CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)
California's comprehensive consumer privacy laws giving residents the right to know, delete, correct, and opt out of the sale or sharing of their personal information. CPRA amended and expanded CCPA effective January 1, 2023.
Overview
The California Consumer Privacy Act (CCPA), signed in 2018 and effective January 1, 2020, gave California residents significant rights over their personal information. The California Privacy Rights Act (CPRA), effective January 1, 2023, amended and strengthened those rights, establishing the California Privacy Protection Agency (CPPA) as the primary enforcement body.
Who It Applies To
A business is subject to CCPA/CPRA if it: (1) operates for profit in California, AND (2) meets one of these thresholds: annual gross revenues exceeding $25 million; buys, sells, or shares for commercial purposes the personal information of 100,000+ consumers or households; or derives 50%+ of annual revenues from selling or sharing personal information.
Key Consumer Rights
| Right | Description | Response SLA |
|---|---|---|
| Right to Know | Access what personal information is collected, used, shared, or sold | 45 days (extendable once) |
| Right to Delete | Request deletion of personal information | 45 days |
| Right to Correct (CPRA new) | Fix inaccurate personal information | 45 days |
| Right to Opt Out | Opt out of sale or sharing of personal information | Immediate |
| Right to Limit Use of Sensitive PI (CPRA new) | Restrict use of sensitive data (SSN, health, location, etc.) | Immediate |
| Right to Non-Discrimination | Cannot be penalized for exercising rights | — |
| Right to Portability | Receive data in a portable format | 45 days |
How Inori Handles CCPA/CPRA
- Data requests: Submit via Settings → Privacy or email ask@askinori.com. 30-day SLA (a tighter target than CPRA requires).
- Opt out of sale/sharing: Inori does not sell or share personal information. GPC signal is honored automatically.
- Hard purge: Personal data is permanently deleted 90 days after account deletion, enforced by an automated cron job.
- Sensitive data: Inori does not collect sensitive personal information as defined by CPRA (no SSNs, health data, financial account numbers, biometrics, geolocation, or immigration status).
Relationship to CPRA
CPRA is an amendment to CCPA, not a separate law. Key additions: the right to correct, restrictions on sensitive PI, the "sharing" opt-out (extends to cross-context behavioral advertising, not just "sale"), and creation of the CPPA with rulemaking authority. The CPPA has issued regulations covering dark patterns, automated decision-making, and cybersecurity audits.