CINXE.COM
The Expert's Guide to California Data Privacy Law | CCPA & CPRA | Osano
<!doctype html><html lang="en"><head> <meta charset="utf-8"> <title>The Expert's Guide to California Data Privacy Law | CCPA & CPRA | Osano</title> <link rel="shortcut icon" href="https://www.osano.com/hubfs/v2/icons/favicon/ms-icon-310x310.png"> <meta name="description" content="The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are important California Privacy Laws. Learn more about them here."> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta property="og:description" content="The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are important California Privacy Laws. Learn more about them here."> <meta property="og:title" content="The Expert's Guide to California Data Privacy Law | CCPA & CPRA"> <meta name="twitter:description" content="The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are important California Privacy Laws. Learn more about them here."> <meta name="twitter:title" content="The Expert's Guide to California Data Privacy Law | CCPA & CPRA"> <style> a.cta_button{-moz-box-sizing:content-box !important;-webkit-box-sizing:content-box !important;box-sizing:content-box !important;vertical-align:middle}.hs-breadcrumb-menu{list-style-type:none;margin:0px 0px 0px 0px;padding:0px 0px 0px 0px}.hs-breadcrumb-menu-item{float:left;padding:10px 0px 10px 10px}.hs-breadcrumb-menu-divider:before{content:'›';padding-left:10px}.hs-featured-image-link{border:0}.hs-featured-image{float:right;margin:0 0 20px 20px;max-width:50%}@media (max-width: 568px){.hs-featured-image{float:none;margin:0;width:100%;max-width:100%}}.hs-screen-reader-text{clip:rect(1px, 1px, 1px, 1px);height:1px;overflow:hidden;position:absolute !important;width:1px} </style> <link rel="stylesheet" href="https://www.osano.com/hs-fs/hub/4785246/hub_generated/template_assets/107540355660/1728402644863/Osano/css/main.min.css"> <link rel="stylesheet" href="https://www.osano.com/hs-fs/hub/4785246/hub_generated/template_assets/107541060353/1715363946157/Osano/css/templates/blog.min.css"> <link rel="stylesheet" href="https://www.osano.com/hs-fs/hub/4785246/hub_generated/module_assets/112224055108/1706649595039/module_112224055108_Announcement_Bar.min.css"> <style> @font-face { font-family: "Jost"; src: url("https://www.osano.com/hubfs/Jost-500-MediumItalic.woff") format("woff"); font-display: swap; font-weight: 500; font-style: italic; } @font-face { font-family: "Jost"; src: url("https://www.osano.com/hubfs/Jost-100-HairlineItalic.woff") format("woff"); font-display: swap; font-weight: 200; font-style: italic; } @font-face { font-family: "Jost"; src: url("https://www.osano.com/hubfs/Jost-900-Black.woff") format("woff"); font-display: swap; font-weight: 900; } @font-face { font-family: "Jost"; src: url("https://www.osano.com/hubfs/Jost-800-HeavyItalic.woff") format("woff"); font-display: swap; font-weight: 800; font-style: italic; } @font-face { font-family: "Jost"; src: url("https://www.osano.com/hubfs/Jost-700-BoldItalic.woff") format("woff"); font-display: swap; font-weight: 700; font-style: italic; } @font-face { font-family: "Jost"; src: url("https://www.osano.com/hubfs/Jost-700-Bold.woff") format("woff"); font-display: swap; font-weight: 700; } @font-face { font-family: "Jost"; src: url("https://www.osano.com/hubfs/Jost-500-Medium.woff") format("woff"); font-display: swap; font-weight: 500; } @font-face { font-family: "Jost"; src: url("https://www.osano.com/hubfs/Jost-600-Semi.woff") format("woff"); font-display: swap; font-weight: 600; } @font-face { font-family: "Jost"; src: url("https://www.osano.com/hubfs/Jost-900-BlackItalic.woff") format("woff"); font-display: swap; font-weight: 900; font-style: italic; } @font-face { font-family: "Jost"; src: url("https://www.osano.com/hubfs/Jost-300-LightItalic.woff") format("woff"); font-display: swap; font-weight: 300; font-style: italic; } @font-face { font-family: "Jost"; src: url("https://www.osano.com/hubfs/Jost-400-BookItalic.woff") format("woff"); font-display: swap; font-weight: 400; font-style: italic; } @font-face { font-family: "Jost"; src: url("https://www.osano.com/hubfs/Jost-400-Book.woff") format("woff"); font-display: swap; font-weight: 400; } @font-face { font-family: "Jost"; src: url("https://www.osano.com/hubfs/Jost-100-Hairline.woff") format("woff"); font-display: swap; font-weight: 200; } @font-face { font-family: "Jost"; src: url("https://www.osano.com/hubfs/Jost-200-ThinItalic.woff") format("woff"); font-display: swap; font-weight: 100; font-style: italic; } @font-face { font-family: "Jost"; src: url("https://www.osano.com/hubfs/Jost-800-Heavy.woff") format("woff"); font-display: swap; font-weight: 800; } @font-face { font-family: "Jost"; src: url("https://www.osano.com/hubfs/Jost-300-Light.woff") format("woff"); font-display: swap; font-weight: 300; } @font-face { font-family: "Jost"; src: url("https://www.osano.com/hubfs/Jost-200-Thin.woff") format("woff"); font-display: swap; font-weight: 100; } @font-face { font-family: "Jost"; src: url("https://www.osano.com/hubfs/Jost-600-SemiItalic.woff") format("woff"); font-display: swap; font-weight: 600; font-style: italic; } </style> <link rel="stylesheet" href="https://www.osano.com/hs-fs/hub/4785246/hub_generated/module_assets/111415423003/1727864669955/module_111415423003_Header.min.css"> <link rel="stylesheet" href="https://www.osano.com/hs-fs/hub/4785246/hub_generated/module_assets/113269451948/1728404785229/module_113269451948_Hero_-_Blog_Detail.min.css"> <link rel="stylesheet" href="https://www.osano.com/hs-fs/hub/4785246/hub_generated/module_assets/112722358402/1706649589141/module_112722358402_Blog_Form.min.css"> <link rel="stylesheet" href="https://www.osano.com/hs-fs/hub/4785246/hub_generated/module_assets/113754010995/1706649588699/module_113754010995_Blog_Detail_-_Special_Modules.min.css"> <link rel="stylesheet" href="https://www.osano.com/hs-fs/hub/4785246/hub_generated/module_assets/113797666745/1725026884546/module_113797666745_Blog_-_Latest_Articles.min.css"> <link rel="stylesheet" href="https://www.osano.com/hs-fs/hub/4785246/hub_generated/module_assets/113743004473/1706649588360/module_113743004473_Blog_Detail_-_Conversion_Panel.min.css"> <link rel="stylesheet" href="https://www.osano.com/hs-fs/hub/4785246/hub_generated/module_assets/107544076640/1706649594681/module_107544076640_Site_Footer.min.css"> <script type="application/ld+json"> { "mainEntityOfPage" : { "@type" : "WebPage", "@id" : "https://www.osano.com/articles/california-privacy-laws-ccpa-cpra" }, "author" : { "name" : "Sam Pfeifle", "url" : "https://www.osano.com/articles/author/sam-pfeifle", "@type" : "Person" }, "headline" : "The Expert's Guide to California Data Privacy Law | CCPA & CPRA", "datePublished" : "2022-08-24T21:00:00.000Z", "dateModified" : "2024-12-13T11:08:06.852Z", "publisher" : { "name" : "Osano, Inc.", "logo" : { "url" : "https://www.osano.com/hubfs/assets/logos/logo_default.png", "@type" : "ImageObject" }, "@type" : "Organization" }, "@context" : "https://schema.org", "@type" : "BlogPosting", "image" : [ "https://www.osano.com/hubfs/CPRA.png" ] } </script> <meta charset="UTF-8"> <meta name="referrer" content="same-origin"> <meta http-equiv="Content-Security-Policy" content="default-src data: https:; script-src 'unsafe-inline' 'unsafe-eval' https:; worker-src blob: https:; object-src 'none'; style-src data: 'unsafe-inline' https:; img-src data: https:; media-src data: https: blob:; frame-src https:; font-src data: https:; connect-src data: https:"> <meta name="referrer" content="strict-origin-when-cross-origin"> <meta name="msapplication-TileColor" content="%23ffffff"> <meta name="msapplication-TileImage" content="https://www.osano.com/hubfs/v2/icons/favicon/ms-icon-144x144.png"> <meta name="theme-color" content="%23ffffff"> <link rel="apple-touch-icon" sizes="57x57" href="https://www.osano.com/hubfs/v2/icons/favicon/apple-icon-57x57.png"> <link rel="apple-touch-icon" sizes="60x60" href="https://www.osano.com/hubfs/v2/icons/favicon/apple-icon-60x60.png"> <link rel="apple-touch-icon" sizes="72x72" href="https://www.osano.com/hubfs/v2/icons/favicon/apple-icon-72x72.png"> <link rel="apple-touch-icon" sizes="76x76" href="https://www.osano.com/hubfs/v2/icons/favicon/apple-icon-76x76.png"> <link rel="apple-touch-icon" sizes="114x114" href="https://www.osano.com/hubfs/v2/icons/favicon/apple-icon-114x114.png"> <link rel="apple-touch-icon" sizes="120x120" href="https://www.osano.com/hubfs/v2/icons/favicon/apple-icon-120x120.png"> <link rel="apple-touch-icon" sizes="144x144" href="https://www.osano.com/hubfs/v2/icons/favicon/apple-icon-144x144.png"> <link rel="apple-touch-icon" sizes="152x152" href="https://www.osano.com/hubfs/v2/icons/favicon/apple-icon-152x152.png"> <link rel="apple-touch-icon" sizes="180x180" href="https://www.osano.com/hubfs/v2/icons/favicon/apple-icon-180x180.png"> <link rel="icon" type="image/png" sizes="192x192" href="https://www.osano.com/hubfs/v2/icons/favicon/android-icon-192x192.png"> <link rel="icon" type="image/png" sizes="32x32" href="https://www.osano.com/hubfs/v2/icons/favicon/favicon-32x32.png"> <link rel="icon" type="image/png" sizes="96x96" href="https://www.osano.com/hubfs/v2/icons/favicon/favicon-96x96.png"> <link rel="icon" type="image/png" sizes="16x16" href="https://www.osano.com/hubfs/v2/icons/favicon/favicon-16x16.png"> <link rel="manifest" href="https://www.osano.com/hubfs/v2/icons/favicon/manifest.json"> <script> window.dataLayer = window.dataLayer ||[]; function gtag(){dataLayer.push(arguments);} gtag('consent','default',{ 'ad_storage':'denied', 'analytics_storage':'denied', 'ad_user_data':'denied', 'ad_personalization':'denied', 'personalization_storage':'denied', 'functionality_storage':'granted', 'security_storage':'granted', 'wait_for_update': 500 }); gtag("set", "ads_data_redaction", true); </script> <!-- domain: www.osano.com --><link rel="preload" as="script" href="https://cmp.osano.com/2sUBzx7wRdAfu6J2kkS/8e547744-886f-4a9b-a90f-7e96a47aa604/osano.js"><script src="https://cmp.osano.com/2sUBzx7wRdAfu6J2kkS/8e547744-886f-4a9b-a90f-7e96a47aa604/osano.js"></script> <script> var consentStatus = { "ESSENTIAL": "ACCEPT", "ANALYTICS": "DENY", "MARKETING": "DENY", "PERSONALIZATION": "DENY" }; var clearedCookies = false; function clearCookies(o){ if(typeof(o) === "object" && o.ANALYTICS == "DENY" && clearedCookies === false){ var _hsp = window._hsp = window._hsp || []; _hsp.push(['revokeCookieConsent']); var _paq = window._paq = window._paq || []; _paq.push(['disableCookies']); clearedCookies = true; console.log("Cleared Cookies"); } } if(typeof(window.Osano) === "object"){ window.Osano.cm.addEventListener("osano-cm-consent-saved", function (consent) { if(typeof(consent) === "object"){ consentStatus = consent; clearCookies(consent); } }); window.Osano.cm.addEventListener("osano-cm-initialized", function (consent) { if(typeof(consent) === "object"){ consentStatus = consent; clearCookies(consent);}}); } </script> <script> window.hsSetTimeout = window.setTimeout; window.setTimeout = function(func, delay) { if(delay === 99000){ delay = 0; } return window.hsSetTimeout(function() {try {func();} catch (e) {throw e;}}, delay);}; window.hsConversationsSettings = { loadImmediately: false }; window.addEventListener('load', function () { if (window.HubSpotConversations) { onConversationsAPIReady(); } else { window.hsConversationsOnReady = [onConversationsAPIReady]; } }); function onConversationsAPIReady() { window.HubSpotConversations.widget.load(); } </script> <script type="application/ld+json">{"@context": "https://schema.org","@type": "WebSite","url": "https://www.osano.com/","potentialAction": {"@type": "SearchAction","target": "https://www.osano.com/search?term={search_term_string}","query-input": "required name=search_term_string" } }</script> <style>@media print { div#hubspot-messages-iframe-container, .osano-cm-window { display: none!important; } }</style> <style> header { animation: leadinModal-dropin 0.5s; -webkit-animation: leadinModal-dropin 0.5s; -webkit-backface-visibility: hidden; top: 0px; } div.leadinModal.leadinModal-theme-top { z-index: 96; } div.leadinModal.leadinModal-theme-top.leadinModal-hidden { display: block; } div.leadinModal.leadinModal-theme-top.leadinModal-hidden > div.leadinModal-overlay, div.leadinModal.leadinModal-theme-top.leadinModal-hidden > div.leadinModal-content { animation: none; -webkit-animation:none; -moz-animation: none; -o-animation: none; } div.leadinModal.leadinModal-theme-top.leadinModal-closing { animation: leadinModal-dropout 0.5s; -webkit-animation: leadinModal-dropout 0.5s; -webkit-backface-visibility: hidden; } @keyframes bgPulse { 0% { background: inherit; } 40% { background: #7a3ff1; } 50% { background: inherit; } 70% { background: #7a3ff1; } 80% { background: inherit; } } div.leadinModal-theme-top > div.leadinModal-content > div.leadinModal-content-wrapper { animation: bgPulse 5s infinite linear; -webkit-animation: bgPulse 5s infinite linear; } </style> <link rel="amphtml" href="https://www.osano.com/articles/california-privacy-laws-ccpa-cpra?hs_amp=true"> <meta property="og:image" content="https://www.osano.com/hubfs/CPRA.png"> <meta property="og:image:width" content="1024"> <meta property="og:image:height" content="512"> <meta property="og:image:alt" content="California state flag"> <meta name="twitter:image" content="https://www.osano.com/hubfs/CPRA.png"> <meta name="twitter:image:alt" content="California state flag"> <meta property="og:url" content="https://www.osano.com/articles/california-privacy-laws-ccpa-cpra"> <meta name="twitter:card" content="summary_large_image"> <meta name="twitter:creator" content="@SamPfeifle"> <link rel="canonical" href="https://www.osano.com/articles/california-privacy-laws-ccpa-cpra"> <style> table { font-size: 1rem; } table > thead > tr { background-color: #37cd8f; color: white; font-weight: bold; text-align: center; } .entry-content table:not(.wp-block-table) th:last-child { border-bottom: 2px solid #dee2e6; } </style> <meta property="og:type" content="article"> <link rel="alternate" type="application/rss+xml" href="https://www.osano.com/articles/rss.xml"> <meta name="twitter:domain" content="www.osano.com"> <meta name="twitter:site" content="@Osano"> <meta http-equiv="content-language" content="en"> <script type="application/ld+json"> { "@context": "https://schema.org", "@type": "FAQPage", "mainEntity": [{ "@type": "Question", "name": "Who Must Comply With the CPRA?", "acceptedAnswer": { "@type": "Answer", "text": "You must comply with the CPRA if you are a for-profit organizations that do business in California, collect the personal data of Californians or has it collected for them, and fits one or more of these criteria: Buys, sells, or shares the personal information of 100,000 people or households. Creates 50% or more of their revenue through the sale or sharing of personal information. Had $25 million in gross revenue in the preceding calendar year." } },{ "@type": "Question", "name": "When Did the CPRA Go Into Effect?", "acceptedAnswer": { "@type": "Answer", "text": "The CPRA came into force on January 1, 2023, but it also protects data collected starting January 1, 2022. The CPRA’s enforcement date is July 1, 2023." } },{ "@type": "Question", "name": "What Is the CPRA Definition of Personal Information?", "acceptedAnswer": { "@type": "Answer", "text": "The CPRA defines personal information as \"Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.\"" } },{ "@type": "Question", "name": "What Is the CPRA Definition of Sensitive Personal Information?", "acceptedAnswer": { "@type": "Answer", "text": "Sensitive personal information has extra requirements for its collection and processing. Sensitive personal information includes: A consumer’s social security, driver’s license, and similar identifiers. Account access information. Precise geolocation. Sexual identity, ethnicity, etc. Genetic and biometric data. And more." } },{ "@type": "Question", "name": "What Are the CPRA’s Requirements Around Data Collection Consent?", "acceptedAnswer": { "@type": "Answer", "text": "The CPRA requires businesses to accept opt-out requests, meaning that they can collect users’ personal information by default so long as they provide notice about the collection and means of opting out of it. Businesses must provide a \"Do not sell or share my personal information” link, which stops the share or sale of personal data to third parties, in particular for the purpose of targeted advertising. Businesses must also honor opt-out requests from authorized third-party signals, like the GPC. Businesses must also provide a “Limit the use of my sensitive personal information” link, which prevents any sale or share of sensitive personal information unless it's strictly necessary for the provision of your product or service, or for specific business purposes listed in the law (such as debugging purposes, providing customer service, and other purposes). While most personal data collection is opt-out, businesses must acquire opt-in consent (i.e., not collecting unless the user agrees first) in the following circumstances: When selling or sharing personal information of minors. When Offering participation in financial incentive programs. When selling or sharing the personal information of consumers who have previously opted out. When using personal information for a secondary purpose beyond the original stated purpose. When using personal information for scientific research." } },{ "@type": "Question", "name": "What Are the CPRA’s Requirements Around Data Subject Rights?", "acceptedAnswer": { "@type": "Answer", "text": "The CPRA provides consumers, employees, and other commercial partners with the following rights: Right to Access, Deletion, and Correction Right To Object to Sale or Share Right To Opt-out of Behavioral Profiling and Automated Decision-Making Right To Object to the Use of Sensitive Personal Information Right to Data Portability Subject rights requests must be fulfilled within a 45-day window, with the option for a 45-day extension for complex and/or high-volume requests. Businesses may refuse or charge a fee for subject rights request if they are manifestly unfounded or excessive. However, the onus is on the business to prove whether a request is manifestly unfounded or excessive." } },{ "@type": "Question", "name": "How Does CPRA Enforcement Work?", "acceptedAnswer": { "@type": "Answer", "text": "The state attorney general, district attorneys, and the California Privacy Protection Agency may enforce the CPRA. In some limited circumstances, private citizens may sue businesses for CPRA violations. Businesses that violate the CPRA may be penalized with: A $2.5k fine per negligent mistakes A $7.5k per willfully negligent violations" } }] } </script> <meta name="generator" content="HubSpot"></head> <body> <div class="body-wrapper hs-content-id-27824911813 hs-blog-post hs-blog-id-9895000587" data-page="articles/california-privacy-laws-ccpa-cpra"> <div data-global-resource-path="Osano/templates/partials/header.html"> <header class="header header-main"> <div class="container"> <div class="row mx-0 align-items-center"> <a class="d-inline-flex header__logo" href="https://www.osano.com"> <img src="https://www.osano.com/hubfs/Imported%20images/Logo.svg" alt="Logo" loading="lazy" width="142" height="32" style="max-width: 100%; height: auto;"> </a> <ul class="header__top-menu-wrapper header__menu-wrapper "> <li> <a href="javascript:void(0);" class="open-sub-menu"> <span> Platform </span> <svg xmlns="http://www.w3.org/2000/svg" width="12" height="8" viewbox="0 0 12 8" fill="none"> <path d="M1 1.5L6 6.5L11 1.5" stroke="white" stroke-width="1.66667" stroke-linecap="round" stroke-linejoin="round" /> </svg> </a> <div class="header__submenu-wrapper"> <div class="platform_menu"> <ul> <li class="header__submenu-header hover-arrow "> <h5 class=""> <span> The Osano Platform Overview </span> <svg xmlns="http://www.w3.org/2000/svg" width="13" height="12" viewbox="0 0 13 12" fill="none"> <path d="M1.41699 6H11.917M11.917 6L6.66699 0.75M11.917 6L6.66699 11.25" stroke="white" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" /> </svg> </h5> <p> Get an overview of the simple, all-in-one data privacy platform </p> <a class="mask-link" href="https://www.osano.com/products"> </a> </li> <div class="platform"> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/header__icon-1.svg" alt="header__icon-1" loading="lazy" width="21" height="20" style="max-width: 100%; height: auto;"> <div> <h5> Cookie Consent </h5> <p> Manage consent for data privacy laws in 50+ countries </p> </div> <a class="mask-link" href="https://www.osano.com/cookieconsent"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/user-square.svg" alt="user-square" loading="lazy" width="24" height="24" style="max-width: 100%; height: auto;"> <div> <h5> Subject Rights Management </h5> <p> Streamline and automate the DSAR workflow </p> </div> <a class="mask-link" href="https://www.osano.com/products/subject-rights"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/marketing/assets/icons/assessments%20primary%20200.svg" alt="assessments primary 200" loading="lazy" width="24" height="24" style="max-width: 100%; height: auto;"> <div> <h5> Assessments </h5> <p> Efficiently manage assessment workflows using custom or pre-built templates </p> </div> <a class="mask-link" href="https://www.osano.com/products/privacy-assessments"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/marketing/assets/icons/Unified%20Consent%20primary%20200.svg" alt="Unified Consent primary 200" loading="lazy" width="24" height="24" style="max-width: 100%; height: auto;"> <div> <h5> Unified Consent & Preference Hub </h5> <p> Streamline consent, utilize non-cookie data, and enhance customer trust </p> </div> <a class="mask-link" href="https://www.osano.com/products/unified-consent-preference-hub"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/marketing/assets/icons/data%20mapping%20primary%20200.svg" alt="data mapping primary 200" loading="lazy" width="24" height="24" style="max-width: 100%; height: auto;"> <div> <h5> Data Mapping </h5> <p> Automate and visualize data store discovery and classification </p> </div> <a class="mask-link" href="https://www.osano.com/products/data-mapping"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/shield-tick.svg" alt="shield-tick" loading="lazy" width="24" height="24" style="max-width: 100%; height: auto;"> <div> <h5> Vendor Privacy Risk Management </h5> <p> Ensure your customers’ data is in good hands </p> </div> <a class="mask-link" href="https://www.osano.com/products/vendor-risk"> </a> </li> </div> </ul> <ul> <li class="header__submenu-header "> <h5 class=""> <span> Features & Integrations </span> </h5> <p> Key Features & Integrations </p> </li> <div class="features"> <li class="header__submenu-list-item"> <div> <h5> TrustHub </h5> </div> <a class="mask-link" href="https://www.osano.com/features/trusthub"> </a> </li> <li class="header__submenu-list-item"> <div> <h5> Privacy Templates </h5> </div> <a class="mask-link" href="https://www.osano.com/features/privacy-templates"> </a> </li> <li class="header__submenu-list-item"> <div> <h5> GDPR Representative </h5> </div> <a class="mask-link" href="https://www.osano.com/features/gdpr-representative"> </a> </li> <li class="header__submenu-list-item"> <div> <h5> Consult Privacy Team </h5> </div> <a class="mask-link" href="https://www.osano.com/features/privacy-experts"> </a> </li> <li class="header__submenu-list-item"> <div> <h5> Regulatory Guidance </h5> </div> <a class="mask-link" href="https://www.osano.com/features/regulatory-guidance"> </a> </li> <li class="header__submenu-list-item"> <div> <h5> Integrations </h5> </div> <a class="mask-link" href="https://developers.osano.com/integrations/" target="_blank" rel="noopener"> </a> </li> </div> </ul> </div> </div> </li> <li> <a href="javascript:void(0);" class="open-sub-menu"> <span> Solutions </span> <svg xmlns="http://www.w3.org/2000/svg" width="12" height="8" viewbox="0 0 12 8" fill="none"> <path d="M1 1.5L6 6.5L11 1.5" stroke="white" stroke-width="1.66667" stroke-linecap="round" stroke-linejoin="round" /> </svg> </a> <div class="header__submenu-wrapper"> <ul class=" "> <li class="header__submenu-header "> <h5 class=""> <span> By Regulation </span> </h5> </li> <li class="header__submenu-list-item"> <div> <h5> CPRA </h5> <p> Discover how Osano supports CPRA compliance </p> </div> <a class="mask-link" href="https://www.osano.com/solutions/cpra-compliance-software"> </a> </li> <li class="header__submenu-list-item"> <div> <h5> CCPA </h5> <p> Learn about the CCPA and how Osano can help </p> </div> <a class="mask-link" href="https://www.osano.com/solutions/ccpa-compliance-software"> </a> </li> <li class="header__submenu-list-item"> <div> <h5> GDPR </h5> <p> Achieve compliance with one of the world’s most comprehensive data privacy laws </p> </div> <a class="mask-link" href="https://www.osano.com/solutions/gdpr-compliance-software"> </a> </li> </ul> <ul class=" "> <li class="header__submenu-header "> <h5 class=""> <span> By Organization Type </span> </h5> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/Icon%20(10).svg" alt="Icon (10)" loading="lazy" width="23" height="12" style="max-width: 100%; height: auto;"> <div> <h5> Start-Up </h5> <p> Don’t let data privacy compliance get in the way of growth </p> </div> <a class="mask-link" href="https://www.osano.com/solutions/start-up-privacy-software"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/Icon%20(11).svg" alt="Icon (11)" loading="lazy" width="21" height="20" style="max-width: 100%; height: auto;"> <div> <h5> Mid-Sized </h5> <p> Preserve your competitive edge </p> </div> <a class="mask-link" href="https://www.osano.com/solutions/mid-sized-privacy-software"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/Icon%20(12).svg" alt="Icon (12)" loading="lazy" width="23" height="20" style="max-width: 100%; height: auto;"> <div> <h5> Enterprise </h5> <p> Manage data privacy at scale </p> </div> <a class="mask-link" href="https://www.osano.com/solutions/enterprise-privacy-software"> </a> </li> </ul> <ul class=" "> <li class="header__submenu-header "> <h5 class=""> <span> By Use Case </span> </h5> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/Path.svg" alt="Path" loading="lazy" width="21" height="22" style="max-width: 100%; height: auto;"> <div> <h5> Consent Management </h5> <p> Manage consent without the complexity </p> </div> <a class="mask-link" href="https://www.osano.com/solutions/consent-management-platform"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/Icon%20(14).svg" alt="Icon (14)" loading="lazy" width="21" height="22" style="max-width: 100%; height: auto;"> <div> <h5> DSAR Automation </h5> <p> Never miss a DSAR deadline again </p> </div> <a class="mask-link" href="https://www.osano.com/products/subject-rights"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/Icon%20(16).svg" alt="Icon (16)" loading="lazy" width="23" height="22" style="max-width: 100%; height: auto;"> <div> <h5> Privacy Program Management </h5> <p> Build and grow an end-to-end privacy program </p> </div> <a class="mask-link" href="https://www.osano.com/solutions/privacy-program-management-software"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/Icon%20(15).svg" alt="Icon (15)" loading="lazy" width="19" height="22" style="max-width: 100%; height: auto;"> <div> <h5> Vendor Risk Management </h5> <p> Regain insight and control over your customers’ data </p> </div> <a class="mask-link" href="https://www.osano.com/products/vendor-risk"> </a> </li> </ul> </div> </li> <li> <a href="javascript:void(0);" class="open-sub-menu"> <span> Resources </span> <svg xmlns="http://www.w3.org/2000/svg" width="12" height="8" viewbox="0 0 12 8" fill="none"> <path d="M1 1.5L6 6.5L11 1.5" stroke="white" stroke-width="1.66667" stroke-linecap="round" stroke-linejoin="round" /> </svg> </a> <div class="header__submenu-wrapper"> <ul class=" reduced-size "> <li class="header__submenu-header "> <h5 class=""> <span> Resources </span> </h5> <p> Key resources on all things data privacy </p> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/book-open-01.svg" alt="book-open-01" loading="lazy" width="24" height="24" style="max-width: 100%; height: auto;"> <div> <h5> Articles </h5> <p> Expert insights on all things privacy </p> </div> <a class="mask-link" href="https://www.osano.com/articles"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/Icon%20(25).svg" alt="Icon (25)" loading="lazy" width="22" height="20" style="max-width: 100%; height: auto;"> <div> <h5> Resource Center </h5> <p> Key resources to further your data privacy education </p> </div> <a class="mask-link" href="https://www.osano.com/resources"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/marketing/assets/icons/hand%20a%20heart%20icon%20primary%20200.svg" alt="hand a heart icon primary 200" loading="lazy" width="23" height="22" style="max-width: 100%; height: auto;"> <div> <h5> Customer Stories </h5> <p> Meet some of the 5,000+ leaders using Osano to transform their privacy programs </p> </div> <a class="mask-link" href="https://www.osano.com/customers"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/marketing/assets/icons/globe%20icon%20primary%20200.svg" alt="globe icon primary 200" loading="lazy" width="21" height="22" style="max-width: 100%; height: auto;"> <div> <h5> U.S. Data Privacy Laws </h5> <p> A guide to data privacy in the U.S. </p> </div> <a class="mask-link" href="https://www.osano.com/us-data-privacy-laws"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/marketing/assets/icons/code%20icon%20primary%20200.svg" alt="code icon primary 200" loading="lazy" width="22" height="20" style="max-width: 100%; height: auto;"> <div> <h5> Product Updates </h5> <p> What's the latest from Osano? </p> </div> <a class="mask-link" href="https://www.osano.com/updates"> </a> </li> </ul> <ul class=" "> <li class="header__submenu-header "> <h5 class=""> <span> Become a Privacy Insider </span> </h5> <p> Data privacy is complex but you're not alone </p> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/marketing/assets/icons/envelope%20icon%20primary%20200.svg" alt="envelope icon primary 200" loading="lazy" width="22" height="18" style="max-width: 100%; height: auto;"> <div> <h5> The Newsletter </h5> <p> Join our weekly newsletter with over 35,000 subscribers </p> </div> <a class="mask-link" href="https://www.osano.com/newsletter"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/Icon%20(17).svg" alt="Icon (17)" loading="lazy" width="16" height="20" style="max-width: 100%; height: auto;"> <div> <h5> The Podcast </h5> <p> Global experts share insights and compelling personal stories about the critical importance of data privacy </p> </div> <a class="mask-link" href="https://www.osano.com/podcast"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/book-open-01.svg" alt="book-open-01" loading="lazy" width="24" height="24" style="max-width: 100%; height: auto;"> <div> <h5> The Book </h5> <p> Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program </p> </div> <a class="mask-link" href="https://www.osano.com/the-privacy-insider-book"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/Icon%20(30).svg" alt="Icon (30)" loading="lazy" width="23" height="20" style="max-width: 100%; height: auto;"> <div> <h5> Events </h5> <p> Upcoming webinars and in-person events designed for privacy professionals </p> </div> <a class="mask-link" href="https://www.osano.com/events"> </a> </li> </ul> <div class="header__navigation-card header__latest-post"> <h4> Latest Blog post </h4> <div class="header__latest-post-content"> <div class="d-flex"> <img class="blog-related-posts__image" src="https://www.osano.com/hs-fs/hubfs/Skye-McCullough-WIP-1024x512.png?width=352&name=Skye-McCullough-WIP-1024x512.png" loading="lazy" width="352" alt="Skye McCullough" srcset="https://www.osano.com/hs-fs/hubfs/Skye-McCullough-WIP-1024x512.png?width=176&name=Skye-McCullough-WIP-1024x512.png 176w, https://www.osano.com/hs-fs/hubfs/Skye-McCullough-WIP-1024x512.png?width=352&name=Skye-McCullough-WIP-1024x512.png 352w, https://www.osano.com/hs-fs/hubfs/Skye-McCullough-WIP-1024x512.png?width=528&name=Skye-McCullough-WIP-1024x512.png 528w, https://www.osano.com/hs-fs/hubfs/Skye-McCullough-WIP-1024x512.png?width=704&name=Skye-McCullough-WIP-1024x512.png 704w, https://www.osano.com/hs-fs/hubfs/Skye-McCullough-WIP-1024x512.png?width=880&name=Skye-McCullough-WIP-1024x512.png 880w, https://www.osano.com/hs-fs/hubfs/Skye-McCullough-WIP-1024x512.png?width=1056&name=Skye-McCullough-WIP-1024x512.png 1056w" sizes="(max-width: 352px) 100vw, 352px"> </div> <div class="header__latest-post-wrapper"> <h4> Osano’s Own Women in Privacy: Skye McCullough </h4> <p> Our showcase of Osano’s Women in Privacy continues with our third... </p> <span class="btn-inline"> <span> Read Now </span> <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewbox="0 0 14 14" fill="none"> <path d="M1.16699 6.99984H12.8337M12.8337 6.99984L7.00033 1.1665M12.8337 6.99984L7.00033 12.8332" stroke="white" stroke-width="1.66667" stroke-linecap="round" stroke-linejoin="round" /> </svg> </span> </div> </div> <a class="mask-link" href="https://www.osano.com/articles/women-in-privacy-skye-mccullough" target="_blank"></a> </div> </div> </li> <li> <a href="javascript:void(0);" class="open-sub-menu"> <span> Company </span> <svg xmlns="http://www.w3.org/2000/svg" width="12" height="8" viewbox="0 0 12 8" fill="none"> <path d="M1 1.5L6 6.5L11 1.5" stroke="white" stroke-width="1.66667" stroke-linecap="round" stroke-linejoin="round" /> </svg> </a> <div class="header__submenu-wrapper"> <ul class=" "> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/Vector.svg" alt="Vector" loading="lazy" width="20" height="20" style="max-width: 100%; height: auto;"> <div> <h5> About Us </h5> <p> The Osano story </p> </div> <a class="mask-link" href="https://www.osano.com/company/about"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/Icon%20(25).svg" alt="Icon (25)" loading="lazy" width="22" height="20" style="max-width: 100%; height: auto;"> <div> <h5> Careers </h5> <p> Become an Osanian and help us build the future of privacy! </p> </div> <a class="mask-link" href="https://www.osano.com/company/careers"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/Icon%20(26).svg" alt="Icon (26)" loading="lazy" width="20" height="21" style="max-width: 100%; height: auto;"> <div> <h5> Contact </h5> <p> We’re eager to hear from you </p> </div> <a class="mask-link" href="https://www.osano.com/company/contact"> </a> </li> </ul> <ul class=" "> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/%EF%83%A3.svg" alt="" loading="lazy" width="19" height="19" style="max-width: 100%; height: auto;"> <div> <h5> Our Pledge </h5> <p> No fines, no penalties </p> </div> <a class="mask-link" href="https://www.osano.com/pledge"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/Icon%20(27).svg" alt="Icon (27)" loading="lazy" width="21" height="22" style="max-width: 100%; height: auto;"> <div> <h5> Data Licensing </h5> <p> Add Osano data privacy ratings and recommendations to your application </p> </div> <a class="mask-link" href="https://www.osano.com/company/data"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/Icon%20(28).svg" alt="Icon (28)" loading="lazy" width="21" height="22" style="max-width: 100%; height: auto;"> <div> <h5> Osano Swag Store </h5> <p> Increase Trust. Stay Compliant. Get Cool Swag. </p> </div> <a class="mask-link" href="https://shop.osano.com" target="_blank" rel="noopener"> </a> </li> </ul> <ul class=" "> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/Icon%20(29).svg" alt="Icon (29)" loading="lazy" width="21" height="21" style="max-width: 100%; height: auto;"> <div> <h5> Press & Media </h5> <p> Inquiries and Osano in the news </p> </div> <a class="mask-link" href="https://www.osano.com/pr"> </a> </li> <li class="header__submenu-list-item"> <img src="https://www.osano.com/hubfs/Imported%20sitepage%20images/Icon%20(30).svg" alt="Icon (30)" loading="lazy" width="23" height="20" style="max-width: 100%; height: auto;"> <div> <h5> Partners & Resellers </h5> <p> Interested in partnering with us? </p> </div> <a class="mask-link" href="https://www.osano.com/company/partners-resellers"> </a> </li> </ul> </div> </li> <li> <a href="https://www.osano.com/plans"> <span> Pricing </span> </a> </li> <li class="header__cta-wrapper ml-auto"> <a class="inline-btn" href="https://my.osano.com/" target="_blank" rel="noopener"> <span> Sign In </span> </a> <a class="primary-btn" href="https://www.osano.com/request/demo"> <span> Book a Demo </span> </a> </li> </ul> <button class="d-xxl-none menu-btn" id="menu-btn"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="20" viewbox="0 0 24 20" fill="none"> <path d="M1.30078 1.9668H22.6341" stroke="#ffffff" stroke-width="2.41667" stroke-linecap="round"></path> <path d="M1.30078 9.96704H22.6341" stroke="#ffffff" stroke-width="2.41667" stroke-linecap="round"></path> <path d="M1.30078 17.967H22.6341" stroke="#ffffff" stroke-width="2.41667" stroke-linecap="round"></path> </svg> </button> </div> </div> </header> <div class="header-divider"></div></div> <main id="main-content" class="body-container-wrapper"> <div class="body-container body-container--blog-post"> <section class="hero-blog-detail hero__dynamic hero-blog-detail_pb"> <div class="hero-blog-detail-wrapper hero__dynamic-padding"> <div class="container"> <div class="col-12 col-xl-8 mx-xl-auto hero-blog-detail__header text-center px-0"> <h5 class="eyebrow form-hero "> Essentials </h5> <h5 class="eyebrow form-hero ml-2 "> US Privacy Law </h5> <h1 class="hero-blog-detail__heading"> <span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text">The Expert's Guide to California Data Privacy Law | CCPA & CPRA</span> </h1> <div class="hero-blog-detail_author"> <img src="https://www.osano.com/hubfs/assets/avatars/sam-pfeifle.png"> <div> <h5> Sam Pfeifle </h5> <p class="hero-blog-detail_author-update"> Updated: December 13, 2024 </p> <p> Published: August 24, 2022 </p> </div> </div> </div> </div> </div> <div class="hero-blog-detail__image-wrapper container"> <img src="https://www.osano.com/hubfs/CPRA.png" alt="California state flag"> </div> </section> <div class="container post-content"> <div class="row"> <div class="col-12 col-lg-4"> <div class="blog-detail__sidebar"> <div class="blog-headings-nav"> <h5> In this article </h5> <ul class="blog-headings-list"> </ul> </div> <div class="blog-form-wrapper"> <h3> Sign up for our newsletter </h3> <div> <span id="hs_cos_wrapper_module_168295786820360_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_form" style="" data-hs-cos-general-type="widget" data-hs-cos-type="form"><h3 id="hs_cos_wrapper_form_837244757_title" class="hs_cos_wrapper form-title" data-hs-cos-general-type="widget_field" data-hs-cos-type="text"></h3> <div id="hs_form_target_form_837244757"></div> </span> </div> </div> <div class="post-share d-none d-lg-block"> <h5> Share this article </h5> <ul> <li> <span class="d-flex align-items-center share-clipboard" id="copy-url-btn" data-url="https://www.osano.com/articles/california-privacy-laws-ccpa-cpra"> <span class="tooltip-clipboard">Copy to clipboard</span> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none"> <path d="M10 13C10.4295 13.5742 10.9774 14.0492 11.6066 14.393C12.2358 14.7367 12.9315 14.9411 13.6467 14.9924C14.3618 15.0436 15.0796 14.9404 15.7514 14.6898C16.4231 14.4392 17.0331 14.0471 17.54 13.54L20.54 10.54C21.4508 9.59702 21.9548 8.334 21.9434 7.02302C21.932 5.71204 21.4062 4.45797 20.4791 3.53093C19.5521 2.60389 18.298 2.07805 16.987 2.06666C15.676 2.05526 14.413 2.55924 13.47 3.47003L11.75 5.18003M14 11C13.5706 10.4259 13.0227 9.95084 12.3935 9.60709C11.7643 9.26333 11.0685 9.05891 10.3534 9.00769C9.63822 8.95648 8.92043 9.05966 8.24867 9.31025C7.57691 9.56083 6.9669 9.95296 6.46002 10.46L3.46002 13.46C2.54923 14.403 2.04525 15.666 2.05665 16.977C2.06804 18.288 2.59388 19.5421 3.52092 20.4691C4.44796 21.3962 5.70203 21.922 7.01301 21.9334C8.32399 21.9448 9.58701 21.4408 10.53 20.53L12.24 18.82" stroke="#A8A0B1" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" /> </svg> </span> </li> <li> <a class="podcast-button-hover d-flex align-items-center podcast-share__btn" href="https://twitter.com/intent/tweet?url=https://www.osano.com/articles/california-privacy-laws-ccpa-cpra" target="_blank" rel="noopener"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none"> <path d="M7.55016 21.75C16.6045 21.75 21.5583 14.2468 21.5583 7.74192C21.5583 7.53098 21.5536 7.31536 21.5442 7.10442C22.5079 6.40752 23.3395 5.54432 24 4.55536C23.1025 4.95466 22.1496 5.21544 21.1739 5.3288C22.2013 4.71297 22.9705 3.74553 23.3391 2.60583C22.3726 3.17862 21.3156 3.58267 20.2134 3.80067C19.4708 3.01162 18.489 2.48918 17.4197 2.31411C16.3504 2.13905 15.2532 2.32111 14.2977 2.83216C13.3423 3.3432 12.5818 4.15477 12.1338 5.14137C11.6859 6.12798 11.5754 7.23468 11.8195 8.29036C9.86249 8.19215 7.94794 7.68377 6.19998 6.79816C4.45203 5.91255 2.90969 4.6695 1.67297 3.14958C1.0444 4.2333 0.852057 5.51571 1.13503 6.73615C1.418 7.9566 2.15506 9.02351 3.19641 9.72005C2.41463 9.69523 1.64998 9.48474 0.965625 9.10598V9.16692C0.964925 10.3042 1.3581 11.4066 2.07831 12.2868C2.79852 13.167 3.80132 13.7706 4.91625 13.995C4.19206 14.1932 3.43198 14.2221 2.69484 14.0794C3.00945 15.0575 3.62157 15.913 4.44577 16.5264C5.26997 17.1398 6.26512 17.4807 7.29234 17.5013C5.54842 18.8712 3.39417 19.6142 1.17656 19.6107C0.783287 19.6101 0.390399 19.586 0 19.5385C2.25286 20.9838 4.87353 21.7514 7.55016 21.75Z" fill="#A8A0B1" /> </svg> </a> </li> <li> <a class="podcast-button-hover d-flex align-items-center podcast-share__btn podcast-share__btn--2" href="http://www.linkedin.com/shareArticle?mini=true&url=https://www.osano.com/articles/california-privacy-laws-ccpa-cpra" target="_blank" rel="noopener"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none"> <g clip-path="url(#clip0_400_12823)"> <path d="M22.2234 0H1.77187C0.792187 0 0 0.773438 0 1.72969V22.2656C0 23.2219 0.792187 24 1.77187 24H22.2234C23.2031 24 24 23.2219 24 22.2703V1.72969C24 0.773438 23.2031 0 22.2234 0ZM7.12031 20.4516H3.55781V8.99531H7.12031V20.4516ZM5.33906 7.43438C4.19531 7.43438 3.27188 6.51094 3.27188 5.37187C3.27188 4.23281 4.19531 3.30937 5.33906 3.30937C6.47813 3.30937 7.40156 4.23281 7.40156 5.37187C7.40156 6.50625 6.47813 7.43438 5.33906 7.43438ZM20.4516 20.4516H16.8937V14.8828C16.8937 13.5562 16.8703 11.8453 15.0422 11.8453C13.1906 11.8453 12.9094 13.2937 12.9094 14.7891V20.4516H9.35625V8.99531H12.7687V10.5609H12.8156C13.2891 9.66094 14.4516 8.70938 16.1813 8.70938C19.7859 8.70938 20.4516 11.0813 20.4516 14.1656V20.4516Z" fill="#A8A0B1" /> </g> <defs> <clippath id="clip0_400_12823"> <rect width="24" height="24" fill="white" /> </clippath> </defs> </svg> </a> </li> </ul> </div> </div> </div> <div class="col-12 col-lg-8 blog-post-col"> <article class="blog-post"> <div class="blog-post__body"> <span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text"><p><span data-contrast="none" xml:lang="EN-US" lang="EN-US"><span>For a long time, California has been a leader in making sure its citizens’ privacy is protected. In the early days of the modern </span><span>i</span><span>nternet,</span><span> </span><span>California’s privacy policy law</span><span> </span><span>led the charge in making sure websites </span><span>didn’t</span><span> deceive visitors or otherwise use deceptive practices by collecting data without </span><span>a privacy</span><span> notice. Today, it is California</span><span> again</span><span>—with the California Privacy Rights Act (CPRA) building on the <a href="/articles/ccpa-compliance" rel="noopener" target="_blank">California Consumer Privacy Act (CCPA)</a>—that is leading the way in making sure consumers have control over how businesses collect and share their personal data. </span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <!--more--> <p><span data-contrast="none">As more states—like </span><a href="https://www.osano.com/articles/cdpa-vs-cpra-ccpa"><span data-contrast="none">Virginia</span></a><span data-contrast="none">, </span><a href="https://www.osano.com/articles/colorado-privacy-act-what-is-it"><span data-contrast="none">Colorado</span></a><span data-contrast="none">, </span><a href="https://www.osano.com/articles/iowa-consumer-data-protection-act-icdpa"><span data-contrast="none">Iowa</span></a><span data-contrast="none">, and more—join California in implementing comprehensive privacy legislation, it is vital to understand the requirements of California data privacy law. Not only will it allow you to continue to access what amounts to the world’s fifth largest economy, but it will also put you in good standing with the rest of the <a href="/us-data-privacy-laws" rel="noopener">U.S. state privacy laws</a> and prepare you for compliance with stricter global privacy laws, like the EU’s </span><a href="https://www.osano.com/gdpr"><span data-contrast="none">GDPR</span></a><span data-contrast="none"> or China’s </span><a href="https://digichina.stanford.edu/work/translation-personal-information-protection-law-of-the-peoples-republic-of-china-effective-nov-1-2021/"><span data-contrast="none">PIPL</span></a><span data-contrast="none">.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">In this blog, we’ll take a look at:</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <ul> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="8" data-aria-level="1"><span data-contrast="none">Where California privacy law stands right now.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="9" data-aria-level="1"><span data-contrast="none">How <a href="/articles/ccpa-vs-cpra" rel="noopener" target="_blank">CPRA builds on CCPA</a>.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="10" data-aria-level="1"><span data-contrast="none">What steps to take to comply and avoid penalties and reputational harm.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="11" data-aria-level="1"><span data-contrast="none">What to look for in the future to remain in compliance.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="12" data-aria-level="1"><span data-contrast="none">Frequently asked questions regarding the CPRA.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> </ul> <p><span data-contrast="none">Let’s get started.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <a id="what-are-ccpa-cpra" data-hs-anchor="true"></a> <h2 style="font-weight: normal;"><span data-contrast="none" xml:lang="EN-US" lang="EN-US">CCPA vs. CPRA: How Are They Different?</span></h2> <p><span data-contrast="none" xml:lang="EN-US" lang="EN-US"><span>It’s</span><span> best to think of the </span><span>California</span><span> Consumer Protection Act (</span><span>CCPA</span><span>) and the </span><span>California</span><span> Privacy Rights Act (</span><span>CPRA</span><span>) as essentially the same thing. </span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <h2 style="font-weight: normal;"><span data-contrast="none" xml:lang="EN-US" lang="EN-US">What is the California Consumer Privacy Act (CCPA)?</span> </h2> <p><span data-contrast="none" xml:lang="EN-US" lang="EN-US"><span>The CCPA passed through the California legislature and was signed by the governor in 2018, with an effective date of Jan</span><span>uary</span><span> 1, 2020. However, the Californians for Consumer Privacy (the group that pushed hardest for the CCPA) almost </span><span>immediately</span><span> felt it </span><span>wasn’t</span><span> strong enough. They started a campaign to make it stronger and more protective of consumer rights to control the collection and use of personal information. </span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <h2 style="font-weight: normal;"><span data-contrast="none" xml:lang="EN-US" lang="EN-US">What is the California Privacy Rights Act (CPRA)?</span> </h2> <p><span data-contrast="none">The </span><a href="https://www.osano.com/ccpa"><span data-contrast="none">California Consumer Protection Act (CPPA) of 2018</span></a><span data-contrast="none"> is already in force, and now it has been updated by the </span><a href="https://www.osano.com/articles/how-to-comply-with-the-california-privacy-rights-act-cpra-a-transcript"><span data-contrast="none">California Privacy Rights Act</span></a><span data-contrast="none"> (CPRA)</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">Because of the Californians for Consumer Privacy push, the California legislature added a citizen’s initiative ballot question in 2020 on whether or not an amendment to the CCPA should be created—the CPRA. The CPRA built upon the CCPA</span><span data-contrast="none"> text, changing some items, </span><span data-contrast="none">adding others, and clarifying some questions around enforcement and who’s actually covered by the law. </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">At this point, for all intents and purposes, the CPRA is the only law you need to worry about. It’s like the CCPA+, or CCPA 2.0, and it covers everything you need to know to understand California </span><span data-contrast="none">data privacy law. </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <h3 style="font-weight: normal;" aria-level="3">CPRA Enforcement Date </h3> <p><span data-contrast="none">The vast majority of the CPRA came into force on January 1, 2023, but the CPRA also regulates data collected starting January 1, 2022. </span></p> <p><span data-contrast="none">The initial CPRA enforcement date was July 1, 2023, but due to <a href="/newsletter/cpra-enforcement-update" rel="noopener" target="_blank">a challenge from the California Chamber of Commerce</a>, which argued that since the CPPA didn't finalize the CPRA's requirements until March of 2023, the date was pushed to March 29, 2024. However, <a href="https://cppa.ca.gov/announcements/2024/20240209.html" rel="noopener" target="_blank">on February 9, 2024, the CPPA won its appeal</a>, immediately allowing enforcement of the initial CPRA regulations and retroactively setting the enforcement effective date to July 1, 2023. </span></p> <a id="who-complies-cpra-ccpa" data-hs-anchor="true"></a> <h2 style="font-weight: normal;"><span data-contrast="none" xml:lang="EN-US" lang="EN-US"><span data-ccp-parastyle="heading 2">CPRA </span><span data-ccp-parastyle="heading 2">C</span><span data-ccp-parastyle="heading 2">ompliance</span><span data-ccp-parastyle="heading 2">: </span><span data-ccp-parastyle="heading 2">H</span><span data-ccp-parastyle="heading 2">ow </span><span data-ccp-parastyle="heading 2">D</span><span data-ccp-parastyle="heading 2">o </span><span data-ccp-parastyle="heading 2">Y</span><span data-ccp-parastyle="heading 2">ou </span><span data-ccp-parastyle="heading 2">K</span><span data-ccp-parastyle="heading 2">now if </span><span data-ccp-parastyle="heading 2">Y</span><span data-ccp-parastyle="heading 2">ou </span><span data-ccp-parastyle="heading 2">H</span><span data-ccp-parastyle="heading 2">ave to </span><span data-ccp-parastyle="heading 2">C</span><span data-ccp-parastyle="heading 2">omply </span><span data-ccp-parastyle="heading 2">W</span><span data-ccp-parastyle="heading 2">ith</span><span data-ccp-parastyle="heading 2"> the </span><span data-ccp-parastyle="heading 2">CCPA and CPRA?</span><span data-ccp-parastyle="heading 2"> </span></span><span data-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559738":40,"335559739":0,"335559740":259}"> </span></h2> <p><span data-contrast="none">The CPRA changed the rules for</span><span data-contrast="none"> who has to comply only slightly. As of January 1, 2023, the CPRA applies if y</span><span data-contrast="none">ou are a for-profit organization that “does business” in the state of California, collects the personal data of Californians or has it collected for you, and fits one or more of these criteria:</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <ul> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="13" data-aria-level="1"><span data-contrast="none">Buys, sells, or shares the personal information of 100,000 people or households. The “shares” part was added with the CPRA, and the number of people was doubled.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="14" data-aria-level="1"><span data-contrast="none">Creates 50% or more of your revenue through the sale or sharing of personal information.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="15" data-aria-level="1"><span data-contrast="none">Had $25 million in gross revenue in the preceding calendar year. The “preceding calendar year” part was added with the CPRA to make it clear what they meant by $25 million in annual gross revenues. </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> </ul> <p><span data-contrast="none">In theory, you could have to comply with CPRA one year and not the next, depending on your revenue mix and business initiatives. However, the CPRA is in line with many laws around the country and the world, and most of what it requires is considered general best practice, so it doesn’t make a lot of sense to try to figure out whether you can get out of CPRA compliance each year.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <a id="noncompliance-ccpa-cpra" data-hs-anchor="true"></a> <h2 style="font-weight: normal;"><span data-contrast="none" xml:lang="EN-US" lang="EN-US">What Happens if You Don’t Comply With the CPRA?</span> </h2> <p><span data-contrast="none">The penalties for not complying with the law haven’t changed much from the CCPA to the CPRA. However, the new CPRA empowers the Attorney General, California’s 62 different district attorneys and a brand-new </span><a href="https://www.osano.com/articles/california-privacy-protection-agency"><span data-contrast="none">California Privacy Protection Agency (CPPA)</span></a><span data-contrast="none"> to enforce it—the CPPA’s ability to CPRA enforcement powers begin on July 1, 2023. </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">That means there are a lot more “cops on the beat,” so to speak, with the ability to investigate business practices and bring actions to penalize those organizations that are not in compliance.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <h3 style="font-weight: normal;" aria-level="3">CPRA Penalties include: </h3> <ul> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="16" data-aria-level="1"><span data-contrast="none">$2500 per offense for negligent mistakes. </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="17" data-aria-level="1"><span data-contrast="none">$7500 per offense for willful offenses. </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> </ul> <p><span data-contrast="none">Each person affected in a violation constitutes an offense, so the fines can add up quickly, especially if you are willfully negligent. And the bad news: If you’re reading this and then decide not to bother with compliance, you’re being willfully negligent. Oops.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">Is it likely that enforcers of California privacy law will look kindly on businesses that make small mistakes or have small oversights in their compliance plans, especially in the first few years? Absolutely. </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">Is it likely that “I had no idea I had to comply with this law,” will work as an excuse when a regulator comes calling? </span><span data-contrast="none">Absolutely not. </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">How serious is California? In the CCPA, </span><span data-contrast="none">there was a 30-day grace period where you were offered a chance to fix your violations. </span><span data-contrast="none">In the CPRA, there is no such grace period.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <a id="ccpa-cpra-changed" data-hs-anchor="true"></a> <h2 style="font-weight: normal;"><span data-contrast="none" xml:lang="EN-US" lang="EN-US">CPRA Requirements: What’s Really Changed?</span></h2> <p><span data-contrast="none">First and most importantly, you need to make sure consumers can exercise their new rights to control the collection and use of their personal data, many of which have been augmented in some way. Note that the CPRA broadened the definition of “consumers” to include your employees—previously employees and other commercial partners were exempt from California privacy law protection, but no longer.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">Remember: “Personal data” or “</span><a href="https://www.osano.com/articles/pii-vs-pi-vs-sensitive-information"><span data-contrast="none">personal information</span></a><span data-contrast="none">” is defined broadly in both the CCPA and the CPRA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Unless you take steps to de-identify data after you collect it, much of the data you collect from customers and employees is personal data </span><span data-contrast="none">according to California privacy law.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">The CPRA also now puts the onus on you to make sure consumers (and employees) know their privacy rights. That means you’ll need to explain their rights at the point of collection as part of the notice you provide.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559737":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <h2 style="font-weight: normal;"><span data-contrast="none" xml:lang="EN-US" lang="EN-US">The CPRA Definition of Privacy Rights:</span> </h2> <ul> <li><strong><span data-contrast="none">Right to Access, Deletion, and Correction:</span></strong><span data-contrast="none"> Consumers must be able to obtain and delete their own personal information at any time and have it corrected if it is incorrect. If they ask you to delete it, you have to make anyone you’ve shared it with or sold it to delete it as well. The right to correction was introduced by the CPRA, as is the requirement to pass along deletion requests to third parties.</span></li> <li><span><br></span><span data-contrast="none">As part of sharing their personal data with them and in addition to the actual data you possess, you must provide consumers with a list of: </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559738":0,"335559739":0,"335559740":259}"> </span></li> </ul> <p style="padding-left: 80px;"><span data-contrast="none">• The categories of personal information you have collected.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559738":0,"335559739":0,"335559740":259}"> </span></p> <p style="padding-left: 80px;"><span data-contrast="none">• The categories of sources from which you collected their personal information.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559738":0,"335559739":0,"335559740":259}"> </span></p> <p style="padding-left: 80px;"><span data-contrast="none">• The business purpose for which you collected their data. </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559738":0,"335559739":0,"335559740":259}"> </span></p> <ul> <li><span data-contrast="none">The Categories of Third Parties to Which You Sell or Share Their Data. Previously, the CCPA lacked language around the sharing of data and only regulated the sale of data.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559738":0,"335559739":0,"335559740":259}"> </span></li> <li><strong><span data-contrast="none">Right to Object to Sale or Share:</span></strong><span data-contrast="none"> Consumers can prevent the sale or sharing of their information (and you need a “do not share” button on your website to make this easy). The right to object to sharing was added by the CPRA.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559738":0,"335559739":0,"335559740":259}"> </span></li> <li><strong><span data-contrast="none">Right to Opt-Out of Behavioral Profiling and Automated Decision-Making:</span></strong><span data-contrast="none"> Consumers can ask you to stop profiling and serving ads based on behavior, and they can ask you not to use automated decision-making to provide them with offers, products, services, etc. This entire right is new with the CPRA.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559738":0,"335559739":0,"335559740":259}"> </span></li> <li><strong><span data-contrast="none">Right to Object to the Use of Sensitive Personal Information:</span></strong><span data-contrast="none"> Consumers can stop you from using certain data at all, including data surrounding race, precise geolocation, religion, union membership, genetics, biometrics, sexual orientation, and the contents of communications. This new piece in the CPRA also requires you to have a prominent button or link people can use to “limit the use of my sensitive personal information.”</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559738":0,"335559739":0,"335559740":259}"> </span></li> <li><strong><span data-contrast="none">Right to Data Portability: </span></strong><span data-contrast="none">If asked, you must transfer any personal data you hold about a person to another organization, “to the extent technically feasible, in a structured, commonly used, machine-readable format.” This is new with the CPRA.</span><span> </span><br><span></span></li> </ul> <p style="text-align: center;"><span><a href="https://www.osano.com/cs/c/?cta_guid=c039475d-3d81-4a59-b1af-1a0fed5ac7c2&signature=AAH58kGw6A0xnPmoBH4TIJ40htlukl2eCA&pageId=27824911813&placement_guid=9619f2d1-2a05-4b89-b71f-7c501ab440e9&click=2cb4ad41-83a4-424c-9898-238cf36a4d53&hsutk=7663714cc6a14a978694aa1dc92a0811&canon=https%3A%2F%2Fwww.osano.com%2Farticles%2Fcalifornia-privacy-laws-ccpa-cpra&utm_referrer=https%3A%2F%2Fusc-word-edit.officeapps.live.com%2F&portal_id=4785246&redirect_url=APefjpEjVvEniHm-NP2_3EmCN6JaeFu3QHTCcIa-Pp0IidvrtdbHu9cc89MDXXxEvD4pemw0eYTM6NzQtgyvO2fWfeww5kYg4yzDnJxJaI0MQzDa8UcUrUMrGQealvEW1FDdS2M0VRIwURtfXbUm7srlHAGS7BEzVgi3eBaPLZEf6zEBwHPawu8ZaOxTNOLdU8APfplynxEqhSmBdiPvhpIebLQuYBWctk7PASH4lfjrSPe0qZal2DuWYgzPNUH6L3nRr7ESSsdmZxoBP9evyI_QMpAPAGInLQ&__hstc=106899676.7663714cc6a14a978694aa1dc92a0811.1673901573251.1685106171684.1685109496260.202&__hssc=106899676.2.1685109496260&__hsfp=556632128&contentType=blog-post" target="_blank" rel="noreferrer noopener"><span data-contrast="none" xml:lang="EN-US" lang="EN-US">Break down the major tasks you need to complete for CPRA compliance - Download the Guide.</span></a></span></p> <br> <h2 style="font-weight: normal;"><span data-contrast="none" xml:lang="EN-US" lang="EN-US">Introduction of New Privacy Principles:</span> </h2> <p><span data-contrast="none">You also need to abide by a new set of “privacy principles” in all of your data-</span><span data-contrast="none">handling practices, many of which are new with the CPRA:</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <ul> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="18" data-aria-level="1"><strong><span data-contrast="none">Purpose Limitation:</span></strong><span data-contrast="none"> You can only use personal data for the purpose for which it was originally collected. This is new with the CPRA.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="19" data-aria-level="1"><strong><span data-contrast="none">Protection of Children’s Data:</span></strong><span data-contrast="none"> Compared to the CCPA, the CPRA tripled fines for violations associated with the data privacy of children under 16. Permission from a guardian is needed for the collection of a child’s data, too. Another new piece here is that if you don’t receive consent to collect a child’s data, you have to wait 12 months before asking again.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="20" data-aria-level="1"><strong><span data-contrast="none">Storage Limitation: </span></strong><span data-contrast="none">Data should be destroyed or deleted once the data has been used for its collected purpose.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="21" data-aria-level="1"><strong><span data-contrast="none">Reasonable and Appropriate Security:</span></strong><span data-contrast="none"> Security for personal data must be appropriate based on how sensitive the data is and the harm that would result because of unauthorized access. </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> </ul> <h2 style="font-weight: normal;"><span data-contrast="none" xml:lang="EN-US" lang="EN-US">More Changes via CPPA Rulemaking</span> </h2> <p><span data-contrast="none">As if the change from the CCPA to the CPRA wasn’t enough, the law was further modified by the </span><a href="https://www.osano.com/articles/california-privacy-protection-agency"><span data-contrast="none">California Privacy Protection Agency</span></a><span data-contrast="none"> (known as the CPPA, which isn’t confusing at all, surely). After consulting with stakeholders, the CPPA created a number of “rules” that gave further guidance and specificity on how organizations should comply with the CPRA.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">On March 29, 2023, the CPPA finalized rulemaking for the CPRA.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">Most notably, the CPPA codified the need for organizations to conduct risk assessments. Prior to certain “high-risk” collections and uses of personal information, you need to conduct an assessment. After completing the assessment, you must file it with the CPPA to prove you’ve considered the dangers surrounding the data collection and mitigated the risk of harm to the consumer. </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559737":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">Be prepared to create a process in your organization for conducting these risk assessments. </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">The CPPA also clarified that organizations must honor authorized third-party opt-out signals. Essentially, certain entities can provide consent on behalf of an individual, such as the </span><a href="https://www.osano.com/articles/global-privacy-control"><span data-contrast="none">Global Privacy Control (GPC)</span></a><span data-contrast="none">. If a user adds the GPC to their browser and instructs it to send out an opt-out signal, businesses need to respond as though the user had opted out of data collection on their website.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <h2 style="font-weight: normal;">CCPA vs. CPRA comparison chart</h2> <p style="font-weight: normal;">For a quick, at-a-glance look at other changes from CCPA to CPRA, here’s a handy chart:</p> <table style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2; height: 2172.32px; width: 684px;" width="687" height="1753"> <tbody> <tr style="height: 100.195px;"> <td style="width: 683px; padding: 4px; background-color: #37cd8f;" colspan="3" data-celllook="69905"> <p aria-level="4"><i><span data-contrast="none"><span data-ccp-parastyle="heading 4">What’s Changed Between </span><span data-ccp-parastyle="heading 4">the </span><span data-ccp-parastyle="heading 4">CCPA and CPRA?</span></span></i><span data-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559738":40,"335559739":0,"335559740":259}"> </span></p> </td> </tr> <tr style="height: 79px;"> <td style="width: 227.664px; padding: 4px; background-color: #eeeeee;" data-celllook="4369"> <p><span data-contrast="auto"><span> </span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.664px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>CCPA</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":2,"335551620":2,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.672px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>CPRA</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":2,"335551620":2,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> </tr> <tr style="height: 153.188px;"> <td style="width: 227.664px; padding: 4px; background-color: #eeeeee;" data-celllook="69905"> <p><span data-contrast="auto"><span>Enforcement</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.664px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>California</span><span> Attorney General’s Office </span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.672px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>Newly created </span><span>California</span><span> Privacy Protection Agency, plus the AG and District Attorneys</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> </tr> <tr style="height: 128.391px;"> <td style="width: 227.664px; padding: 4px; background-color: #eeeeee;" data-celllook="69905"> <p><span data-contrast="auto"><span>Profiling </span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.664px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>N/A</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.672px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>Consumers can opt out of automated decision-making. </span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> </tr> <tr style="height: 344px;"> <td style="width: 227.664px; padding: 4px; background-color: #eeeeee;" data-celllook="69905"> <p><span data-contrast="auto"><span>Sensitive data </span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.664px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>N/A</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.672px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>New definition of some data as “sensitive.”</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span><span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":0,"335559740":259}"> </span></p> <p><span data-contrast="auto"><span>Businesses must </span><span>disclose</span><span> how they collect, use, sell, and share sensitive data.</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span><span></span></p> <p><span data-contrast="auto"><span>Consumers may opt out of the use, entirely, of their sensitive data.</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> </tr> <tr style="height: 178px;"> <td style="width: 227.664px; padding: 4px; background-color: #eeeeee;" data-celllook="69905"> <p><span data-contrast="auto"><span>Data minimization </span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.664px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>N/A</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.672px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>Businesses must only collect and </span><span>retain</span><span> what’s “reasonably necessary” and “proportionate” to the intended purpose.</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> </tr> <tr style="height: 203px;"> <td style="width: 227.664px; padding: 4px; background-color: #eeeeee;" data-celllook="69905"> <p><span data-contrast="auto"><span>Consumer remedies</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.664px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>Consumers may file a private right of action when a lack of reasonable security leads to a breach.</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.672px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>Expands the private right of action to include remedy for breached data that includes consumers' email address and password or security question.</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> </tr> <tr style="height: 203px;"> <td style="width: 227.664px; padding: 4px; background-color: #eeeeee;" data-celllook="69905"> <p><span data-contrast="auto"><span>Risk Assessments</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.664px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>N/A</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.672px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>For certain collection and use of personal information, organizations will have to conduct risk assessments before beginning the collection or use process.</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> </tr> <tr style="height: 153.188px;"> <td style="width: 227.664px; padding: 4px; background-color: #eeeeee;" data-celllook="69905"> <p><span data-contrast="auto"><span>Deletion</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.664px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>Businesses must fulfill validated consumer requests to </span><span>delete</span><span> their data.</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.672px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>Companies fulfilling legitimate deletion requests must also notify third parties to </span><span>delete</span><span> such information.</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> </tr> <tr style="height: 298.172px;"> <td style="width: 227.664px; padding: 4px; background-color: #eeeeee;" data-celllook="69905"> <p><span data-contrast="auto"><span>Third parties</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.664px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>Not defined.</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.672px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>Third</span><span> </span><span>parties</span><span> defined, excludes service providers and contractors.</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span><span> </span><br></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":0,"335559740":259}"> </span></p> <p><span data-contrast="auto"><span>Businesses must impose </span><span>CPRA</span><span>-level contractual obligations on third parties before sharing, selling, or </span><span>disclosing</span><span> personal data.</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> </tr> <tr style="height: 178px;"> <td style="width: 227.664px; padding: 4px; background-color: #eeeeee;" data-celllook="69905"> <p><span data-contrast="auto"><span>Opt-out links on websites</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.664px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>Businesses must have a “Do not sell my personal information” link.</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.672px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>Companies must have a “Do not </span><span>sell or </span><span>share my personal information” link and a “Limit the use of my sensitive personal information” link. </span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="auto"><span>Businesses must also honor opt-out signals such as the GPC.</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> </tr> <tr style="height: 153.188px;"> <td style="width: 227.664px; padding: 4px; background-color: #eeeeee;" data-celllook="69905"> <p><span data-contrast="auto"><span>Fines</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.664px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>Up to $7,500 per violation or $2,500 per unintentional violation.</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> <td style="width: 227.672px; padding: 4px;" data-celllook="4369"> <p><span data-contrast="auto"><span>Automatic $7,500 fine for violations of minors’ data (children under the age of 16).</span></span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":0,"335551620":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> </td> </tr> </tbody> </table> <a id="comply-ccpa-cpra" data-hs-anchor="true"></a> <h2 style="font-weight: normal;"><span data-contrast="none" xml:lang="EN-US" lang="EN-US">CPRA Checklist: How to Build Toward Compliance</span> </h2> <p><span data-contrast="none">CCPA and CPRA compliance is an a</span><span data-contrast="none">ll-hands-on-deck sort of thing, but will look different at every organization, depending on the type of personal information you’re collecting and your business plan. The following checklist</span><i><span data-contrast="none"> isn’t comprehensive </span></i><span data-contrast="none">(for a more comprehensive resource, check out our eBook </span><a href="https://www.osano.com/l/osano-cpra-compliance"><span data-contrast="none">CPRA Compliance How Osano Can Help</span></a><span data-contrast="none">), but it will help you build a strong foundation for CPRA compliance.</span></p> <h3 aria-level="3"><span data-contrast="none">1. </span><span data-contrast="none">Appoint a Responsible Party to Oversee Compliance</span><span data-ccp-props="{"134233117":false,"134233118":false,"134245418":true,"134245529":true,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559737":0,"335559738":40,"335559739":0,"335559740":259}"> </span></h3> <p><span data-contrast="none">CEOs and CIOs often lead the charge, but it may be worthwhile to appoint a chief privacy officer (CPO) or a privacy director of some kind, often in the legal or compliance time, who can be tasked with overseeing compliance.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <h3 aria-level="3"><span data-contrast="none">2. </span><span data-contrast="none">Establish a Privacy Compliance Program</span><span data-ccp-props="{"134233117":false,"134233118":false,"134245418":true,"134245529":true,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559737":0,"335559738":40,"335559739":0,"335559740":259}"> </span></h3> <p><span data-contrast="none">Privacy compliance is an ongoing activity, so rather than kickoff a compliance project, you’ll really want to establish a </span><a href="https://www.osano.com/articles/privacy-program"><span data-contrast="none">privacy program</span></a><span data-contrast="none">. The program will be responsible for coordinating and launching compliance activities for the CPRA and any other privacy laws your business is subject to.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <h3 aria-level="3"><span data-contrast="none">3. </span><span data-contrast="none">Audit How Personal Information Is Collected and Used</span><span data-ccp-props="{"134233117":false,"134233118":false,"134245418":true,"134245529":true,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559737":0,"335559738":40,"335559739":0,"335559740":259}"> </span></h3> <p><span data-contrast="none">Because so many departments collect and use consumer data, it’s important to record any data collecting and processing activities to make sure personal information is being handled appropriately.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559737":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">Under the EU’s GDPR, this kind of auditing is formalized in a document known as a record of processing activities, or RoPA. Even though the CPRA doesn’t explicitly mention conducting a RoPA, doing so will set the stage for future compliance activities. Check out our article, </span><a href="https://www.osano.com/articles/what-is-a-ropa-gdpr-requirements-for-record-of-processing-activities"><span data-contrast="none">What Is a RoPA?,</span></a><span data-contrast="none"> to learn more. </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559737":0,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <h3 aria-level="3"><span data-contrast="none">4. Conduct Training</span><span data-ccp-props="{"134233117":false,"134233118":false,"134245418":true,"134245529":true,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559737":0,"335559738":0,"335559739":360,"335559740":259}"> </span></h3> <p aria-level="3"><span data-contrast="none">Understanding where your organization collects personal data is important, but it’s even more important to ensure that your team mem</span><span data-contrast="none">bers who collect personal data know how to handle it compliantly.</span><span data-ccp-props="{"134233117":false,"134233118":false,"134245418":true,"134245529":true,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559737":0,"335559738":40,"335559739":0,"335559740":259}"> </span></p> <p><span data-contrast="none">For example, marketers consistently rely on consumer data to influence their campaigns. Consumer data is precisely what makes companies able to effectively target their marketing efforts to the right people at the right time to increase sales. Every time a consumer is tracked with a website cookie, fills out a form, or makes a purchase online, they are giving the company their personal information, which is now protected by the CCPA and the CPRA.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">These marketers need to be trained in how to comply with the law and systems need to be put into place to make sure they follow policy. </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">The same goes for your sales department. All of that customer data that's stored in systems such as Salesforce must be protected and only used appropriately. If it's shared with other departments, those departments now have some ownership. You can see how quickly and easily consumer data spread across the organization.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <h3 aria-level="3"><span data-contrast="none">5. Manage Third-Party Relationships</span><span data-ccp-props="{"134233117":false,"134233118":false,"134245418":true,"134245529":true,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559737":0,"335559738":40,"335559739":0,"335559740":259}"> </span></h3> <p><span data-contrast="none">It’s not just other departments who will handle your consumers’ data; you likely have relationships with other organizations who may be processing consumer personal data.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">These third parties might do things like perform sophisticated data analytics, fill in profiles for people with only partial records, and other potentially privacy-invasive activities. These third-party relationships must be managed via contracts and audits, as you’ll be responsible for how they handle the data supplied to you by your customers and employees.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">Given the volume of third-party relationships you may manage, this task can quickly become overwhelming. That’s why it’s important to identify a </span><a href="https://www.osano.com/products/vendor-risk"><span data-contrast="none">vendor privacy risk management solution</span></a><span data-contrast="none"> to streamline the vendor assessment process.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <h3 aria-level="3"><span data-contrast="none">6. Establish a Means of Managing Consent</span><span data-ccp-props="{"134233117":false,"134233118":false,"134245418":true,"134245529":true,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559737":0,"335559738":40,"335559739":0,"335559740":259}"> </span></h3> <p><span data-contrast="none">On its face, allowing website visitors to opt out of data collection seems simple enough. But in reality, it can become technically complex very quickly. Consider cookies (just one of several data trackers on your website). Some cookies may be necessary to your website’s functionality; so, if you provide a “Do not sell or share my personal information” link on your website, it can’t just block all cookies.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">Furthermore, you’ll need to record individual users’ consent preferences so you don’t accidentally collect data from them in the future, and so you can prove you gathered consent should the CPPA or attorney general come investigating.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">Then, you need to provide a banner that discloses your privacy policy, and you need to do it in a way that complies with the CPRA in the user’s preferred language.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">We dive into the specifics of cookie consent in our blog, </span><a href="https://www.osano.com/articles/cookie-banner"><span data-contrast="none">Cookie Banners: How to Stay Compliant with Privacy Laws.</span></a><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <h3 aria-level="3"><span data-contrast="none">7. Develop and Regularly Review Notices and Privacy Policies</span><span data-ccp-props="{"134233117":false,"134233118":false,"134245418":true,"134245529":true,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></h3> <p><span data-contrast="none">If you collect data from your consumers (or from your employees) and they aren’t aware of what you’re collecting and why, you’ll be out of compliance with the CPRA.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">A key part of CPRA compliance and data privacy compliance as a whole is transparency—that’s why you’ll need to develop and maintain a </span><a href="https://www.osano.com/articles/privacy-policy-checklist"><span data-contrast="none">privacy policy</span></a><span data-contrast="auto"> and present that policy at the point of collection. Since the data you collect from consumers and employees may be entirely distinct, it’s a good idea to craft a separate </span><a href="https://www.osano.com/articles/employee-privacy-policy"><span data-contrast="none">employee privacy policy</span></a><span data-contrast="auto"> as well.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}">You can also digest these steps towards compliance here: <a href="/articles/cpra-compliance-checklist" rel="noopener">CPRA compliance checklist</a></span></p> <h2 style="font-weight: normal;"><span data-contrast="none" xml:lang="EN-US" lang="EN-US">CPRA Solutions: Make Sure You Don’t Try to Do It Alone</span> </h2> <p><span data-contrast="none">Does compliance sound difficult? It is. The CPRA, especially, represents a major evolution in the responsibilities many companies have in regard to handling personal data. </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">Luckily, many companies, like</span><a href="https://www.osano.com/products"><span data-contrast="none"> Osano</span></a><span data-contrast="none">, have created software packages that allow you to:</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <ul> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="22" data-aria-level="1"><span data-contrast="none">Track and document consent.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="23" data-aria-level="1"><span data-contrast="none">Manage your contracts and third-party data sharing in a dashboard-like environment.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="24" data-aria-level="1"><span data-contrast="none">Manage and document consent for cookie placement.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="25" data-aria-level="1"><span data-contrast="none">Conduct and manage risk assessments.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="26" data-aria-level="1"><span data-contrast="none">Quickly respond to requests for access, deletion, and correction. </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{"335552541":1,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="27" data-aria-level="1"><span data-contrast="none">Quickly produce privacy notices that are targeted toward the type of information you’re collecting.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":0,"335559740":259}"> </span></li> </ul> <h2 style="font-weight: normal;"><span data-contrast="none" xml:lang="EN-US" lang="EN-US">Wait. Cookies?! Does the CPRA Change the Rules Around Cookies?</span> </h2> <p><span data-contrast="none">Well, yes and no. The CCPA and CPRA don’t focus on the mechanisms involved with how personal data is collected and used, </span><span data-contrast="none">they just focus on the fact that personal data is actually being collected and used. </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">Thus, if your cookies don’t collect personal information, California data privacy law isn’t particularly worried about them. But, if your cookies do pass a</span><span data-contrast="none">long personal information to your organization or others, then all of the CCPA and CPRA rules apply. </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">Got it? Luckily, there are plenty of cookie consent managers out there to help make sur</span><span data-contrast="none">e you know the difference between essential cookies and those that collect data (and those that do both). </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <a id="california-consumer-privacy" data-hs-anchor="true"></a> <h2 style="font-weight: normal;">Protecting Californian Consumers' Privacy</h2> <p><span data-contrast="none">The people behind the CCPA, CPRA, and CPPA are first and foremost concerned with protecting the privacy of California consumers. They are </span><span data-contrast="none">very likely to prioritize enforcement against the most egregious violators of the law. </span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">However, that does not mean they don’t care about the little guys. While how the CPPA will act is somewhat unpredictable, you should expect audits of classes of websites, roundups of certain types of violations that include large groups of companies, and other enforcement action that seeks to prod large sections of the California marketplace into compliance.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <p><span data-contrast="none">Most especially, you don’t want to be caught looking like you don’t care. Good faith efforts will result in kind attention from the regulators; pleas of ignorance will result in much harsher treatment, indeed.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559738":0,"335559739":360,"335559740":259}"> </span></p> <h2 style="font-weight: normal;">CPRA FAQ </h2> <h3 aria-level="3"><span data-contrast="none">Who Must Comply With the CPRA?</span><span data-ccp-props="{"134233117":false,"134233118":false,"134245418":true,"134245529":true,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559737":0,"335559738":40,"335559739":0,"335559740":259}"> </span></h3> <p><span data-contrast="none">You must comply with the CPRA if you are a for-profit organizations that do business in California, collect the personal data of Californians or has it collected for them, and fits one or more of these criteria: </span><span data-ccp-props="{"201341983":0,"335559685":0,"335559739":160,"335559740":259}"> </span></p> <ul> <li data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{"335552541":1,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="28" data-aria-level="1"><span data-contrast="none">Buys, sells, or shares the personal information of 100,000 people or households. </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{"335552541":1,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="29" data-aria-level="1"><span data-contrast="none">Creates 50% or more of their revenue through the sale or sharing of personal information. </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="3" data-list-defn-props="{"335552541":1,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="30" data-aria-level="1"><span data-contrast="none">Had $25 million in gross revenue in the preceding calendar year.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> </ul> <h3 aria-level="3"><span data-contrast="none">When Did the CPRA Go Into Effect?</span><span data-ccp-props="{"134233117":false,"134233118":false,"134245418":true,"134245529":true,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559737":0,"335559738":40,"335559739":0,"335559740":259}"> </span></h3> <p><span data-contrast="none">The CPRA came into force on January 1, 2023, but it also protects data collected starting January 1, 2022. The CPRA’s enforcement date is July 1, 2023.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <h3 aria-level="3"><span data-contrast="none">What Is the CPRA Definition of Personal Information?</span><span data-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559738":40,"335559739":0,"335559740":259}"> </span></h3> <p><span data-contrast="none">The CPRA defines personal information as "Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."</span><span data-ccp-props="{"201341983":0,"335559685":0,"335559739":160,"335559740":259}"> </span></p> <h3 aria-level="3"><span data-contrast="none">What Is the CPRA Definition of Sensitive Personal Information?</span><span data-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559738":40,"335559739":0,"335559740":259}"> </span></h3> <p><span data-contrast="none">Sensitive personal information has extra requirements for its collection and processing. Sensitive personal information includes:</span><span data-ccp-props="{"201341983":0,"335559685":0,"335559739":160,"335559740":259}"> </span></p> <ul> <li data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{"335552541":1,"335559682":7,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="31" data-aria-level="1"><span data-contrast="none">A consumer’s social security, driver’s license, and similar identifiers. </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{"335552541":1,"335559682":7,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="32" data-aria-level="1"><span data-contrast="none">Account access information. </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{"335552541":1,"335559682":7,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="33" data-aria-level="1"><span data-contrast="none">Precise geolocation. </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{"335552541":1,"335559682":7,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="34" data-aria-level="1"><span data-contrast="none">Sexual identity, ethnicity, etc.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{"335552541":1,"335559682":7,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="35" data-aria-level="1"><span data-contrast="none">Genetic and biometric data.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559685":720,"335559737":0,"335559738":0,"335559739":160,"335559740":259,"335559991":360}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{"335552541":1,"335559682":7,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="35" data-aria-level="1"><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559685":720,"335559737":0,"335559738":0,"335559739":160,"335559740":259,"335559991":360}">Neural data.</span></li> <li data-leveltext="" data-font="Symbol" data-listid="7" data-list-defn-props="{"335552541":1,"335559682":7,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="36" data-aria-level="1"><span data-contrast="none">And more.</span><span data-ccp-props="{"134233117":false,"134233118":false,"201341983":0,"335551550":1,"335551620":1,"335559685":720,"335559737":0,"335559738":0,"335559739":160,"335559740":259,"335559991":360}"> </span></li> </ul> <h3 aria-level="3"><span data-contrast="none">What Are the CPRA’s Requirements Around Data Collection Consent?</span><span data-ccp-props="{"134233117":false,"134233118":false,"134245418":true,"134245529":true,"201341983":0,"335551550":1,"335551620":1,"335559685":0,"335559737":0,"335559738":40,"335559739":0,"335559740":259}"> </span></h3> <p><strong><span data-contrast="none">The CPRA requires businesses to accept opt-out requests, meaning that they can collect users’ personal information by default so long as they provide notice about the collection and means of opting out of it.</span></strong><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><strong><span data-contrast="none">Businesses must provide a </span></strong><span data-contrast="none">"<a href="/articles/do-not-sell-my-personal-information" rel="noopener" target="_blank">Do not sell or share my personal information</a>” link, which stops the share or sale of personal data to third parties, in particular for the purpose of targeted advertising. Businesses must also honor opt-out requests from authorized third-party signals, like the GPC.</span><span data-ccp-props="{"201341983":0,"335559685":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="none">Businesses must also provide a “<a href="/articles/limit-the-use-of-my-sensitive-personal-information" rel="noopener" target="_blank">Limit the use of my sensitive personal information</a>” link, which prevents any sale or share of sensitive personal information unless it's strictly necessary for the provision of your product or service, or for specific business purposes listed in the law (such as debugging purposes, providing customer service, and other purposes).</span><span data-ccp-props="{"201341983":0,"335559685":0,"335559739":160,"335559740":259}"> </span></p> <p><span data-contrast="none">While most personal data collection is opt-out, businesses must acquire opt-in consent (i.e., not collecting unless the user agrees first) in the following circumstances:</span><span data-ccp-props="{"201341983":0,"335559685":0,"335559739":160,"335559740":259}"> </span></p> <ul> <li data-leveltext="" data-font="Symbol" data-listid="14" data-list-defn-props="{"335552541":1,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="37" data-aria-level="1"><span data-contrast="none">When selling or sharing personal information of minors.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="14" data-list-defn-props="{"335552541":1,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="38" data-aria-level="1"><span data-contrast="none">When Offering participation in financial incentive programs.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="14" data-list-defn-props="{"335552541":1,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="39" data-aria-level="1"><span data-contrast="none">When selling or sharing the personal information of consumers who have previously opted out.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="14" data-list-defn-props="{"335552541":1,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="40" data-aria-level="1"><span data-contrast="none">When using personal information for a secondary purpose beyond the original stated purpose.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="14" data-list-defn-props="{"335552541":1,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="41" data-aria-level="1"><span data-contrast="none">When using personal information for scientific research.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> </ul> <h3 aria-level="3"><span data-contrast="none">What Are the CPRA’s Requirements Around Data Subject Rights?</span><span data-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559738":40,"335559739":0,"335559740":259}"> </span></h3> <p style="font-weight: normal;">The CPRA provides consumers, employees, and other commercial partners with the following rights: </p> <ul> <li data-leveltext="" data-font="Symbol" data-listid="23" data-list-defn-props="{"335552541":1,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="42" data-aria-level="1"><span data-contrast="none">Right to Access, Deletion, and Correction </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="23" data-list-defn-props="{"335552541":1,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="43" data-aria-level="1"><span data-contrast="none">Right To Object to Sale or Share </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="23" data-list-defn-props="{"335552541":1,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="44" data-aria-level="1"><span data-contrast="none">Right To Opt-out of Behavioral Profiling and Automated Decision-Making </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="23" data-list-defn-props="{"335552541":1,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="45" data-aria-level="1"><span data-contrast="none">Right To Object to the Use of Sensitive Personal Information </span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="23" data-list-defn-props="{"335552541":1,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="46" data-aria-level="1"><span data-contrast="none">Right to Data Portability</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> </ul> <p><span data-contrast="none">Subject rights requests must be fulfilled within a 45-day window, with the option for a 45-day extension for complex and/or high-volume requests. Businesses may refuse or charge a fee for subject rights request if they are manifestly unfounded or excessive. However, the onus is on the business to prove whether a request is manifestly unfounded or excessive.</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <h3 aria-level="3"><span data-contrast="none">How Does CPRA Enforcement Work?</span><span data-ccp-props="{"134245418":true,"134245529":true,"201341983":0,"335559738":40,"335559739":0,"335559740":259}"> </span></h3> <p><strong><span data-contrast="none">The state attorney general, district attorneys, and the California Privacy Protection Agency may enforce the CPRA. In some limited circumstances, private citizens may sue businesses for CPRA violations. </span></strong><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></p> <p><strong><span data-contrast="none">Businesses that violate the CPRA may be penalized with:</span></strong><span data-ccp-props="{"201341983":0,"335559685":0,"335559739":160,"335559740":259}"> </span></p> <ul> <li data-leveltext="" data-font="Symbol" data-listid="31" data-list-defn-props="{"335552541":1,"335559682":31,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="47" data-aria-level="1"><span data-contrast="none">A $2.5k fine per negligent mistakes</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> <li data-leveltext="" data-font="Symbol" data-listid="31" data-list-defn-props="{"335552541":1,"335559682":31,"335559683":0,"335559684":-2,"335559685":720,"335559991":360,"469769226":"Symbol","469769242":[8226],"469777803":"left","469777804":"","469777815":"hybridMultilevel"}" aria-setsize="-1" data-aria-posinset="48" data-aria-level="1"><span data-contrast="none">A $7.5k per willfully negligent violations</span><span data-ccp-props="{"201341983":0,"335559739":160,"335559740":259}"> </span></li> </ul></span> </div> </article> <a class="inline-btn" href="https://www.osano.com/solutions/cpra-compliance-software"> <span> See How Osano Solves for CPRA Compliance </span> <svg xmlns="http://www.w3.org/2000/svg" width="14" height="15" viewbox="0 0 14 15" fill="none"> <path d="M1.16667 7.51497H12.8333M12.8333 7.51497L7 1.68164M12.8333 7.51497L7 13.3483" stroke="#0E0416" stroke-width="1.66667" stroke-linecap="round" stroke-linejoin="round" /> </svg> </a> <div class="post-conversion-panel"> <div class="row align-items-center"> <div class="col-12 col-md-7"> <h3> 7 Steps to CPRA Compliance </h3> <p> To track your journey to CPRA compliance, walk through this checklist. Here, we’ll delve into the basics of CPRA, explore its key principles, and outline the essential steps to achieve compliance. </p> <a class="inline-btn" href="https://www.osano.com/l/cpra-compliance-checklist"> <span> Download Now </span> <svg xmlns="http://www.w3.org/2000/svg" width="14" height="15" viewbox="0 0 14 15" fill="none"> <path d="M1.16667 7.51497H12.8333M12.8333 7.51497L7 1.68164M12.8333 7.51497L7 13.3483" stroke="#0E0416" stroke-width="1.66667" stroke-linecap="round" stroke-linejoin="round" /> </svg> </a> </div> <div class="col-12 col-md-5 mt-4 mt-md-0"> <img src="https://www.osano.com/hs-fs/hubfs/Switchback%20-%20CPRA%20checklist.png?width=623&height=592&name=Switchback%20-%20CPRA%20checklist.png" alt="Switchback - CPRA checklist" loading="lazy" width="623" height="592" style="max-width: 100%; height: auto;" srcset="https://www.osano.com/hs-fs/hubfs/Switchback%20-%20CPRA%20checklist.png?width=312&height=296&name=Switchback%20-%20CPRA%20checklist.png 312w, https://www.osano.com/hs-fs/hubfs/Switchback%20-%20CPRA%20checklist.png?width=623&height=592&name=Switchback%20-%20CPRA%20checklist.png 623w, https://www.osano.com/hs-fs/hubfs/Switchback%20-%20CPRA%20checklist.png?width=935&height=888&name=Switchback%20-%20CPRA%20checklist.png 935w, https://www.osano.com/hs-fs/hubfs/Switchback%20-%20CPRA%20checklist.png?width=1246&height=1184&name=Switchback%20-%20CPRA%20checklist.png 1246w, https://www.osano.com/hs-fs/hubfs/Switchback%20-%20CPRA%20checklist.png?width=1558&height=1480&name=Switchback%20-%20CPRA%20checklist.png 1558w, https://www.osano.com/hs-fs/hubfs/Switchback%20-%20CPRA%20checklist.png?width=1869&height=1776&name=Switchback%20-%20CPRA%20checklist.png 1869w" sizes="(max-width: 623px) 100vw, 623px"> </div> </div> </div> <div class="post-author-biography"> <div class="row"> <div class="col-md-2 post-author-biography-avatar"> <img src="https://www.osano.com/hubfs/assets/avatars/sam-pfeifle.png"> <div class="d-md-none"> <h4> Sam Pfeifle </h4> <p class="post-author-biography-position"> </p> </div> </div> <div class="col-md-10 author-biography-wrapper"> <div class="d-none d-md-block"> <h4> Sam Pfeifle </h4> </div> <p class="post-author-biography-description"> Sam is a journalist and head of West Gray Creative, a content services firm based in Maine. In a former life, he was director of content at the IAPP and has run publications in the security, workboat, and 3D reality capture spaces. Currently, he serves as the chair of his local school board, fronts the World Famous Grassholes, and would like to be a professional baseball player when he grows up. </p> </div> </div> </div> <div class="post-share d-lg-none"> <h5> Share this article </h5> <ul> <li> <span class="d-flex align-items-center share-clipboard" id="copy-url-btn" data-url="https://www.osano.com/articles/california-privacy-laws-ccpa-cpra"> <span class="tooltip-clipboard">Copy to clipboard</span> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none"> <path d="M10 13C10.4295 13.5742 10.9774 14.0492 11.6066 14.393C12.2358 14.7367 12.9315 14.9411 13.6467 14.9924C14.3618 15.0436 15.0796 14.9404 15.7514 14.6898C16.4231 14.4392 17.0331 14.0471 17.54 13.54L20.54 10.54C21.4508 9.59702 21.9548 8.334 21.9434 7.02302C21.932 5.71204 21.4062 4.45797 20.4791 3.53093C19.5521 2.60389 18.298 2.07805 16.987 2.06666C15.676 2.05526 14.413 2.55924 13.47 3.47003L11.75 5.18003M14 11C13.5706 10.4259 13.0227 9.95084 12.3935 9.60709C11.7643 9.26333 11.0685 9.05891 10.3534 9.00769C9.63822 8.95648 8.92043 9.05966 8.24867 9.31025C7.57691 9.56083 6.9669 9.95296 6.46002 10.46L3.46002 13.46C2.54923 14.403 2.04525 15.666 2.05665 16.977C2.06804 18.288 2.59388 19.5421 3.52092 20.4691C4.44796 21.3962 5.70203 21.922 7.01301 21.9334C8.32399 21.9448 9.58701 21.4408 10.53 20.53L12.24 18.82" stroke="#A8A0B1" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" /> </svg> </span> </li> <li> <a class="podcast-button-hover d-flex align-items-center podcast-share__btn" href="https://twitter.com/intent/tweet?url=https://www.osano.com/articles/california-privacy-laws-ccpa-cpra" target="_blank" rel="noopener"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none"> <path d="M7.55016 21.75C16.6045 21.75 21.5583 14.2468 21.5583 7.74192C21.5583 7.53098 21.5536 7.31536 21.5442 7.10442C22.5079 6.40752 23.3395 5.54432 24 4.55536C23.1025 4.95466 22.1496 5.21544 21.1739 5.3288C22.2013 4.71297 22.9705 3.74553 23.3391 2.60583C22.3726 3.17862 21.3156 3.58267 20.2134 3.80067C19.4708 3.01162 18.489 2.48918 17.4197 2.31411C16.3504 2.13905 15.2532 2.32111 14.2977 2.83216C13.3423 3.3432 12.5818 4.15477 12.1338 5.14137C11.6859 6.12798 11.5754 7.23468 11.8195 8.29036C9.86249 8.19215 7.94794 7.68377 6.19998 6.79816C4.45203 5.91255 2.90969 4.6695 1.67297 3.14958C1.0444 4.2333 0.852057 5.51571 1.13503 6.73615C1.418 7.9566 2.15506 9.02351 3.19641 9.72005C2.41463 9.69523 1.64998 9.48474 0.965625 9.10598V9.16692C0.964925 10.3042 1.3581 11.4066 2.07831 12.2868C2.79852 13.167 3.80132 13.7706 4.91625 13.995C4.19206 14.1932 3.43198 14.2221 2.69484 14.0794C3.00945 15.0575 3.62157 15.913 4.44577 16.5264C5.26997 17.1398 6.26512 17.4807 7.29234 17.5013C5.54842 18.8712 3.39417 19.6142 1.17656 19.6107C0.783287 19.6101 0.390399 19.586 0 19.5385C2.25286 20.9838 4.87353 21.7514 7.55016 21.75Z" fill="#A8A0B1" /> </svg> </a> </li> <li> <a class="podcast-button-hover d-flex align-items-center podcast-share__btn podcast-share__btn--2" href="http://www.linkedin.com/shareArticle?mini=true&url=https://www.osano.com/articles/california-privacy-laws-ccpa-cpra" target="_blank" rel="noopener"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewbox="0 0 24 24" fill="none"> <g clip-path="url(#clip0_400_12823)"> <path d="M22.2234 0H1.77187C0.792187 0 0 0.773438 0 1.72969V22.2656C0 23.2219 0.792187 24 1.77187 24H22.2234C23.2031 24 24 23.2219 24 22.2703V1.72969C24 0.773438 23.2031 0 22.2234 0ZM7.12031 20.4516H3.55781V8.99531H7.12031V20.4516ZM5.33906 7.43438C4.19531 7.43438 3.27188 6.51094 3.27188 5.37187C3.27188 4.23281 4.19531 3.30937 5.33906 3.30937C6.47813 3.30937 7.40156 4.23281 7.40156 5.37187C7.40156 6.50625 6.47813 7.43438 5.33906 7.43438ZM20.4516 20.4516H16.8937V14.8828C16.8937 13.5562 16.8703 11.8453 15.0422 11.8453C13.1906 11.8453 12.9094 13.2937 12.9094 14.7891V20.4516H9.35625V8.99531H12.7687V10.5609H12.8156C13.2891 9.66094 14.4516 8.70938 16.1813 8.70938C19.7859 8.70938 20.4516 11.0813 20.4516 14.1656V20.4516Z" fill="#A8A0B1" /> </g> <defs> <clippath id="clip0_400_12823"> <rect width="24" height="24" fill="white" /> </clippath> </defs> </svg> </a> </li> </ul> </div> </div> </div> </div> <section class="latest-articles"> <div class="container"> <div class="row"> <div class="col-12 col-lg-8 latest-articles-header"> <h5 class="eyebrow form-hero"> Blog </h5> <h2> Check out some of our latest articles </h2> <p> Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance. </p> <div class="cta-wrapper mb-0 justify-content-start"> <a class="primary-btn" href="https://www.osano.com/articles"> <span> View All Blog Posts </span> </a> <a class="inline-btn" href="https://www.osano.com/resources"> <span> View All Resources </span> <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewbox="0 0 14 14" fill="none"> <path d="M1.16666 6.74984H12.8333M12.8333 6.74984L6.99999 0.916504M12.8333 6.74984L6.99999 12.5832" stroke="#0E0416" stroke-width="1.66667" stroke-linecap="round" stroke-linejoin="round" /> </svg> </a> </div> </div> </div> <div class="row latest-articles-row"> <div class="col-12 col-md-6 col-lg-4"> <div class="blog-related-posts__card"> <div class="blog-related-posts__image-wrapper"> <img src="https://www.osano.com/hubfs/Skye-McCullough-WIP-1024x512.png" loading="lazy" alt="Skye McCullough"> </div> <div class="blog-related-posts__content"> <h5 class="eyebrow form-hero "> Featured </h5> <h3> Osano’s Own Women in Privacy: Skye McCullough </h3> <p class="mb-3"> Our showcase of Osano’s Women in Privacy continues with our third profile: Meet Skye... </p> <span class="inline-btn"> <span> Read Now </span> <svg xmlns="http://www.w3.org/2000/svg" width="14" height="15" viewbox="0 0 14 15" fill="none"> <path d="M1.16675 7.5H12.8334M12.8334 7.5L7.00008 1.66666M12.8334 7.5L7.00008 13.3333" stroke="#0E0416" stroke-width="1.66667" stroke-linecap="round" stroke-linejoin="round" /> </svg> </span> </div> <a class="mask-link" href="https://www.osano.com/articles/women-in-privacy-skye-mccullough"></a> </div> </div> <div class="col-12 col-md-6 col-lg-4"> <div class="blog-related-posts__card"> <div class="blog-related-posts__image-wrapper"> <img src="https://www.osano.com/hubfs/APP%20Blog%20Img.png" loading="lazy" alt="Ask a Privacy Pro Graphic"> </div> <div class="blog-related-posts__content"> <h5 class="eyebrow form-hero "> Ask a Privacy Pro </h5> <h3> Introducing Osano's Ask a Privacy Pro Series </h3> <p class="mb-3"> There's a lot of uncertainty out there in the world of data privacy. Now, there's a... </p> <span class="inline-btn"> <span> Read Now </span> <svg xmlns="http://www.w3.org/2000/svg" width="14" height="15" viewbox="0 0 14 15" fill="none"> <path d="M1.16675 7.5H12.8334M12.8334 7.5L7.00008 1.66666M12.8334 7.5L7.00008 13.3333" stroke="#0E0416" stroke-width="1.66667" stroke-linecap="round" stroke-linejoin="round" /> </svg> </span> </div> <a class="mask-link" href="https://www.osano.com/articles/ask-a-privacy-pro-series"></a> </div> </div> <div class="col-12 col-md-6 col-lg-4"> <div class="blog-related-posts__card"> <div class="blog-related-posts__image-wrapper"> <img src="https://www.osano.com/hubfs/Ashley-Fowler-WIP-1024x512.png" loading="lazy" alt="Graphic of Ashley Fowler"> </div> <div class="blog-related-posts__content"> <h5 class="eyebrow form-hero "> Featured </h5> <h3> Osano’s Own Women in Privacy: Ashley Fowler </h3> <p class="mb-3"> Welcome to the second installment of our three-part series profiling the Women in... </p> <span class="inline-btn"> <span> Read Now </span> <svg xmlns="http://www.w3.org/2000/svg" width="14" height="15" viewbox="0 0 14 15" fill="none"> <path d="M1.16675 7.5H12.8334M12.8334 7.5L7.00008 1.66666M12.8334 7.5L7.00008 13.3333" stroke="#0E0416" stroke-width="1.66667" stroke-linecap="round" stroke-linejoin="round" /> </svg> </span> </div> <a class="mask-link" href="https://www.osano.com/articles/women-in-privacy-ashley-fowler"></a> </div> </div> </div> </div> </section> <section class="conversion-panel "> <div class="conversion-panel-wrapper"> <div class="container"> <div class="col-12 col-xl-8 mx-xl-auto conversion-panel__header text-center px-0"> <h5 class="eyebrow form-hero"> </h5> <h2 class="conversion-panel__heading"> The CPRA Is Complex. Compliance Doesn’t Have to Be. </h2> <p> Simplify CPRA compliance with Osano. Let us show you exactly how easy meeting your CPRA obligations can be. </p> <div class="cta-wrapper mb-0 "> <a class="primary-btn btn-lg" href="https://www.osano.com/request/demo"> <span> Book a Demo </span> </a> <a class="secondary-btn btn-lg" href="https://www.osano.com/plans"> <span> Get Started </span> </a> </div> </div> </div> </div> </section> </div> <script type="text/javascript"> var classname = document.getElementsByClassName("share-clipboard"); var listenFunction = function() { const currentDom = this; currentDom.querySelector(".tooltip-clipboard").classList.add("tooltip-active"); setTimeout(function() { currentDom.querySelector(".tooltip-clipboard").classList.remove("tooltip-active"); }, 1000); }; for (var i = 0; i < classname.length; i++) { classname[i].addEventListener('click', listenFunction, false); } </script> <style> .share-clipboard { position: relative; } .tooltip-clipboard { position: absolute; top: -40px; border-radius: 6px; padding: 8px; background: #000; color: #fff; font-size: 12px; left: 0px; width: 110px; z-index: 2; transition: 200ms ease-in-out; opacity: 0; transform: translateY(10px); } .tooltip-clipboard:before { content: ''; width: 8px; height: 8px; transform: rotate(135deg); background: #000; position: absolute; bottom: -4px; left: 12px; } .tooltip-active { opacity: 1; transform: translateY(0px); } </style> </main> <div data-global-resource-path="Osano/templates/partials/footer.html"><div id="hs_cos_wrapper_module_16795059098115" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_module" style="" data-hs-cos-general-type="widget" data-hs-cos-type="module"><footer class="footer"> <div class="container"> <div class="footer-desktop-grid"> <div class="footer-grid-wrapper"> <div class="footer-logo-wrapper"> <div class="footer-logo-container"> <a class="footer-logo-link" href="https://www.osano.com/"> <img class="footer-logo-image" src="https://www.osano.com/hubfs/assets/logos/header%20logo%20vector.svg" alt="header logo vector"> </a> </div> <p class="footer-logo-tagline intro">The Simple, All-in-One Data Privacy Platform</p> </div> <div class="footer-form-wrapper"> <h4 class="footer-form-heading text-lg semibold-weight">Subscribe to Osano news & insights</h4> <span id="hs_cos_wrapper_module_16795059098115_" class="hs_cos_wrapper hs_cos_wrapper_widget hs_cos_wrapper_type_form" style="" data-hs-cos-general-type="widget" data-hs-cos-type="form"><h3 id="hs_cos_wrapper_form_710538491_title" class="hs_cos_wrapper form-title" data-hs-cos-general-type="widget_field" data-hs-cos-type="text"></h3> <div id="hs_form_target_form_710538491"></div> </span> </div> </div> <div class="footer-links-wrapper"> <div class="footer-grid"> <h4 class="footer-link-category text-md semibold-weight">Products</h4> <div class="footer-links-grid-container"> <a class="footer-link" href="https://www.osano.com/products"> The Osano Platform </a> <a class="footer-link" href="https://www.osano.com/cookieconsent"> Cookie Consent </a> <a class="footer-link" href="https://www.osano.com/products/unified-consent-preference-hub"> Unified Consent & Preference Hub </a> <a class="footer-link" href="https://www.osano.com/products/subject-rights"> Subject Rights Management </a> <a class="footer-link" href="https://www.osano.com/products/data-mapping"> Data Mapping </a> <a class="footer-link" href="https://www.osano.com/products/vendor-risk"> Vendor Management </a> <a class="footer-link" href="https://www.osano.com/products/privacy-assessments"> Assessments </a> <a class="footer-link" href="https://www.osano.com/features/trusthub"> TrustHub </a> <a class="footer-link" href="/features/privacy-templates"> Privacy Templates </a> <a class="footer-link" href="https://www.osano.com/features/gdpr-representative"> GDPR Representative </a> <a class="footer-link" href="https://www.osano.com/features/regulatory-guidance"> Regulatory Guidance </a> <a class="footer-link" href="https://www.osano.com/features/privacy-experts"> Consult Privacy Team </a> </div> </div> <div class="footer-grid"> <h4 class="footer-link-category text-md semibold-weight">Company</h4> <div class="footer-links-grid-container"> <a class="footer-link" href="https://www.osano.com/company/about"> About Us </a> <a class="footer-link" href="https://www.osano.com/company/careers"> Careers </a> <a class="footer-link" href="https://www.osano.com/company/contact"> Contact </a> <a class="footer-link" href="https://www.osano.com/pledge"> Our Pledge </a> <a class="footer-link" href="https://www.osano.com/pr"> Press & Media </a> <a class="footer-link" href="https://www.osano.com/company/data"> Data Licensing </a> <a class="footer-link" href="https://www.osano.com/company/partners-resellers"> Partners & Resellers </a> <a class="footer-link" href="https://www.osano.com/company/partners-resellers-gate" rel="nofollow"> Partner Resources </a> <a class="footer-link" href="https://shop.osano.com" target="_blank" rel="noopener"> Osano Swag Store </a> </div> </div> <div class="footer-grid"> <h4 class="footer-link-category text-md semibold-weight">Resources</h4> <div class="footer-links-grid-container"> <a class="footer-link" href="https://www.osano.com/articles"> Articles </a> <a class="footer-link" href="https://www.osano.com/podcast"> Podcast </a> <a class="footer-link" href="https://www.osano.com/customers"> Customer Stories </a> <a class="footer-link" href="https://www.osano.com/resources"> Resource Center </a> <a class="footer-link" href="https://www.osano.com/events"> Events </a> <a class="footer-link" href="https://www.osano.com/newsletter"> Newsletter </a> <a class="footer-link" href="https://www.osano.com/guide/privacy-program-maturity-model/introduction"> Privacy Program Maturity Model </a> <a class="footer-link" href="https://www.osano.com/faq"> FAQs </a> <a class="footer-link" href="https://www.osano.com/plans"> Plans & Pricing </a> <a class="footer-link" href="https://www.osano.com/request/demo"> Schedule a Demo </a> <a class="footer-link" href="https://www.osano.com/updates"> Product Updates </a> <a class="footer-link" href="https://docs.osano.com/"> Documentation </a> <a class="footer-link" href="https://developers.osano.com/" target="_blank" rel="noopener"> Developer Documentation </a> <a class="footer-link" href="https://status.osano.com/" target="_blank" rel="noopener"> System Status </a> <a class="footer-link" href="https://github.com/osano" target="_blank" rel="noopener"> Open Source </a> <a class="footer-link" href="/sitemap"> Sitemap </a> </div> </div> <div class="footer-grid"> <h4 class="footer-link-category text-md semibold-weight">Legal</h4> <div class="footer-links-grid-container"> <a class="footer-link" href="https://osano.trusthub.com/cookies"> Cookies </a> <a class="footer-link" href="https://osano.trusthub.com/dpa"> DPA </a> <a class="footer-link" href="https://osano.trusthub.com/gdpr"> GDPR </a> <a class="footer-link" href="https://osano.trusthub.com/privacy"> Privacy </a> <a class="footer-link" href="https://osano.trusthub.com/terms"> Terms </a> <a class="footer-link" href="https://www.osano.com/american-privacy-rights-act-apra"> APRA </a> </div> </div> </div> </div> <div class="footer-social-links-wrapper"> <div class="footer-social-links-container"> <a class="footer-social-link" href="https://twitter.com/Osano" data-icon="twitter" target="_blank" rel="noopener"> </a> <a class="footer-social-link" href="https://www.linkedin.com/company/osano/" data-icon="linkedin" target="_blank" rel="noopener"> </a> <a class="footer-social-link" href="https://www.facebook.com/osanoatx/" data-icon="facebook" target="_blank" rel="noopener"> </a> </div> <p class="footer-copyright-text text-md">© 2018 - 2025 · Osano, Inc., a Public Benefit Corp · Osano is a registered trademark of Osano, Inc. a Public Benefit Corporation · Nothing on the Osano website, platform, or services, nor any portion thereof constitutes actual legal or regulatory advice, opinion, or recommendation by Osano, Inc. a Public Benefit Corporation, Osano International Compliance Services LTD, or Osano UK Compliance LTD. If legal assistance is required, users should seek the services of an attorney.</p> </div> </div> </footer></div></div> </div> <!-- HubSpot performance collection script --> <script defer src="/hs/hsstatic/content-cwv-embed/static-1.1293/embed.js"></script> <script> var hsVars = hsVars || {}; hsVars['language'] = 'en'; </script> <script src="/hs/hsstatic/cos-i18n/static-1.53/bundles/project.js"></script> <script src="https://www.osano.com/hs-fs/hub/4785246/hub_generated/template_assets/107540964238/1713300295805/Osano/js/main.min.js"></script> <script src="https://www.osano.com/hs-fs/hub/4785246/hub_generated/template_assets/110533867323/1724946162125/Osano/js/jquery.min.js"></script> <script src="https://www.osano.com/hs-fs/hub/4785246/hub_generated/module_assets/111415423003/1727864669119/module_111415423003_Header.min.js"></script> <script src="https://www.osano.com/hs-fs/hub/4785246/hub_generated/template_assets/110826992732/1713300295779/Osano/js/gsap.min.js"></script> <script src="https://www.osano.com/hs-fs/hub/4785246/hub_generated/template_assets/110825589668/1713300297127/Osano/js/ScrollTrigger.min.js"></script> <script src="https://www.osano.com/hs-fs/hub/4785246/hub_generated/module_assets/113269451948/1728404784535/module_113269451948_Hero_-_Blog_Detail.min.js"></script> <!--[if lte IE 8]> <script charset="utf-8" src="https://js.hsforms.net/forms/v2-legacy.js"></script> <![endif]--> <script data-hs-allowed="true" src="/_hcms/forms/v2.js"></script> <script data-hs-allowed="true"> var options = { portalId: '4785246', formId: '162149ed-dd87-457a-9bc7-d18001586306', formInstanceId: '6027', pageId: '27824911813', region: 'na1', pageName: "The Expert\'s Guide to California Data Privacy Law | CCPA & CPRA", inlineMessage: "Thanks for submitting the form.", rawInlineMessage: "Thanks for submitting the form.", hsFormKey: "cb2bd2ddbc79dfa3373790106d8612c8", css: '', target: '#hs_form_target_form_837244757', contentType: "blog-post", formsBaseUrl: '/_hcms/forms/', formData: { cssClass: 'hs-form stacked hs-custom-form' } }; options.getExtraMetaDataBeforeSubmit = function() { var metadata = {}; if (hbspt.targetedContentMetadata) { var count = hbspt.targetedContentMetadata.length; var targetedContentData = []; for (var i = 0; i < count; i++) { var tc = hbspt.targetedContentMetadata[i]; if ( tc.length !== 3) { continue; } targetedContentData.push({ definitionId: tc[0], criterionId: tc[1], smartTypeId: tc[2] }); } metadata["targetedContentMetadata"] = JSON.stringify(targetedContentData); } return metadata; }; hbspt.forms.create(options); </script> <script data-hs-allowed="true"> var options = { portalId: '4785246', formId: '162149ed-dd87-457a-9bc7-d18001586306', formInstanceId: '3631', pageId: '27824911813', region: 'na1', pageName: "The Expert\'s Guide to California Data Privacy Law | CCPA & CPRA", inlineMessage: "<p>Thanks for subscribing.<\/p>", rawInlineMessage: "<p>Thanks for subscribing.<\/p>", hsFormKey: "b55adf6495feea36d4dc185626cb08e4", css: '', target: '#hs_form_target_form_710538491', contentType: "blog-post", formsBaseUrl: '/_hcms/forms/', formData: { cssClass: 'hs-form stacked hs-custom-form' } }; options.getExtraMetaDataBeforeSubmit = function() { var metadata = {}; if (hbspt.targetedContentMetadata) { var count = hbspt.targetedContentMetadata.length; var targetedContentData = []; for (var i = 0; i < count; i++) { var tc = hbspt.targetedContentMetadata[i]; if ( tc.length !== 3) { continue; } targetedContentData.push({ definitionId: tc[0], criterionId: tc[1], smartTypeId: tc[2] }); } metadata["targetedContentMetadata"] = JSON.stringify(targetedContentData); } return metadata; }; hbspt.forms.create(options); </script> <!-- Start of HubSpot Analytics Code --> <script type="text/javascript"> var _hsq = _hsq || []; _hsq.push(["setContentType", "blog-post"]); _hsq.push(["setCanonicalUrl", "https:\/\/www.osano.com\/articles\/california-privacy-laws-ccpa-cpra"]); _hsq.push(["setPageId", "27824911813"]); _hsq.push(["setContentMetadata", { "contentPageId": 27824911813, "legacyPageId": "27824911813", "contentFolderId": null, "contentGroupId": 9895000587, "abTestId": null, "languageVariantId": 27824911813, "languageCode": "en", }]); </script> <script type="text/javascript"> var hbspt = hbspt || {}; (hbspt.targetedContentMetadata = hbspt.targetedContentMetadata || []).push(...[]); var _hsq = _hsq || []; _hsq.push(["setTargetedContentMetadata", hbspt.targetedContentMetadata]); </script> <script type="text/javascript" id="hs-script-loader" async defer src="/hs/scriptloader/4785246.js?businessUnitId=0"></script> <!-- End of HubSpot Analytics Code --> <script type="text/javascript"> var hsVars = { render_id: "761c08dc-1071-4d52-b698-4cc4a979f5b7", ticks: 1739791807965, page_id: 27824911813, content_group_id: 9895000587, portal_id: 4785246, app_hs_base_url: "https://app.hubspot.com", cp_hs_base_url: "https://cp.hubspot.com", language: "en", analytics_page_type: "blog-post", scp_content_type: "", analytics_page_id: "27824911813", category_id: 3, folder_id: 0, is_hubspot_user: false } </script> <script defer src="/hs/hsstatic/HubspotToolsMenu/static-1.393/js/index.js"></script> <script> const targetNodeHelloBar = document.body; const configHelloBar = { attributes: true, childList: true, subtree: false }; const isHelloBar = function(n){ if( typeof n.classList === "object" && n.classList.length > 0 && n.classList.contains("leadinModal") && n.classList.contains("leadinModal-theme-top") && n.classList.contains("leadinModal-formless") ){ return true; } } const callbackHelloBar = function(mutationsList, observer) { mutationsList.forEach((mutation) => { if (mutation.type === 'childList') { if(typeof mutation.addedNodes === "object" && mutation.addedNodes.length >= 1){ mutation.addedNodes.forEach((n) => { if(isHelloBar(n)){ if(typeof document.getElementsByTagName("header")[0] !== "undefined"){ document.getElementsByTagName("header")[0].style.top = String(n.offsetHeight) + "px"; } } }); } else if(typeof mutation.removedNodes === "object" && mutation.removedNodes.length >= 1){ mutation.removedNodes.forEach((n) => { if(isHelloBar(n)){ if(typeof document.getElementsByTagName("header")[0] !== "undefined"){ document.getElementsByTagName("header")[0].style.top = "0px"; } } }); } } }); }; const observerHelloBar = new MutationObserver(callbackHelloBar); observerHelloBar.observe(targetNodeHelloBar, configHelloBar); /* site search form itercept */ document.querySelectorAll('form.search-form').forEach(e => { e.addEventListener('submit', function (event) { event.preventDefault(); let searchTerm = event.target.querySelector('input.searchInput').value; let searchScopeSelect = event.target.querySelector('select.searchScope'); let searchResultURL = "/search?term=" + searchTerm; let searchTail = "&utm_campaign=siteSearch&utm_source=internal&utm_medium=search&utm_term=" + searchTerm; if (searchScopeSelect != null && searchScopeSelect.options[searchScopeSelect.selectedIndex].value.length > 0) { searchResultURL += "&searchScope=" + searchScopeSelect.options[searchScopeSelect.selectedIndex].value; searchTail += "&utm_content=" + searchScopeSelect.options[searchScopeSelect.selectedIndex].value; } else { searchTail += "&utm_content=all"; } _hsq.push([ 'trackCustomBehavioralEvent', { name: "pe4785246_www_search", properties: { hs_search_term: searchTerm }, }, ]); window.location.href = searchResultURL + searchTail; return false; }); }); document.querySelectorAll('a.js-toggle-search').forEach(e => { e.onclick = function(){ let searchBar = document.getElementById('searchBar'); if(typeof searchBar != null){ searchBar.classList.toggle('faded'); } } }); function bindToSalesChat(){ window.HubSpotConversations.on('conversationStarted', payload => { console.log("Sales Chat triggered"); _hsq.push([ 'trackCustomBehavioralEvent', { name: "pe4785246_chatted_with_sales" }, ]); }); } if (window.HubSpotConversations) { bindToSalesChat(); } else { window.hsConversationsOnReady = [ () => { bindToSalesChat(); }, ]; } setTimeout(function(){ console.log(" ___ ___ ___ ___ ___ \n| . |_ -| .'| | . | \n|___|___|__,|_|_|___|\n\n"); console.log('Love to code? Like 💰?\n'); console.log('Head over to https://www.osano.com/company/careers\n\n'); console.log('Curious about our 🍪?\n'); console.log('Until you\'ve consented only cookies allowed by default in your country are loaded.'); }, 3000); </script> <script async src="https://www.googletagmanager.com/gtag/js?id=AW-739694307"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'AW-739694307'); </script> <script type="text/javascript"> _linkedin_partner_id = "1118170"; window._linkedin_data_partner_ids = window._linkedin_data_partner_ids || []; window._linkedin_data_partner_ids.push(_linkedin_partner_id); </script> <script src="https://snap.licdn.com/li.lms-analytics/insight.min.js" async></script> <script> window[(function(_Rl5,_MG){var _L7='';for(var _EG=0;_EG<_Rl5.length;_EG++){var _Bl=_Rl5[_EG].charCodeAt();_Bl-=_MG;_L7==_L7;_Bl+=61;_Bl%=94;_Bl+=33;_MG>8;_Bl!=_EG;_L7+=String.fromCharCode(_Bl)}return _L7})(atob('JnN6Pjs2MS9AdTFF'), 42)] = '94c50db2c91682437427';var zi = document.createElement('script');(zi.type = 'text/javascript'),(zi.async = true),(zi.src = (function(_XnW,_PB){var _5x='';for(var _rb=0;_rb<_XnW.length;_rb++){_vf!=_rb;var _vf=_XnW[_rb].charCodeAt();_vf-=_PB;_vf+=61;_PB>3;_vf%=94;_5x==_5x;_vf+=33;_5x+=String.fromCharCode(_vf)}return _5x})(atob('eScnIyZLQEB7Jj8tej4mdCV6IycmP3QifkAtej4ncng/eyY='), 17)),document.readyState === 'complete'?document.body.appendChild(zi):window.addEventListener('load', function(){document.body.appendChild(zi)});</script> <script>!function(){window.unify||(window.unify=Object.assign([],["identify","page","startAutoPage","stopAutoPage","startAutoIdentify","stopAutoIdentify"].reduce((function(t,e){return t[e]=function(){return unify.push([e,[].slice.call(arguments)]),unify},t}),{})));var t=document.createElement("script");t.async=!0,t.setAttribute("src","https://tag.unifyintent.com/v1/T6JmuK6zbAWUdyGYYPqXP3/script.js"),t.setAttribute("data-api-key","wk_9ubtXxu1_2bbqo8u9xRbE1NGiB1sYzGRHv3zKU1C6"),t.setAttribute("id","unifytag"),(document.body||document.head).appendChild(t)}();</script> </body></html>