CCPA and CPRA Regulatory Overview
The California Consumer Privacy Act, as amended and expanded by the California Privacy Rights Act, creates comprehensive privacy obligations for businesses that collect personal information from California residents. CCPA/CPRA applies to for-profit businesses that meet any one of three thresholds: annual gross revenue exceeding 25 million dollars, buying or selling personal information of 100,000 or more consumers or households, or deriving 50% or more of annual revenue from selling or sharing personal information. The CPRA amendment, fully operative since January 2023 and enforced by the California Privacy Protection Agency, expanded consumer rights to include correction, limitation of sensitive data use, and opt-out of automated decision-making. Marketing teams must understand that CCPA's definition of personal information is extraordinarily broad, encompassing IP addresses, browsing history, geolocation data, inferences drawn from profiling, and any data linked to a consumer or household.
Consumer Rights Impacting Marketing Operations
CCPA/CPRA grants California consumers rights that directly impact marketing operations and data strategies. The right to know requires businesses to disclose categories and specific pieces of personal information collected, the purposes for collection, categories of sources, and third parties with whom data is shared. The right to delete obligates businesses to erase consumer personal information upon request, with limited exceptions for completing transactions or maintaining security. The right to opt out of sale or sharing is particularly impactful for marketing — sharing personal information with advertising partners for cross-context behavioral advertising constitutes sharing under CPRA, even without monetary exchange. The right to correct inaccurate personal information requires businesses to implement correction processes. Marketing teams must build operational workflows that fulfill these rights across every system holding consumer data, coordinating between CRM platforms, email tools, analytics systems, and [technology services](/services/technology) infrastructure.
Data Mapping and Classification Requirements
Comprehensive data mapping is the foundational step for CCPA/CPRA compliance because you cannot protect, disclose, or delete data you have not identified. Document every system that collects, stores, processes, or transmits California consumer personal information, including marketing automation platforms, customer data platforms, analytics tools, advertising networks, and third-party data providers. Classify data into the CCPA categories: identifiers, commercial information, internet activity, geolocation, professional information, education information, inferences, and sensitive personal information. Map data flows showing how personal information moves between systems, to third parties, and across organizational boundaries. Identify the business purpose for each data collection and processing activity, as CCPA requires purpose limitation. Update data maps regularly because marketing technology stacks evolve constantly — new tools, integrations, and data sources create new compliance obligations that must be documented and managed proactively.
Opt-Out Mechanisms and Do Not Sell Implementation
The right to opt out of sale and sharing requires prominent, functional mechanisms that honor consumer choices across your entire marketing ecosystem. Display a clear Do Not Sell or Share My Personal Information link on your website homepage and in your privacy policy, accessible without requiring account creation or login. Implement Global Privacy Control signal recognition: CPRA regulations require businesses to treat GPC browser signals as valid opt-out requests, which means your website must detect and honor these signals automatically. When a consumer opts out, cease sharing their data with advertising partners, retargeting platforms, data brokers, and any third party using the data for cross-context behavioral advertising. Propagate opt-out signals to downstream systems and partners within 15 business days. Maintain opt-out preference records and never require consumers to re-submit opt-out requests. Your [compliance services](/services/marketing) approach should include regular testing to verify opt-out mechanisms function correctly across all entry points.
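The following is an added example, not code from the original page: it shows the GPC detection and durable opt-out handling described above. GPC is signalled by the `Sec-GPC: 1` request header and, in the browser, by `navigator.globalPrivacyControl`; the function names, the in-memory registry and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: detect a Global Privacy Control signal, record the opt-out
// durably, and gate sharing with advertising partners on that record.
// Helper names and the in-memory store are assumptions, not a real library.

// Server side: the header is "Sec-GPC: 1". Header names are case-insensitive.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: navigator.globalPrivacyControl is true when the signal is on.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Opt-out preference record. Once set it is never cleared by a later request
// that lacks the signal, so consumers do not have to re-submit the opt-out.
class OptOutRegistry {
  constructor() { this.records = new Map(); }
  recordOptOut(consumerId, source) {
    if (!this.records.has(consumerId)) {
      this.records.set(consumerId, { source, at: new Date().toISOString() });
    }
    return this.records.get(consumerId);
  }
  isOptedOut(consumerId) { return this.records.has(consumerId); }
}

// Decide whether this consumer's data may be sent to cross-context
// advertising partners. Any GPC signal, or an existing record, blocks sharing.
function decideSharing(registry, consumerId, { headers = {}, nav = null } = {}) {
  if (gpcFromHeaders(headers) || gpcFromNavigator(nav)) {
    registry.recordOptOut(consumerId, 'gpc');
  }
  const optedOut = registry.isOptedOut(consumerId);
  return { consumerId, optedOut, shareWithAdPartners: !optedOut };
}

// Constructed sample requests: one with the signal, a later one from the same
// consumer without it, and a different consumer with GPC explicitly off.
const registry = new OptOutRegistry();
const first = decideSharing(registry, 'c-123', { headers: { 'Sec-GPC': '1' } });
const later = decideSharing(registry, 'c-123', { headers: {} });
const other = decideSharing(registry, 'c-456', { headers: { 'Sec-GPC': '0' } });
console.log(first, later, other);
```

In production the registry would be a persistent store keyed to the consumer's identifier, and the `shareWithAdPartners` decision would be checked before every tag, pixel or partner API call rather than once per request.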
Sensitive Personal Information Under CPRA
CPRA introduced the category of sensitive personal information, which receives heightened protection and gives consumers the right to limit its use. Sensitive personal information includes Social Security numbers, financial account details, precise geolocation, racial or ethnic origin, religious beliefs, union membership, mail or email content, genetic data, biometric information, health data, and sex life or sexual orientation data. Marketing teams that process sensitive personal information must provide a Limit the Use of My Sensitive Personal Information link and honor consumer requests to restrict processing to purposes necessary for providing requested goods or services. Avoid collecting sensitive personal information for marketing purposes unless absolutely necessary and legally justified. If your marketing involves location-based targeting using precise geolocation data, health-related audience segmentation, or financial product marketing using account details, implement additional safeguards and consumer controls specific to sensitive data categories.
Enforcement Preparation and Compliance Roadmap
Prepare for enforcement by building a compliance program that demonstrates good faith efforts and operational maturity. The California Privacy Protection Agency conducts audits and investigations, with penalties reaching 2,500 dollars per unintentional violation and 7,500 dollars per intentional violation, with no cap on total penalties across affected consumers. Consumers also have a private right of action for data breaches involving unencrypted personal information, with statutory damages of 100 to 750 dollars per consumer per incident. Build a compliance roadmap: complete data mapping, update privacy policies with required disclosures, implement consumer rights request workflows with 45-day response timelines, deploy opt-out mechanisms, train marketing staff on compliance obligations, and conduct regular audits. Establish vendor management procedures requiring data processing agreements with all marketing technology providers. Document compliance efforts thoroughly because demonstrating a systematic approach to privacy protection can influence enforcement outcomes when regulators evaluate potential violations.