Table of Contents
- CPRA in one minute: what it is and why “covered business” matters
- FAQ: What businesses are covered by the CPRA?
- FAQ: Does the CPRA apply to employee and B2B data?
- FAQ: What data is covered?
- FAQ: What rights do covered businesses need to support?
- FAQ: What’s the deal with “sharing” and targeted advertising?
- FAQ: What notices and links do covered businesses need?
- FAQ: What about enforcement, penalties, and lawsuits?
- FAQ: What changed recently? (Hello, 2026 regulations.)
- FAQ: How do covered businesses get CPRA compliance right without losing their minds?
- “Lived experience” lessons from CPRA compliance projects
- Conclusion
If “CPRA” makes you picture a legal dungeon full of acronyms, you’re not alone. The California Privacy Rights Act
(CPRA) is the upgrade package to the California Consumer Privacy Act (CCPA). Together, they create the privacy rules
many companies follow even outside California, because once you build the controls, you might as well use them everywhere.
This guide answers the most common “covered business” questions in plain English (with just enough humor to keep your
eyes from glazing over). It’s informational, not legal advice, because your lawyer deserves nice things too.
CPRA in one minute: what it is and why “covered business” matters
The CPRA amended the CCPA and expanded consumer rights, added the concept of sensitive personal information,
strengthened rules around advertising “sharing,” and gave California a dedicated privacy regulator (the California Privacy
Protection Agency, or CPPA). If you’re a “covered business,” you have to post notices, offer privacy choices,
respond to consumer requests, and keep your vendor relationships on a tighter leash.
Translation: being “covered” isn’t about vibes; it’s about thresholds and what you do with data.
Lots of organizations collect personal information. The CPRA focuses on for-profit entities that do business in
California and meet certain criteria. Once you cross the line, you’re expected to run a real privacy program, not
just a footer link that says “Privacy-ish.”
FAQ: What businesses are covered by the CPRA?
1) What counts as a “covered business” under the CPRA?
In everyday terms, a covered business is generally a for-profit company that does business in California,
decides why and how personal information is processed, and hits at least one coverage threshold.
If you’re thinking, “But we’re based in Ohio,” congratulations: you may still be covered. California does not require you to
rent a desk in Los Angeles to care about California privacy.
2) What are the coverage thresholds?
The most talked-about thresholds (and the ones businesses usually trip over) are:
- Revenue threshold: Gross annual revenue over $25 million (adjusted for inflation).
- Data-volume threshold: Buying, selling, or sharing personal information of 100,000+ California consumers or households in a year.
- Data-monetization threshold: Deriving 50% or more of annual revenue from selling or sharing personal information.
Practical note: the “100,000” threshold can include ordinary digital activity when you’re using ad tech, analytics,
or marketing pixels, especially if personal information is “shared” for cross-context behavioral advertising.
3) Do I have to be physically located in California?
No. If you do business in California (for example, you sell to California residents or operate a service used there),
you can be in-scope even if your headquarters is elsewhere. Many online businesses end up covered simply because Californians
can sign up, buy, or browse.
4) What about small businesses and startups?
If you don’t meet any threshold, you’re generally not a covered business. But two warnings:
- Growth happens fast: You can cross thresholds mid-flight (especially the 100,000 data-volume line). Plan early so compliance doesn’t become a panic sprint.
- Vendor reality: Even if you’re not covered, you may be asked to support CPRA obligations as a service provider or contractor for a covered client.
5) Are nonprofits covered?
The CPRA’s “business” definition is primarily aimed at for-profit entities. That said, nonprofits sometimes get pulled into
privacy compliance expectations through contracts, partnerships, or operational necessity, especially when they run
fundraising platforms, membership programs, or technology products that look a lot like a commercial business.
If your nonprofit operates a closely linked for-profit arm, talk to counsel about structure and obligations.
FAQ: Does the CPRA apply to employee and B2B data?
Short answer: yes, more than it used to
The CCPA had partial exemptions for certain HR and business-to-business (B2B) personal information. Those exemptions
sunset and, starting January 1, 2023, HR and B2B data moved more fully into scope. That means covered businesses should
treat employees, job applicants, contractors, and B2B contacts as having privacy rights, subject to specific statutory
carve-outs and practical verification limits.
Translation: if your privacy program only thinks “consumer = shopper,” you’re going to have a bad time.
Your workforce and CRM are part of the story now.
FAQ: What data is covered?
1) What is “personal information”?
Personal information is broadly defined as information that identifies, relates to, describes, is reasonably capable
of being associated with, or could reasonably be linked (directly or indirectly) to a particular consumer or household.
That can include names, emails, device identifiers, browsing history, geolocation, purchase records, and more.
2) What is a “household,” and why should I care?
The law recognizes household-level data: information tied to a group of people living at the same address and sharing devices or services.
This matters for connected devices, streaming services, smart home setups, and “family account” products.
If your business maps identity by household or shared device, your data governance needs to reflect that.
3) What is “sensitive personal information” (SPI)?
Sensitive personal information is a special category that gets extra controls. It can include things like
Social Security numbers and government IDs, account log-in credentials combined with access codes/passwords,
precise geolocation, certain health information, and other high-risk data types. If you collect SPI, you should be ready
to support the right to limit certain uses and disclosures, and to justify that you’re using it in a way that’s
reasonably necessary and proportionate.
Practical example: An app that collects precise geolocation “all the time” should be able to explain why that’s needed,
how long it’s stored, who it’s shared with, and how a consumer can limit or opt out where applicable.
FAQ: What rights do covered businesses need to support?
The greatest hits (and the ones people actually use)
- Right to know/access: Consumers can request categories and specific pieces of personal information you collected, sources, purposes, and certain disclosures.
- Right to delete: Consumers can request deletion of personal information, with exceptions (like security, legal obligations, or completing transactions).
- Right to correct: Consumers can ask you to correct inaccurate personal information.
- Right to opt out of sale: “Do Not Sell” means don’t transfer personal information for certain value-based exchanges.
- Right to opt out of sharing: “Do Not Share” targets cross-context behavioral advertising (more on that in a second).
- Right to limit use/disclosure of sensitive PI: Consumers can restrict certain uses of SPI.
- Non-discrimination: You can’t punish consumers for using their rights (with certain rules around bona fide loyalty programs).
How fast do we have to respond?
A common operational baseline is 45 calendar days to respond to consumer requests, with the ability to extend by another
45 days (90 total) when reasonably necessary, so long as you notify the consumer.
Do we have to verify every request?
You’re expected to verify requests in a way that’s appropriate to the sensitivity of the data and the risk of harm from disclosure.
But you also shouldn’t collect more personal information just to verify someone. A good approach is to build tiered verification:
low-risk requests (like general categories) get lighter verification, while requests for specific data require stronger checks.
FAQ: What’s the deal with “sharing” and targeted advertising?
1) What is “cross-context behavioral advertising”?
Cross-context behavioral advertising generally means targeting ads to a consumer based on personal information obtained from the consumer’s activity
across different businesses, websites, apps, or services, outside the one the consumer intentionally interacted with.
If your marketing stack involves third-party tracking across sites, you’re in this neighborhood.
2) How is “sharing” different from “selling”?
The CPRA treats certain advertising disclosures as “sharing” even if no money changes hands. In other words, “We didn’t get paid”
is not a magic spell that makes ad tech disappear. If you disclose personal information to a third party for cross-context behavioral advertising,
it can be “sharing.”
3) What’s a service provider, contractor, or third party, and why does it matter?
Covered businesses often rely on vendors. The labels matter because they change the rules:
- Service providers/contractors process personal information on your behalf under a contract that limits what they can do with it. This is how you keep a vendor from turning “helping you run payroll” into “building their own marketing dataset.”
- Third parties receive personal information for their own purposes (or for cross-context behavioral advertising), which increases notice and opt-out obligations.
Practical example: If you use an analytics vendor that combines your users’ data with data from other clients to improve ad targeting,
you may be drifting from “service provider” behavior into “third party” territory. That’s where your contracts and technical configuration
become make-or-break.
FAQ: What notices and links do covered businesses need?
1) Your privacy policy is necessary, but not sufficient
Covered businesses typically need:
- A privacy policy that explains categories of personal information collected, purposes, retention practices (where applicable), rights, and how to exercise them.
- A notice at collection (or “just-in-time” notice) describing what you collect and why, at or before collection.
- A “Do Not Sell or Share My Personal Information” mechanism if you sell or share.
- A “Limit the Use of My Sensitive Personal Information” mechanism where required based on your SPI use/disclosure.
2) Make your opt-out real (not a scavenger hunt)
The user experience matters. If consumers need to click through six screens and provide their life story just to opt out,
you’re inviting complaints and enforcement attention. Your opt-out should be easy to find, easy to use, and respected across systems.
3) Preference signals: the “one setting to rule them all” idea
California regulations recognize opt-out preference signals (often discussed in the context of browser-based signals).
If your business is required to honor these signals, your tech stack needs a way to detect them and apply the choice without forcing
the consumer to repeat themselves on every visit like a privacy-themed Groundhog Day.
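The detection-and-persistence step described above, as an added example that is not part of the original article. Since the article names no specific signal, the code assumes the signal is the Global Privacy Control request header `Sec-GPC: 1`, that consumers are identified by an opaque id you already hold (a session or account id), and that the preference store is an in-memory dictionary standing in for a real database. It shows the three pieces a stack needs: recognise the header, remember the choice so the consumer is not asked again on later visits, and gate third-party ad tags on the result.

```python
"""Added example (not from the article): detect a browser opt-out preference
signal server-side and persist the consumer's choice across visits.

Assumptions: the signal is the Global Privacy Control header `Sec-GPC: 1`,
consumer_id is an opaque id the business already holds, and OptOutStore is
an in-memory stand-in for a real preference database.
"""
from dataclasses import dataclass, field
from typing import Dict, Mapping, Optional


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True when the request carries a valid Sec-GPC opt-out signal.

    Header names are matched case-insensitively. The GPC specification only
    defines the value "1", so any other value is treated as "no signal".
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass
class OptOutStore:
    """Persists opt-out choices so the consumer does not have to repeat them."""
    _choices: Dict[str, str] = field(default_factory=dict)

    def record(self, consumer_id: str, source: str) -> None:
        # Keep the first source we saw (signal, link, or support ticket) for audit.
        self._choices.setdefault(consumer_id, source)

    def source(self, consumer_id: str) -> Optional[str]:
        return self._choices.get(consumer_id)

    def is_opted_out(self, consumer_id: str) -> bool:
        return consumer_id in self._choices


def resolve_opt_out(headers: Mapping[str, str], consumer_id: str,
                    store: OptOutStore) -> bool:
    """Decide whether this request must be treated as opted out of sale/sharing.

    A stored choice wins even when the header is absent on a later visit
    (different browser, signal switched off), until the consumer revokes it
    through a consent flow that is not modelled here. A fresh signal is
    recorded so it survives future visits.
    """
    if store.is_opted_out(consumer_id):
        return True
    if gpc_signal_present(headers):
        store.record(consumer_id, "gpc-signal")
        return True
    return False


def tag_config(opted_out: bool) -> Dict[str, bool]:
    """Flags handed to the page or tag manager. Third-party ad tags are gated
    on the decision; purely first-party analytics are unaffected by an
    opt-out of sale/sharing."""
    return {"fire_third_party_ad_tags": not opted_out,
            "fire_first_party_analytics": True}


if __name__ == "__main__":
    store = OptOutStore()
    # Constructed sample requests from one consumer across two visits.
    visit_1 = {"User-Agent": "ExampleBrowser/1.0", "sec-gpc": "1"}
    visit_2 = {"User-Agent": "ExampleBrowser/1.0"}  # signal absent this time
    for headers in (visit_1, visit_2):
        print(tag_config(resolve_opt_out(headers, "consumer-42", store)))
```

The second visit in the demo carries no header, yet the consumer still lands in the opted-out configuration because the first visit's choice was stored. Hooking `resolve_opt_out` into the request pipeline before any third-party tag is emitted is what turns a legal obligation into an enforced control rather than a footer link.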
FAQ: What about enforcement, penalties, and lawsuits?
1) Who enforces the CPRA?
Enforcement can come through the CPPA and the California Attorney General. California also has a limited private right of action
tied primarily to certain types of data breaches (not “you used a confusing cookie banner,” but “a breach exposed certain data”).
2) What are the penalties?
Civil penalties can reach thousands of dollars per violation, with higher amounts for intentional violations and violations involving minors’ data.
The exact calculation can become complicated quickly, especially when “per violation” can mean “per consumer” or “per impacted record,”
depending on enforcement theory and facts. The real-world takeaway is simple: privacy debt compounds like credit card interest.
3) Did the CPRA expand the breach-related private right of action?
Yes. One notable expansion covers certain account credentials: if an email address combined with a password (or a security question and answer that permits account access)
is exposed due to a failure to maintain reasonable security, that can fall within the statute’s breach-related private action framework.
In plain English: credentials are not “just IT’s problem.” They’re a legal risk multiplier.
FAQ: What changed recently? (Hello, 2026 regulations.)
New rules: cybersecurity audits, risk assessments, and automated decisionmaking technology (ADMT)
California’s privacy program isn’t standing still. The CPPA adopted a major regulations package covering updates to existing rules plus
new requirements for certain businesses to conduct privacy risk assessments, complete annual cybersecurity audits, and implement consumer rights
related to automated decisionmaking technology (ADMT). The package took effect January 1, 2026, with additional compliance runways for some requirements.
What this means for covered businesses:
- Risk assessments: If you perform higher-risk processing, you may need documented assessments weighing benefits against privacy risks, and tracking safeguards.
- Cybersecurity audits: Certain businesses may be expected to complete annual audits and related certifications on a schedule.
- ADMT rights: Consumers may have new ways to access information about ADMT use and to opt out in specified contexts, plus related processes (including appeals in some designs).
If your organization uses automated tools in hiring, lending, healthcare, personalization, or fraud detection, you’ll want to treat 2026 as the year
you inventory automated decisionmaking, before it inventories you.
FAQ: How do covered businesses get CPRA compliance right without losing their minds?
1) Start with a data map that reflects reality
CPRA compliance is hard when your organization doesn’t know what it collects, where it goes, and who touches it. A practical data map includes:
collection points (web, app, call center), system-of-record locations (CRM, data warehouse), sharing points (ad tech, analytics, vendors),
and retention rules (how long you keep what, and why).
2) Fix the “marketing stack surprise” early
Many businesses assume they don’t “sell” or “share” personal information, until they look at tags, pixels, and SDKs.
If you run third-party advertising or cross-site measurement, assume “Do Not Sell/Share” will touch your marketing operations,
not just your legal page footer.
3) Build request-handling like a customer support superpower
The best CPRA request workflows feel like good support: clear intake, predictable timelines, fast routing, and consistent responses.
Automation helps (ticketing, identity verification steps, templated responses), but accuracy matters more than speed.
A sloppy “we deleted everything” message, sent when you didn’t, can backfire.
4) Treat vendor contracts as living documents
CPRA-aligned vendor contracting isn’t a one-and-done PDF you file away. Vendors change products, add subprocessors, and
“improve features” in ways that can silently shift them from service provider-like behavior into third-party behavior.
Review high-risk vendors regularly and align contract terms with actual technical configurations.
“Lived experience” lessons from CPRA compliance projects
Here’s what teams often learn the hard way when they move from “We have a privacy policy” to “We have a privacy program.”
(No names, no war stories that identify anyone; just real patterns you’ll probably recognize.)
The first surprise: you’re already “sharing,” even if you never meant to
A classic moment happens when marketing says, “We don’t sell data,” and legal says, “Great,” and then someone opens the tag manager
and discovers a small universe of pixels, SDKs, and “totally essential” trackers that talk to third parties. The business didn’t set out
to share personal information for cross-context behavioral advertising. It just wanted conversions to go up and costs to go down.
CPRA compliance turns that “invisible plumbing” into an explicit decision: either configure vendors so they act like true service providers,
or accept you’re sharing and build a clean opt-out that actually works.
The second surprise: identity verification is an art, not a checkbox
Teams quickly learn there’s no perfect verification method. Ask for too little and you risk disclosing data to the wrong person.
Ask for too much and you annoy legitimate users and collect extra sensitive data you didn’t need. The most successful programs use a
risk-based approach: low-risk requests get lighter verification, while requests for specific pieces of personal information require stronger checks.
And the best teams document why they chose their method, because “we guessed” is not a great compliance narrative.
The third surprise: HR and B2B requests feel different than consumer requests
When employee and B2B data moved more fully into scope, many organizations realized their consumer-facing process didn’t fit HR reality.
Workforce systems often involve multiple vendors (payroll, benefits, recruiting) and complicated retention needs. HR request handling tends to
require more internal coordination and more careful exception analysis. Successful teams build separate intake paths and playbooks for workforce and B2B,
while keeping the same core commitments: transparency, timely responses, and consistent documentation.
The fourth surprise: the “hard part” is operational ownership
Privacy work fails when it lives only in legal. It also fails when it lives only in security. CPRA requires collaboration across legal, security,
engineering, product, marketing, and customer support. The programs that stick assign clear owners for:
(1) data inventory and retention,
(2) opt-out enforcement in ad tech,
(3) request fulfillment workflows,
(4) vendor management, and
(5) incident response readiness.
Once those owners exist, everything else gets easier, because “someone owns it” beats “everyone’s responsible” every single time.
The best news: once you’ve built these muscles for CPRA, other state privacy laws become dramatically easier. Your privacy program turns into a reusable
operating system, not a one-off emergency patch.
Conclusion
Being a covered business under the CPRA isn’t about whether you consider yourself “a tech company.” It’s about whether you do business in California,
meet the thresholds, and process personal information in ways that trigger meaningful consumer rights. The winning approach is straightforward:
know your data, control your sharing, respect choices, respond on time, and treat vendors like part of your compliance perimeter.
If you do those things, CPRA becomes manageable, and your customers’ trust becomes a competitive advantage instead of a liability.