ccpa-cpra-compliance
CCPA/CPRA Compliance
Overview
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), establishes comprehensive consumer privacy rights under California Civil Code §1798.100-199. The CPRA, approved by voters on November 3, 2020 (Proposition 24), substantially amended the CCPA effective January 1, 2023, with a lookback period to January 1, 2022. The California Privacy Protection Agency (CPPA) was established as the first dedicated state privacy enforcement agency in the United States.
The CPRA replaced the California Attorney General as the primary enforcement body with the CPPA, added the category of sensitive personal information, created new consumer rights (correction and limit use of sensitive PI), expanded the definition of "sharing" for cross-context behavioral advertising, and introduced requirements for data processing agreements.
Applicability (§1798.140(d))
A business is subject to CCPA/CPRA if it:
- Has annual gross revenues exceeding $25,000,000 in the preceding calendar year (adjusted by the CPPA for inflation starting January 1, 2024)
- Annually buys, sells, or shares the personal information of 100,000 or more consumers or households (CPRA increased from 50,000)
- Derives 50% or more of its annual revenues from selling or sharing consumers' personal information
Liberty Commerce Inc. Assessment: Liberty Commerce Inc., with annual revenues of $48 million and processing personal information of approximately 320,000 California consumers through its e-commerce platform, meets threshold (1) and threshold (2). Liberty Commerce Inc. is classified as a "business" under §1798.140(d).