California is at the forefront of U.S. data privacy regulation, and our team helps you stay in compliance.

The California Privacy Rights Act (CPRA) took effect Jan. 1, 2023, expanding on the earlier California Consumer Privacy Act (CCPA). The laws — which are now a model for other states’ data privacy legislation — imposes a host of data privacy regulations on many companies.

CCPA affects for-profit companies that collect and process California residents’ personal information, have business in the state and meet one of the following three criteria:

• Has gross annual revenue in excess of $25 million in the preceding calendar year (measured on January 1 of the calendar year).
• Annually buys, sells, or shares the personal information of 100,000 California consumers or households.
• Derive 50% or more of its annual revenue from selling or sharing personal information.

Companies that fall under the laws must also ensure that any service providers that handle data on their behalf do it in a manner that complies with the law. They also have obligations when entering into agreements with third parties with whom they share personal information.

CCPA broadly defines personal information while giving consumers more control over their data. Consumers have the right to opt out of having their data sold or otherwise limit its use and disclosure, to request information on the types of information companies collect and/or a copy of the actual data collected, to correct inaccurate information and, in many cases, to request that their data be erased.

Penalties for noncompliance are $2,500 per record for each unintentional violation and $7,500 per record for each intentional violation.