Whether you're building your CCPA/CPRA compliance program from scratch or strengthening an existing one, Operlity gives California and global businesses a structured platform to manage consumer privacy rights, govern personal information, demonstrate accountability, and stay audit-ready — continuously, not just at assessment time.
The California Consumer Privacy Act, enhanced by the California Privacy Rights Act, is the United States' most comprehensive state-level privacy law — governing how businesses collect, use, share, and sell the personal information of California residents. The CPRA, which took full effect in January 2023, significantly expanded CCPA's original framework by introducing new consumer rights, establishing the California Privacy Protection Agency as a dedicated enforcement authority, and imposing additional obligations on businesses that handle sensitive personal information.
CCPA/CPRA applies to for-profit businesses that meet one or more of three thresholds: annual gross revenues exceeding $25 million; annual buying, selling, or sharing of personal information of 100,000 or more consumers or households; or deriving 50% or more of annual revenues from selling or sharing consumers' personal information. For businesses that meet these thresholds — whether based in California or operating from anywhere in the world — CCPA/CPRA compliance is not optional. The CPPA can impose fines of up to $2,500 per unintentional violation and $7,500 per intentional violation, with no cap on the number of violations.
Understanding what personal information the business collects, where it lives, how it is used, how long it is retained, and who it is shared with is the foundation of CCPA/CPRA compliance and one of the most resource-intensive exercises to conduct and maintain.
CPRA introduced a new category of sensitive personal information — including Social Security numbers, precise geolocation, race, religion, health data, and sexual orientation — with heightened disclosure and opt-out rights that require specific governance controls.
Businesses must respond to rights requests covering access, deletion, correction, opt-out of sale or sharing, and limitation of sensitive personal information use — within statutory timeframes and with documented audit trails.
CPRA introduced new requirements for contracts with contractors and service providers governing their use of personal information — requiring businesses to audit and update vendor agreements across their ecosystem.
CPRA requires businesses to collect only what is necessary for disclosed purposes and retain it only as long as reasonably necessary — obligations that require structured data governance controls.
CPRA requires businesses to conduct annual cybersecurity audits and regular privacy risk assessments for high-risk processing activities — adding structured assessment obligations to the compliance program.

| CCPA / CPRA Obligation | Operlity Capability |
|---|---|
| Personal Information Inventory | Data classification and governance across all systems and environments |
| Processing Activity Records | Structured processing activity documentation with purpose, retention, and sharing details |
| Sensitive Personal Information Governance | Enhanced classification, access controls, and opt-out right management for sensitive categories |
| Consumer Rights (Access, Deletion, Correction, Opt-Out) | Rights request management with statutory deadline tracking and response documentation |
| Privacy Risk Assessments | Structured privacy risk assessment workflows with risk identification and mitigation tracking |
| Annual Cybersecurity Audit | Audit management with workpaper management, finding tracking, and corrective action workflows |
| Contractor & Service Provider Management | Third-party risk management with CCPA/CPRA contract tracking and vendor due diligence |
| Data Minimization & Retention | Retention schedule management and data disposal workflow tracking |
| Privacy Notice Management | Policy lifecycle management with approval workflows and version control |
| Do Not Sell or Share Management | Opt-out request management with documented response workflows and audit trails |

Identify and document all personal information collected, used, shared, or sold by your business — where it exists, how it flows, who has access, and what systems process or store it — building the data map that underpins every CCPA/CPRA obligation.
Document all personal information processing activities in a structured format — with purpose, category, retention period, third-party sharing details, and sale or sharing status — meeting CCPA/CPRA's disclosure and record-keeping requirements.
Implement structured consumer rights workflows — with documented response processes for access, deletion, correction, opt-out, and sensitive personal information limitation requests — meeting CCPA/CPRA's statutory response timeframes.
Conduct privacy risk assessments for high-risk processing activities and plan your annual cybersecurity audit — with structured workflows, finding management, and corrective action tracking meeting CPRA's mandatory assessment and audit requirements.
Audit your contractor and service provider ecosystem — updating agreements to meet CPRA's vendor contract requirements and conducting due diligence on how vendors handle personal information on your behalf.
Monitor your CCPA/CPRA compliance posture continuously — tracking obligation status, managing consumer rights requests, conducting annual audits, and maintaining the documentation that demonstrates accountability to the CPPA.