Kaamel offers Drata customers free one-month consultations to help build up your compliance baseline, jumpstart your compliance journey.Learn More

CCPA/CPRA compliance that holds up under enforcement

California is the most actively enforced privacy jurisdiction in the US. Incomplete opt-outs and sloppy data minimization are already drawing real fines — we make sure yours hold.

The CPRA amendments expanded CCPA obligations substantially, and three new duties phase in from 2026: cybersecurity audits, privacy risk assessments, and automated decision-making (ADMT) rules. Kaamel's control framework maps every applicable provision, reusing the SOC 2 and GDPR controls you already have.

AICPA SOCDrataVanta

Automation built on Vanta and Drata · Trusted by nearly 100 companies going global

$12.75M
GM's 2026 fine for data-minimization violations, a new CCPA record
3
new duties from 2026: cyber audits, risk assessments, ADMT
6
consumer rights, each with a process, a log, and a deadline

What is CCPA/CPRA?

The CCPA is the first comprehensive state consumer privacy law in the US, effective 2020; the CPRA, effective 2023, amended and expanded it. They are not two laws — what your business must comply with is the CCPA as amended by the CPRA. And it does not care where you are incorporated: cross a revenue or data threshold while handling Californians' personal information, and it applies to you.

Three thresholds, any one applies

Global annual revenue over $26.25M (inflation-adjusted); or buying, selling, or sharing personal information of 100k+ California residents or households a year; or 50%+ of revenue from selling or sharing personal information.

Six consumer rights

Know, delete, correct (new under CPRA), opt out of sale or sharing, limit use of sensitive personal information, and non-discrimination. Each needs a process, a log, and a statutory deadline.

Opt-out is the enforcement focus

Opt-outs must work uniformly across every device and service, and honor Global Privacy Control (GPC) signals. The Disney case made the lesson explicit: partial compliance is non-compliance.

Sensitive data keeps expanding

Beyond the CPRA's sensitive categories, California has added neural data to the list. Collection and use limits have to track the legislature, not last year's memo.

The three new duties phasing in from 2026

New dutyWho triggers itKey deadlines
Privacy risk assessmentsHigh-risk processing: selling/sharing PI, sensitive data, ADMT for significant decisionsExisting activities assessed by end of 2027, filed with the CPPA by April 2028; new activities before launch
ADMT complianceAlgorithms substantially replacing human decisions in finance, housing, employment, healthcarePre-use notice, opt-out, and access mechanisms in place by January 2027
Mandatory cybersecurity audits50%+ revenue from selling/sharing PI, or high revenue plus 250k+ consumers' dataObligations live since January 2026; certifications file in phases, 2028-2030 by revenue

Why CCPA/CPRA matters

Two enforcers are active at once — the Attorney General and the California Privacy Protection Agency — and the fines have reached companies of every size.

The fines are real, and accelerating

Disney's $2.75M and GM's $12.75M set back-to-back records; Tractor Supply, Honda, and PlayOn were mid-size targets. Enforcement is not just hunting giants.

Table stakes for US buyers

For companies selling into the US, CCPA is now a standard line in security and privacy questionnaires. No good answer, no signature.

The 2026 windows are closing

Risk assessments, ADMT, and audit deadlines are already on the calendar. Starting near the deadline costs far more than pacing the work now.

How the service works

There is no CCPA certificate to earn. Compliance is a running program that has to survive an enforcement look — we build it in four steps.

  1. 01

    Applicability and gap assessment

    First confirm whether you cross a threshold at all, then assess against every applicable provision including the 2026 rules — with a phased roadmap coordinated with your SOC 2 or ISO work.

  2. 02

    Policies and rights response

    The full privacy policy and notice-at-collection set, response processes and logs for all six rights, and opt-outs that work on every device with GPC signals honored.

  3. 03

    The 2026 trio

    A privacy risk assessment process with your first assessments done, ADMT mechanisms (pre-use notice, opt-out, access), and audit-trigger analysis with cybersecurity audit preparation.

  4. 04

    Monitoring and enforcement readiness

    Controls feed a compliance automation platform for continuous monitoring, building an evidence package ready for a CPPA inquiry, an AG action, or a customer's diligence.

What does it take from you?

Kaamel consultants lead

Applicability and gap assessments, policy drafting, rights-response design, risk assessments, ADMT evaluation, audit prep, training, drills, and vendor contract review — all done by our team.

Your team assists

Under our guidance: encryption, logging, access control, and opt-out implementation. Most controls reuse cloud capabilities you already pay for.

What you end up holding

Applicability and gap reports, the full policy set, rights-response logs, risk assessment and ADMT reports, an audit-prep checklist, and a live evidence dashboard.

Want a timeline and a quote for your case?

Why Kaamel

We build CCPA programs to the standard of "someone will actually check": every requirement gets a control, an owner, and evidence an auditor can verify.

Build once, reuse across frameworks

Our control framework is natively compatible with SOC 2, ISO 27001/27701, and GDPR. If you are already compliant somewhere, the increment is small — and CCPA controls can fold into your SOC 2 audit scope.

Designed for your stack

Written for SaaS, AI, and cloud-native architectures. Rights-response and data-lifecycle controls match how your systems actually work, not paper compliance.

Tracking the law as it moves

CPPA rulemaking, AG enforcement actions, and expansions like neural data — we follow them continuously, so the advice you get reflects the current rules.

Two teams, no time-zone gap

Silicon Valley and Asia teams hand off daily, delivering in English and Chinese, so your global team and your California counsel stay in sync.

Ten service areas, scoped to your business

  • Applicability assessment and phased compliance roadmap
  • Full privacy policy, notice-at-collection, and governance set
  • Response processes and logs for all six consumer rights
  • Opt-out and GPC signal support, uniform across devices
  • Sensitive personal information and neural data management
  • Privacy risk assessments (2026 rules)
  • Automated decision-making (ADMT) compliance (2026-2027 rules)
  • Cybersecurity audit trigger analysis and preparation
  • Breach response procedures with annual tabletop drills
  • Service provider and contractor contract review

CCPA/CPRA questions, answered

We are not registered in California. Does CCPA still apply?

Applicability follows your business, not your incorporation. Cross any one of three thresholds and you are in scope: global revenue over $26.25M; buying, selling, or sharing personal information of 100k+ California residents or households a year; or half your revenue from selling or sharing personal information. Companies selling into the US commonly trip the first one.

What is the relationship between CCPA and CPRA?

The CPRA is not a separate law — it is a comprehensive amendment to the CCPA, effective 2023. What you comply with today is the CCPA as amended: more consumer rights, heavier obligations, and a dedicated regulator (the CPPA) that keeps issuing new rules.

Is there a CCPA certificate?

No official certification exists. Compliance is demonstrated through policies, risk assessment records, and evidence that controls actually run. We build that evidence package with you — and when you need stronger external proof, CCPA controls can fold into your SOC 2 audit scope or an independent third-party assessment.

What exactly do the 2026 rules require?

Three things. Privacy risk assessments for high-risk processing (existing activities assessed by end of 2027, filed with the CPPA by April 2028). ADMT used for significant decisions needs pre-use notices, opt-outs, and meaningful access information by January 2027. And companies crossing the audit threshold need annual cybersecurity audits — the obligation is live now, with certifications filing in phases from 2028 to 2030 by revenue.

We already did GDPR. How much more is CCPA?

Much of the foundation carries over: data mapping, security controls, and breach response are shared. But California has its own specifics — the sale-or-share definitions, opt-out rights and GPC signals, sensitive-data use limits, and the 2026 rules. We add only the increment; we never rebuild what you have.

Does enforcement really reach mid-size companies?

Yes. Beyond Disney and GM, Tractor Supply ($1.35M), Honda ($632k), and PlayOn Sports ($1.1M) have all been fined, and there is a dedicated data-broker enforcement task force plus multi-state GPC sweeps. The net is widening, not narrowing.

Serving users in California?

Book a free assessment. We will confirm whether CCPA/CPRA applies to you, what is missing, and how to schedule the 2026 deadlines.