:PROPERTIES:
:ID:       auto-ccpa-cpra
:CREATED:  [2026-05-23 Sat]
:END:
#+title: 
#+filetags: :passepartout:compliance:framework:ccpa:


California's comprehensive privacy law — the closest US analogue to GDPR.
CPRA (effective 2023) amended and strengthened CCPA. Key rights: right to
know, delete, opt out of sale/sharing, correct inaccurate data, limit use
of sensitive PI. Private right of action for data breaches.

Who must comply: For-profit businesses with >$25M revenue, or handling >100K
consumer records, or deriving >50% revenue from selling PI. Extraterritorial —
applies to any business collecting CA resident data.

Penalties: $2,500 per violation (intentional: $7,500). Private right of action
for breaches: $100-$750 per incident per consumer. CPRA created the California
Privacy Protection Agency (CPPA) for enforcement.

Why it matters: The opt-out/sale/sharing requirements create complex data flow
gate rules. The gate stack can encode "this data flow crosses a CCPA boundary"