The California Consumer Privacy Act, as amended by the California Privacy Rights Act, is the most influential US state privacy law and the de facto baseline for many US-headquartered vendors. CPRA expanded CCPA's scope, created the California Privacy Protection Agency (CPPA) as a dedicated regulator, and added new categories — including the concept of sensitive personal information with its own opt-out / opt-in regime.
Who it applies to
A "business" subject to CCPA/CPRA is one that does business in California, collects California residents' personal information, and meets one of:
- $25 million in annual revenue (adjusted for inflation),
- Buys, receives, sells, or shares personal information of 100,000+ consumers or households, or
- Derives 50%+ of annual revenue from selling or sharing personal information.
The law applies to businesses, not individuals. Service providers and contractors have separate obligations.
Vendor categories
Unlike GDPR's binary controller/processor split, CPRA distinguishes:
- Service provider. Processes personal information on behalf of the business, under a contract restricting use to specified purposes.
- Contractor. Similar to a service provider but for a broader set of cases.
- Third party. Anything else. Disclosing personal information to a third party may constitute a sale or sharing under CCPA, triggering opt-out rights.
The contract requirements for service providers and contractors include:
- Specifying the purposes of processing.
- Prohibiting use of the information for any other purpose.
- Prohibiting selling or sharing the information.
- Requiring assistance with consumer rights requests.
- Allowing the business to monitor compliance.
- Requiring deletion or return at the end of the engagement.
The "allowing the business to monitor compliance" requirement is the operative one for vendor monitoring programs — the business has to be able to demonstrate active oversight, not just contractual fine print.
Consumer rights
CCPA/CPRA grants California residents:
- Right to know what personal information is collected.
- Right to delete personal information.
- Right to correct inaccurate personal information (CPRA addition).
- Right to opt out of sale or sharing of personal information.
- Right to limit use and disclosure of sensitive personal information (CPRA addition).
- Right to data portability.
- Right to non-discrimination for exercising rights.
Response is due within 45 days, extendable by another 45.
What vendor monitoring looks like under CCPA/CPRA
The compliance bar for vendor monitoring is somewhat looser than GDPR — there's no Article 30 record requirement for service providers — but the business is on the hook if a service provider acts beyond its contracted scope. Practical monitoring tasks:
- Watch the privacy notice for "selling" or "sharing" claims. A service provider that updates its privacy notice to disclose sales of personal information has, by definition, become a third party for that data — and may have contaminated your compliance posture.
- Watch for new sub-processor relationships. While CCPA doesn't formally regulate sub-processing the way GDPR does, sub-processors that are "third parties" relative to your service provider can introduce sale/sharing risk.
- Watch for opt-out signals (Global Privacy Control). Service providers must honour GPC; non-compliance is a vendor-level risk.
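Two of the GPC checks above can be automated. The helpers below are an added example, not code from the original text: the `Sec-GPC: 1` request header and the `/.well-known/gpc.json` support resource come from the Global Privacy Control specification, while the function names, the "only the value 1 counts" rule for undefined header values, and the sample inputs are this example's own assumptions.

```python
"""Vendor-monitoring helpers for Global Privacy Control (GPC) signals.

1. request_has_gpc: does an inbound request carry the GPC opt-out signal
   (browser sends the header ``Sec-GPC: 1``)?  A service provider that
   ignores it is a vendor-level CCPA/CPRA risk.
2. parse_gpc_support: does a vendor publish the GPC support resource at
   ``/.well-known/gpc.json`` ({"gpc": true, "lastUpdate": "YYYY-MM-DD"})?
"""
import json
from datetime import date
from typing import Mapping, Optional


def request_has_gpc(headers: Mapping[str, str]) -> bool:
    """True iff the request asserts the GPC signal.

    Header names are case-insensitive.  The spec defines only the value
    "1"; treating any other value as "no signal" is this example's
    assumption, so log such requests rather than silently dropping them.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def gpc_support_url(vendor_host: str, scheme: str = "https") -> str:
    """Well-known location of a vendor's GPC support resource."""
    return f"{scheme}://{vendor_host}/.well-known/gpc.json"


def parse_gpc_support(body: str) -> Optional[dict]:
    """Parse /.well-known/gpc.json; None means no usable commitment.

    A monitoring program should record None as "no published GPC
    commitment", never as evidence of compliance.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(doc, dict) or not isinstance(doc.get("gpc"), bool):
        return None  # "gpc" must be a JSON boolean, not "yes"/"true"
    last_update = None
    if isinstance(doc.get("lastUpdate"), str):
        try:
            last_update = date.fromisoformat(doc["lastUpdate"])
        except ValueError:
            last_update = None  # malformed date: keep the flag, drop the date
    return {"gpc": doc["gpc"], "last_update": last_update}


# Constructed samples for a stand-alone run (not from any real vendor).
SAMPLE_HEADERS = {"Host": "vendor.example", "sec-gpc": "1", "User-Agent": "x"}
SAMPLE_SUPPORT = '{"gpc": true, "lastUpdate": "2024-03-01"}'
```

Fetching `gpc_support_url(host)` on a schedule and diffing `parse_gpc_support` results gives a cheap drift signal alongside the privacy-notice watch.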
Enforcement
The CPPA, established by CPRA, took over rulemaking and enforcement responsibility from the Attorney General in 2023. Notable enforcement themes:
- Sephora $1.2M settlement (2022, AG). Failure to disclose sales and honour Global Privacy Control opt-outs.
- DoorDash $375K settlement (2024, AG). Sale of personal information without notice or opt-out.
- Increasing scrutiny of mobile SDKs and analytics tooling, both as vendors and as direct subjects of enforcement.