CCPA / CPRA Compliance for Data Privacy and Consumer Rights


What Is CCPA / CPRA?

The California Consumer Privacy Act (CCPA) and its expansion under the California Privacy Rights Act (CPRA) establish data privacy rights for California residents and obligations for businesses that collect or process their personal information.

CPRA strengthens CCPA by expanding consumer rights, increasing enforcement authority, and introducing additional requirements around sensitive personal information, data minimization, and risk assessments.

Together, CCPA and CPRA regulate how organizations collect, use, disclose, retain, and secure personal data.

Why It Matters

CCPA/CPRA applies to for-profit businesses that do business in California, collect California residents' personal information, and meet at least one of three thresholds: annual gross revenue above a statutory amount (adjusted periodically for inflation), buying, selling, or sharing the personal information of 100,000 or more consumers or households per year, or deriving 50 percent or more of annual revenue from selling or sharing personal information. A business does not need to be located in California to be covered.

The law grants consumers rights to:

  • Know what personal information is collected
  • Access and correct their data
  • Request deletion
  • Opt out of data sales or sharing
  • Limit use of sensitive personal information

Organizations must also implement reasonable security procedures and practices to protect personal information from unauthorized access, disclosure, or misuse.

Enforcement by the California Privacy Protection Agency and the Attorney General, together with a private right of action for consumers affected by certain data breaches, make compliance both a legal and operational priority.

What It Requires

While CCPA/CPRA is privacy-focused rather than control-prescriptive, organizations must implement:

  • Data inventory and mapping: Identify categories of personal information collected
  • Consumer request workflows: Support access, deletion, and correction rights
  • Data minimization and purpose limitation
  • Vendor and service provider oversight
  • Retention policies
  • Reasonable security safeguards to protect personal information

Security expectations are risk-based and tied to protecting consumer data from breaches or unauthorized exposure.

CCPA / CPRA Implementation Guidance

Organizations subject to CCPA/CPRA should be able to demonstrate:

☐ Personal information categories are documented and mapped
☐ Consumer rights request processes are operational and auditable
☐ Data retention policies are defined and enforced
☐ Sensitive personal information is identified and handled appropriately
☐ Service provider agreements include required privacy clauses
☐ Access to personal information is restricted by role
☐ Security controls protect systems storing personal data
☐ Evidence supports that safeguards are actively maintained

Privacy compliance depends on both governance and enforceable technical safeguards.

How to Prepare for CCPA / CPRA Compliance

Preparation should focus on both privacy governance and enforceable security safeguards.

Organizations should:

  • Maintain a current data inventory
  • Operationalize consumer request handling
  • Enforce access controls around personal information
  • Monitor systems storing personal data
  • Maintain evidence of security practices

Privacy compliance requires that safeguards remain effective as systems and data flows evolve.

What the Law Says About Security

From California Civil Code §1798.150(a) (abridged; the statute's cross-references and qualifying language are omitted here):

A consumer whose nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business’s violation of the duty to implement and maintain reasonable security procedures and practices may institute a civil action.

This establishes a legal duty to implement and maintain reasonable security procedures and practices, which the statute qualifies as "appropriate to the nature of the information." Two caveats matter in practice. First, the private right of action in §1798.150 covers the narrower set of personal information defined in Civil Code §1798.81.5 (for example, a name combined with a Social Security number, a driver's license number, a financial account number with its access code, or medical information, or an email address with a password), not every category of personal information the CCPA regulates. Second, it reaches only data that was nonencrypted and nonredacted, so encrypting that data at rest and minimizing what is stored directly reduce breach exposure. Statutory damages range from $100 to $750 per consumer per incident, so the number of affected records, not merely the occurrence of a breach, drives liability.

Official source:
https://oag.ca.gov/privacy/ccpa

How CalCom Helps

Although CCPA/CPRA focuses on privacy rights, security controls remain critical to preventing unauthorized access to personal information.

CalCom Hardening Suite supports compliance efforts by:

  • Enforcing secure configuration baselines for systems storing personal data
  • Detecting unauthorized configuration changes
  • Restricting access to configuration settings
  • Maintaining audit trails to support incident investigation
  • Reducing risk of breaches caused by misconfiguration

Strong configuration management supports the “reasonable security” requirement under California privacy law.

Have a compliance framework to meet?

Let's talk about how CalCom helps you enforce secure configurations, reduce audit prep, and stay exam-ready.


    About Us

    Established in 2001, CalCom is the leading provider of server hardening solutions that help organizations address the rapidly changing security landscape, threats, and regulations. CalCom Hardening Suite (CHS) is a security baseline hardening solution that eliminates outages, reduces operational costs, and ensures a resilient, constantly hardened, and monitored server environment.

