
CCPA / CPRA Overview

California's Consumer Privacy Rights and What They Mean for Your Business

US Law · 18 min read · Last updated: 23 February 2026

1. Introduction: California Leads US Privacy

The United States does not have a comprehensive federal data protection statute comparable to the EU's GDPR or India's DPDPA. Instead, privacy regulation in the US has historically been sector-specific — HIPAA for health data, GLBA for financial data, COPPA for children's online data, and FERPA for educational records. This patchwork left a significant gap: no general-purpose law governed how businesses collect, use, and sell the personal information of ordinary consumers.

California changed that calculus. The California Consumer Privacy Act (CCPA), signed into law on 28 June 2018 and effective from 1 January 2020, was the first comprehensive consumer privacy statute in the United States. It was driven in part by a ballot initiative — the California Consumer Privacy Act of 2018 (Proposition 24's predecessor) — and was adopted by the legislature as a compromise to avoid an even more restrictive ballot measure.

Two years later, California voters approved Proposition 24, enacting the California Privacy Rights Act (CPRA) in November 2020. The CPRA substantially amended the CCPA, introducing new consumer rights, a dedicated enforcement agency (the California Privacy Protection Agency, or CPPA), stricter rules on sensitive personal information, and requirements such as data minimisation and storage limitation. Most CPRA provisions took effect on 1 January 2023, with enforcement beginning on 1 July 2023.

The CCPA/CPRA is significant well beyond California's borders for several reasons:

  • Market gravity: California has a GDP of approximately USD 4 trillion — the world's fifth-largest economy. Any business with a meaningful US consumer base almost certainly has California consumers.
  • De facto federal standard: In the absence of federal legislation, the CCPA/CPRA sets the practical floor for US privacy compliance. Companies that comply with California law are substantially prepared for other state privacy statutes.
  • Global reach: The statute applies to businesses that collect California consumers' personal information, regardless of where the business is incorporated or headquartered — including Indian companies providing IT services, SaaS products, or e-commerce to US consumers.
  • Catalyst for state action: Since the CCPA, over 15 US states have enacted comprehensive privacy laws, creating a rapidly evolving patchwork. California remains the benchmark.

This guide provides a detailed examination of the CCPA/CPRA framework as amended through 2025, including its scope, consumer rights, business obligations, enforcement mechanisms, and practical compliance considerations — with particular attention to Indian companies that serve US consumers or process data on behalf of US businesses.

2. Scope and Applicability

The CCPA/CPRA applies to for-profit entities that do business in California and meet any one of three threshold tests. It does not apply to non-profit organisations or government agencies.

Threshold Tests (Meet Any One)

  • Revenue: annual gross revenue exceeding USD 25 million (adjusted for inflation beginning 2030). Practical implication: covers most mid-to-large enterprises; small businesses are generally exempt unless they meet another threshold.
  • Data volume: annually buys, sells, or shares the personal information of 100,000 or more consumers or households. Practical implication: the CPRA raised this from the original 50,000; it catches data-driven businesses even if revenue is below USD 25 million.
  • Revenue from data: derives 50% or more of annual revenue from selling or sharing consumers' personal information. Practical implication: specifically targets data brokers and ad-tech companies.

"Doing Business in California"

The CCPA does not define "doing business in California" with precision, but general California tax and regulatory principles apply. A business is likely "doing business" in California if it:

  • Has a physical presence (office, employees, servers) in California;
  • Is registered to do business in the state;
  • Actively solicits California consumers through targeted marketing, California-specific pricing, or a .com website that serves California residents; or
  • Has sufficient economic nexus through sales or transactions with California residents.

For Indian IT and SaaS companies, the "doing business" test is typically met if the company actively markets to US consumers, has US customers who include California residents, or processes personal information of California consumers on behalf of a US-based client.

Exemptions

Certain categories of data are partially or fully exempt from the CCPA/CPRA:

  • HIPAA-regulated health information (protected health information under the Health Insurance Portability and Accountability Act);
  • GLBA-regulated financial data (Gramm-Leach-Bliley Act);
  • FCRA-regulated consumer report data (Fair Credit Reporting Act);
  • DPPA-regulated vehicle data (Driver's Privacy Protection Act);
  • Publicly available information from government records; and
  • De-identified or aggregate consumer information (subject to specific statutory requirements for de-identification).

Note that the exemption applies to the data, not to the entity — a hospital may still be subject to the CCPA for non-health data it collects (e.g., employee personal information or website visitor data).

Practical Tip

The CPRA raised the data volume threshold from 50,000 to 100,000 consumers or households. However, with the addition of "sharing" (cross-context behavioural advertising) alongside "selling", more businesses may meet the revenue-from-data threshold than before.

3. Key Definitions

The CCPA/CPRA defines several key terms that differ materially from their counterparts in the GDPR and DPDPA. Understanding these definitions is critical to determining the scope of obligations.

Consumer

A consumer is a natural person who is a California resident, as defined by California tax law (generally, any individual who is in California for other than a temporary or transitory purpose, or who is domiciled in California). Unlike the GDPR, which applies to any "data subject" regardless of residency, the CCPA is explicitly residency-based. Importantly, the term includes California residents in their capacity as employees, job applicants, and B2B contacts — the earlier CCPA exemptions for employee and B2B data expired on 1 January 2023 when the CPRA took full effect.

Business

A business is a for-profit legal entity that collects consumers' personal information, determines the purposes and means of processing, does business in California, and meets at least one of the three threshold tests described above. This is roughly equivalent to the "data controller" under the GDPR or "data fiduciary" under the DPDPA.

Service Provider

A service provider is a legal entity that processes personal information on behalf of a business pursuant to a written contract. The contract must prohibit the service provider from retaining, using, or disclosing the personal information for any purpose other than performing services specified in the contract. This is analogous to the "data processor" under the GDPR.

Contractor (CPRA Addition)

The CPRA introduced the concept of a contractor — a person to whom a business makes personal information available for a business purpose pursuant to a written contract. The key distinction from a service provider is that a contractor may not be processing data "on behalf of" the business in the traditional sense but still receives personal information. Contractors are subject to similar contractual restrictions.

Personal Information

The CCPA defines personal information extremely broadly — as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Key features of this definition:

  • Household-level data: The CCPA is unique in extending protection to household-level data, not just individual-level data. Information about a household (e.g., smart-home data, household energy consumption) is personal information even if it cannot be linked to a specific individual.
  • Inferences: The definition explicitly includes "inferences drawn from any of the [listed categories] to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes." This captures algorithmic profiling and AI-derived data.
  • Broad enumeration: The statute lists 11 categories of personal information, including identifiers (name, IP address, email), commercial information (purchasing history), biometric information, internet activity, geolocation data, audio/visual data, professional/employment information, and education information.

Sensitive Personal Information (CPRA Addition)

The CPRA created a new subcategory of sensitive personal information (SPI) that is subject to enhanced protections. SPI includes:

  • Social Security number, driver's licence, state ID, or passport number;
  • Account log-in credentials (username plus password or security questions);
  • Financial account number with access codes;
  • Precise geolocation (within a radius of 1,850 feet / approximately 560 metres);
  • Racial or ethnic origin;
  • Religious or philosophical beliefs;
  • Union membership;
  • Contents of mail, email, or text messages (where the business is not the intended recipient);
  • Genetic data;
  • Biometric information for unique identification;
  • Health information; and
  • Sex life or sexual orientation.

Consumers have the right to limit a business's use of SPI to purposes that are necessary to perform the services or provide the goods reasonably expected by the consumer.

Important

The inclusion of "inferences" as personal information means that consumer profiles generated by AI, recommendation engines, or analytics platforms are subject to the full suite of CCPA/CPRA rights — including the right to know, delete, and correct. Companies using machine learning on consumer data should map inference outputs alongside raw data.

4. Consumer Rights Under CCPA/CPRA

The CCPA/CPRA grants California consumers a suite of actionable rights over their personal information. These rights have been expanded significantly by the CPRA amendments.

Right to Know (Access)

Consumers have the right to request that a business disclose: (a) the categories of personal information collected; (b) the specific pieces of personal information collected; (c) the categories of sources from which information was collected; (d) the business or commercial purpose for collecting, selling, or sharing the information; (e) the categories of third parties to whom information was disclosed; and (f) the categories of personal information sold or shared and the categories of recipients. Businesses must respond to verifiable consumer requests within 45 calendar days (extendable by an additional 45 days with notice).

Right to Delete

Consumers may request deletion of their personal information. Businesses must comply and must also direct service providers and contractors to delete the information. Exceptions include data needed for completing transactions, detecting security incidents, exercising free speech, complying with legal obligations, and internal uses reasonably aligned with consumer expectations.

Right to Correct (CPRA Addition)

Consumers may request that a business correct inaccurate personal information. The business must use commercially reasonable efforts to correct the information and must instruct service providers and contractors to make the same corrections.

Right to Opt-Out of Sale or Sharing

Consumers have the right to direct a business to stop selling or sharing their personal information. The CPRA expanded this right by adding "sharing" — defined as making personal information available for cross-context behavioural advertising — to the pre-existing right to opt out of "sale." Businesses must provide a clear and conspicuous "Do Not Sell or Share My Personal Information" link on their website.

Right to Limit Use of Sensitive Personal Information (CPRA Addition)

Consumers may direct a business to limit its use and disclosure of sensitive personal information to purposes that are necessary to perform the services or provide the goods reasonably expected by an average consumer. Businesses using SPI beyond these necessary purposes must provide a "Limit the Use of My Sensitive Personal Information" link.

Right to Non-Discrimination

Businesses may not discriminate against consumers who exercise their CCPA rights — for example, by denying goods or services, charging different prices, providing a different level of quality, or suggesting that exercising rights will result in adverse consequences. However, businesses may offer financial incentives for the collection, sale, or retention of personal information, provided those incentives are not unjust, unreasonable, coercive, or usurious, and the consumer provides opt-in consent.

Right to Data Portability

When a consumer exercises the right to know and requests specific pieces of personal information, the business must provide that information in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the information to another entity.

Summary of rights: original CCPA (2020) versus CPRA enhancement (2023)

  • Right to Know: originally a 12-month lookback; the CPRA extends it beyond 12 months (with exceptions).
  • Right to Delete: originally direct deletion by the business; the CPRA adds flow-down to service providers and contractors.
  • Right to Correct: not available under the original CCPA; new right introduced by the CPRA.
  • Opt-Out of Sale: originally sale only; the CPRA covers sale and sharing (cross-context behavioural advertising).
  • Limit SPI Use: not available under the original CCPA; new right introduced by the CPRA.
  • Non-Discrimination: originally basic protection; the CPRA expands it and explicitly prohibits retaliatory actions.

5. Business Obligations

Businesses subject to the CCPA/CPRA must implement a range of operational and transparency measures. The obligations extend well beyond simply posting a privacy policy.

Privacy Notice (At or Before Collection)

Businesses must provide consumers with a notice at or before the point of collection that discloses: (a) the categories of personal information to be collected; (b) the purposes for which each category will be used; (c) whether the information is sold or shared; (d) the retention period for each category (CPRA addition); and (e) a link to the full privacy policy. For online collection, this notice must be accessible from the homepage. For offline collection (e.g., in-store), it must be provided via a printed notice, conspicuous signage, or similar mechanism.

"Do Not Sell or Share My Personal Information" Link

Businesses that sell or share personal information must provide a clear, conspicuous link on their homepage (and in their privacy policy) titled "Do Not Sell or Share My Personal Information." This link must enable consumers to opt out without requiring account creation. CPRA regulations also require businesses to honour opt-out preference signals (such as the Global Privacy Control or GPC browser signal) as valid opt-out requests.

"Limit the Use of My Sensitive Personal Information" Link

Businesses that use or disclose sensitive personal information for purposes beyond what is necessary to provide the goods or services requested must provide a separate link titled "Limit the Use of My Sensitive Personal Information." Alternatively, a single combined link may be used if it clearly addresses both functions.

Responding to Consumer Requests

  • Verification: Businesses must verify the identity of the consumer making the request. The degree of verification should be proportionate to the sensitivity of the information and the nature of the request. For requests for specific pieces of personal information, a higher degree of verification is required.
  • Timeline: Businesses must acknowledge receipt of a request within 10 business days and provide a substantive response within 45 calendar days. An extension of up to 45 additional days is permitted with notice to the consumer.
  • Methods: Businesses must provide at least two methods for submitting requests, including at a minimum a toll-free telephone number and, if the business has a website, a web form. Businesses that operate exclusively online may provide only an email address.
  • Format: Responses must be provided in a readily usable format. For access requests, the business must provide the information free of charge and in a portable format.
  • Record-keeping: Businesses that buy, sell, or share the personal information of 10 million or more consumers must maintain records of consumer requests and responses for at least 24 months and report metrics annually.

Training and Compliance Infrastructure

Businesses must ensure that all individuals responsible for handling consumer inquiries are informed of the CCPA/CPRA requirements and know how to direct consumers to exercise their rights. Businesses must also designate methods for consumer contact and maintain internal processes to track and respond to requests.

Data Minimisation and Retention Limits (CPRA Addition)

The CPRA introduced a principle of data minimisation — businesses must not collect, use, retain, or share personal information beyond what is "reasonably necessary and proportionate" to achieve the purposes for which it was collected or processed. Businesses must also disclose retention periods for each category of personal information and must not retain data longer than is reasonably necessary for the disclosed purpose.

Practical Tip

Global Privacy Control (GPC) is a browser-based opt-out signal that California regulations treat as a valid consumer request to opt out of the sale and sharing of personal information. Businesses must detect and honour GPC signals. Ensure your consent management platform is configured to recognise and process these signals automatically.
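The following is an added example, not code from this guide's author, showing how a web backend can treat the GPC signal described above as a valid opt-out. It assumes a generic backend that exposes request headers as a mapping; the header name and value ("Sec-GPC: 1") are taken from the GPC specification, while every function, class, sample header set and sample tag list below is hypothetical and constructed for illustration.

```python
"""Detecting the Global Privacy Control (GPC) opt-out signal on inbound requests.

Added example for this guide, not code from the guide's author. It assumes a
generic web backend that exposes request headers as a mapping. The header name
and value ("Sec-GPC: 1") are taken from the GPC specification; every function,
class and sample record below is hypothetical.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

GPC_HEADER = "sec-gpc"


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True when the request carries a valid GPC signal.

    HTTP header names are case-insensitive, so the lookup normalises case.
    The specification defines the value as exactly "1"; any other value is
    treated as no signal rather than guessed at.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


@dataclass
class ConsumerPreferences:
    """Opt-out state held for a visitor (hypothetical record shape)."""
    consumer_id: Optional[str]               # None for an unauthenticated visitor
    opted_out_of_sale_or_sharing: bool = False
    source: Optional[str] = None             # how the opt-out was recorded


def apply_gpc(headers: Mapping[str, str], prefs: ConsumerPreferences) -> ConsumerPreferences:
    """Treat a GPC signal as a valid request to opt out of sale and sharing.

    An opt-out already on file (for example one submitted through the
    "Do Not Sell or Share" link) is kept, together with its original source.
    """
    if gpc_signal_present(headers) and not prefs.opted_out_of_sale_or_sharing:
        prefs.opted_out_of_sale_or_sharing = True
        prefs.source = "gpc-signal"
    return prefs


def tags_to_load(prefs: ConsumerPreferences, tags):
    """Suppress tags that make data available for cross-context behavioural
    advertising once the visitor has opted out; first-party tags still load."""
    if not prefs.opted_out_of_sale_or_sharing:
        return [t["name"] for t in tags]
    return [t["name"] for t in tags if not t["shares_for_ads"]]


# Constructed sample tag inventory, not a real site's configuration.
SAMPLE_TAGS = [
    {"name": "first-party-analytics", "shares_for_ads": False},
    {"name": "retargeting-pixel", "shares_for_ads": True},
    {"name": "social-ads-script", "shares_for_ads": True},
]


if __name__ == "__main__":
    request_headers = {"Sec-GPC": "1", "User-Agent": "example-browser"}  # constructed
    prefs = apply_gpc(request_headers, ConsumerPreferences(consumer_id=None))
    print(prefs)
    print("tags to load:", tags_to_load(prefs, SAMPLE_TAGS))
```

The design point is that the signal is evaluated on every request before any sharing tag is emitted, and that an opt-out already recorded through another channel is never overwritten, so the audit trail shows how each opt-out arose.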

6. Service Provider and Contractor Requirements

The CCPA/CPRA imposes specific requirements on entities that process personal information on behalf of businesses. For Indian IT companies, outsourcing firms, and SaaS providers, this is often the most immediately relevant aspect of the statute.

Contractual Requirements

Any entity acting as a service provider or contractor must enter into a written contract with the business that:

  • Specifies the business purpose for which personal information is disclosed;
  • Prohibits the service provider or contractor from selling or sharing the personal information;
  • Prohibits retention, use, or disclosure of the information for any purpose other than performing the contracted services, including for the service provider's or contractor's own commercial purposes;
  • Requires the service provider or contractor to comply with applicable CCPA/CPRA obligations and to provide the same level of privacy protection as required by the statute;
  • Grants the business the right to take reasonable steps to ensure that the service provider or contractor uses the personal information consistently with the business's obligations; and
  • Requires the service provider or contractor to notify the business if it can no longer meet its obligations and, in such case, grants the business the right to take reasonable and appropriate steps to stop and remediate unauthorised use.

Sub-processor Flow-Down

Service providers and contractors must ensure that any sub-processors (entities to whom they further disclose personal information) are also subject to equivalent contractual restrictions. This creates a flow-down obligation chain similar to the GDPR's sub-processor framework. For Indian IT companies that use third-party cloud infrastructure, analytics tools, or sub-contracted development teams, this means ensuring that each downstream entity is contractually bound.

Restrictions on Use

Service providers and contractors may not:

  • Combine personal information received from different businesses (or collected on behalf of different businesses) unless expressly permitted to do so for a specific statutory purpose;
  • Use personal information to build profiles about consumers for purposes unrelated to the contracted services; or
  • Use personal information for targeted advertising to consumers based on data from other clients.

Due Diligence

Businesses have an obligation to conduct reasonable due diligence on their service providers and contractors. This is not a one-time exercise — businesses must take "reasonable and appropriate steps" on an ongoing basis to ensure that service providers use personal information in a manner consistent with the CCPA/CPRA. In practice, this means audit rights, periodic questionnaires, and certification requirements.

KSK Insight

KSK regularly advises Indian IT services and SaaS companies on structuring their service provider agreements to comply with CCPA/CPRA requirements. The contractual flow-down obligations are particularly important for companies in the BPO and cloud services sectors, where data passes through multiple processing layers.

7. CPRA Enhancements Over the Original CCPA

The CPRA was not merely an amendment to the CCPA — it was a substantial overhaul that brought California's privacy framework closer to GDPR-level protections in several respects. The key enhancements are summarised below.

California Privacy Protection Agency (CPPA)

The most significant structural change was the creation of the California Privacy Protection Agency (CPPA), a dedicated administrative agency with rulemaking, investigative, and enforcement authority. Before the CPRA, the CCPA was enforced solely by the California Attorney General. The CPPA is the first dedicated data protection authority in the United States and represents a significant step toward a European-style regulatory model. The CPPA has been actively issuing regulations since 2023, including detailed rules on opt-out preference signals, dark patterns, and cybersecurity audits.

Sensitive Personal Information

As discussed in Section 3, the CPRA introduced the category of sensitive personal information and gave consumers the right to limit its use. This mirrors (though does not replicate) the GDPR's "special categories of data" concept.

Opt-Out Preference Signals

The CPRA requires businesses to treat opt-out preference signals (such as GPC) as valid opt-out requests. This is a technology-forward approach that enables consumers to express their privacy preferences at the browser or device level rather than on a site-by-site basis.

Data Minimisation and Purpose Limitation

The CPRA introduced a data minimisation principle — businesses must collect, use, retain, and share personal information only as "reasonably necessary and proportionate" to achieve the disclosed purpose. This is a fundamental shift from the CCPA's largely disclosure-oriented model to a substantive limitation on data practices.

Retention Periods

Businesses must now disclose the retention period for each category of personal information (or the criteria used to determine the period) and must not retain data longer than reasonably necessary for the disclosed purpose.

Cybersecurity Audit and Risk Assessment Requirements

The CPRA authorised the CPPA to issue regulations requiring businesses whose processing presents significant risk to consumer privacy to: (a) perform annual cybersecurity audits; and (b) submit regular risk assessments to the CPPA. These regulations are under active development as of early 2026, with draft rules having been circulated in 2024 and 2025.

Automated Decision-Making

The CPRA granted the CPPA authority to issue regulations governing consumers' rights with respect to automated decision-making technology (ADM), including profiling. Proposed regulations would give consumers rights to: (a) opt out of ADM; (b) access information about the logic involved; and (c) request a review of significant decisions made by ADM. Final rules are expected in 2026.

Expanded Enforcement

The CPRA eliminated the 30-day cure period that existed under the original CCPA, meaning businesses no longer have an automatic right to fix violations before facing enforcement action. It also tripled the penalty for violations involving the personal information of minors (consumers under 16 years of age) to USD 7,500 per violation.

Important

The elimination of the 30-day cure period means that businesses face immediate enforcement risk upon violation. Proactive compliance — rather than reactive remediation — is now essential. The CPPA has signalled that it will prioritise enforcement against companies that fail to honour opt-out preference signals.

8. Selling and Sharing Personal Information

The concepts of "selling" and "sharing" personal information are central to the CCPA/CPRA's opt-out framework and are defined more broadly than many businesses expect.

Selling

The CCPA defines "selling" as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration." The critical phrase is "other valuable consideration" — this means that data exchanges where no money changes hands may still constitute a "sale" if the business receives something of value in return (e.g., enhanced analytics, free services, data enrichment).

Sharing (CPRA Addition)

The CPRA introduced the concept of "sharing" as a separate category: making personal information available to a third party for cross-context behavioural advertising, whether or not for monetary or other valuable consideration. Cross-context behavioural advertising means the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services. This definition is specifically aimed at the ad-tech ecosystem — programmatic advertising, retargeting pixels, and data management platforms.

Practical Implications

  • Third-party cookies and pixels: Embedding third-party tracking pixels (e.g., Meta Pixel, Google Analytics with advertising features) on a website may constitute "sharing" personal information because data is being made available to a third party for cross-context behavioural advertising.
  • Data enrichment: Sending consumer data to a third-party data broker for enrichment — even if the broker returns the enriched data — may constitute a "sale" because the broker derives value from the data it receives.
  • Service provider exception: Disclosing personal information to a service provider for a business purpose (under a compliant contract) does not constitute a sale or sharing. Proper contractual structuring is therefore critical.

Opt-Out Mechanisms

Businesses that sell or share personal information must:

  1. Provide a "Do Not Sell or Share My Personal Information" link on their website homepage;
  2. Honour opt-out preference signals (GPC) as valid opt-out requests;
  3. Wait at least 12 months before requesting that a consumer who has opted out re-consent to the sale or sharing of their personal information;
  4. Not use dark patterns to subvert the consumer's opt-out choice; and
  5. For consumers under 16 years of age, obtain affirmative opt-in consent before selling or sharing (with parental consent required for children under 13).

Practical Tip

Audit your website for all third-party tags, pixels, and scripts. Each one that transmits consumer data to a third party may trigger "selling" or "sharing" obligations. A comprehensive tag audit — using tools like browser developer consoles, network traffic analysers, or tag management platforms — is a practical first step toward compliance.
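As an added example for the tag audit just described (not tooling from this guide's author), the script below inventories the scripts, pixels and frames in a saved HTML page and reports those that load from hosts other than the site's own. It uses only the Python standard library and runs offline; the sample page, its hostnames and the site domain "shop.example" are constructed for the example. Its first-party rule (the site's domain and its subdomains) is a deliberate simplification, and a static inventory only captures what is in the markup: tags that load further resources at runtime need a network capture as well.

```python
"""Inventory the third-party scripts, pixels and frames embedded in a page.

Added example for this guide, not the guide's own tooling. It runs offline on
saved HTML using only the standard library. The sample page and its hostnames
are constructed for the example. The classification rule (a host is first-party
when it equals, or is a subdomain of, the site's own domain) is a deliberate
simplification, and a static inventory is only the first step: tags that load
further resources at runtime need a network-level capture as well.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Element/attribute pairs that make the browser fetch from another host and
# therefore make visitor data (at minimum IP address and page URL) available
# to that host.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src"}


def host_of(url: str) -> str:
    """Hostname of a URL, lower-cased; '' for relative paths.

    Protocol-relative URLs ("//host/path") carry a netloc without a scheme and
    are handled by urlsplit; relative paths have no host and are first-party.
    """
    return (urlsplit(url).hostname or "").lower()


def is_first_party(host: str, site_domain: str) -> bool:
    """Simplified rule: the site's own domain and its subdomains are first-party."""
    site_domain = site_domain.lower()
    return host == site_domain or host.endswith("." + site_domain)


class TagInventory(HTMLParser):
    """Collects (element, host, url) for every externally loaded resource."""

    def __init__(self, site_domain: str):
        super().__init__()
        self.site_domain = site_domain
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if not url:
            return
        host = host_of(url)
        if host and not is_first_party(host, self.site_domain):
            self.findings.append((tag, host, url))


def audit_html(html: str, site_domain: str):
    """Return the list of third-party (element, host, url) findings in a page."""
    parser = TagInventory(site_domain)
    parser.feed(html)
    parser.close()
    return parser.findings


def third_party_hosts(html: str, site_domain: str):
    """Distinct third-party hosts, sorted, for review against vendor contracts."""
    return sorted({host for _, host, _ in audit_html(html, site_domain)})


# Constructed sample page for a hypothetical site "shop.example"; the hostnames
# are made up for the example and do not refer to real tag vendors.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script async src="https://tags.adnetwork-example.net/t.js"></script>
</head><body>
<img src="/img/logo.png" alt="">
<noscript><img height="1" width="1" src="https://px.adnetwork-example.net/p?id=123"></noscript>
<iframe src="//widgets.social-example.com/like"></iframe>
</body></html>
"""


if __name__ == "__main__":
    for element, host, url in audit_html(SAMPLE_HTML, "shop.example"):
        print(f"{element:<7} {host:<32} {url}")
```

Each host the script reports should map to one of three outcomes: a service provider under a compliant contract (no sale or sharing), a recipient whose tag must be gated behind the opt-out, or a tag that has no justified purpose and should be removed. Pixels inside noscript blocks are deliberately included, since they fire for visitors with scripting disabled.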

9. Enforcement and Penalties

The CCPA/CPRA has a dual enforcement structure: administrative enforcement by regulators and a limited private right of action for consumers.

Administrative Enforcement

  • California Attorney General. Authority: civil enforcement under the CCPA; injunctive relief; civil penalties. Key actions: brought the first enforcement actions in 2021-2022 (e.g., the Sephora settlement for USD 1.2 million in August 2022).
  • CPPA. Authority: rulemaking, investigation, and enforcement from 1 July 2023; full administrative authority. Key actions: actively issuing regulations on GPC, cybersecurity audits, ADM, and dark patterns; initiated enforcement inquiries in 2024-2025.

Civil Penalties

  • Unintentional violations: Up to USD 2,500 per violation
  • Intentional violations: Up to USD 7,500 per violation
  • Violations involving minors (under 16): Up to USD 7,500 per violation (CPRA tripled the intentional violation penalty for minors and eliminated the distinction between intentional and unintentional for this category)

Penalties are assessed per violation, meaning that a single data practice affecting millions of consumers could theoretically result in penalties calculated on a per-consumer, per-violation basis. The Sephora enforcement action — USD 1.2 million for failing to honour opt-out requests and not disclosing that it was "selling" personal information — illustrates the practical risk.

Private Right of Action (Data Breaches Only)

The CCPA provides consumers with a private right of action — but only in the narrow context of data breaches resulting from a business's failure to implement and maintain reasonable security procedures. Consumers may seek:

  • Statutory damages of not less than USD 100 and not more than USD 750 per consumer per incident, or actual damages, whichever is greater;
  • Injunctive or declaratory relief; and
  • Any other relief the court deems proper.

This private right of action has generated significant class action litigation. The "reasonable security" standard references California Civil Code section 1798.81.5, which the California Attorney General has interpreted by reference to the CIS Critical Security Controls. Businesses should ensure their security practices align with recognised frameworks (CIS, NIST, ISO 27001) to defend against such claims.

No Cure Period Under CPRA

The original CCPA provided a 30-day cure period — upon receiving notice of a violation from the Attorney General, the business had 30 days to cure the violation before penalties could be imposed. The CPRA eliminated this cure period effective 1 January 2023. Businesses now face immediate enforcement risk without any statutory grace period.

Important

The private right of action for data breaches creates real class action exposure. A breach affecting 1 million California consumers at statutory minimum damages of USD 100 per consumer equals USD 100 million in potential liability. Investing in robust security measures is not merely a compliance exercise — it is a litigation risk management imperative.

10. Other US State Privacy Laws: The Expanding Patchwork

The CCPA/CPRA catalysed a wave of state privacy legislation across the United States. As of early 2026, over 15 states have enacted comprehensive consumer privacy statutes, with dozens more considering similar legislation. While each state law has unique features, they share a common core of consumer rights and business obligations influenced by the CCPA and, to varying degrees, the GDPR.

State laws, effective dates and key distinguishing features:

  • Virginia: Consumer Data Protection Act (CDPA), effective 1 Jan 2023. No private right of action; AG enforcement only; narrower definition of "sale" (monetary consideration only).
  • Colorado: Colorado Privacy Act (CPA), effective 1 Jul 2023. Universal opt-out mechanism; data protection assessments; recognises opt-out preference signals.
  • Connecticut: Connecticut Data Privacy Act (CTDPA), effective 1 Jul 2023. Similar to Virginia; recognises universal opt-out; cure period (declining over time).
  • Utah: Utah Consumer Privacy Act (UCPA), effective 31 Dec 2023. Business-friendly; higher thresholds (USD 25M revenue plus data processing); narrow scope.
  • Texas: Texas Data Privacy and Security Act (TDPSA), effective 1 Jul 2024. Applies broadly to entities conducting business in Texas; no revenue threshold; AG enforcement.
  • Oregon: Oregon Consumer Privacy Act (OCPA), effective 1 Jul 2024. Covers non-profits (unique); lower threshold for data volume.
  • Montana: Montana Consumer Data Privacy Act (MTCDPA), effective 1 Oct 2024. Covers smaller businesses; population-adjusted thresholds.
  • Delaware: Delaware Personal Data Privacy Act (DPDPA), effective 1 Jan 2025. Broad scope; covers non-profits (after initial period); low threshold (35,000 consumers for data-sale businesses).
  • Iowa: Iowa Consumer Data Protection Act (ICDPA), effective 1 Jan 2025. Business-friendly; 90-day cure period; no opt-out preference signal requirement.
  • New Jersey: New Jersey Data Privacy Act (NJDPA), effective 15 Jan 2025. Broad scope; covers entities without revenue thresholds; heightened consent for sensitive data.

Federal Privacy Legislation Outlook

Despite multiple attempts — most notably the American Data Privacy and Protection Act (ADPPA), which passed the House Energy and Commerce Committee in 2022 — comprehensive federal privacy legislation has not yet been enacted as of early 2026. Key sticking points include: (a) federal preemption of state laws (California opposes preemption of the CCPA); (b) a private right of action (business groups oppose it); and (c) the scope of FTC enforcement authority. Until federal legislation passes, the state patchwork will continue to expand, and the CCPA/CPRA will remain the practical compliance benchmark.

For companies operating nationally or globally, the compliance challenge is managing overlapping and occasionally inconsistent requirements across multiple state jurisdictions. Many companies adopt a "comply with California" strategy as a baseline, supplemented by state-specific adjustments where required.

11. CCPA vs DPDPA vs GDPR: Comparative Analysis

Indian companies and multinational enterprises often need to navigate multiple privacy regimes simultaneously. The following table provides a structured comparison of the three most relevant frameworks: California's CCPA/CPRA, India's DPDPA 2023, and the EU's GDPR.

| Dimension | CCPA / CPRA (California) | DPDPA 2023 (India) | GDPR (EU/EEA) |
| --- | --- | --- | --- |
| Effective Date | CCPA: 1 Jan 2020; CPRA amendments: 1 Jan 2023 | Enacted Aug 2023; rules pending notification (expected 2025-2026) | 25 May 2018 |
| Territorial Scope | For-profit businesses doing business in California meeting revenue/data thresholds | Processing of digital personal data in India; or processing outside India if offering goods/services to data principals in India | Establishments in EU/EEA; or offering goods/services to, or monitoring behaviour of, EU/EEA data subjects |
| Legal Basis for Processing | No consent requirement for collection (notice-and-opt-out model); consent only for sale/sharing opt-in (minors), SPI use beyond necessity, and financial incentives | Consent or "legitimate uses" (enumerated: state functions, employment, medical emergencies, etc.) | Six legal bases: consent, contract, legal obligation, vital interests, public interest, legitimate interests |
| Key Rights | Know, delete, correct, opt-out of sale/sharing, limit SPI use, non-discrimination, portability | Access, correction, erasure, grievance redressal, nomination of representative | Access, rectification, erasure, restriction, portability, objection, rights related to automated decision-making |
| Sensitive Data | Sensitive Personal Information (SPI) — 12 categories; right to limit use | Not separately defined in statute; rules may specify additional protections for children's data | Special Categories — 10 types; requires explicit consent or specific legal basis |
| Children's Data | Opt-in consent for sale/sharing for under-16; parental consent for under-13; USD 7,500 per violation for minors | Verifiable parental consent required; restrictions on tracking/targeting/behavioural monitoring of children | Parental consent for information society services for under-16 (member states may lower to 13); child-specific DPIA |
| Cross-Border Transfers | No specific cross-border transfer restrictions (follows the data, not the location) | Permitted except to countries specifically restricted by Central Government notification | Restricted; adequacy decisions, SCCs, BCRs, or derogations required |
| Enforcement Authority | California AG + CPPA (dual enforcement) | Data Protection Board of India (DPBI) | National supervisory authorities (DPAs) + EDPB coordination |
| Penalties | USD 2,500 (unintentional) / USD 7,500 (intentional) per violation; private right of action for breaches (USD 100-750 per consumer per incident) | Up to INR 250 crore (approx. USD 30M) per instance; no private right of action | Up to EUR 20M or 4% of global annual turnover, whichever is higher; private right of action (compensation) |
| Data Minimisation | CPRA: reasonably necessary and proportionate | Collection limited to what is necessary for the stated purpose | Adequate, relevant, and limited to what is necessary (Article 5(1)(c)) |
| DPO / Designated Officer | No DPO requirement; but must designate a contact for consumer requests | Significant Data Fiduciaries must appoint a Data Protection Officer based in India | DPO required for public authorities, large-scale special category processing, or large-scale systematic monitoring |
| Breach Notification | Not in CCPA itself; separate California data breach notification law (Civ. Code 1798.82) requires notification without unreasonable delay | Mandatory notification to DPBI; timelines to be specified in rules | 72-hour notification to DPA; notification to data subjects if high risk |

The most notable difference for Indian companies is the consent model. The GDPR and DPDPA are primarily consent-driven (though the GDPR provides alternative legal bases), while the CCPA/CPRA operates on a notice-and-opt-out model — businesses may collect and use personal information without affirmative consent, but consumers can opt out of sale, sharing, and certain uses of sensitive data. This means that consent management platforms designed for GDPR compliance may need significant reconfiguration for CCPA/CPRA purposes.

KSK Insight

KSK advises clients on harmonised privacy compliance across CCPA/CPRA, DPDPA, and GDPR. Our cross-border data protection team can help you design a unified compliance framework that satisfies all three regimes while minimising operational complexity.

12. Compliance for Indian Companies Serving US Consumers

Indian companies are increasingly subject to the CCPA/CPRA — either as businesses in their own right (where they directly serve California consumers) or as service providers and contractors (where they process personal information on behalf of US-based clients). Understanding when and how the CCPA applies is essential for India's large IT services, SaaS, e-commerce, and BPO sectors.

When Does the CCPA Apply to Indian Companies?

An Indian company may be subject to the CCPA/CPRA in the following scenarios:

  1. Direct-to-consumer SaaS or e-commerce: An Indian SaaS company that sells subscriptions to US consumers and has California users meeting any threshold test is a "business" under the CCPA. This includes companies offering B2B SaaS where the end users are employees of California-based companies.
  2. IT outsourcing and BPO: An Indian IT services company that processes personal information of California consumers on behalf of a US client is a "service provider" under the CCPA. The US client (as the business) must ensure a compliant contract is in place, and the Indian company must adhere to the contractual restrictions.
  3. Data analytics and ad-tech: Indian companies that provide analytics, data enrichment, or advertising technology services that involve accessing California consumer data may be classified as service providers, contractors, or even third parties — depending on their contractual and operational relationship with the data.
  4. App developers: Indian companies that develop and publish mobile applications used by California residents and that collect personal information through those apps are likely "businesses" if they meet any threshold test.

Practical Compliance Steps

  • Data mapping: Identify all data flows involving California consumer personal information — where it is collected, where it is stored, who has access, and to whom it is disclosed. Map these flows across your organisation and any sub-processors.
  • Contract review: If you act as a service provider, review and update your service agreements to include all CCPA/CPRA-required provisions (purpose limitation, prohibitions on selling/sharing, sub-processor flow-down, compliance certification, and remediation obligations).
  • Privacy notice: If you are a "business" under the CCPA (i.e., you directly serve California consumers), update your privacy policy to include all CCPA/CPRA-required disclosures: categories of PI collected, purposes, retention periods, sale/sharing practices, consumer rights, and request submission methods.
  • Opt-out mechanism: Implement the "Do Not Sell or Share" link and configure your systems to honour GPC signals if you sell or share personal information.
  • Request handling: Build or procure systems to receive, verify, and respond to consumer requests (know, delete, correct, opt-out, limit SPI) within the statutory timelines.
  • Security measures: Implement and maintain "reasonable security procedures and practices" — the private right of action for data breaches applies to Indian companies that are custodians of California consumer data. Reference CIS Controls, ISO 27001, or NIST frameworks.
  • Vendor management: If you engage sub-processors (e.g., cloud hosting providers, analytics platforms), ensure they are contractually bound to CCPA-equivalent restrictions and conduct periodic due diligence.
  • Training: Train relevant staff (customer support, engineering, legal, product) on CCPA/CPRA requirements, consumer rights, and your internal processes for handling requests.

Common Pitfalls for Indian Companies

  • Assuming "no US entity means no CCPA": The CCPA applies based on the "doing business in California" test, not on the basis of having a US subsidiary or office. Indian companies that market to US consumers or process their data are within scope.
  • Conflating DPDPA consent with CCPA opt-out: The CCPA's notice-and-opt-out model is fundamentally different from the DPDPA's consent-first approach. Do not assume that a DPDPA-compliant consent flow will satisfy CCPA requirements (or vice versa).
  • Inadequate service provider contracts: Using generic NDAs or data processing agreements drafted for GDPR compliance is insufficient. CCPA service provider contracts have specific requirements (prohibition on combining data from multiple clients, restrictions on commercial use) that differ from GDPR DPA terms.
  • Ignoring the "sharing" concept: Many Indian companies use third-party analytics or advertising tools on their US-facing websites without recognising that this may constitute "sharing" under the CPRA.

KSK Insight

KSK has deep experience advising Indian IT services, SaaS, and e-commerce companies on CCPA/CPRA compliance. Our team understands the practical challenges of cross-border compliance and can help you build a programme that satisfies both US and Indian privacy requirements without duplicating effort.

13. CCPA/CPRA Compliance Checklist

Use this checklist to assess your organisation's readiness for CCPA/CPRA compliance. Each item represents a concrete step that businesses and service providers should address.

A. Threshold and Applicability Assessment

  • Determine whether your organisation meets any of the three CCPA threshold tests (USD 25M revenue, 100K consumers/households, 50% data revenue).
  • Assess whether your organisation "does business in California" — consider marketing activities, customer base, contracts with California entities, and web presence.
  • Classify your organisation's role: business, service provider, contractor, or third party.
  • Identify any sector-specific exemptions (HIPAA, GLBA, FCRA) that may apply to specific data categories.

B. Data Inventory and Mapping

  • Catalogue all categories of personal information collected, including sources, purposes, and retention periods.
  • Identify all categories of sensitive personal information (SPI) processed.
  • Map data flows: collection points, storage locations, internal access, disclosures to service providers, contractors, and third parties.
  • Identify all instances of "selling" or "sharing" personal information (including ad-tech integrations, data enrichment, and analytics services).

C. Privacy Notices and Disclosures

  • Update privacy policy to include all CCPA/CPRA-required disclosures (categories of PI, purposes, retention periods, rights, request methods).
  • Provide a notice at or before the point of collection.
  • Include a "Do Not Sell or Share My Personal Information" link on homepage (if applicable).
  • Include a "Limit the Use of My Sensitive Personal Information" link on homepage (if applicable).
  • Ensure the privacy policy is updated at least every 12 months.

D. Consumer Rights Fulfilment

  • Implement at least two methods for consumers to submit requests (toll-free number + web form or email).
  • Build or procure a system for receiving, logging, verifying, and responding to consumer requests.
  • Establish identity verification procedures proportionate to the sensitivity of the request.
  • Ensure ability to respond within 45 calendar days (with 45-day extension if needed).
  • Implement processes to flow deletion and correction requests to service providers and contractors.

E. Contracts and Vendor Management

  • Review and update all service provider and contractor agreements to include CCPA/CPRA-required provisions.
  • Ensure sub-processor flow-down clauses are in place.
  • Conduct due diligence on service providers and contractors (questionnaires, audits, certifications).
  • Maintain a register of all entities to whom personal information is disclosed, with their classification (service provider, contractor, third party).

F. Technical and Operational Measures

  • Configure systems to detect and honour Global Privacy Control (GPC) opt-out preference signals.
  • Implement data minimisation and retention controls aligned with disclosed purposes and retention periods.
  • Maintain "reasonable security procedures and practices" — map controls to CIS, NIST, or ISO 27001 frameworks.
  • Conduct or prepare for annual cybersecurity audits (where required by CPPA regulations).
  • Conduct risk assessments for processing activities that present significant risk to consumer privacy.
  • Implement age-gating and parental consent mechanisms if processing data of consumers under 16.
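The GPC item here, and the "Opt-out mechanism" step in Section 12, both come down to the same engineering task: recognise the browser's signal and make the opt-out stick. The following Python sketch is an added illustration, not code from this guide; it assumes a simple in-memory consent record and a constructed classification of which third-party tags constitute "sharing", which a real deployment would take from its data-mapping exercise.

```python
"""Detect and honour a Global Privacy Control (GPC) opt-out signal (added example)."""
from dataclasses import dataclass
from typing import Mapping

# Constructed sample tags. Whether a tag discloses personal information for
# cross-context behavioural advertising ("sharing" under the CPRA) is a decision
# made during data mapping; these classifications are illustrative only.
SAMPLE_TAGS = {
    "first_party_analytics": {"sharing": False},
    "ad_network_pixel": {"sharing": True},
    "social_retargeting_pixel": {"sharing": True},
}


@dataclass
class ConsumerPrefs:
    """Minimal consent record (assumed shape, not the guide's)."""
    consumer_id: str
    opted_out_sale_sharing: bool = False
    source: str = "default"  # "gpc", "link" or "default"


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True when the request carries a valid GPC signal.

    Per the GPC specification the browser sends the header `Sec-GPC: 1`;
    any other value (or its absence) is not an opt-out signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_request(prefs: ConsumerPrefs, headers: Mapping[str, str]) -> ConsumerPrefs:
    """Treat a GPC signal as an opt-out of sale/sharing for this consumer.

    The opt-out is sticky: a later request without the header (a different
    browser, a cleared setting) must not silently re-enable selling or sharing.
    """
    if gpc_signal_present(headers) and not prefs.opted_out_sale_sharing:
        prefs.opted_out_sale_sharing = True
        prefs.source = "gpc"
    return prefs


def tags_to_load(prefs: ConsumerPrefs, tags: Mapping[str, dict]) -> list[str]:
    """Third-party tags that may fire for this consumer: once opted out,
    every tag classified as 'sharing' is suppressed; first-party tags still load."""
    return [name for name, meta in tags.items()
            if not (meta["sharing"] and prefs.opted_out_sale_sharing)]


def gpc_wellknown(last_update: str) -> dict:
    """Body for /.well-known/gpc.json, which advertises that the site honours
    GPC; `last_update` is an ISO date (YYYY-MM-DD) as the specification expects."""
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    prefs = ConsumerPrefs("c-0001")
    print(tags_to_load(prefs, SAMPLE_TAGS))              # all three tags
    apply_request(prefs, {"Sec-GPC": "1", "User-Agent": "constructed-ua"})
    print(tags_to_load(prefs, SAMPLE_TAGS))              # only first_party_analytics
    apply_request(prefs, {"User-Agent": "constructed-ua"})
    print(prefs.opted_out_sale_sharing)                  # True: opt-out persists
```

Reading `navigator.globalPrivacyControl` in the page's own JavaScript gives the same signal client-side, but the server-side header is the reliable place to record the opt-out before any tag fires.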

G. Training and Governance

  • Train all personnel responsible for handling consumer inquiries on CCPA/CPRA requirements.
  • Designate internal responsibility for CCPA/CPRA compliance (e.g., privacy office, DPO, or legal team).
  • Establish an internal audit and review cycle (at least annual) for privacy practices.
  • If processing 10M+ consumers' data: maintain request metrics records for 24 months and publish annual metrics.

Practical Tip

Treat this checklist as a living document. The CPPA continues to issue new regulations, and enforcement trends are evolving. Schedule quarterly reviews to reassess your compliance posture against new regulatory developments.

Key Takeaways

  • The CCPA/CPRA is the most comprehensive US consumer privacy statute and serves as the de facto national standard in the absence of federal legislation.
  • Applicability extends to any for-profit entity doing business in California that meets any one of three thresholds: USD 25M revenue, 100K consumers/households, or 50% revenue from selling/sharing data.
  • The CPRA significantly strengthened the CCPA by creating a dedicated enforcement agency (CPPA), adding sensitive personal information protections, requiring data minimisation and retention limits, and eliminating the 30-day cure period.
  • Indian IT services, SaaS, and BPO companies are frequently within scope — either as businesses directly serving California consumers or as service providers processing data under contract.
  • The "selling" and "sharing" definitions are broader than they appear: ad-tech integrations, third-party pixels, and data enrichment arrangements may all trigger opt-out obligations.
  • The private right of action for data breaches creates significant class action exposure — statutory damages of USD 100-750 per consumer per incident can quickly reach nine-figure liability.
  • Over 15 US states have now enacted comprehensive privacy laws, creating a patchwork that makes CCPA/CPRA compliance the practical starting point for any US privacy programme.
  • Companies should conduct a thorough data mapping exercise, update contracts with service providers, implement opt-out mechanisms (including GPC), and maintain security controls aligned with recognised frameworks.
