California Consumer Privacy Act (CCPA): CCPA and CPRA, Simplified
On July 1, 2025, the California Attorney General announced a $1.55 million settlement with Healthline Media, the largest CCPA settlement to date. The complaint alleged that Healthline shared readers' personal information with advertisers beyond the purpose for which it was collected (the purpose-limitation principle), failed to honor opt-out requests, and lacked sufficient disclosures and contract terms with its advertising partners.
Imagine having complete insight and control over how your personal information is collected, shared, and sold. That’s what the California Consumer Privacy Act (CCPA) brought in 2020. Then came the California Privacy Rights Act (CPRA), effective January 2023, expanding those rights and establishing the California Privacy Protection Agency (CPPA) to enforce them. These laws together position California at the forefront of privacy regulation in the United States.
Who Must Comply With CCPA?
The law applies to for-profit businesses that do business in California and collect personal information from California residents. You are covered if you meet any of these thresholds:
- Annual gross revenue above $25 million in the preceding calendar year (the CPPA adjusts this figure for inflation)
- Buying, selling, or sharing the personal information of 100,000 or more consumers or households per year
- Deriving 50 percent or more of annual revenue from selling or sharing personal information
Even if your business is based outside California, if you collect data from Californians and hit one of these thresholds, you’re subject to CCPA/CPRA; location doesn’t matter.
There are exemptions for some entities regulated by laws like HIPAA or GLBA, though partial obligations may still apply.
Core Consumer Rights Under CCPA
Here’s what Californians can do under the law:
- Right to Know: Consumers can ask what personal data you have collected about them, where you got it, what it is used for, and with whom it is shared or sold.
- Right to Delete: Consumers can request deletion, subject to exceptions (e.g., data needed to complete an order or meet a legal obligation).
- Right to Opt-Out of Sale or Sharing: Consumers can stop the sale or sharing of their data. A business that sells or shares personal information, including sharing for cross-context behavioral advertising, must display a clear "Do Not Sell or Share My Personal Information" link and honor opt-out preference signals.
- Right to Correct & Limit Use of Sensitive Data (CPRA feature): Consumers can have inaccurate data fixed and can limit processing of sensitive information such as precise geolocation, health, race, or religion to what is necessary to provide the requested service.
- Right to Non-Discrimination: Consumers who exercise their rights cannot be denied services, charged a different price, or offered a lower level of service for doing so.
Clarifying Key Terms
- Personal Information is broad: names, IP addresses, purchase history, browsing behavior, and even household characteristics.
- Sensitive Personal Information (added under CPRA) includes health data, biometrics, race, religion, sexual orientation, and precise geo-location. Consumers can limit their usage.
- Sale vs. Share: CPRA expanded the definition to cover sharing data for advertising—even without payment.
Major 2025 Regulatory Updates: What’s Changing?
In July 2025, the California Privacy Protection Agency (CPPA) board adopted sweeping updates to the CCPA/CPRA regulations; the package was approved by the Office of Administrative Law in September 2025 and takes effect January 1, 2026, with phased deadlines for the major obligations. The updates focus on Automated Decision-Making Technology (ADMT), cybersecurity audits, and risk assessments, and they bring complex new compliance requirements for businesses operating in California.
Here is a breakdown:
1. Automated Decision-Making Technology (ADMT) Regulations
Automated decision-making refers to any system, like artificial intelligence or algorithmic tools, that makes decisions without human involvement in critical areas such as employment, finance, insurance, or healthcare.
New rights for California consumers include:
- Right to Opt-Out: Consumers can opt out of the use of ADMT to make significant decisions about them (e.g., loan approvals, employment offers, or health care eligibility), subject to limited exceptions.
- Right to Access Explanations: Consumers can request information about how the ADMT was used to make the decision, including the logic involved, the key data and parameters, and how the output was used.
- Right to Human Review: Rather than offering an opt-out, a business may give the consumer a way to appeal a significant decision to a qualified human reviewer who has the authority to overturn it.
Business Obligations:
- Must provide notice at or before the point of data collection if ADMT will be used.
- Required to disclose whether the consumer has the right to opt out or request a meaningful explanation.
- Must implement internal safeguards to ensure the fairness and accuracy of ADMT systems.
- Have until January 1, 2027, to comply.
These rules aim to ensure transparency, prevent discrimination, and promote accountability in high-stakes automated systems.
2. Cybersecurity Audit Requirements
Businesses meeting certain thresholds will now be required to perform independent cybersecurity audits regularly.
Who is required (in addition to meeting the general CCPA thresholds):
- Businesses that derive 50 percent or more of annual revenue from selling or sharing personal information, or
- Businesses with annual gross revenue above the CCPA threshold ($25 million, inflation-adjusted) that processed the personal information of 250,000 or more consumers or households in the preceding year, or
- Businesses above that revenue threshold that processed the sensitive personal information of 50,000 or more consumers in the preceding year
Requirements:
- Annual audits must assess the effectiveness of cybersecurity measures, including controls around access, encryption, and data loss prevention.
- Audits must be conducted by a qualified, objective, independent professional. An internal auditor may perform the audit only if they report to a board member or executive who has no direct responsibility for the cybersecurity program; the people who run the program cannot audit it.
- Deadlines are phased by revenue: businesses with annual gross revenue over $100 million must complete their first audit by April 1, 2028; those between $50 million and $100 million by April 1, 2029; and those under $50 million by April 1, 2030. Audits are annual thereafter.
Findings must be documented in a written audit report that is presented to the board or governing body, and the business must submit a signed certification each year to the CPPA confirming that the audit was completed.
3. Privacy Risk Assessments
The new rules also mandate periodic privacy risk assessments for businesses engaged in risky data processing activities.
When is it required:
- If your business sells or shares personal information.
- If your business processes sensitive personal information, such as racial or biometric data.
- If you use automated processing for profiling, including behavior prediction or ad targeting.
- If you use ADMT to make significant decisions about individuals, or use consumers' personal information to train such technology.
Key requirements:
- Must document each risk assessment with details about:
  - The types of personal information processed.
  - The business's purpose for processing.
  - The benefits of the processing to the business and consumers.
  - Potential harms and how those are mitigated.
- Assessments must show how privacy risks are being addressed relative to consumer expectations and legal obligations.
- Assessments for processing activities already under way before January 1, 2026 must be completed by December 31, 2027; new activities must be assessed before they begin.
- The first risk assessment submissions to the CPPA (a summary and attestation, not the full assessment) are due by April 1, 2028, and annually thereafter.
4. Insurance Sector Clarifications
The CPPA also introduced specific rules for the insurance industry due to its unique use of personal and sensitive data:
- Insurance companies must disclose their use of automated underwriting tools.
- They must align consent and notice practices with CPRA standards.
- Special attention is required for processing sensitive health or financial data.
5. Upcoming Delete Act Integration
Although not part of this rulemaking package, the CPPA continues to refine rules implementing the California Delete Act (SB 362). Its Delete Request and Opt-out Platform (DROP) opens to consumers on January 1, 2026, and registered data brokers must begin processing the deletion requests it forwards on August 1, 2026. These rules will integrate with the broader CPRA enforcement program.
Timeline for Compliance
| Requirement | Deadline |
| --- | --- |
| Broker data deletion requests (Delete Act, DROP platform) | August 1, 2026 |
| Automated decision-making rules | January 1, 2027 |
| Risk assessments for pre-2026 processing completed | December 31, 2027 |
| First risk assessment submissions to the CPPA | April 1, 2028 |
| Cybersecurity audits (revenue over $100 million) | April 1, 2028 |
| Cybersecurity audits ($50 million to $100 million) | April 1, 2029 |
| Cybersecurity audits (under $50 million) | April 1, 2030 |
Key Compliance Steps Businesses Should Take
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) require more than just checking boxes; they demand a proactive, thoughtful, and structured approach. Businesses must build privacy into their core operations.
Here are the key steps that companies, both large and small, should take to ensure compliance in 2025 and beyond:
1. Update Your Privacy Policy Regularly
Ensure your website and mobile app privacy policies are up-to-date, transparent, and accessible. Under CPRA, the policy must clearly describe:
- Categories of personal and sensitive information collected
- Purpose of collection and use
- Categories of sources and third-party recipients
- Whether the information is sold or shared
- Data retention periods
- Consumer rights, including how to exercise them (opt-out, delete, correct, limit)
- How to submit data access requests
2. Provide Multiple Consumer Request Methods
Offer at least two methods for consumers to submit requests, such as:
- A toll-free telephone number (required unless you operate exclusively online and have a direct relationship with the consumer)
- A user-friendly online request form or portal
- A dedicated email address
Separately, if you sell or share personal information you must recognize the Global Privacy Control (GPC) signal as a valid opt-out request. This is not optional, and the opt-out must be honored without requiring the consumer to log in.
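The following is an added example, not code from the original article or from any vendor, showing the server-side half of GPC recognition: detect the `Sec-GPC: 1` request header, persist the opt-out, and suppress the third-party tags that would constitute a sale or share. The header name and value come from the GPC specification; the `PrivacyPrefs` record, the tag catalog and the function names are illustrative assumptions. Note that once an opt-out is recorded, a later request without the header (a different browser, or the signal switched off) must not silently re-enable selling or sharing.

```python
"""Honor the Global Privacy Control (GPC) opt-out signal on the server side.

Added example for illustration. Only the header (Sec-GPC: 1) is taken from
the GPC specification; the consumer record, tag catalog and function names
are assumptions, not any business's or vendor's real API.
"""
from dataclasses import dataclass


@dataclass
class PrivacyPrefs:
    """Per-consumer opt-out state as a business might persist it."""
    opted_out_of_sale_share: bool = False
    source: str = "none"  # how the opt-out was recorded: "gpc", "link" or "none"


def gpc_signal_present(headers: dict) -> bool:
    """True only when the request carries Sec-GPC with the exact value '1'.

    Header names are case-insensitive. Any other value ('0', 'true', empty)
    is not a valid opt-out signal under the GPC spec and is ignored.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_gpc(headers: dict, prefs: PrivacyPrefs) -> PrivacyPrefs:
    """Record a GPC opt-out; never undo an existing opt-out on its absence."""
    if gpc_signal_present(headers) and not prefs.opted_out_of_sale_share:
        prefs.opted_out_of_sale_share = True
        prefs.source = "gpc"
    return prefs


# Constructed tag catalog: the third-party scripts a page would load, and
# whether loading each one is a sale/share (advertising) or is done by a
# contracted service provider acting only on the business's behalf.
TAG_CATALOG = {
    "ad-network.js": "sale_or_share",
    "retargeting-pixel.js": "sale_or_share",
    "first-party-analytics.js": "service_provider",
    "fraud-detection.js": "service_provider",
}


def filter_tags(prefs: PrivacyPrefs, catalog: dict = TAG_CATALOG) -> list:
    """Return the tags the page may load given the consumer's opt-out state."""
    return sorted(
        tag for tag, purpose in catalog.items()
        if purpose == "service_provider" or not prefs.opted_out_of_sale_share
    )


def handle_request(headers: dict, prefs: PrivacyPrefs) -> list:
    """One request through the pipeline: apply the signal, then choose tags."""
    return filter_tags(apply_gpc(headers, prefs))


if __name__ == "__main__":
    consumer = PrivacyPrefs()
    # Constructed requests: first with GPC on, then from a browser without it.
    print(handle_request({"Host": "example.test", "Sec-GPC": "1"}, consumer))
    print(handle_request({"Host": "example.test"}, consumer))  # opt-out sticks
```

The second request in the demo still suppresses the advertising tags because `apply_gpc` only ever sets the flag; reverting it should require an explicit, verifiable consumer action, not the mere absence of a header.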
3. Implement Strong Identity Verification Procedures
Develop robust protocols to verify the identity of anyone submitting data access, deletion, or correction requests. This may include:
- Matching two or more data points the consumer provides against information you already hold
- Using multi-factor authentication for registered users
- Using secure channels for sensitive communications
Match the level of verification to the sensitivity of the request: disclosing specific pieces of personal information or deleting data requires a higher degree of certainty than disclosing categories. Do not collect new personal information solely for verification beyond what is needed, and do not require the consumer to create an account in order to make a request.
4. Conduct a Comprehensive Data Inventory and Mapping
Create and maintain a current data inventory showing:
- What personal and sensitive information you collect
- How it is collected and stored
- Who has access to it internally
- Where it is shared externally
- When and how long it is retained
5. Review and Update Vendor & Service Provider Agreements
Revise contracts to ensure vendors and third parties:
- Process data only for specified, documented purposes
- Do not sell or share data without authorization
- Provide similar levels of data protection
- Cooperate in responding to consumer requests (e.g., deletion, access)
You are responsible not only for your own data practices but also for those of your vendors. Missing or inadequate contract terms with advertising vendors were cited in both the Sephora (2022) and Healthline (2025) enforcement actions.
6. Train Employees on CCPA and CPRA Protocols
Implement a privacy training program for:
- Customer service teams that handle consumer requests
- Marketing departments working with personal data
- IT and security teams managing systems and audits
- HR teams processing employee data (now covered under CPRA)
Human error is one of the biggest risks in privacy compliance. Proper training reduces mistakes and ensures requests are handled correctly and promptly.
7. Monitor and Eliminate Dark Patterns
Review your website and app user interfaces to remove deceptive or manipulative tactics that make it difficult to:
- Opt out of data sales/sharing
- Submit requests
- Read disclosures
Ensure links like "Do Not Sell or Share My Personal Information" are clearly visible, accessible, and functional, and that opting out takes no more steps than opting in. Consent obtained through a dark pattern is not valid consent under the CPRA. Noncompliance can lead to enforcement by the CPPA or the Attorney General and to reputational damage.
8. Prepare for CCPA Cybersecurity Audits and Risk Assessments
The 2025 CCPA/CPRA regulatory updates have made it clear that cybersecurity audits and privacy risk assessments are no longer optional for many businesses. Starting in 2027–2028, they become mandatory for qualifying organizations. Preparing now will help avoid costly last-minute compliance scrambles.
Schedule Cybersecurity Audits by Independent Professionals
- Engage third-party security firms or certified auditors (such as ISO 27001-certified assessors, CISSP, or CISA professionals) to evaluate your systems.
- Focus areas should include:
  - Network and endpoint security
  - Data encryption in transit and at rest
  - Access control and authentication protocols
  - Incident response readiness
  - Vendor and supply chain security
- Audits should follow recognized frameworks like the NIST Cybersecurity Framework, ISO/IEC 27001, or CIS Controls to ensure best practices.
Develop a Risk Assessment Protocol
- Establish a formal, repeatable process for evaluating privacy risks in all business activities that involve personal or sensitive data.
- Assessments should consider:
  - The nature and volume of personal data processed
  - The potential harm to consumers in case of a breach
  - How data is shared, sold, or transferred to third parties
  - Emerging threats such as ransomware, phishing, and AI-driven attacks
- Incorporate risk scoring to prioritize vulnerabilities needing urgent attention.
Document Privacy Impacts and Mitigation Strategies
- For each business process that involves personal data, prepare a Privacy Impact Assessment (PIA) or Data Protection Impact Assessment (DPIA).
- These should outline:
  - What data is collected and why
  - Potential privacy risks for consumers
  - Steps taken to reduce those risks (technical controls, policy changes, staff training)
  - Residual risks and how they are monitored
- Keep detailed records; regulators may request documentation during inspections or enforcement actions.
Track and Assess Use of Automated Decision-Making Systems
- If your business uses AI or algorithmic tools for decisions in hiring, lending, insurance, healthcare, or marketing, you must:
  - Identify all systems in use and their decision-making criteria
  - Test for bias, fairness, and accuracy
  - Implement human oversight for high-impact decisions
  - Document results and corrective measures
- Prepare for consumer opt-out requests and right-to-explanation obligations under the ADMT provisions coming into force.
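The "test for bias, fairness, and accuracy" step above is easy to state and rarely shown. The following is an added example, not from the original article, of the kind of check an ADMT audit would run over logged decisions: per-group selection rates, per-group accuracy against later-observed ground truth, and the "four-fifths rule" (a common adverse-impact heuristic from US employment-selection guidelines, here used as an assumption, not a CPPA requirement) that flags any group whose selection rate falls below 80 percent of the most-favored group's. The decision records are constructed for illustration, and the function names are assumptions.

```python
"""Disparate-impact and accuracy check over logged automated decisions.

Added example for illustration. The four-fifths threshold is a widely used
heuristic, not a legal standard set by the CCPA/CPRA regulations; the
decision records below are constructed, and the function names are assumed.
"""
from collections import defaultdict


def _rows(group, approved, creditworthy, n):
    """Build n identical constructed decision records."""
    return [(group, approved, creditworthy)] * n


# Constructed ADMT outcomes: (protected-attribute group, model approved?,
# ground truth observed later, e.g. whether the loan was actually repaid).
DECISIONS = (
    _rows("A", True, True, 7) + _rows("A", True, False, 1) + _rows("A", False, False, 2)
    + _rows("B", True, True, 4) + _rows("B", True, False, 1)
    + _rows("B", False, True, 3) + _rows("B", False, False, 2)
)


def selection_rates(records) -> dict:
    """Fraction of applicants in each group that the system approved."""
    counts = defaultdict(lambda: [0, 0])  # group -> [total, approved]
    for group, approved, _ in records:
        counts[group][0] += 1
        counts[group][1] += int(approved)
    return {g: approved / total for g, (total, approved) in counts.items()}


def accuracy_by_group(records) -> dict:
    """Fraction of decisions in each group that matched the ground truth."""
    counts = defaultdict(lambda: [0, 0])  # group -> [total, correct]
    for group, approved, truth in records:
        counts[group][0] += 1
        counts[group][1] += int(approved == truth)
    return {g: correct / total for g, (total, correct) in counts.items()}


def adverse_impact(rates: dict, threshold: float = 0.8) -> dict:
    """Return {group: impact_ratio} for groups below threshold * best rate.

    The impact ratio is the group's selection rate divided by the highest
    group rate. If nobody was selected at all the ratio is undefined, so no
    group is flagged (that situation needs a different review).
    """
    best = max(rates.values(), default=0.0)
    if best == 0:
        return {}
    return {g: round(r / best, 3) for g, r in rates.items() if r / best < threshold}


def audit(records, threshold: float = 0.8) -> dict:
    """Run all three checks and return a report an assessor can file."""
    rates = selection_rates(records)
    return {
        "selection_rates": rates,
        "accuracy": accuracy_by_group(records),
        "flagged": adverse_impact(rates, threshold),
    }


if __name__ == "__main__":
    for key, value in audit(DECISIONS).items():
        print(f"{key}: {value}")
```

In the constructed data group B is approved at 50 percent against 80 percent for group A, an impact ratio of 0.625, so it is flagged; its lower accuracy (0.6 versus 0.9) is the kind of finding that should be recorded with a corrective measure in the risk assessment rather than explained away.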
Starting in 2027 for Automated Decision-Making and 2028 for Cybersecurity Audits and Risk Assessments, qualifying businesses will be legally required to complete these tasks under the CPRA and CPPA’s updated regulations.
- Non-compliance risks include:
  - Civil penalties of $2,500–$7,500 per violation (the CPPA adjusts these amounts for inflation)
  - Consumer lawsuits in case of data breaches, the one context with a private right of action
  - Reputational damage from public enforcement actions
- Early preparation benefits:
  - Gives you time to identify and fix vulnerabilities before audits are mandatory
  - Demonstrates good-faith compliance to regulators, which may reduce penalties in case of violations
  - Strengthens overall cybersecurity posture, reducing the likelihood of costly breaches
By starting now, you won’t just be “ready for the deadline”—you’ll have a mature privacy and security program that stands up to regulatory scrutiny and consumer expectations.
9. Establish a Governance Framework
Form a privacy governance committee or assign a Chief Privacy Officer (CPO) to:
- Oversee compliance activities
- Respond to enforcement inquiries
- Coordinate audits, assessments, and disclosures
- Report regularly to executive leadership
Without strong governance, privacy efforts can become fragmented or reactive. A formal structure ensures long-term accountability and readiness.
Bringing It All Together
CCPA and CPRA compliance in 2025 demands more than a written privacy policy and an opt-out button—it now requires continuous security validation, documented risk assessments, and demonstrable governance practices. The new rules around cybersecurity audits, privacy impact assessments, and automated decision-making oversight mean that compliance is as much about security testing as it is about privacy rights management.
This is where many businesses face their biggest challenge: closing the gap between privacy policy and security reality. You can promise strong consumer protections in your policy, but if your systems remain vulnerable, you risk non-compliance, penalties, and reputational damage.
How Does Strobes Fit Into the Compliance Equation?
Strobes bridges that gap by combining risk-based vulnerability management with Penetration Testing as a Service (PTaaS), giving organizations the tools they need to stay secure, compliant, and audit-ready.
With Strobes, you can:
- Conduct Continuous Penetration Testing (PTaaS) to uncover and fix exploitable vulnerabilities before they lead to breaches, meeting CPRA’s “reasonable security” expectations.
- Focus Testing on Sensitive Data Workflows, ensuring that systems holding consumer personal or sensitive information are hardened against attacks.
- Centralize Vulnerability Findings from scanners, pen tests, and bug bounty programs into a single, prioritized view.
- Produce Audit-Ready Security Reports to demonstrate proactive compliance during CPPA audits and privacy risk assessments.
- Integrate Security Results into Privacy Governance, directly linking test outcomes to privacy impact assessments (PIAs/DPIAs).
By embedding Strobes’ PTaaS and vulnerability management into your compliance strategy, you create a continuous feedback loop, detecting risks early, remediating them quickly, and proving your security posture to regulators and customers alike.
In short, CCPA/CPRA compliance in 2025 is no longer just about legal alignment—it’s about operational resilience. With the right combination of privacy governance and continuous security testing from Strobes, you can meet today’s requirements and confidently prepare for tomorrow’s challenges.
Frequently Asked Questions (FAQs)
- What is the main purpose of the CCPA and CPRA?
  The CCPA and CPRA were designed to give California residents greater control over their personal data. They provide rights such as knowing what data is collected, requesting deletion, opting out of sales/sharing, correcting inaccuracies, and limiting use of sensitive personal information.
- How do the 2025 updates change compliance requirements?
  The 2025 updates go beyond disclosure requirements. They introduce mandatory cybersecurity audits, privacy risk assessments, and stricter governance over automated decision-making systems. Businesses will need to demonstrate ongoing security validation, not just publish a privacy policy.
- What happens if my business fails to comply?
  Non-compliance can lead to fines of $2,500–$7,500 per violation, enforcement actions by the California Privacy Protection Agency or the Attorney General, and consumer lawsuits in the case of data breaches. Reputational damage from publicized violations can also be significant.
- Does compliance also mean improving cybersecurity?
  Yes. Many CCPA/CPRA enforcement actions begin with a data breach. Regulators expect companies to have "reasonable security measures" in place, which includes regular vulnerability testing, risk assessments, and remediation of weaknesses.
- How can Strobes support my CCPA/CPRA compliance strategy?
  Strobes provides Penetration Testing as a Service (PTaaS) and risk-based vulnerability management to continuously identify, prioritize, and fix security gaps. This directly supports CPRA's security requirements, helps prepare for upcoming audits, and provides the documentation you will need to prove compliance.