California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) Compliance Guide for 2025
The California Consumer Privacy Act (CCPA) and its strengthened successor, the California Privacy Rights Act (CPRA), give California residents more control over their personal data. While these laws are fundamentally about privacy, they also require businesses to implement reasonable security procedures, making cybersecurity a key compliance component.
Whether you’re a growing SaaS business or a regulated enterprise, this guide helps you understand your security obligations under CCPA/CPRA and how to reduce the risk of enforcement action.
What you'll learn in this CCPA/CPRA compliance guide
- Who must comply with CCPA and CPRA in 2025
- The specific cybersecurity expectations implied by the law
- How data breaches trigger enforcement and legal action
- How penetration testing and risk assessments help fulfill your duty
What is the CCPA / CPRA?
The California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020, was California’s first comprehensive privacy legislation. It granted consumers the right to know what personal information is collected about them, to request its deletion, and to opt out of its sale. Designed to increase transparency and consumer control, it applied to for-profit businesses that collect personal data from California residents and meet certain thresholds.
In 2020, voters approved Proposition 24, which established the California Privacy Rights Act (CPRA). This amendment went into effect on January 1, 2023, and significantly strengthened the original CCPA by introducing new rights, new enforcement mechanisms, and stricter data handling rules.
Together, CCPA and CPRA create one of the most rigorous state-level data privacy regimes in the U.S., emphasizing both consumer protection and business accountability.
Who is subject to the CCPA / CPRA?
The CCPA and CPRA apply to any for-profit business—regardless of location—that collects personal information from California residents and meets at least one of the following thresholds:
Compliance criteria
You are subject to the CCPA/CPRA if your business:
- Buys, sells, or shares the personal information of 100,000 or more California residents, households, or devices annually
- Has annual gross revenues over $25 million, regardless of data activity volume
- Derives 50% or more of annual revenue from selling or sharing consumers’ personal information
Note: “Selling” and “sharing” include disclosing personal data for cross-context behavioral advertising, even if no money changes hands.
Common business types that must comply
CCPA/CPRA compliance is not limited to traditional tech companies. It applies to a wide range of industries and business models, including:
- Tech platforms and SaaS providers (e.g., cloud apps, productivity tools, CRM platforms)
- E-commerce brands and digital advertisers that engage in behavioral targeting or collect user behavior data
- Financial services and insurance companies handling customer PII or account details
- Healthcare and wellness apps that track sensitive data but are not fully covered by HIPAA
- B2B service providers that process data on behalf of California-based clients
- Data brokers, loyalty platforms, and analytics services that collect and resell user data
Remote Applicability:
Your business does not need a physical presence in California to fall under the scope of CCPA/CPRA. If you serve California residents or collect data through a website, app, or third party, you are expected to comply.
Get help with CCPA/CPRA security compliance
Book a meeting with our experts to discuss how penetration testing supports your CCPA/CPRA obligations.
- Call 1-877-805-7475
What are the cybersecurity requirements under CCPA and CPRA?
While the CCPA and CPRA primarily focus on data privacy rights, they also include important, if indirect, cybersecurity obligations. Businesses subject to the law are required to: “Implement reasonable security procedures and practices appropriate to the nature of the personal information.”
This clause, though broad, has serious implications. It creates a legal standard of care: if a data breach occurs and your security controls are deemed inadequate, your organization may face regulatory penalties and lawsuits from consumers. Although the law does not provide a list of required controls, enforcement actions and best practices suggest that the following security domains are critical for CCPA/CPRA compliance:
Access control & identity management
Ensure only authorized personnel have access to systems and personal information through strong authentication, role-based access, and user activity monitoring.
Secure data storage & encryption
Apply encryption for data both at rest and in transit. Store sensitive personal information (e.g., geolocation, health data, financial identifiers) using secure, industry-standard cryptographic methods.
Incident detection & response
Establish procedures to detect, investigate, and respond to security incidents. A tested incident response plan (IRP) reduces breach impact and can demonstrate good-faith compliance.
Risk-based security assessments
Conduct periodic risk assessments to identify vulnerabilities, prioritize remediation, and align your security program with current threats and business processes.
Vendor security oversight
Assess and monitor third-party service providers. CPRA requires that contracts with vendors include clear data protection obligations, especially for those processing sensitive or shared data.
Why it matters: cybersecurity triggers for legal exposure
Under CCPA/CPRA, cybersecurity isn’t just a best practice; it’s a legal obligation. Businesses that fail to implement “reasonable security procedures” may face significant exposure, even if no data breach occurs. Below are three common triggers that turn poor security hygiene into costly compliance failures:
- Data breaches trigger liability
If personal information is compromised due to inadequate safeguards, affected California residents have a private right of action under the CCPA. This applies even when a breach results from negligence and can lead to statutory damages of $100–$750 per consumer per incident.
- Negligence = Noncompliance
CPRA strengthens enforcement by explicitly stating that poor or missing cybersecurity protections can constitute a violation, even without a breach. Simply lacking up-to-date risk assessments or access controls may place your business at legal risk.
- Increased regulatory scrutiny
In 2023, the newly empowered California Privacy Protection Agency (CPPA) began targeted enforcement actions focused on third-party risk, security safeguards, and data minimization. Businesses that lack formal controls or vendor oversight may be prioritized for audits.
Enforcement & Penalties
Both the California Attorney General and the CPPA have authority to investigate and enforce CCPA/CPRA compliance. Depending on the nature of the violation, organizations may face significant financial and reputational damage:
- Civil penalties
Up to $2,500 per unintentional violation and $7,500 per intentional violation, with each affected consumer or data point counted individually.
- Consumer lawsuits for breaches
Consumers can bring legal claims for breaches of specific types of personal information (e.g., Social Security numbers, login credentials, driver’s license numbers) if caused by a failure to implement reasonable security.
- Public enforcement actions
In one of its first public cases, the CPPA targeted businesses for poor cybersecurity posture and lack of clarity in data-sharing disclosures. This signals a more active enforcement future—with real reputational risks.
Enforcement spotlight: real CCPA/CPRA cases
- Civil penalties: Healthline – $1.55 million settlement
In 2025, the California Attorney General fined Healthline Media $1.55M for disclosing sensitive health data via third-party trackers without proper user consent, marking the largest CCPA penalty to date. Source: WilmerHale
- Consumer lawsuit: Stasi v. Inmediata Health Group
A patient sued Inmediata under the CCPA after medical records were exposed online due to a misconfigured webpage. The court ruled that public accessibility of personal data, even without a confirmed breach, may trigger private legal action. Source: IAPP
- CPPA enforcement: Honda – $632,500 fine
The California Privacy Protection Agency (CPPA) fined Honda for requiring excessive personal data to process opt-out requests, violating consumer rights under the CPRA. It was one of CPPA’s first public enforcement actions. Source: Regulatory Oversight
Meet CCPA/CPRA expectations with strategic pentesting
Under CCPA and CPRA, businesses must implement “reasonable security procedures” to protect consumer data, yet the law doesn’t define exactly what that looks like.
Penetration testing plays a critical role in demonstrating your organization has taken proactive steps to secure personal information and reduce breach liability.
Whether you’re preparing for a CPPA audit or enhancing your privacy program, this guide breaks down:
- How penetration testing supports “reasonable security” under CCPA/CPRA
- What data assets should be tested to reduce enforcement risk
- How to evaluate qualified pentest providers for privacy compliance
- What regulators and plaintiffs look for in breach-related investigations
Download the Buyer’s Guide: Selecting the Right Pentesting Partner for CCPA/CPRA Compliance. Get actionable guidance to help your security program stand up to scrutiny, before enforcement knocks.
Beyond CCPA/CPRA: navigating multi-state cybersecurity compliance
California’s CCPA/CPRA is just one of several active and enforceable state-level privacy and cybersecurity laws. If your organization handles consumer data or operates across multiple states, it’s critical to understand how these frameworks overlap—and where they diverge.
Other key state-level regulations to consider include:
- New York’s NYDFS 23 NYCRR 500 – A financial-sector cybersecurity rule requiring penetration testing, risk assessments, and breach reporting
- Texas’ TAC 202 – A cybersecurity framework for state agencies based on NIST standards, with mandatory risk management practices
- Massachusetts’ 201 CMR 17.00 – Requires businesses to implement a Written Information Security Program (WISP) to protect residents’ personal data
These frameworks often share common principles, like risk-based controls, third-party oversight, and incident readiness, but differ in scope, sector, and enforcement.
Explore how these intersect in our full guide to U.S. cybersecurity compliance frameworks, including NIST, SOC 2, ISO 27001, and CMMC.