---
title: "California CPRA FAQ"
canonical_url: "https://www.sorena.io/artifacts/us/california-privacy-rights-act/faq/items"
source_url: "https://www.sorena.io/artifacts/us/california-privacy-rights-act/faq/items"
author: "Sorena AI"
description: "Practical California CPRA FAQ guidance with implementation decisions, evidence, edge cases, and official California source citations."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "California CPRA"
  - "California Privacy Rights Act"
  - "CCPA FAQ"
  - "California privacy compliance"
  - "CCPA"
  - "Privacy compliance"
  - "Regulatory guidance"
---

# California CPRA FAQ

Practical California CPRA FAQ guidance with implementation decisions, evidence, edge cases, and official California source citations.

This FAQ answers recurring California CPRA implementation questions with source-linked operational guidance, clear owners, and reusable evidence.

This page offers practical steps for implementation planning. Confirm legal and policy assumptions before implementation.

This FAQ hub answers recurring questions in a California CPRA workstream. It turns the source material into decisions, evidence fields, and review steps that a product, legal, privacy, security, or compliance team can apply.

## Browse sub-FAQ modules

### [California Delete Act data broker registry and DROP guide](/artifacts/us/california-privacy-rights-act/faq/data-broker-registry-and-drop.md)

California Delete Act guidance for the data broker registry and Delete Request and Opt-Out Platform (DROP), with owners, evidence, and official sources.

- 3 items

### [CPRA enforcement advisories: CPPA investigations, fines, and risk mitigation](/artifacts/us/california-privacy-rights-act/faq/enforcement-advisories.md)

US CPRA guidance for Enforcement Advisories, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [CPRA Global Privacy Control (GPC): opt-out requirements and enforcement FAQ](/artifacts/us/california-privacy-rights-act/faq/gpc.md)

US CPRA guidance for GPC, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about ADMT under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/admt.md)

US CPRA guidance for ADMT, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Contract Terms under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/contract-terms.md)

US CPRA guidance for Contract Terms, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Correction Rights under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/correction-rights.md)

US CPRA guidance for Correction Rights, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Cybersecurity Audits under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/cybersecurity-audits.md)

US CPRA guidance for Cybersecurity Audits, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about retention under the California CPRA?](/artifacts/us/california-privacy-rights-act/faq/retention.md)

California CPRA guidance for retention, including data minimization, privacy policy disclosures, evidence records, and official source citations.

- 3 items

### [What should teams do about Risk Assessments under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/risk-assessments.md)

US CPRA guidance for Risk Assessments, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Sensitive Personal Information Limits under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/sensitive-personal-information-limits.md)

US CPRA guidance for Sensitive Personal Information Limits, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Sharing and Cross-Context Behavioral Advertising under the California CPRA?](/artifacts/us/california-privacy-rights-act/faq/sharing-and-cross-context-behavioral-advertising.md)

California CPRA guidance for Sharing and Cross-Context Behavioral Advertising, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

Browse all indexed questions: [/artifacts/us/california-privacy-rights-act/faq/items](/artifacts/us/california-privacy-rights-act/faq/items.md)

## All FAQ items

*Page 1 of 2. Showing 20 of 33 items.*

### [What should teams do about the California data broker registry and DROP?](/artifacts/us/california-privacy-rights-act/faq/data-broker-registry-and-drop.md#what-should-teams-do-about-the-california-data-broker-registry-and-drop)

*Module: [California Delete Act data broker registry and DROP guide](/artifacts/us/california-privacy-rights-act/faq/data-broker-registry-and-drop.md)*

Teams should treat the California data broker registry and DROP as Delete Act operating duties, not as a generic CPRA privacy-notice update. Confirm whether the entity is a data broker, whether registration is required, and what DROP readiness work must be assigned.

- Write the registry or DROP decision in one sentence before drafting controls.
- Attach the CPPA registry or DROP source URL and a short source quote to the evidence record.
- Route unclear broker-status, exemption, or deletion-platform questions to privacy counsel before filing.

Sources for this answer:

- [California Privacy Protection Agency - data broker registry](https://cppa.ca.gov/data_broker_registry/?ref=sorena.io) - Official CPPA registry page supporting public registration checks and registry evidence for California data brokers.
- [California Privacy Protection Agency - Accessible Deletion Mechanism (DROP) regulations](https://cppa.ca.gov/regulations/drop.html?ref=sorena.io) - Official CPPA rulemaking page for DROP requirements and the accessible deletion mechanism regulations.
- [California Data Broker Registry / Delete Act statute](https://cppa.ca.gov/regulations/pdf/data_broker_reg_delete_act_statute_eff_20260101.pdf?ref=sorena.io) - Official CPPA statutory text for Delete Act amendments affecting data broker registration and deletion duties.

### [What evidence should teams keep for California data broker registry and DROP under the California Delete Act?](/artifacts/us/california-privacy-rights-act/faq/data-broker-registry-and-drop.md#what-evidence-should-teams-keep-for-california-data-broker-registry-and-drop-under-the-california-delete-act)

*Module: [California Delete Act data broker registry and DROP guide](/artifacts/us/california-privacy-rights-act/faq/data-broker-registry-and-drop.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, request logs, GPC test evidence, notice screenshots, vendor terms, retention logic, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [California Privacy Protection Agency - data broker registry](https://cppa.ca.gov/data_broker_registry/?ref=sorena.io) - Official CPPA registry page supporting public registration checks and registry evidence for California data brokers.
- [California Privacy Protection Agency - Accessible Deletion Mechanism (DROP) regulations](https://cppa.ca.gov/regulations/drop.html?ref=sorena.io) - Official CPPA rulemaking page for DROP requirements and the accessible deletion mechanism regulations.
- [California Data Broker Registry / Delete Act statute](https://cppa.ca.gov/regulations/pdf/data_broker_reg_delete_act_statute_eff_20260101.pdf?ref=sorena.io) - Official CPPA statutory text for Delete Act amendments affecting data broker registration and deletion duties.

### [Which mistakes create risk when handling California data broker registry and DROP under the California Delete Act?](/artifacts/us/california-privacy-rights-act/faq/data-broker-registry-and-drop.md#which-mistakes-create-risk-when-handling-california-data-broker-registry-and-drop-under-the-california-delete-act)

*Module: [California Delete Act data broker registry and DROP guide](/artifacts/us/california-privacy-rights-act/faq/data-broker-registry-and-drop.md)*

The common failure pattern is treating every California privacy issue as a generic CCPA notice update instead of checking CPRA amendments, sharing, sensitive data, GPC, and phased CPPA rulemaking.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exclusion as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [California Privacy Protection Agency - data broker registry](https://cppa.ca.gov/data_broker_registry/?ref=sorena.io) - Official CPPA registry page supporting public registration checks and registry evidence for California data brokers.
- [California Privacy Protection Agency - Accessible Deletion Mechanism (DROP) regulations](https://cppa.ca.gov/regulations/drop.html?ref=sorena.io) - Official CPPA rulemaking page for DROP requirements and the accessible deletion mechanism regulations.
- [California Data Broker Registry / Delete Act statute](https://cppa.ca.gov/regulations/pdf/data_broker_reg_delete_act_statute_eff_20260101.pdf?ref=sorena.io) - Official CPPA statutory text for Delete Act amendments affecting data broker registration and deletion duties.

### [What enforcement and penalty risks should teams plan for under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/enforcement-advisories.md#what-enforcement-and-penalty-risks-should-teams-plan-for-under-the-us-cpra)

*Module: [CPRA enforcement advisories: CPPA investigations, fines, and risk mitigation](/artifacts/us/california-privacy-rights-act/faq/enforcement-advisories.md)*

Enforcement Advisories are CPPA guidance documents that address select provisions of the California Consumer Privacy Act and its implementing regulations. They are meant to help regulated businesses understand where the Enforcement Division sees risk and how it is thinking about compliance in practice.

- Write the Enforcement Advisories decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [California Privacy Protection Agency Announces 2025 Increases for CCPA Fines and Penalties](https://cppa.ca.gov/announcements/2024/20241217.html?ref=sorena.io) - Official CPPA source for current administrative fine and civil-penalty amounts that drive CPRA enforcement-risk planning.
- [CPPA Enforcement Division Issues First Advisory](https://cppa.ca.gov/announcements/2024/20240402.html?ref=sorena.io) - Official CPPA source explaining that enforcement advisories share observations with regulated businesses and encourage CCPA compliance.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Direct support for the FAQ answer on Enforcement Advisories.

### [What evidence should teams keep for Enforcement Advisories under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/enforcement-advisories.md#what-evidence-should-teams-keep-for-enforcement-advisories-under-the-us-cpra)

*Module: [CPRA enforcement advisories: CPPA investigations, fines, and risk mitigation](/artifacts/us/california-privacy-rights-act/faq/enforcement-advisories.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, request logs, GPC test evidence, notice screenshots, vendor terms, retention logic, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [CPPA Enforcement Division Issues First Advisory](https://cppa.ca.gov/announcements/2024/20240402.html?ref=sorena.io) - Official CPPA source explaining that enforcement advisories share observations with regulated businesses and encourage CCPA compliance.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Evidence support for the FAQ answer.
- [California legislative bill text](https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB362&ref=sorena.io) - Evidence support for the FAQ answer.

### [Which mistakes create risk when handling Enforcement Advisories under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/enforcement-advisories.md#which-mistakes-create-risk-when-handling-enforcement-advisories-under-the-us-cpra)

*Module: [CPRA enforcement advisories: CPPA investigations, fines, and risk mitigation](/artifacts/us/california-privacy-rights-act/faq/enforcement-advisories.md)*

The common failure pattern is treating every California privacy issue as a generic CCPA notice update instead of checking CPRA amendments, sharing, sensitive data, GPC, and phased CPPA rulemaking.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [California Privacy Protection Agency Announces 2025 Increases for CCPA Fines and Penalties](https://cppa.ca.gov/announcements/2024/20241217.html?ref=sorena.io) - Official CPPA source for current administrative fine and civil-penalty amounts that drive CPRA enforcement-risk planning.
- [CPPA Enforcement Division Issues First Advisory](https://cppa.ca.gov/announcements/2024/20240402.html?ref=sorena.io) - Official CPPA source explaining that enforcement advisories share observations with regulated businesses and encourage CCPA compliance.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [California legislative bill text](https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB362&ref=sorena.io) - Risk and boundary support for the FAQ answer.

### [What should teams do about GPC under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/gpc.md#what-should-teams-do-about-gpc-under-the-us-cpra)

*Module: [CPRA Global Privacy Control (GPC): opt-out requirements and enforcement](/artifacts/us/california-privacy-rights-act/faq/gpc.md)*

Teams should treat GPC under the US CPRA as a source-linked operating decision. Confirm whether the issue affects threshold status, sensitive personal information, sharing or cross-context advertising, GPC, correction rights, data-broker duties, ADMT, risk assessments, cybersecurity audits, or service-provider contracts. Then assign the team that can change the process, and keep evidence showing the action and the review trigger.

- Write the GPC decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Official CPPA regulations source for opt-out preference signal processing, privacy-choice links, and related CPRA implementation requirements.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Official CPPA consumer guidance confirming that businesses must honor qualifying opt-out preference signals, including Global Privacy Control, for sale/sharing opt-outs.
- [CPPA privacy rights guidance](https://globalprivacycontrol.org/?ref=sorena.io) - Direct support for the FAQ answer on GPC.

### [What evidence should teams keep for GPC under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/gpc.md#what-evidence-should-teams-keep-for-gpc-under-the-us-cpra)

*Module: [CPRA Global Privacy Control (GPC): opt-out requirements and enforcement](/artifacts/us/california-privacy-rights-act/faq/gpc.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, request logs, GPC test evidence, notice screenshots, vendor terms, retention logic, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Official CPPA consumer guidance confirming that businesses must honor qualifying opt-out preference signals, including Global Privacy Control, for sale/sharing opt-outs.
- [CPPA privacy rights guidance](https://globalprivacycontrol.org/?ref=sorena.io) - Evidence support for the FAQ answer.
- [California legislative bill text](https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB362&ref=sorena.io) - Evidence support for the FAQ answer.

### [Which mistakes create risk when handling GPC under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/gpc.md#which-mistakes-create-risk-when-handling-gpc-under-the-us-cpra)

*Module: [CPRA Global Privacy Control (GPC): opt-out requirements and enforcement](/artifacts/us/california-privacy-rights-act/faq/gpc.md)*

The common failure pattern is treating every California privacy issue as a generic CCPA notice update instead of checking CPRA amendments, sharing, sensitive data, GPC, and phased CPPA rulemaking.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Official CPPA regulations source for opt-out preference signal processing, privacy-choice links, and related CPRA implementation requirements.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Official CPPA consumer guidance confirming that businesses must honor qualifying opt-out preference signals, including Global Privacy Control, for sale/sharing opt-outs.
- [CPPA privacy rights guidance](https://globalprivacycontrol.org/?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [California legislative bill text](https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB362&ref=sorena.io) - Risk and boundary support for the FAQ answer.

### [How should teams inventory and govern ADMT under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/admt.md#how-should-teams-inventory-and-govern-admt-under-the-us-cpra)

*Module: [What should teams do about ADMT under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/admt.md)*

Teams should treat ADMT under the CPRA as an inventory and implementation question: identify where automated decisionmaking technology is used, what consumer effect it has, whether profiling or sensitive personal information is involved, and what notices, access rights, opt-out handling, risk assessment, and governance evidence are needed under the CPPA ADMT regulations.

- Write the ADMT decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - CPPA FAQ confirms that the CPRA amended the CCPA and added obligations businesses must reflect in privacy operations and vendor governance.
- [CPPA CCPA updates, cybersecurity audits, risk assessments, ADMT, and insurance regulations](https://cppa.ca.gov/regulations/ccpa_updates.html?ref=sorena.io) - CPPA source for the ADMT regulations package approved in September 2025 and effective January 1, 2026, including access and opt-out rights.
- [California Civil Code section 1798.185](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.185.&ref=sorena.io) - Statutory CPRA source authorizing regulations for access and opt-out rights tied to automated decisionmaking technology.

### [What evidence should teams keep for ADMT under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/admt.md#what-evidence-should-teams-keep-for-admt-under-the-us-cpra)

*Module: [What should teams do about ADMT under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/admt.md)*

Useful evidence is not just a privacy policy. Keep the ADMT inventory, decision purpose, data categories, model or rules documentation, notice copy, opt-out and access workflow design, human-review path, vendor terms, risk assessment, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [CPPA CCPA updates, cybersecurity audits, risk assessments, ADMT, and insurance regulations](https://cppa.ca.gov/regulations/ccpa_updates.html?ref=sorena.io) - CPPA source for the ADMT regulations package approved in September 2025 and effective January 1, 2026, including access and opt-out rights.
- [California Civil Code section 1798.185](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.185.&ref=sorena.io) - Statutory CPRA source authorizing regulations for access and opt-out rights tied to automated decisionmaking technology.
- [California Consumer Privacy Act Regulations (CPPA)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - CPPA regulations support the operational contract review because they implement CCPA/CPRA rules for service providers, contractors, third parties, notices, and request handling.

### [Which mistakes create risk when handling ADMT under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/admt.md#which-mistakes-create-risk-when-handling-admt-under-the-us-cpra)

*Module: [What should teams do about ADMT under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/admt.md)*

The common failure pattern is treating ADMT controls as either irrelevant or generic without checking the CPPA ADMT regulations, the specific decision use case, consumer-facing impact, and whether existing CCPA/CPRA notices and contracts match the actual automated decision process.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - CPPA FAQ confirms that the CPRA amended the CCPA and added obligations businesses must reflect in privacy operations and vendor governance.
- [CPPA CCPA updates, cybersecurity audits, risk assessments, ADMT, and insurance regulations](https://cppa.ca.gov/regulations/ccpa_updates.html?ref=sorena.io) - CPPA source for the ADMT regulations package approved in September 2025 and effective January 1, 2026, including access and opt-out rights.
- [California Civil Code section 1798.185](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.185.&ref=sorena.io) - Statutory CPRA source authorizing regulations for access and opt-out rights tied to automated decisionmaking technology.
- [California Consumer Privacy Act Regulations (CPPA)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - CPPA regulations support the operational contract review because they implement CCPA/CPRA rules for service providers, contractors, third parties, notices, and request handling.

### [What should teams do about Contract Terms under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/contract-terms.md#what-should-teams-do-about-contract-terms-under-the-us-cpra)

*Module: [What should teams do about Contract Terms under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/contract-terms.md)*

Teams should treat CPRA contract terms as a vendor-role decision: identify whether the recipient is a service provider, contractor, or third party; confirm whether personal information is sold, shared, or disclosed for a business purpose; then put the statutory use, retention, disclosure, combination, assistance, and audit restrictions into the agreement before data is made available.

- Write the Contract Terms decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [California Civil Code section 1798.100](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.100.&ref=sorena.io) - Statutory CPRA source for requiring businesses that sell, share, or disclose personal information to bind recipients by contract.
- [California Civil Code section 1798.140](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.140.&ref=sorena.io) - Statutory CPRA definitions source for service-provider, contractor, and third-party contract restrictions on retaining, using, or disclosing personal information.
- [California Consumer Privacy Act Regulations (CPPA)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - CPPA regulations support the operational contract review because they implement CCPA/CPRA rules for service providers, contractors, third parties, notices, and request handling.

### [What evidence should teams keep for Contract Terms under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/contract-terms.md#what-evidence-should-teams-keep-for-contract-terms-under-the-us-cpra)

*Module: [What should teams do about Contract Terms under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/contract-terms.md)*

Useful evidence is not just a privacy policy. Keep the executed agreement, vendor role mapping, data categories, permitted business purpose, sale/share analysis, consumer-rights assistance terms, audit or monitoring evidence, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [California Civil Code section 1798.100](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.100.&ref=sorena.io) - Statutory CPRA source for requiring businesses that sell, share, or disclose personal information to bind recipients by contract.
- [California Civil Code section 1798.140](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.140.&ref=sorena.io) - Statutory CPRA definitions source for service-provider, contractor, and third-party contract restrictions on retaining, using, or disclosing personal information.
- [California Consumer Privacy Act Regulations (CPPA)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - CPPA regulations support the operational contract review because they implement CCPA/CPRA rules for service providers, contractors, third parties, notices, and request handling.

### [Which mistakes create risk when handling Contract Terms under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/contract-terms.md#which-mistakes-create-risk-when-handling-contract-terms-under-the-us-cpra)

*Module: [What should teams do about Contract Terms under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/contract-terms.md)*

The common failure pattern is reusing a generic vendor template without checking whether the recipient is a CPRA service provider, contractor, or third party and whether the agreement contains the required limits on using, retaining, disclosing, selling, sharing, or combining personal information.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [California Civil Code section 1798.100](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.100.&ref=sorena.io) - Statutory CPRA source for requiring businesses that sell, share, or disclose personal information to bind recipients by contract.
- [California Civil Code section 1798.140](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.140.&ref=sorena.io) - Statutory CPRA definitions source for service-provider, contractor, and third-party contract restrictions on retaining, using, or disclosing personal information.
- [California Consumer Privacy Act Regulations (CPPA)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - CPPA regulations support the operational contract review because they implement CCPA/CPRA rules for service providers, contractors, third parties, notices, and request handling.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - CPPA FAQ confirms that the CPRA amended the CCPA and added obligations businesses must reflect in privacy operations and vendor governance.

### [How should a business handle a correction request under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/correction-rights.md#how-should-a-business-handle-a-correction-request-under-the-us-cpra)

*Module: [What should teams do about Correction Rights under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/correction-rights.md)*

A consumer has the right to request that a business correct inaccurate personal information, and the business must use commercially reasonable efforts to correct that information as directed by the consumer. The business should review the request in light of the nature of the information and the purposes of processing, then route the request to the team that can update the record or explain why correction is not required.

- Confirm whether the consumer identified the record that is inaccurate and what correction they want.
- Check whether the request can be verified using commercially reasonable methods.
- Document the decision, the correction made, or the reason for denial so the response is auditable.

Sources for this answer:

- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Verifies the CPRA correction-request handling rule in section 7023, including accuracy review, denial explanations, and service-provider correction instructions.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Direct support for the FAQ answer on Correction Rights.
- [California Civil Code section 1798.106](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.106.&ref=sorena.io) - Direct statutory source for the California consumer right to request correction of inaccurate personal information.

### [What evidence should teams keep for Correction Rights under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/correction-rights.md#what-evidence-should-teams-keep-for-correction-rights-under-the-us-cpra)

*Module: [What should teams do about Correction Rights under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/correction-rights.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, request logs, GPC test evidence, notice screenshots, vendor terms, retention logic, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Evidence support for the FAQ answer.
- [California Civil Code section 1798.106](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.106.&ref=sorena.io) - Evidence support for the correction-rights intake and response record.
- [Privacy Framework](https://www.nist.gov/privacy-framework/resource-repository/browse/crosswalks?ref=sorena.io) - Evidence support for the FAQ answer.

### [Which mistakes create risk when handling Correction Rights under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/correction-rights.md#which-mistakes-create-risk-when-handling-correction-rights-under-the-us-cpra)

*Module: [What should teams do about Correction Rights under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/correction-rights.md)*

The common failure pattern is treating every California privacy issue as a generic CCPA notice update instead of checking CPRA amendments, sharing, sensitive data, GPC, and phased CPPA rulemaking.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [California Civil Code section 1798.106](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.106.&ref=sorena.io) - Risk and boundary support for confirming the correction right comes from California statute, not a dark-pattern or data-broker provision.
- [Privacy Framework](https://www.nist.gov/privacy-framework/resource-repository/browse/crosswalks?ref=sorena.io) - Risk and boundary support for the FAQ answer.

### [What should teams do about Cybersecurity Audits under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/cybersecurity-audits.md#what-should-teams-do-about-cybersecurity-audits-under-the-us-cpra)

*Module: [What should teams do about Cybersecurity Audits under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/cybersecurity-audits.md)*

Teams should treat cybersecurity audits under the US CPRA as a specific annual compliance duty. Every business whose processing of consumers' personal information presents significant risk to consumers' security must complete a cybersecurity audit. The audit must assess the business's cybersecurity program, its controls, and any gaps or weaknesses that could increase the risk of unauthorized access, destruction, use, modification, or disclosure.

- Confirm whether the business meets the section 7120 trigger for a cybersecurity audit.
- Use a qualified, objective, independent auditor and keep the auditor free from management influence.
- Retain the audit report, supporting documents, and certification records for the required period and submit the completion certification to the Agency by the deadline in section 7124.

Sources for this answer:

- [CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations](https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf?ref=sorena.io) - Direct CPPA regulations text for the annual cybersecurity audit requirement, timing, scope, and certification requirements in sections 7120 through 7124.
- [Privacy Framework](https://www.nist.gov/privacy-framework/resource-repository/browse/crosswalks?ref=sorena.io) - Direct support for the FAQ answer on Cybersecurity Audits.
- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Direct support for the FAQ answer on Cybersecurity Audits.

### [What evidence should teams keep for Cybersecurity Audits under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/cybersecurity-audits.md#what-evidence-should-teams-keep-for-cybersecurity-audits-under-the-us-cpra)

*Module: [What should teams do about Cybersecurity Audits under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/cybersecurity-audits.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, request logs, GPC test evidence, notice screenshots, vendor terms, retention logic, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [Privacy Framework](https://www.nist.gov/privacy-framework/resource-repository/browse/crosswalks?ref=sorena.io) - Evidence support for the FAQ answer.
- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Evidence support for the FAQ answer.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Evidence support for the FAQ answer.




---


(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/us/california-privacy-rights-act/faq/items
