Secure Controls Framework

California Consumer Privacy Act / California Privacy Rights Act

In the era of data-driven trust, cybersecurity is privacy and privacy is compliance. CCPA and CPRA have established California’s position as a privacy leader in the United States, with sweeping implications for how businesses manage and protect consumer data.

LAW OVERVIEW

CCPA / CPRA

While privacy and cybersecurity are often siloed organizationally, CPRA attempts to erase the distinction, demanding a unified, risk-based approach to data governance, security and accountability. For security and compliance teams, these laws represent more than legal risk — they require operational maturity.

Data discovery, access control, incident response and third-party oversight are no longer internal concerns, but are now statutory mandates. Those organizations that invest in structured cybersecurity programs, backed by quality documentation and integrated risk processes, will be better positioned to comply, respond and defend.

Name: California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

Type: Statutory (State Law — California)

Authoritative Source: California Privacy Protection Agency (CPPA)

CCPA Enacted: 2018; effective January 1, 2020

CPRA Enacted: November 2020 (ballot initiative); effective January 1, 2023

Enforced By: California Attorney General; California Privacy Protection Agency (CPPA)

Applies To: For-profit businesses meeting revenue, data volume, or data-sale thresholds that handle California residents’ personal information

Certification Available: No official government certification. The CPPA may conduct audits of covered businesses.

BACKGROUND

From CCPA to CPRA

The California Consumer Privacy Act (CCPA) was enacted in 2018 and went into effect on January 1, 2020, making California the first U.S. state to adopt a broad consumer privacy law modeled loosely on the EU’s General Data Protection Regulation (GDPR). CCPA was passed in response to public outcry over data misuse and lack of consumer control over personal information. Originally fast-tracked to prevent a more aggressive privacy ballot initiative, CCPA established consumer rights regarding personal information, including the right to know, the right to delete, the right to opt-out of sale, and the right to non-discrimination for exercising privacy rights.

Although its language is framed around privacy, the law’s operational impact has deep implications for cybersecurity teams, which must manage data flows, implement access restrictions, and respond to consumer requests at scale.

CPRA — California Privacy Rights Act

The CPRA was passed by voter initiative in November 2020 and became effective on January 1, 2023. It significantly amends and expands CCPA by establishing the California Privacy Protection Agency (CPPA) as a dedicated regulator; introducing a new category of sensitive personal information (SPI); adding rights to correct inaccurate personal information and to limit use of sensitive personal information; and introducing data minimization and purpose limitation requirements.

CCPA Applicability Thresholds

The CCPA applies to for-profit businesses that do business in California and meet any of the following: have annual gross revenues exceeding $25 million; buy, sell, or share the personal information of 100,000 or more California residents or households; or derive 50% or more of annual revenue from selling or sharing California residents’ personal information. The CCPA generally does not apply to nonprofit organizations or government agencies.

CPRA Additions and Mandatory Cybersecurity Audits

CPRA removed the 30-day cure period previously available under CCPA, signaling that businesses are expected to be compliant at all times. CPRA also introduced mandatory cybersecurity audit obligations for businesses whose processing activities present significant risk to consumer privacy or security. Under CPRA, businesses must conduct and submit regular risk assessments to the CPPA, implement data minimization and purpose limitation practices, and ensure that service providers and contractors comply with CCPA/CPRA requirements.

PENALTIES & ENFORCEMENT

Consequences of Non-Compliance

The consequences of failing to comply with CCPA / CPRA are real, not theoretical. Both regulatory and civil enforcement mechanisms create substantial risk for organizations that do not establish and maintain adequate cybersecurity and privacy safeguards.

Regulatory Fines

As of the implementation of the CPRA, the California Privacy Protection Agency (CPPA) has authority to audit, investigate and fine businesses that violate CCPA / CPRA requirements. Most importantly, CPRA removed the cure period, signaling that businesses are expected to be compliant at all times. Fines are up to $2,500 per violation, or $7,500 per intentional violation or per violation involving a child under 16. Each affected consumer counts as a separate violation — for large-scale breaches, penalties can scale quickly into the millions.

Civil Liability for Data Breaches

CCPA and CPRA include a private right of action for consumers in the event of a data breach involving certain categories of personal information due to the business’s failure to implement “reasonable security procedures and practices.” This is one of the most significant drivers behind cybersecurity investments in CCPA / CPRA compliance. Statutory damages: $100–$750 per consumer per incident, or actual damages if greater. Businesses can be held liable even without proof of actual harm.

Reputational Harm and Market Exposure

California’s laws are often viewed as a blueprint for other U.S. states (and even international partners), so reputational damage within California can ripple across broader markets. Even outside of fines and lawsuits, data breaches and compliance failures result in customer attrition, partner concerns, and regulatory scrutiny.

DOCUMENTATION VALUE

How the CCF™ Maps to CCPA / CPRA

The Common Controls Framework™ (CCF™) — the Secure Controls Framework — maps CCPA/CPRA requirements to its 1,400+ controls across 33 domains via Set Theory Relationship Mapping (STRM). This mapping is documented with transparency in NIST IR 8477, enabling organizations to address their California privacy obligations using a single, integrated control set.

The SCF is a Living Control Set (LCS), continuously updated by volunteer cybersecurity and GRC experts. It is available at no cost under a Creative Commons license and is importable into GRC platforms via .csv or NIST OSCAL JSON.

Data Inventory and Mapping Documentation

CCPA/CPRA compliance begins with knowing what personal information you collect, where it lives, how it flows, and who has access. Organizations must maintain data inventories and processing records that can be produced to regulators or used to respond to consumer requests accurately and within required timeframes.

Privacy Policies and Consumer Notices

Accurate, up-to-date privacy notices are both a legal requirement and a compliance record. Organizations need version-controlled privacy policies, records of when notices were provided, and evidence that opt-out and deletion request workflows are functioning as documented.

Vendor and Service Provider Agreements

CPRA requires that contracts with service providers, contractors, and third parties include specific data protection provisions. Maintaining a current registry of these agreements — with evidence of review and updates — demonstrates active vendor governance that regulators and courts expect.

Incident Response and Breach Records

In the event of litigation under CCPA’s private right of action, an organization’s ability to demonstrate that it had reasonable security procedures in place at the time of a breach is its primary defense. Incident response plans, test records, breach response logs, and remediation documentation are critical to this defense.

GET STARTED

See CCPA / CPRA Mapped in the SCF

CCPA / CPRA — and 80+ more laws, regulations, and frameworks — is mapped to specific SCF controls in the Common Controls Framework™. Download it free.