How CCPA and CPRA Requests Work in California
Taking Your Data Back
California's Consumer Privacy Act (CCPA), strengthened by the CPRA in 2023, gives California residents specific rights over their personal data. This topic explains what those rights are, how they compare to GDPR, and how the request process works — informing readers about the legal framework, not giving personalised advice.
California's Privacy Revolution: The CCPA and CPRA
When the California Consumer Privacy Act came into force on 1 January 2020, it represented the most significant consumer privacy legislation in United States history up to that point. For the first time, residents of a US state had legally enforceable rights over the personal data that businesses collected about them — rights to know, to delete, to opt out of certain uses of their data, and to be free from discrimination for exercising those rights.
The CCPA did not emerge in a vacuum. Its passage in 2018 was, in part, a consequence of a ballot initiative that privacy advocates had placed before California voters — one sufficiently alarming to legislators that the California legislature rapidly passed a statutory version to head off the more prescriptive ballot measure. The result was a law that, despite its landmark status, contained gaps and ambiguities that businesses and advocates alike identified almost immediately (Schwartz & Solove, 2019, pp. 3–12).
Those gaps were substantially addressed by the California Privacy Rights Act (CPRA), passed by California voters as Proposition 24 in November 2020 and taking full effect on 1 January 2023. The CPRA did not replace the CCPA — it amended and strengthened it, adding new rights, tightening existing ones, closing the most criticised loopholes, and, critically, creating an entirely new regulatory body: the California Privacy Protection Agency (CPPA).
The legal foundation
The CCPA is codified at California Civil Code §1798.100 et seq. (California Civil Code, 2018). The CPRA amendments are woven into the same statutory text, with the CPRA adding a new section (§1798.185) establishing the CPPA and its rulemaking authority. The combined body of law — sometimes referred to as the CCPA/CPRA framework — is what governs California consumer privacy rights as of 2026.
Understanding who holds these rights, and against whom they apply, is the starting point for understanding how the framework operates in practice.
Who holds these rights?
Rights under the CCPA/CPRA are held by consumers — defined in the statute as natural persons who are California residents (California Civil Code §1798.140(g)). Residency, not citizenship, is the criterion. A person need not be a US citizen to hold these rights; they need only be a resident of California as determined by California tax law.
Significantly, the rights apply regardless of how a person interacts with a business. Whether as a customer purchasing goods, a website visitor, an employee (rights were extended to employees under the CPRA, when the employment exemption that existed under the original CCPA was removed; verify current exemption status against CPPA regulations), or a job applicant, California residents are entitled to the protections the statute provides.
Which businesses must comply?
The CCPA/CPRA does not apply to every business that collects data from Californians. It applies to for-profit businesses that do business in California and meet at least one of the following thresholds (California Civil Code §1798.140(d)):
- Annual gross revenues exceeding $25 million;
- Buying, selling, or sharing the personal information of 100,000 or more California consumers or households per year (raised from 50,000 under the original CCPA);
- Deriving 50% or more of annual revenues from selling or sharing consumers' personal information.
The revenue threshold catches large companies by default. The data-volume threshold is significant for businesses that may not be large in revenue terms but operate at scale — digital platforms, data brokers, and advertising technology companies are primary examples. Service providers acting on behalf of covered businesses are not themselves covered businesses, though they have obligations under the framework.
Non-profit organisations and government agencies are not covered by the CCPA/CPRA, though they may be subject to other California privacy laws. [1]
Footnotes
1. The California Privacy Protection Agency published its first set of final CPRA regulations in 2023, covering topics including how businesses must respond to opt-out preference signals. The CPPA's website at cppa.ca.gov is the authoritative source for current guidance documents and enforcement updates.