
Why Data Privacy Compliance Matters in California
California has some of the strictest privacy laws in the U.S. The California Consumer Privacy Act (CCPA) took effect in 2020, and the California Privacy Rights Act (CPRA) expanded it in 2023. Enforcement began in February 2024, and the penalties are steep:
- $2,663 for each unintentional violation
- $7,988 for each intentional violation
- $7,988 for violations involving minors’ data
Unlike most states, California also allows consumers to take legal action. That means businesses face not only fines, but also lawsuits and the risk of losing customer trust.
And the law doesn’t just apply to companies based in California. If you collect or process the personal information of California residents, you’re expected to comply—no matter where you’re located.
Staying compliant is about more than avoiding penalties. It’s about protecting your customers, keeping their trust, and staying ahead of privacy trends that are spreading across other states.


About the CCPA (and CPRA Updates)
The CCPA gives consumers several key rights:
- Right to Know – Learn what data is being collected
- Right to Delete – Remove personal data from company systems
- Right to Opt-Out – Say no to the sale of personal data
- Right to Appeal – Challenge a company’s decision
- Right to Action – Seek legal recourse if harmed
The CPRA expanded these rights, adding:
- Right to Access – View collected personal data
- Right to Correct – Fix inaccurate information
- Right to Data Portability – Receive data in a portable format
- Right to Limit Use of Sensitive Data
- Right to Opt-Out of Automated Decision-Making
Businesses also face strict obligations, including:
- Data minimization and purpose specification
- Strong data security measures
- Transparency in privacy notices
- Opt-in consent for sensitive information
- Contracts with processors and subcontractors
- Risk assessments and audits
The CPRA also introduced major changes:
- Raised the applicability threshold to $26.625 million in annual revenue
- Increased the consumer threshold from 50,000 to 100,000
- Eliminated the 30-day cure period
- Created a new enforcement agency—the California Privacy Protection Agency
- Expanded the definition of sensitive data and required stricter oversight
If your company does business in California and meets these thresholds, compliance is not optional. It’s a must.
How Our Data Privacy Services Help You Comply
At Oso, we offer a full suite of services to help you meet the requirements of the California Consumer Privacy and Privacy Rights Acts. Whether you're building a privacy program from scratch or improving what you already have, we’ve got you covered. Our services include:

Deliverable Based Services
Policies, procedures, internal guidelines, and more.

Risk Assessment
We help you identify, assess, and address privacy risks.

Employee Training
Training tailored to your team and your industry.

AI Governance
Ensure ethical and compliant AI use.

Our Approach
Our process starts with understanding your current program and your risk level.
- Gap Assessment – We identify where your practices fall short of CCPA/CPRA requirements.
- Tailored Plan – We prioritize updates based on your risk tolerance, budget, and goals.
- Implementation – This may include policy updates, training, vendor reviews, or audits.
- Ongoing Support – For clients who want continuous monitoring and updates, we provide long-term consulting.
The timeline depends on your needs. Some companies need a few quick updates. Others need a full program buildout that can take months or even ongoing support. Either way, we work with you to make compliance manageable and sustainable.
Serving California Businesses with Excellence
We’ve worked directly with California businesses to implement privacy programs under both CCPA and CPRA. That hands-on experience helps us understand how to balance compliance with the realities of running a business. Our proven experience, tailored solutions, bilingual expertise, and cost-effective approach set us apart.
We already know what works, what regulators look for in California, and how to build a compliant, flexible privacy program.

Common Questions (FAQ)
Does the CCPA / CPRA apply to B2B data?
Yes. The exemption for B2B data expired in 2023, so the law now applies to B2B data.
How do I handle DSARs within the 45-day window?
You need a clear, documented process. That includes acknowledging the request, verifying the requester’s identity, locating and reviewing the data, redacting where necessary, and providing the data in the right format.
What’s the difference between a privacy policy and a privacy notice?
A privacy policy explains your overall approach to collecting and handling personal data. A privacy notice tells consumers specifically how their information is collected, used, and shared—usually shown on your website or app.
Does the law apply if my business is outside California?
Yes. If you handle personal data from California residents and meet the thresholds, you’re subject to CCPA/CPRA regardless of where your business is located.
CONTACT
Oso Privacy Consultants is located in Louisiana, but serves businesses globally.



