---
title: "California CPRA FAQ"
canonical_url: "https://www.sorena.io/artifacts/us/california-privacy-rights-act/faq/items/page/2"
source_url: "https://www.sorena.io/artifacts/us/california-privacy-rights-act/faq/items/page/2"
author: "Sorena AI"
description: "Practical California CPRA FAQ guidance with implementation decisions, evidence, edge cases, and official California source citations."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "California CPRA"
  - "California Privacy Rights Act"
  - "CCPA FAQ"
  - "California privacy compliance"
  - "CCPA"
  - "Privacy compliance"
  - "Regulatory guidance"
---
# California CPRA FAQ

Practical California CPRA FAQ guidance with implementation decisions, evidence, edge cases, and official California source citations.

## California CPRA FAQ

This FAQ answers recurring California CPRA implementation questions with source-linked operational guidance, clear owners, and reusable evidence.

This page offers practical steps for implementation planning. Confirm legal and policy assumptions before implementation.

This FAQ hub answers recurring questions in a California CPRA workstream. It turns the source material into decisions, evidence fields, and review steps that a product, legal, privacy, security, or compliance team can apply.

## Browse sub-FAQ modules

### [California Delete Act data broker registry and DROP guide](/artifacts/us/california-privacy-rights-act/faq/data-broker-registry-and-drop.md)

California Delete Act guidance for the data broker registry and Delete Request and Opt-Out Platform (DROP), with owners, evidence, and official sources.

- 3 items

### [CPRA enforcement advisories: CPPA investigations, fines, and risk mitigation](/artifacts/us/california-privacy-rights-act/faq/enforcement-advisories.md)

US CPRA guidance for Enforcement Advisories, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [CPRA Global Privacy Control (GPC): opt-out requirements and enforcement FAQ](/artifacts/us/california-privacy-rights-act/faq/gpc.md)

US CPRA guidance for GPC, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about ADMT under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/admt.md)

US CPRA guidance for ADMT, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Contract Terms under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/contract-terms.md)

US CPRA guidance for Contract Terms, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Correction Rights under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/correction-rights.md)

US CPRA guidance for Correction Rights, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Cybersecurity Audits under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/cybersecurity-audits.md)

US CPRA guidance for Cybersecurity Audits, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about retention under the California CPRA?](/artifacts/us/california-privacy-rights-act/faq/retention.md)

California CPRA guidance for retention, including data minimization, privacy policy disclosures, evidence records, and official source citations.

- 3 items

### [What should teams do about Risk Assessments under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/risk-assessments.md)

US CPRA guidance for Risk Assessments, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Sensitive Personal Information Limits under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/sensitive-personal-information-limits.md)

US CPRA guidance for Sensitive Personal Information Limits, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Sharing and Cross-Context Behavioral Advertising under the California CPRA?](/artifacts/us/california-privacy-rights-act/faq/sharing-and-cross-context-behavioral-advertising.md)

California CPRA guidance for Sharing and Cross-Context Behavioral Advertising, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

Browse all indexed questions: [/artifacts/us/california-privacy-rights-act/faq/items](/artifacts/us/california-privacy-rights-act/faq/items.md)

## All FAQ items

*Page 2 of 2. Showing 13 of 33 items.*

### [Which mistakes create risk when handling Cybersecurity Audits under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/cybersecurity-audits.md#which-mistakes-create-risk-when-handling-cybersecurity-audits-under-the-us-cpra)

*Module: [What should teams do about Cybersecurity Audits under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/cybersecurity-audits.md)*

The common failure pattern is treating Cybersecurity Audits as a generic privacy-policy exercise instead of checking the section 7120 trigger, using an independent auditor, and documenting the audit findings, gaps, and remediation plan required by the regulations.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations](https://cppa.ca.gov/regulations/pdf/ccpa_updates_cyber_risk_admt_appr_text.pdf?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [Privacy Framework](https://www.nist.gov/privacy-framework/resource-repository/browse/crosswalks?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Risk and boundary support for the FAQ answer.

### [What should teams do about retention under the California CPRA?](/artifacts/us/california-privacy-rights-act/faq/retention.md#what-should-teams-do-about-retention-under-the-california-cpra)

*Module: [What should teams do about retention under the California CPRA?](/artifacts/us/california-privacy-rights-act/faq/retention.md)*

Teams should treat retention under the California CPRA as a data-minimization decision: identify the personal-information category, the disclosed purpose, whether retention remains reasonably necessary and proportionate, and the point when deletion or de-identification should occur.

- Write the retention decision by data category and purpose, not as one generic company-wide period.
- Attach the official source URL, short quote, privacy-policy text, and system owner to the evidence record.
- Route unclear retention exceptions, legal holds, or secondary uses to privacy counsel before launch.

Sources for this answer:

- [California Civil Code section 1798.100](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.100&lawCode=CIV&ref=sorena.io) - Binding CCPA/CPRA data-minimization rule limiting retention to what is reasonably necessary and proportionate.
- [California Consumer Privacy Act Regulations](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - CPPA regulations page for current CCPA regulations implementing CPRA amendments and privacy-practice disclosures.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - CPPA FAQ explains the practical rule that collection, use, and retention must be limited to expected, compatible, or consented purposes.

### [What evidence should teams keep for retention under the California CPRA?](/artifacts/us/california-privacy-rights-act/faq/retention.md#what-evidence-should-teams-keep-for-retention-under-the-california-cpra)

*Module: [What should teams do about retention under the California CPRA?](/artifacts/us/california-privacy-rights-act/faq/retention.md)*

Useful evidence is not just a privacy policy. Keep the source, data inventory, retention schedule, deletion or de-identification control, exception logic, request logs where relevant, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [California Civil Code section 1798.100](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.100&lawCode=CIV&ref=sorena.io) - Binding CCPA/CPRA data-minimization rule limiting retention to what is reasonably necessary and proportionate.
- [California Consumer Privacy Act Regulations](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - CPPA regulations page for current CCPA regulations implementing CPRA amendments and privacy-practice disclosures.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - CPPA FAQ explains the practical rule that collection, use, and retention must be limited to expected, compatible, or consented purposes.

### [Which mistakes create risk when handling retention under the California CPRA?](/artifacts/us/california-privacy-rights-act/faq/retention.md#which-mistakes-create-risk-when-handling-retention-under-the-california-cpra)

*Module: [What should teams do about retention under the California CPRA?](/artifacts/us/california-privacy-rights-act/faq/retention.md)*

The common failure pattern is publishing a retention statement without proving that each data category is retained only for a disclosed, reasonably necessary, and proportionate purpose.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [California Civil Code section 1798.100](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.100&lawCode=CIV&ref=sorena.io) - Binding CCPA/CPRA data-minimization rule limiting retention to what is reasonably necessary and proportionate.
- [California Consumer Privacy Act Regulations](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - CPPA regulations page for current CCPA regulations implementing CPRA amendments and privacy-practice disclosures.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - CPPA FAQ explains the practical rule that collection, use, and retention must be limited to expected, compatible, or consented purposes.

### [When must a business conduct a CPRA risk assessment?](/artifacts/us/california-privacy-rights-act/faq/risk-assessments.md#when-must-a-business-conduct-a-cpra-risk-assessment)

*Module: [What should teams do about Risk Assessments under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/risk-assessments.md)*

A business must conduct a risk assessment before it starts processing that presents significant risk to consumers' privacy. The draft CPPA regulations identify four triggers: selling or sharing personal information, processing sensitive personal information, using automated decisionmaking technology for a significant decision or extensive profiling, and processing personal information to train automated decisionmaking technology or artificial intelligence that can be used for those purposes.

- Write the Risk Assessments decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations](https://cppa.ca.gov/regulations/ccpa_updates.html?ref=sorena.io) - Primary CPPA rulemaking source for CPRA risk-assessment and cybersecurity-audit obligations, including the adopted regulations and effective date.
- [NIST SP 800-122](https://csrc.nist.gov/pubs/sp/800/122/final?ref=sorena.io) - Supplemental privacy-engineering source for handling personally identifiable information in evidence and risk-control design; not a CPRA legal source.
- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Official CPPA regulations source for operational CCPA/CPRA request, notice, opt-out, and service-provider requirements.

### [What evidence should teams keep for Risk Assessments under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/risk-assessments.md#what-evidence-should-teams-keep-for-risk-assessments-under-the-us-cpra)

*Module: [What should teams do about Risk Assessments under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/risk-assessments.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, request logs, GPC test evidence, notice screenshots, vendor terms, retention logic, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [NIST SP 800-122](https://csrc.nist.gov/pubs/sp/800/122/final?ref=sorena.io) - Supplemental privacy-engineering source for handling personally identifiable information in evidence and risk-control design; not a CPRA legal source.
- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Official CPPA regulations source for operational CCPA/CPRA request, notice, opt-out, and service-provider requirements.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Evidence support for the FAQ answer.

### [Which mistakes create risk when handling Risk Assessments under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/risk-assessments.md#which-mistakes-create-risk-when-handling-risk-assessments-under-the-us-cpra)

*Module: [What should teams do about Risk Assessments under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/risk-assessments.md)*

The common failure pattern is treating every California privacy issue as a generic CCPA notice update instead of checking CPRA amendments, sharing, sensitive data, GPC, and phased CPPA rulemaking.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations](https://cppa.ca.gov/regulations/ccpa_updates.html?ref=sorena.io) - Primary CPPA rulemaking source for CPRA risk-assessment and cybersecurity-audit obligations, including the adopted regulations and effective date.
- [NIST SP 800-122](https://csrc.nist.gov/pubs/sp/800/122/final?ref=sorena.io) - Supplemental privacy-engineering source for handling personally identifiable information in evidence and risk-control design; not a CPRA legal source.
- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Official CPPA regulations source for operational CCPA/CPRA request, notice, opt-out, and service-provider requirements.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Risk and boundary support for the FAQ answer.

### [What should teams do about Sensitive Personal Information Limits under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/sensitive-personal-information-limits.md#what-should-teams-do-about-sensitive-personal-information-limits-under-the-us-cpra)

*Module: [What should teams do about Sensitive Personal Information Limits under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/sensitive-personal-information-limits.md)*

Under Section 1798.121, consumers have the right, at any time, to direct a business that collects sensitive personal information about them to limit its use to permitted purposes and to stop other uses or disclosures unless the consumer later consents. In plain English, the business must give consumers a way to limit how sensitive personal information is used and disclosed, and then follow that direction unless an exception applies.

- Write the Sensitive Personal Information Limits decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Direct support for the FAQ answer on Sensitive Personal Information Limits.
- [California legislative bill text](https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB362&ref=sorena.io) - Direct support for the FAQ answer on Sensitive Personal Information Limits.
- [California Civil Code section group](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Direct support for the FAQ answer on Sensitive Personal Information Limits.

### [What evidence should teams keep for Sensitive Personal Information Limits under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/sensitive-personal-information-limits.md#what-evidence-should-teams-keep-for-sensitive-personal-information-limits-under-the-us-cpra)

*Module: [What should teams do about Sensitive Personal Information Limits under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/sensitive-personal-information-limits.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, request logs, GPC test evidence, notice screenshots, vendor terms, retention logic, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [California legislative bill text](https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB362&ref=sorena.io) - Evidence support for the FAQ answer.
- [California Civil Code section group](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Evidence support for the FAQ answer.
- [Privacy Framework](https://www.nist.gov/privacy-framework/resource-repository/browse/crosswalks?ref=sorena.io) - Evidence support for the FAQ answer.

### [Which mistakes create risk when handling Sensitive Personal Information Limits under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/sensitive-personal-information-limits.md#which-mistakes-create-risk-when-handling-sensitive-personal-information-limits-under-the-us-cpra)

*Module: [What should teams do about Sensitive Personal Information Limits under the US CPRA?](/artifacts/us/california-privacy-rights-act/faq/sensitive-personal-information-limits.md)*

The common failure pattern is treating every California privacy issue as a generic CCPA notice update instead of checking CPRA amendments, sharing, sensitive data, GPC, and phased CPPA rulemaking.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [California legislative bill text](https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB362&ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [California Civil Code section group](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [Privacy Framework](https://www.nist.gov/privacy-framework/resource-repository/browse/crosswalks?ref=sorena.io) - Risk and boundary support for the FAQ answer.

### [What should teams do about Sharing and Cross-Context Behavioral Advertising under the California CPRA?](/artifacts/us/california-privacy-rights-act/faq/sharing-and-cross-context-behavioral-advertising.md#what-should-teams-do-about-sharing-and-cross-context-behavioral-advertising-under-the-california-cpra)

*Module: [What should teams do about Sharing and Cross-Context Behavioral Advertising under the California CPRA?](/artifacts/us/california-privacy-rights-act/faq/sharing-and-cross-context-behavioral-advertising.md)*

Teams should first decide whether the business is 'sharing' personal information for cross-context behavioral advertising or otherwise selling or disclosing it in a way that triggers CPRA notice and opt-out duties. If the business shares personal information with third parties for cross-context behavioral advertising, it must provide the required opt-out path, notices, and supporting controls.

- Write the Sharing and Cross-Context Behavioral Advertising decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [California Civil Code section 1798.185](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.185.&ref=sorena.io) - Official California statutory source for opt-out preference signals, sale or sharing opt-outs, and cross-context behavioral advertising rulemaking authority.
- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Official CPPA regulations source for operational opt-out, sale, sharing, and consumer-right implementation requirements.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - CPPA FAQ source for consumer privacy rights, including sale or sharing opt-out context under California privacy law.

### [What evidence should teams keep for Sharing and Cross-Context Behavioral Advertising under the California CPRA?](/artifacts/us/california-privacy-rights-act/faq/sharing-and-cross-context-behavioral-advertising.md#what-evidence-should-teams-keep-for-sharing-and-cross-context-behavioral-advertising-under-the-california-cpra)

*Module: [What should teams do about Sharing and Cross-Context Behavioral Advertising under the California CPRA?](/artifacts/us/california-privacy-rights-act/faq/sharing-and-cross-context-behavioral-advertising.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, request logs, GPC test evidence, notice screenshots, vendor terms, retention logic, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Official CPPA regulations source for operational opt-out, sale, sharing, and consumer-right implementation requirements.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - CPPA FAQ source for consumer privacy rights, including sale or sharing opt-out context under California privacy law.
- [Privacy Framework](https://www.nist.gov/privacy-framework/resource-repository/browse/crosswalks?ref=sorena.io) - Non-legal privacy-framework reference for evidence organization and privacy-control documentation patterns.

### [Which mistakes create risk when handling Sharing and Cross-Context Behavioral Advertising under the California CPRA?](/artifacts/us/california-privacy-rights-act/faq/sharing-and-cross-context-behavioral-advertising.md#which-mistakes-create-risk-when-handling-sharing-and-cross-context-behavioral-advertising-under-the-california-cpra)

*Module: [What should teams do about Sharing and Cross-Context Behavioral Advertising under the California CPRA?](/artifacts/us/california-privacy-rights-act/faq/sharing-and-cross-context-behavioral-advertising.md)*

The common failure pattern is treating every California privacy issue as a generic CCPA notice update instead of checking CPRA amendments, sharing, sensitive data, GPC, and phased CPPA rulemaking.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [California Civil Code section 1798.185](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.185.&ref=sorena.io) - Official California statutory source for opt-out preference signals, sale or sharing opt-outs, and cross-context behavioral advertising rulemaking authority.
- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Official CPPA regulations source for operational opt-out, sale, sharing, and consumer-right implementation requirements.
- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - CPPA FAQ source for consumer privacy rights, including sale or sharing opt-out context under California privacy law.
- [Privacy Framework](https://www.nist.gov/privacy-framework/resource-repository/browse/crosswalks?ref=sorena.io) - Non-legal privacy-framework reference for evidence organization and privacy-control documentation patterns.


---

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/us/california-privacy-rights-act/faq/items/page/2
