
Lesson 21 of 25

The California Model: CCPA & CPRA

5 min read · CIPP/US

The most-tested single state. Cover business thresholds and the service-provider-versus-third-party roles, the full consumer-rights list including sale and sharing, the CPPA regulator, the breach-only private suit, and honoring Global Privacy Control.

California: the law that started the wave

  • CCPA (2018, effective 2020), amended by CPRA
  • First U.S. comprehensive consumer-privacy law
  • Applies to qualifying "businesses" handling CA residents' data
  • Template every later state both borrowed and diverged from

California's law is the anchor of Domain five, both because it came first and because it's the most heavily tested single state. The California Consumer Privacy Act, the C-C-P-A, was enacted in twenty-eighteen and took effect in twenty-twenty; the California Privacy Rights Act, the C-P-R-A, amended and expanded it and created a dedicated regulator. Together they form the first U.S. comprehensive consumer-privacy regime, applying to for-profit businesses that handle California residents' personal information and meet certain thresholds. Every later state law borrowed from California in some way, but California also diverges from the others in important respects, so the exam wants you to know California on its own terms first, then contrast it with the Virginia-style template in the next lecture.

Who must comply: the business thresholds

  • For-profit, does business in CA, processes CA residents' data
  • Meets a threshold: revenue, volume of consumers, or data sales
  • Service providers and contractors process on a business's behalf
  • Third parties are everyone else who gets the data

Coverage turns on thresholds the exam tests. A business must be for-profit, do business in California, and collect California residents' personal information while determining the purposes and means of processing, and it must meet at least one threshold: gross annual revenue above twenty-five million dollars (a figure the regulator adjusts periodically for inflation), annually buying, selling, or sharing the personal information of one hundred thousand or more California consumers or households, or deriving fifty percent or more of annual revenue from selling or sharing personal information. California's vocabulary matters: a service provider or contractor processes data on the business's behalf under a written contract that restricts its use, much like a processor in other frameworks, while a third party is anyone else who receives the data.

Correctly labeling an actor as a business, a service provider, or a third party often decides which obligations apply, so learn those three roles precisely.

Consumer rights under CCPA/CPRA

  • Right to know/access categories and specifics collected
  • Right to delete and right to correct
  • Right to opt out of sale AND sharing (cross-context ads)
  • Right to limit use of sensitive personal information

California gives consumers a robust set of rights, and you should be able to list them fast. The right to know: what categories and specific pieces of personal information a business collects, uses, and discloses, and to whom. The right to delete personal information, subject to exceptions.

The right to correct inaccurate information, added by the C-P-R-A. The right to opt out of the sale of personal information and, importantly, of the sharing of it for cross-context behavioral advertising; that sharing concept is a California signature. And the C-P-R-A added a right to limit the use and disclosure of sensitive personal information, a category that includes things like precise geolocation, race, health, and account credentials.

California also bars discrimination against consumers who exercise these rights. Notice that California uses an opt-out for sale and sharing rather than requiring opt-in consent for most processing.

Enforcement, the CPPA, and Global Privacy Control

  • CPRA created the California Privacy Protection Agency (CPPA)
  • CPPA plus the AG enforce and make rules
  • Limited private right of action — for certain data breaches only
  • Businesses must honor opt-out preference signals (GPC)

Enforcement is a California distinctive. The C-P-R-A created the California Privacy Protection Agency, the C-P-P-A, the first dedicated state privacy regulator, which enforces the law and writes implementing regulations alongside the attorney general. Unlike most states, California also gives consumers a limited private right of action, but only for certain breaches of nonencrypted and nonredacted personal information caused by a failure to maintain reasonable security, with statutory damages of one hundred to seven hundred fifty dollars per consumer per incident; there is no private suit for general violations of the law.

And a heavily tested operational point: businesses must honor opt-out preference signals sent automatically by a consumer's browser or device, most notably the Global Privacy Control, the G-P-C, which a browser or extension transmits with each request. A business cannot ignore a G-P-C signal and insist that the consumer click an opt-out link; the signal must be treated as a valid request to opt out of sale and sharing. That signal-honoring requirement is the kind of concrete detail the exam loves.
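What honoring the signal looks like on the server, as an added example that is not part of the lesson or any regulator's guidance: the Global Privacy Control specification carries the signal as the HTTP request header `Sec-GPC: 1` (exposed client-side as `navigator.globalPrivacyControl`), and this short Python snippet reads that header and treats it exactly like a submitted opt-out of sale and sharing. The request dictionaries are constructed stand-ins for a real web framework's request object, and the `decide` function and `SharingDecision` type are names chosen for this example.

```python
# Added example (not from the lesson): a minimal server-side check that
# honors the Global Privacy Control signal. The GPC spec carries the signal
# as the HTTP request header "Sec-GPC: 1" (client side it is exposed as
# navigator.globalPrivacyControl). The request dicts below are constructed
# stand-ins for a real framework's request object.
from dataclasses import dataclass

GPC_HEADER = "sec-gpc"


def gpc_opt_out(headers: dict) -> bool:
    """True when the request carries a valid GPC opt-out signal.

    Header names are matched case-insensitively. Per the GPC spec only the
    exact value "1" is a signal; an absent header, "0", or anything else is
    not, and must be read neither as an opt-out nor as consent.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass(frozen=True)
class SharingDecision:
    may_sell: bool
    may_share_for_cross_context_ads: bool
    reason: str


def decide(headers: dict, stored_opt_out: bool = False) -> SharingDecision:
    """Decide whether this visitor's personal information may be sold or shared.

    A GPC signal is treated exactly like a submitted opt-out of sale AND
    sharing: it cannot be ignored in favor of making the consumer click an
    opt-out link. A previously recorded opt-out is honored as well.
    """
    if gpc_opt_out(headers):
        return SharingDecision(False, False, "gpc-signal")
    if stored_opt_out:
        return SharingDecision(False, False, "stored-opt-out")
    return SharingDecision(True, True, "no-opt-out")


# Constructed sample requests: a GPC-enabled browser, a browser sending no
# signal, and a malformed value that must not count as an opt-out.
SAMPLE_REQUESTS = {
    "gpc_browser": {"User-Agent": "Mozilla/5.0", "Sec-GPC": "1"},
    "plain_browser": {"User-Agent": "Mozilla/5.0"},
    "malformed": {"Sec-GPC": "true"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_REQUESTS.items():
        d = decide(hdrs)
        print(f"{label:14} sell={d.may_sell} "
              f"share={d.may_share_for_cross_context_ads} ({d.reason})")
```

The check has to sit in front of every code path that would sell or share data, including the tags that hand a page view to an ad-tech partner; a consumer-facing "Do Not Sell or Share" link is still required, but it is the fallback, not the gate.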

Service providers, sale, and sharing — the contract test

  • A transfer isn't a "sale" if the recipient is a true service provider
  • Service-provider contracts must restrict use to the business's purposes
  • "Sharing" targets cross-context behavioral advertising specifically
  • Mislabeling a third party as a service provider is a common failure

The concept that trips people up most in California is when a data transfer counts as a sale or a share, and it turns on the contract. Handing personal information to another company is not a sale if that company is a genuine service provider, bound by a contract that limits it to processing the data only for the business's specified purposes and bars it from using the data for its own ends. Get that contract right and the transfer escapes the sale rules and the opt-out.

Sharing is California's narrower, advertising-specific concept: disclosing personal information for cross-context behavioral advertising, even without money changing hands, and consumers can opt out of it. The classic failure, and a favorite exam trap, is a business that calls a partner a service provider but lets it use the data to build its own profiles or run its own ad targeting. That partner is really a third party, and the transfer is a sale or share that requires an opt-out. So always check the contract restrictions, and what the recipient actually does with the data, not just the label.

Exam reasoning: California's distinctives

  • Sale AND share opt-out; sensitive-info limit
  • CPPA regulator + breach-only private right of action
  • Must honor Global Privacy Control signals
  • Distractor: California is opt-in (it's opt-out for most processing)

Let's lock in what makes California different, because the exam contrasts it with the other states. California is distinctive in covering both sale and sharing for cross-context behavioral advertising, adds a right to limit sensitive personal information, has its own regulator in the C-P-P-A, and gives a private right of action, but only for qualifying data breaches. It also requires honoring the Global Privacy Control.

The most common distractor frames California as a consent-first, opt-in regime like the GDPR. It isn't: for most processing California runs on opt-out, with opt-in required mainly for selling or sharing the personal information of consumers under sixteen (with parental consent under thirteen) and for enrolling consumers in financial-incentive programs. So when a scenario is set in California, reach for opt-out of sale-and-share, the sensitive-info limit, the C-P-P-A, the G-P-C signal, and breach-only private suits. Recap: thresholds and roles, the rights list, and California's enforcement quirks.

Now go test yourself, then we tackle the Virginia-style template the other states share.

Sources

  • California Consumer Privacy Act (CCPA), Cal. Civ. Code § 1798.100 et seq.
  • California Privacy Rights Act (CPRA) amendments
  • California Privacy Protection Agency (CPPA) regulations
  • Global Privacy Control recognition
  • IAPP CIPP/US Body of Knowledge, Domain V.B (State Comprehensive Privacy Laws)

Test your knowledge

A few CIPP/US questions on this material — pick an answer to see the explanation.

  1. Q1. A covered entity must provide patients with a Notice of Privacy Practices (NPP). When must the NPP first be provided to a new patient?

  2. Q2. The HIPAA Privacy Rule permits covered entities to disclose PHI without patient authorization for public health activities. Which is a valid public health exception disclosure?

  3. Q3. Under FERPA, which exception permits a school to disclose student records without consent to protect the health or safety of the student or others?

  4. Q4. Under GLBA, the Privacy Rule distinguishes between 'consumers' and 'customers.' A 'customer' relationship (triggering the most robust protections including annual notice) is characterized by:
