teams should treat CPRA contract terms as a vendor-role decision: identify whether the recipient is a service provider, contractor, or third party; confirm whether personal information is sold, shared, or disclosed for a business purpose; then put the statutory use, retention, disclosure, combination, assistance, and audit restrictions into the agreement before data is made available.

The practical question is whether the contract actually limits the recipient to the permitted CPRA purpose and gives the business enough cooperation, notice, and evidence to honor consumer rights and verify compliance.

  • Write the Contract Terms decision in one sentence before drafting controls.
  • Attach the external source URL and a short source quote to the evidence record.
  • Route unclear cases to legal, privacy, security, or compliance review before launch.
Citations
California Civil Code section 1798.140

Statutory CPRA definitions source for service-provider, contractor, and third-party contract restrictions on retaining, using, or disclosing personal information.

What should teams do about Contract Terms under the US CPRA?

What evidence should teams keep for Contract Terms under the US CPRA?

Useful evidence is not just a privacy policy. Keep the executed agreement, vendor role mapping, data categories, permitted business purpose, sale/share analysis, consumer-rights assistance terms, audit or monitoring evidence, and approval trail together.

  • Source URL and quote used for the decision.
  • Scope notes, screenshots, data-flow or system references, and role mapping.
  • Implementation ticket, approval record, exception notes, and review date.
Citations
California Civil Code section 1798.140

Statutory CPRA definitions source for service-provider, contractor, and third-party contract restrictions on retaining, using, or disclosing personal information.

What should teams do about Contract Terms under the US CPRA?

Which mistakes create risk when handling Contract Terms under the US CPRA?

The common failure pattern is reusing a generic vendor template without checking whether the recipient is a CPRA service provider, contractor, or third party and whether the agreement contains the required limits on using, retaining, disclosing, selling, sharing, or combining personal information.

  • Using an old threshold, deadline, source page, or contract template without checking current source text.
  • Treating a source-linked exception as a general exemption for every product or data flow.
  • Publishing notices, controls, or answers that do not match the actual product behavior.
Citations
California Civil Code section 1798.140

Statutory CPRA definitions source for service-provider, contractor, and third-party contract restrictions on retaining, using, or disclosing personal information.

What should teams do about Correction Rights under the US CPRA?

How should a business handle a correction request under the US CPRA?

A consumer has the right to request that a business correct inaccurate personal information, and the business must use commercially reasonable efforts to correct that information as directed by the consumer. The business should review the request in light of the nature of the information and the purposes of processing, then route the request to the team that can update the record or explain why correction is not required.

Businesses should provide a clear request path, respond within 45 days, and notify the consumer if they need more time. They may deny a request if they cannot verify the consumer, if the information is more likely than not accurate based on the totality of the circumstances, or if the information is exempt from the CPRA. Service providers and contractors must assist the business in correcting inaccurate information when they process the information for the business.

  • Confirm whether the consumer identified the record that is inaccurate and what correction they want.
  • Check whether the request can be verified using commercially reasonable methods.
  • Document the decision, the correction made, or the reason for denial so the response is auditable.
Citations
What should teams do about Correction Rights under the US CPRA?

What evidence should teams keep for Correction Rights under the US CPRA?

Useful evidence is not just a privacy policy. Keep the source, threshold notes, request logs, GPC test evidence, notice screenshots, vendor terms, retention logic, and approval trail together.

  • Source URL and quote used for the decision.
  • Scope notes, screenshots, data-flow or system references, and role mapping.
  • Implementation ticket, approval record, exception notes, and review date.
Citations
What should teams do about Correction Rights under the US CPRA?

Which mistakes create risk when handling Correction Rights under the US CPRA?

The common failure pattern is treating every California privacy issue as a generic CCPA notice update instead of checking CPRA amendments, sharing, sensitive data, GPC, and phased CPPA rulemaking.

  • Using an old threshold, deadline, source page, or contract template without checking current source text.
  • Treating a source-linked exception as a general exemption for every product or data flow.
  • Publishing notices, controls, or answers that do not match the actual product behavior.
Citations
What should teams do about Cybersecurity Audits under the US CPRA?

What should teams do about Cybersecurity Audits under the US CPRA?

Teams should treat Cybersecurity Audits under the US CPRA as a specific annual compliance duty: every business whose processing of consumers' personal information presents significant risk to consumers' security must complete a cybersecurity audit, and the audit must assess the business's cybersecurity program, its controls, and any gaps or weaknesses that could increase the risk of unauthorized access, destruction, use, modification, or disclosure.

The first step is to confirm whether the business meets the section 7120 trigger, then assign the audit to a qualified, objective, independent auditor and keep the report, supporting evidence, and completion certification on a tracked schedule.

The audit is not just a policy review. The report must describe the business's information system, the criteria and evidence used, the applicable security components assessed, and the plan for fixing any gaps or weaknesses identified by the auditor.

  • Confirm whether the business meets the section 7120 trigger for a cybersecurity audit.
  • Use a qualified, objective, independent auditor and keep the auditor free from management influence.
  • Retain the audit report, supporting documents, and certification records for the required period and submit the completion certification to the Agency by the deadline in section 7124.
Citations
What should teams do about Cybersecurity Audits under the US CPRA?

What evidence should teams keep for Cybersecurity Audits under the US CPRA?

Useful evidence is not just a privacy policy. Keep the source, threshold notes, request logs, GPC test evidence, notice screenshots, vendor terms, retention logic, and approval trail together.

  • Source URL and quote used for the decision.
  • Scope notes, screenshots, data-flow or system references, and role mapping.
  • Implementation ticket, approval record, exception notes, and review date.
Citations
Page 1 of 2