Study Guide: Certified Information Privacy Professional (CIPP): US - California Consumer Privacy Act, CCPA/CPRA, Rights, Opt-Out, Service Providers, Enforcement
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-us-california-consumer-privacy-act-ccpacpra-rights-optout-service-providers-enforcement
By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

CIPP/US – California Consumer Privacy Act (CCPA/CPRA) – Rights, Opt-out, Service Providers, Enforcement

What This Is

The California Consumer Privacy Act (CCPA) – amended by the California Privacy Rights Act (CPRA) – gives California residents a set of data-privacy rights (right to know, delete, and opt out of sale) and imposes duties on “businesses” that collect, use, or share personal information. It is the first U.S. state law that mirrors many GDPR concepts, and it applies to any for-profit entity that meets one of the statutory thresholds (e.g., $25M annual gross revenue, or >100,000 California consumers’ data).

Real-world example: A nationwide e-commerce retailer collects email addresses, purchase histories, and location data from shoppers on its website. Because it exceeds $25M in revenue and processes data of more than 100,000 California residents, the retailer must provide a “Do Not Sell My Personal Information” link, honor deletion requests, and disclose what categories of data it sells to third-party ad networks.


Key Terms & Provisions

  • Consumer (CCPA/CPRA): Any natural person who is a California resident, regardless of age.
  • Personal Information (PI): Information that identifies, relates to, describes, or could be linked to a particular consumer (e.g., name, email, IP address, biometric data).
  • Business (CCPA/CPRA): A for-profit entity that meets any of the three thresholds (revenue, data volume, or >50% of annual gross revenue from selling PI).
  • Service Provider: A third party that processes PI on behalf of a business under a written contract prohibiting further disclosure or use. (Distinct from a “sale” – service-provider contracts are exempt from the “sale” definition.)
  • Sale (CPRA): Broadly defined as “the exchange of PI for monetary consideration,” including data-brokering, targeted advertising, and even sharing for cross-border transfers if value is received.
  • Opt-out (Right to Opt-Out of Sale): Consumer’s ability to direct a business not to sell their PI. Must be provided via a clear “Do Not Sell My Personal Information” link on the homepage.
  • Right to Know: Consumer may request (in writing or electronically) a list of the categories of PI collected, the sources, the business purposes, and the categories of third parties with whom the data is shared.
  • Right to Delete (Right to Erasure): Consumer may ask a business to delete their PI, subject to limited exceptions (e.g., for fraud detection, legal obligations).
  • Right to Correct (CPRA): Consumers can request that inaccurate PI be corrected.
  • Non-Discrimination: Businesses may not charge more, deny services, or provide a different level of service because a consumer exercised any CCPA/CPRA right.
  • Annual Compliance Report (CPRA): Businesses must submit a public report detailing privacy practices, data-sale disclosures, and risk-assessment activities.
  • Enforcement Authority: The California Attorney General (AG) and, after 2023, the California Privacy Protection Agency (CPPA) can issue civil penalties of up to $7,500 per intentional violation and $2,500 per unintentional violation.

Step-by-Step / Process Flow

  1. Identify Applicability – Verify that the organization meets any CCPA/CPRA threshold (revenue, data volume, or % of revenue from sales).
  2. Map Personal Information – Inventory all PI collected, stored, or transmitted; tag each data element with its source, purpose, and sharing partners.
  3. Classify Third-Party Relationships – Distinguish “service providers” (contractual processing) from “sales” (data-broking, advertising). Draft or update contracts to include the required “no-sell” clause for service providers.
  4. Implement Consumer-Facing Mechanisms
     • Add a conspicuous “Do Not Sell My Personal Information” link on the homepage.
     • Provide a toll-free number or web form for Right-to-Know, Right-to-Delete, and Right-to-Correct requests.
  5. Process a Consumer Request
     • Verify the requestor’s identity (reasonable method).
     • Search all systems for the consumer’s PI.
     • Respond within 45 days (extendable up to 90 days with notice).
     • Document the request, actions taken, and any exemptions invoked.
  6. Maintain Ongoing Compliance – Conduct annual privacy training, update the privacy notice, file the CPRA compliance report, and monitor for breach-notification obligations (within 72 hours of discovery).

Common Mistakes

  • Mistake: Treating a service-provider contract as a “sale” and therefore offering an opt-out link for every vendor.
    Correction: Only data exchanges that meet the CPRA definition of “sale” trigger the opt-out requirement; service-provider contracts are exempt if they contain the required “no-sell” clause.

  • Mistake: Assuming the Right to Delete applies to all data, including backups and logs.
    Correction: Deletion must be reasonable and practicable; backups retained for disaster recovery are permissible if they are not actively used to reconstruct the deleted record.

  • Mistake: Relying on a single “Do Not Sell” link on a mobile app’s settings screen.
    Correction: The link must be conspicuous on the website’s homepage (or the app’s store listing) and must be accessible without requiring a login.

  • Mistake: Believing that a business can avoid CPRA obligations by claiming “small business” status if it processes <100,000 consumer records.
    Correction: The $25M revenue threshold still applies; a company with $30M revenue must comply even if it processes only 80,000 California records.

  • Mistake: Ignoring the new CPRA “right to correct” because it supposedly applies only to “sensitive personal information.”
    Correction: The right to correct applies to any PI that is inaccurate, incomplete, or outdated, regardless of sensitivity.


CIPP Exam Insights

  1. Threshold Traps – Exams love to ask which of the three thresholds does NOT trigger CCPA. Remember the $25M revenue, >100,000 consumers, and >50% of gross revenue from selling PI.
  2. Opt-Out vs. Opt-In – CCPA/CPRA is opt-out for sales; GDPR is opt-in for processing special categories. Expect a question contrasting the two.
  3. Service Provider vs. Sale – A common exam scenario: “A cloud-hosting provider processes data for a retailer. Does the retailer need to provide a Do-Not-Sell link for the cloud provider?” Correct answer: No, because the cloud provider is a service provider under a written contract.
  4. Enforcement Body Shift – After 2023, the CPPA (California Privacy Protection Agency) shares enforcement with the AG. A question may ask which agency can issue fines for “intentional violations” – answer: Both AG and CPPA.

Quick Check Questions

  1. Scenario: A California resident emails a retailer asking for a copy of all personal data the retailer holds about them. The retailer has a backlog and can only respond in 60 days. Is a 60-day response permissible?
    Answer: Yes – the retailer must respond within 45 days, but can extend to 90 days with a written notice.

  2. Scenario: An online ad network receives a “Do Not Sell” request from a consumer. The network only receives hashed IDs from a publisher. Does the network have to stop using the IDs?
    Answer: Yes – hashed IDs that can be linked back to a consumer are still considered PI; the network must cease any sale or sharing that falls under the consumer’s opt-out.

  3. Scenario: A SaaS vendor processes California consumer data on behalf of a client and signs a contract that includes a “no-sell” clause. The client later sells the same data to a third-party marketer. Who is liable for the sale?
    Answer: The client (the business) – the SaaS vendor is a service provider and is exempt; the client remains responsible for the sale.


Last-Minute Cram Sheet (10 One-Liners)

  1. CCPA Thresholds: $25M revenue or >100,000 California consumers or >50% of gross revenue from selling PI.
  2. Opt-Out Link Placement: Must be on the homepage (or mobile app store listing) and be conspicuous.
  3. Sale Definition (CPRA): Any exchange of PI for monetary consideration, including data-brokering and targeted advertising.
  4. Service Provider Exemption: Contracts must contain a “no-sell” clause; then the transfer to the service provider is not a “sale.”
  5. Right-to-Delete Deadline: 45 days (extendable to 90 days with notice).
  6. Non-Discrimination Penalty: Up to $2,500 per violation for unintentional, $7,500 for intentional.
  7. CPRA New Right: Right to Correct – consumers can demand inaccurate PI be corrected.
  8. Enforcement Bodies: California Attorney General + California Privacy Protection Agency (CPPA) (post-2023).
  9. Annual Report (CPRA): Public privacy compliance report due each year, detailing data-sale disclosures and risk-assessment activities.
  10. Exam Trap: “Small Business” exemption applies only to the $25M revenue threshold; it does not waive obligations if the other two thresholds are met.

Use this guide to cement the core mechanics of CCPA/CPRA, avoid common pitfalls, and ace the exam.