CCPA and CPRA: What California’s privacy laws mean for IT teams and MSPs

The California Consumer Privacy Act (CCPA), expanded significantly by the California Privacy Rights Act (CPRA), represents the most comprehensive US state-level privacy legislation to date. Often described as America’s GDPR, California’s privacy framework has shaped privacy law across the country and is now used as a compliance baseline by organizations managing privacy obligations nationally.

According to the 2026 Kaseya State of the MSP Report, regulatory compliance and reporting is among the top ten service needs for MSP clients in 2026. California’s CPRA is one of the most scrutinized components of any US compliance program. Kaseya’s platform supports MSPs managing compliance across more than 170 countries, giving us a close view of where CPRA obligations create the most operational friction.

CCPA and CPRA: what’s the difference?

The CCPA, enacted in 2018 and effective January 2020, established foundational consumer privacy rights for California residents. The CPRA, approved by voters in 2020 and fully effective January 2023, expanded those rights significantly and created a dedicated enforcement agency, the California Privacy Protection Agency (CPPA).

Key CPRA additions over CCPA:

  • A new category of sensitive personal information (SPI) with enhanced protections, including precise geolocation, racial or ethnic origin, health data, financial account details, biometric data, and contents of communications.
  • New consumer rights: right to correct inaccurate personal information; right to limit use and disclosure of sensitive personal information.
  • Enhanced data minimization and purpose limitation requirements.
  • Dedicated enforcement authority (CPPA) supplementing the California Attorney General.

For compliance purposes, the CPRA supersedes CCPA. Organizations should implement against CPRA standards, not the original 2020 baseline.

Who must comply

CPRA applies to for-profit businesses that collect personal information from California residents and meet one or more of these thresholds:

  • Annual gross revenues exceed $25 million
  • Annually buy, sell, receive, or share for commercial purposes the personal information of 100,000 or more consumers or households
  • Derive 50% or more of annual revenues from selling or sharing consumers’ personal information

Non-profit organizations are generally exempt. For technology companies, including SaaS providers, cloud services, and MSPs with large client bases, the 100,000 consumer/household threshold is the most commonly triggered criterion. Jurisdiction is extraterritorial: a company based in New York or London that processes personal information from 100,000 California residents must comply, regardless of where it operates.

It is worth noting that CCPA applies to employment and B2B contexts under the 2026 regulations. Employee, contractor, job applicant, and business contact data are in scope for risk assessments and other obligations. This is a meaningful difference from many other US state privacy laws.

Consumer rights and what they mean for IT systems

CPRA grants California consumers several rights that create specific IT system requirements.

Right to know. Consumers can request disclosure of what personal information is collected, used, disclosed, or sold. IT systems must be able to generate a complete picture of what personal information exists for a specific individual. This requires data inventory and search capability across all systems, not just the primary CRM or ERP.

Right to delete. Consumers can request deletion of their personal information. IT systems must locate and delete personal information across all systems, including backups and third-party processors. Without a structured data management program, this is operationally complex. A mid-market MSP managing data across 30 client environments, each with its own ticketing system, documentation platform, and backup archive, faces a significant operational challenge without tooling that maps and controls data flows.

Right to correct. Consumers can request correction of inaccurate personal information. Systems must support record correction across all relevant data stores, not just the front-end interface.

Right to opt out of sale/sharing. Consumers can opt out of the sale or sharing of their personal information. Systems must respect opt-out flags across all data processing and sharing workflows. Marketing pixels and retargeting tools that share data with advertising platforms count as “sharing” under CPRA, even without direct payment.

Right to limit use of sensitive personal information. Consumers can restrict how businesses use SPI. Technical controls must enforce these limitations at the system level, not just through policy documentation.

Responding to consumer rights requests within the 45-day response window requires three things: data inventory (knowing where personal information lives), search capability (finding a specific individual’s data across all systems), and deletion/correction capability across all processors.

The IT and security requirements

CPRA requires businesses to implement reasonable security procedures and practices appropriate to the nature and sensitivity of personal information. The California AG has indicated that CIS Controls IG1 compliance represents a reasonable interpretation of the minimum “reasonable security” standard.

More prescriptively, CPRA requires the following.

Data minimization. Collect and retain only what is necessary for the stated purpose. Configure systems to collect the minimum personal data required. This applies to form fields, log retention, analytics tools, and any integration that passes personal data between systems.

Retention limits. Retain personal information only as long as reasonably necessary for the purpose. Automated retention enforcement (deletion schedules) is an operational requirement, not just a policy statement. Organizations need a retention schedule that maps data category, system, owner, retention period, and deletion method.
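A retention schedule in the shape the paragraph describes (category, system, owner, period, deletion method), with the job that finds records past their period, as an added example; it is not code from the page or from Kaseya, and the categories, systems and dates are constructed samples.

```python
# Added example (not code from the page or Kaseya): a retention schedule that
# maps data category -> system, owner, retention period and deletion method,
# plus a job that returns records past retention and records with no rule.
# Categories, systems and dates are constructed sample values.
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class RetentionRule:
    category: str
    system: str
    owner: str
    retention_days: int
    deletion_method: str   # e.g. "hard-delete", "crypto-shred", "anonymize"

@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    system: str
    created: date

SCHEDULE = [
    RetentionRule("ticket-contact-pii", "psa-ticketing", "service-desk-lead", 730, "hard-delete"),
    RetentionRule("web-server-logs", "log-archive", "security-ops", 90, "hard-delete"),
]

def find_rule(schedule, record):
    for rule in schedule:
        if rule.category == record.category and rule.system == record.system:
            return rule
    return None

def due_for_deletion(schedule, records, today):
    """Return (due, unmapped). `due` pairs each expired record with its rule so
    the job knows which deletion method to run; `unmapped` lists records with
    no rule, which must be surfaced as an inventory gap, not silently kept."""
    due, unmapped = [], []
    for rec in records:
        rule = find_rule(schedule, rec)
        if rule is None:
            unmapped.append(rec)
        elif rec.created + timedelta(days=rule.retention_days) <= today:
            due.append((rec, rule))
    return due, unmapped

# Constructed sample records and evaluation date.
AS_OF = date(2026, 3, 1)
SAMPLE_RECORDS = [
    Record("t-1001", "ticket-contact-pii", "psa-ticketing", date(2023, 1, 15)),
    Record("l-2001", "web-server-logs", "log-archive", date(2025, 12, 15)),
    Record("l-2002", "web-server-logs", "log-archive", date(2025, 11, 1)),
    Record("x-3001", "marketing-export", "spreadsheet-share", date(2024, 6, 1)),
]
```

Records that match no rule are returned separately so the job fails loudly on an unmapped data store instead of leaving it out of the schedule.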

Risk assessments. For processing activities that present a significant risk to consumer privacy (automated decision-making, large-scale profiling, sharing sensitive data), a documented risk assessment is required. Under the 2026 regulations, new processing activities initiated after January 1, 2026 require a risk assessment before the activity begins.

Cybersecurity audits. Businesses posing a significant risk to consumer privacy may be required to conduct annual cybersecurity audits. Submission timelines to the CPPA are staggered by revenue: April 1, 2028 for businesses with over $100 million in revenue, April 1, 2029 for $50 million to $100 million, and April 1, 2030 for businesses under $50 million. Starting the audit readiness process now is the right approach regardless of submission deadline.

What changed in 2026

The CPPA finalized a significant package of regulatory amendments in September 2025, effective January 1, 2026. These represent the most substantive expansion of California privacy obligations since the CPRA itself took effect.

Automated Decision-Making Technology (ADMT). Businesses that use automated systems to make significant decisions about consumers (credit approvals, employment screening, healthcare eligibility, insurance pricing) must provide a pre-use notice explaining how the technology works, what data it uses, and its potential impact on consumers. Consumers have a right to opt out. ADMT pre-use notices must be deployed by January 1, 2027 for most businesses.

Mandatory risk assessments. New processing activities initiated on or after January 1, 2026 require a documented risk assessment before beginning. For processing activities that were already in place before that date, assessments must be completed by December 31, 2027.

Global Privacy Control (GPC) handling. Multiple CPPA enforcement actions have targeted businesses that failed to honor GPC browser signals, which function as an automatic opt-out from sale or sharing. Configuring systems to honor GPC signals is now a baseline compliance requirement, not optional.
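How honoring the GPC signal looks server-side, as an added example rather than code from the page or from Kaseya: the `Sec-GPC: 1` header is the signal defined by the GPC specification; the opt-out state store, the tag inventory and the "Do Not Sell or Share" link handler are assumptions for illustration.

```python
# Added example (not code from the page or Kaseya): treat the Global Privacy
# Control browser signal as an opt-out from sale/sharing and gate third-party
# sharing tags on that state. Header name/value follow the GPC spec (Sec-GPC: 1);
# the OptOutState store and the tag list are assumptions.
from dataclasses import dataclass

@dataclass
class OptOutState:
    sale_sharing: bool = False   # True once the consumer has opted out
    source: str = "none"         # how the opt-out was recorded

def gpc_signal_present(headers: dict) -> bool:
    """True only for the exact value "1"; "0", blank or absent is no signal."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"

def apply_request_signals(headers: dict, state: OptOutState) -> OptOutState:
    """Record a GPC opt-out. An existing opt-out is never reverted just because
    a later request arrives without the header (e.g. from another browser)."""
    if gpc_signal_present(headers) and not state.sale_sharing:
        return OptOutState(sale_sharing=True, source="gpc")
    return state

def record_opt_out_link(state: OptOutState) -> OptOutState:
    """Same effect for a click on the 'Do Not Sell or Share' link."""
    if state.sale_sharing:
        return state
    return OptOutState(sale_sharing=True, source="link")

def may_share(state: OptOutState) -> bool:
    return not state.sale_sharing

def render_tags(state: OptOutState, tags: list) -> list:
    """Return the tags allowed to load. Ad pixels and retargeting scripts are
    'sharing' under CPRA even with no payment, so they are dropped whenever the
    consumer has opted out; first-party tags still load."""
    return [t for t in tags if t["kind"] != "sharing" or may_share(state)]

# Constructed sample tag inventory (not a real site's configuration).
SAMPLE_TAGS = [
    {"name": "first-party-analytics", "kind": "first-party"},
    {"name": "ad-network-pixel", "kind": "sharing"},
    {"name": "retargeting-script", "kind": "sharing"},
]

if __name__ == "__main__":
    state = apply_request_signals({"Sec-GPC": "1"}, OptOutState())
    print([t["name"] for t in render_tags(state, SAMPLE_TAGS)])
```

The same `may_share()` check belongs in every server-side sharing path (data feeds to ad platforms, CRM sync jobs), since a link or signal that only hides a pixel while sharing continues is exactly the failure the enforcement actions cite.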

30-day breach notification. California’s breach notification requirement was tightened to 30 days effective January 1, 2026.

Service provider obligations for MSPs

Under CPRA, an MSP providing services to a CPRA-covered business is a service provider, the equivalent of a GDPR processor. The key obligations:

  • Process personal information only for the purpose of providing contracted services.
  • Do not sell or share personal information received from the client business.
  • Delete or return personal information at contract end.
  • Implement appropriate security measures.
  • Enter into a written service contract specifying CPRA obligations.

This means every MSP serving CPRA-covered clients needs a data protection addendum with appropriate CPRA clauses. It also means the MSP must be able to demonstrate that its own security program is implemented and documented, because a client facing a regulatory inquiry will ask for evidence of the MSP’s security posture, not just a policy document.

Enforcement and penalties

The California AG and the CPPA can both enforce CPRA. Per-violation penalties for 2025-2026, adjusted for inflation:

  • Unintentional violations: $2,663 per violation
  • Intentional violations: $7,988 per violation
  • Violations involving minors’ data: $7,988 per violation

Each affected consumer counts as a separate violation, which is how penalties escalate quickly. The CPPA’s largest fine to date was $1.35 million, issued against Tractor Supply in October 2025 after its “Do Not Sell My Personal Information” link failed to actually stop data sharing. Q1 2026 produced enforcement actions against Disney, Ford, Honda, and others, totaling several million dollars in fines and mandatory remediation orders.

Individual consumers also have a private right of action for security breaches resulting from failure to implement reasonable security: $100 to $750 per consumer per incident, or actual damages if higher. That creates significant class action exposure for any organization that suffers a breach while operating below a defensible security standard.

The CPPA has stated it can investigate conduct dating back to January 1, 2020, the law’s original operative date. Enforcement posture is escalating, not moderating.

How Compliance Manager GRC supports CPRA programs

Compliance Manager GRC automates the evidence collection, assessment, and documentation workflows that CPRA compliance requires. For MSPs managing compliance across multiple clients, it replaces manual spreadsheet-based tracking with a platform that monitors control status continuously, routes assessment tasks to the right owners, and generates compliance documentation ready for regulatory or client review.

Frameworks supported include HIPAA, CMMC, PCI DSS, NIST CSF, CIS Controls, and the FTC Safeguards Rule, alongside California-specific and custom frameworks. IT Glue integration automatically pushes compliance reports to each client’s documentation, keeping everything current without manual export and upload cycles.

Key Takeaways

  • CPRA (effective January 2023, significantly expanded in 2026) supersedes CCPA. Compliance programs should be aligned to the current CPRA standard, including the 2026 ADMT, risk assessment, and cybersecurity audit requirements.
  • Consumer rights requests (know, delete, correct, opt out) require IT systems that can locate, retrieve, correct, and delete specific individuals’ data across all systems and processors, within 45 days.
  • Data minimization and automated retention enforcement are operational IT requirements. A retention schedule that maps category, system, owner, and deletion method is the minimum deliverable.
  • MSPs serving CPRA-covered clients are service providers with contractual and technical obligations. Appropriate data protection clauses must be in place, and the MSP’s own security posture must be documentable.
  • Enforcement is accelerating. The CPPA issued multiple seven-figure fines in 2025 and 2026, and each affected consumer counts as a separate violation.
