Search every question across sub-FAQs

The common failure pattern is treating Cybersecurity Audits as a generic privacy-policy exercise instead of checking the section 7120 trigger, using an independent auditor, and documenting the audit findings, gaps, and remediation plan required by the regulations.

Teams should treat retention under the California CPRA as a data-minimization decision: identify the personal-information category, the disclosed purpose, whether retention remains reasonably necessary and proportionate, and the point when deletion or de-identification should occur.

The safest first step is to connect each retention period or retention criterion to a privacy-policy disclosure, system owner, legal hold or operational need, and dated review trigger.

Useful evidence is not just a privacy policy. Keep the source, data inventory, retention schedule, deletion or de-identification control, exception logic, request logs where relevant, and approval trail together.

The common failure pattern is publishing a retention statement without proving that each data category is retained only for a disclosed, reasonably necessary, and proportionate purpose.

A business must conduct a risk assessment before it starts processing that presents significant risk to consumers' privacy. The draft CPPA regulations identify four triggers: selling or sharing personal information, processing sensitive personal information, using automated decisionmaking technology for a significant decision or extensive profiling, and processing personal information to train automated decisionmaking technology or artificial intelligence that can be used for those purposes.

The business should have the relevant product, privacy, legal, security, compliance, or other responsible team identify the trigger and decide whether the processing falls into one of those categories before launch.

Useful evidence is not just a privacy policy. Keep the source, threshold notes, request logs, GPC test evidence, notice screenshots, vendor terms, retention logic, and approval trail together.

The common failure pattern is treating every California privacy issue as a generic CCPA notice update instead of checking CPRA amendments, sharing, sensitive data, GPC, and phased CPPA rulemaking.

Under Section 1798.121, consumers have the right, at any time, to direct a business that collects sensitive personal information about them to limit its use to permitted purposes and to stop other uses or disclosures unless the consumer later consents. In plain English, the business must give consumers a way to limit how sensitive personal information is used and disclosed, and then follow that direction unless an exception applies.

Teams should treat Sensitive Personal Information Limits under the US CPRA as a source-linked operating decision: confirm whether the issue affects threshold status, sensitive personal information, sharing or cross-context advertising, GPC, correction rights, data-broker duties, ADMT, risk assessments, cybersecurity audits, or service-provider contracts, assign the team that can change the process, and keep evidence showing the action and review trigger.

The safest first step is to identify the data category, consumer-facing interaction, sale/share status, sensitive-personal-information issue, and vendor role before assigning the CPRA action.

Useful evidence is not just a privacy policy. Keep the source, threshold notes, request logs, GPC test evidence, notice screenshots, vendor terms, retention logic, and approval trail together.

The common failure pattern is treating every California privacy issue as a generic CCPA notice update instead of checking CPRA amendments, sharing, sensitive data, GPC, and phased CPPA rulemaking.

Teams should first decide whether the business is 'sharing' personal information for cross-context behavioral advertising or otherwise selling or disclosing it in a way that triggers CPRA notice and opt-out duties. If the business shares personal information with third parties for cross-context behavioral advertising, it must provide the required opt-out path, notices, and supporting controls.

In practice, confirm the data flow, the third party's role, the consumer choice mechanism, and whether the page or workflow must honor an opt-out preference signal before launch.

Useful evidence is not just a privacy policy. Keep the source, threshold notes, request logs, GPC test evidence, notice screenshots, vendor terms, retention logic, and approval trail together.

The common failure pattern is treating every California privacy issue as a generic CCPA notice update instead of checking CPRA amendments, sharing, sensitive data, GPC, and phased CPPA rulemaking.