CPRA Compliance: A Step-by-Step Guide for 2026
The CPRA is fully enforceable and the CPPA is actively investigating. This guide walks through every compliance requirement — from data inventory and consumer rights to opt-out signals and risk assessments.
CPRA Compliance: What You Need to Know in 2026
The California Privacy Rights Act (CPRA) has been fully enforceable since 1 July 2023, and the California Privacy Protection Agency (CPPA) has been actively issuing guidance, conducting investigations, and bringing enforcement actions. If your organisation collects personal information from California residents and meets the applicability thresholds, CPRA compliance is not optional — and the enforcement landscape has matured significantly since the law took effect.
CPRA applies to for-profit businesses that do business in California and meet any one of three thresholds: annual gross revenue exceeding $25 million; buying, selling, or sharing personal information of 100,000 or more California consumers or households; or deriving 50% or more of annual revenue from selling or sharing personal information. If you meet any threshold, the full weight of CPRA obligations applies to your processing of California residents' data.
Step 1: Data Inventory and Classification
CPRA compliance begins with knowing what personal information you collect, where it lives, how it flows, and how long you keep it. Unlike the original CCPA, which primarily required disclosure, CPRA imposes substantive constraints on collection and retention — you cannot comply with data minimisation requirements if you do not have an accurate data inventory.
Your inventory must distinguish between 'personal information' and 'sensitive personal information' because each carries different obligations. Sensitive categories — government identifiers, financial credentials, precise geolocation, racial or ethnic origin, religious beliefs, biometric data, health data, and communications content — trigger the right to limit use and require a separate disclosure mechanism. Map each data element to the purpose for which it was collected, the retention period justified by that purpose, and the categories of third parties with whom it is shared.
Step 2: Privacy Notices and Disclosures
CPRA requires specific disclosures that go beyond the original CCPA's notice requirements. Your privacy policy must now include: the categories of sensitive personal information collected; the purposes for which each category is used; retention periods or criteria for determining retention; and whether personal information is sold or shared for cross-context behavioural advertising.
You must also provide point-of-collection notices that inform consumers at or before the point of collection about the categories of personal information being collected, the purposes for collection, and whether it will be sold or shared. If you collect personal information for a purpose not disclosed in your notice, you cannot use it for that purpose without providing updated notice and obtaining fresh consent where required.
Step 3: Consumer Rights Infrastructure
CPRA requires you to honour seven distinct consumer rights: the right to know (access), the right to delete, the right to correct, the right to opt out of sale/sharing, the right to limit use of sensitive personal information, the right to data portability (in a structured, machine-readable format), and the right to non-discrimination. Your data subject request (DSR) intake and fulfilment infrastructure must handle all seven.
You must provide at minimum two methods for consumers to submit requests — typically a toll-free telephone number and a web form. Requests must be acknowledged within 10 business days and fulfilled within 45 calendar days, with a possible 45-day extension for complex requests if the consumer is notified. Verification must be completed before fulfilment, with the verification standard proportionate to the sensitivity of the request. For online-only businesses, an email address may substitute for a toll-free number.
Step 4: Opt-Out Mechanisms and Preference Signals
CPRA requires two distinct opt-out links on your website: 'Do Not Sell or Share My Personal Information' and 'Limit the Use of My Sensitive Personal Information'. These may be combined into a single clearly labelled link if both mechanisms are accessible from it.
Critically, CPRA requires businesses to honour opt-out preference signals — specifically the Global Privacy Control (GPC). When a consumer's browser sends a GPC signal, you must treat it as a valid opt-out of sale and sharing for that consumer. This means your systems must be capable of detecting GPC headers, mapping them to the relevant user or session, and suppressing downstream data sharing in real time. Failure to honour GPC has already been the basis of enforcement actions by the California AG and the CPPA.
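As an added illustration of the GPC handling described above (example code written for this guide, not code from any product or from the regulation itself), the following Node-style request handling detects the `Sec-GPC` request header, records the opt-out on the consumer profile, and gates downstream sharing. The `profile`, `recipient.role` and `req.consumer` shapes are assumptions for the example; the header name and the rule that only the exact value `1` is a valid signal come from the GPC specification.

```javascript
// Added example (not from the original article): server-side detection of the
// Global Privacy Control signal and real-time suppression of sale/sharing.
// Assumes a Node-style request object whose `headers` keys are lower-cased.
// Per the GPC spec the browser sends `Sec-GPC: 1`; only the exact value "1"
// is a valid signal, so "true", "yes" or an empty value is NOT an opt-out.

function hasGpcSignal(headers) {
  const raw = headers['sec-gpc'];
  if (raw === undefined || raw === null) return false;
  // Repeated headers may arrive as an array; treat the signal as valid only
  // if every occurrence is exactly "1" after trimming whitespace.
  const values = Array.isArray(raw) ? raw : [raw];
  return values.length > 0 && values.every((v) => String(v).trim() === '1');
}

// Merge the signal into the consumer's opt-out state. A GPC signal is a valid
// opt-out of sale/sharing; the absence of a signal on a later request must not
// undo an opt-out the consumer already made through another mechanism.
function applyGpc(profile, headers) {
  const signal = hasGpcSignal(headers);
  return {
    ...profile,
    gpcSeen: signal,
    optOutSaleShare: profile.optOutSaleShare || signal,
  };
}

// Gate a downstream transfer (ad-tech pixel, data broker feed, partner API).
// Assumed model: disclosures to a contractually bound service provider are not
// "sale" or "sharing", so they remain allowed; any other recipient is blocked
// once the consumer has opted out.
function mayShare(profile, recipient) {
  if (recipient.role === 'service_provider') return true;
  return !profile.optOutSaleShare;
}

// Express-style middleware: evaluate the signal on every request so the
// opt-out is in effect before any sharing code for that request runs.
function gpcMiddleware(req, res, next) {
  req.consumer = applyGpc(req.consumer || { optOutSaleShare: false }, req.headers);
  next();
}
```

Browser-side code can read the same preference from `navigator.globalPrivacyControl` before loading any tag that would share data, but the server-side check is the one that must hold for every request.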
For consumers who opt out, you must wait at least 12 months before asking them to opt back in. You cannot use dark patterns, confusing language, or unnecessary steps to subvert the opt-out process.
Step 5: Contracts and Third-Party Management
CPRA imposes specific contractual requirements on businesses that share personal information with service providers, contractors, and third parties. Every entity that receives personal information from you must be bound by a written contract that specifies the purposes for processing, prohibits selling or sharing the data further, requires the recipient to comply with CPRA, and grants you the right to audit compliance.
Service providers and contractors must additionally agree to notify you if they can no longer meet their CPRA obligations, and to allow you to take steps to stop and remediate unauthorised use. For third parties, you must ensure they use personal information only for the purposes disclosed in your privacy notice. Conducting due diligence on third parties is not optional — you are responsible for ensuring downstream compliance even after data leaves your systems.
Step 6: Data Minimisation and Retention
CPRA's data minimisation principle requires that collection, use, retention, and sharing of personal information be 'reasonably necessary and proportionate' to the purposes for which it was collected. This is an affirmative obligation — you must be able to justify why each category of data you collect is needed for the stated purpose.
Retention schedules must be disclosed in your privacy notice, and you must not retain personal information longer than reasonably necessary for the disclosed purpose. This means you need documented retention policies that specify, for each data category: the purpose for collection, the retention period, the justification for that period, and the deletion or de-identification mechanism that executes when the period expires. Organisations without retention schedules are in clear violation of CPRA regardless of their other compliance efforts.
Step 7: Risk Assessments and Audits
CPRA introduced a requirement for regular cybersecurity audits and risk assessments for businesses whose processing presents 'significant risk to consumers' privacy or security'. The CPPA has been developing regulations that define thresholds and methodologies for these assessments.
Risk assessments must weigh the benefits of processing against the risks to consumer privacy, identify whether processing involves sensitive personal information or data about minors, and document safeguards that mitigate identified risks. These assessments must be submitted to the CPPA upon request. While the final regulations are still being refined, forward-looking organisations are already conducting privacy impact assessments for high-risk processing activities — particularly those involving profiling, automated decision-making, or large-scale processing of sensitive data.
Enforcement Reality: What the CPPA Is Watching
The CPPA has signalled its enforcement priorities through public statements, investigative sweeps, and early actions. Key areas of focus include: failure to honour GPC signals; inadequate opt-out mechanisms or dark patterns in opt-out flows; insufficient data minimisation practices; non-compliant contracts with service providers; and inadequate protection of minors' data.
Penalties under CPRA reach $2,500 per unintentional violation and $7,500 per intentional violation or violation involving minors. Given that violations are assessed per consumer per instance, a systematic failure affecting thousands of consumers creates exposure in the millions. The CPPA also has the authority to require businesses to undergo audits at their own expense. Beyond formal enforcement, the private right of action for data breaches resulting from failure to implement reasonable security measures remains available to consumers, with statutory damages of $100 to $750 per consumer per incident.