A CERT-In Empanelled Auditing Organization
Home/Blog/Regulatory Updates
Regulatory Updates

CCPA and CPRA: what US-facing businesses must know

For any business serving customers in the United States, California’s privacy law is often the one that bites first. The California Consumer Privacy Act, strengthened by the California Privacy Rights Act, gives California residents extensive rights over their personal information — and places enforceable duties on the businesses that handle it. Because California is such a vast and influential market, these rules reach far beyond the state’s borders, including to Indian and other overseas companies that serve US consumers.

Who is covered

The law applies to for-profit businesses that handle the personal information of California residents and meet certain thresholds — based on annual revenue, the sheer volume of personal information handled, or how much of the business’s revenue derives from selling or sharing personal information. Many businesses outside California, including overseas firms serving US consumers online, comfortably cross those thresholds without realising it. The first practical task, therefore, is simply to work out honestly whether you are in scope, rather than assuming a California law cannot reach a company on another continent.

The rights it grants

What it asks of businesses

Meeting these rights in practice requires real operational plumbing rather than a policy statement. You need clear notices at the point of collection, a working mechanism to receive and honour rights requests within the required timeframes, systems that actually recognise and respect opt-out signals including the Global Privacy Control, and the right contractual terms with your service providers and contractors so that data passed to them stays properly governed. The “Do Not Sell or Share” obligation, and the requirement to honour the Global Privacy Control automatically, are among the most distinctive elements and the easiest to overlook — and they are exactly the areas regulators have shown interest in.

How it compares

The CCPA and CPRA differ from the GDPR and the DPDPA in structure and emphasis. Where the GDPR centres on having a lawful basis for all processing, California law leans heavily on transparency and the right to opt out of the sale or sharing of data. That difference in emphasis means you cannot simply copy your GDPR programme across and assume you are compliant — the opt-out mechanics in particular need specific attention. But the underlying discipline — knowing what personal data you hold, why, and being able to act on individuals’ requests — is the same across all of these regimes, which is what makes a unified approach possible.

If you already map your data and honour rights requests for other privacy laws, CCPA and CPRA compliance is an extension of that work, not a fresh start. The opt-out and Global Privacy Control obligations are the parts most worth checking specifically, because they are where California law is genuinely distinctive.

What to do

  1. Determine scope. Check the thresholds honestly against your revenue and data handling.
  2. Reuse your data map and rights-handling processes from your other privacy work.
  3. Build the opt-out mechanics — including honouring the Global Privacy Control — which are the CCPA-specific piece most programmes miss.
  4. Get your service-provider contracts right so data you share stays governed.

The takeaway

For US-facing businesses, California privacy law is frequently the first serious privacy obligation to arrive — and increasingly the one that customers and partners ask about directly. Fold it into a single, well-run privacy programme alongside your other obligations, pay particular attention to the opt-out and sensitive-data handling that make it distinctive, and it becomes another mapped-and-managed regime rather than a separate headache demanding its own dedicated effort.

CCPACPRAPrivacyCompliance
Share

Keep reading

Related insights

Regulatory Updates

RBI, SEBI and IRDAI: keeping pace with India’s financial-sector cyber rules

The financial regulators have raised the bar on cyber resilience. A high-level map of what RBI, SEBI and IRDAI expect - and how to stay current.

4 min read
Regulatory Updates

CERT-In’s six-hour incident reporting: what Indian organisations must do

CERT-In requires certain cyber incidents to be reported within six hours of detection. What that means in practice - and how to be ready.

4 min read
Regulatory Updates

PCI DSS v4.0.1 in 2026: every requirement is now mandatory

The grace period is over - since March 2025 every PCI DSS v4.x requirement is enforceable. What changed, and what card-handling businesses must do now.

3 min read

Have a question this raised?

Our team turns guidance like this into working compliance and security programmes. Tell us where you are — we’ll help you plan the next step.