CCPA/CPRA compliance that holds up under enforcement
California is the most actively enforced privacy jurisdiction in the US. Incomplete opt-outs and sloppy data minimization are already drawing real fines — we make sure yours hold.
The CPRA amendments expanded CCPA obligations substantially, and three new duties phase in from 2026: cybersecurity audits, privacy risk assessments, and automated decision-making (ADMT) rules. Kaamel's control framework maps every applicable provision, reusing the SOC 2 and GDPR controls you already have.



Automation built on Vanta and Drata · Trusted by nearly 100 companies going global
What is CCPA/CPRA?
The CCPA is the first comprehensive state consumer privacy law in the US, effective 2020; the CPRA, effective 2023, amended and expanded it. They are not two laws — what your business must comply with is the CCPA as amended by the CPRA. And it does not care where you are incorporated: cross a revenue or data threshold while handling Californians' personal information, and it applies to you.
Three thresholds, any one applies
Global annual revenue over $26.25M (inflation-adjusted); or buying, selling, or sharing personal information of 100k+ California residents or households a year; or 50%+ of revenue from selling or sharing personal information.
Six consumer rights
Know, delete, correct (new under CPRA), opt out of sale or sharing, limit use of sensitive personal information, and non-discrimination. Each needs a process, a log, and a statutory deadline.
Opt-out is the enforcement focus
Opt-outs must work uniformly across every device and service, and honor Global Privacy Control (GPC) signals. The Disney case made the lesson explicit: partial compliance is non-compliance.
Sensitive data keeps expanding
Beyond the CPRA's sensitive categories, California has added neural data to the list. Collection and use limits have to track the legislature, not last year's memo.
The three new duties phasing in from 2026
| New duty | Who triggers it | Key deadlines |
|---|---|---|
| Privacy risk assessments | High-risk processing: selling/sharing PI, sensitive data, ADMT for significant decisions | Existing activities assessed by end of 2027, filed with the CPPA by April 2028; new activities before launch |
| ADMT compliance | Algorithms substantially replacing human decisions in finance, housing, employment, healthcare | Pre-use notice, opt-out, and access mechanisms in place by January 2027 |
| Mandatory cybersecurity audits | 50%+ revenue from selling/sharing PI, or high revenue plus 250k+ consumers' data | Obligations live since January 2026; certifications file in phases, 2028-2030 by revenue |
Why CCPA/CPRA matters
Two enforcers are active at once — the Attorney General and the California Privacy Protection Agency — and the fines have reached companies of every size.
The fines are real, and accelerating
Disney's $2.75M and GM's $12.75M set back-to-back records; Tractor Supply, Honda, and PlayOn were mid-size targets. Enforcement is not just hunting giants.
Table stakes for US buyers
For companies selling into the US, CCPA is now a standard line in security and privacy questionnaires. No good answer, no signature.
The 2026 windows are closing
Risk assessments, ADMT, and audit deadlines are already on the calendar. Starting near the deadline costs far more than pacing the work now.
How the service works
There is no CCPA certificate to earn. Compliance is a running program that has to survive an enforcement look — we build it in four steps.
- 01
Applicability and gap assessment
First confirm whether you cross a threshold at all, then assess against every applicable provision including the 2026 rules — with a phased roadmap coordinated with your SOC 2 or ISO work.
- 02
Policies and rights response
The full privacy policy and notice-at-collection set, response processes and logs for all six rights, and opt-outs that work on every device with GPC signals honored.
- 03
The 2026 trio
A privacy risk assessment process with your first assessments done, ADMT mechanisms (pre-use notice, opt-out, access), and audit-trigger analysis with cybersecurity audit preparation.
- 04
Monitoring and enforcement readiness
Controls feed a compliance automation platform for continuous monitoring, building an evidence package ready for a CPPA inquiry, an AG action, or a customer's diligence.
What does it take from you?
Kaamel consultants lead
Applicability and gap assessments, policy drafting, rights-response design, risk assessments, ADMT evaluation, audit prep, training, drills, and vendor contract review — all done by our team.
Your team assists
Under our guidance: encryption, logging, access control, and opt-out implementation. Most controls reuse cloud capabilities you already pay for.
What you end up holding
Applicability and gap reports, the full policy set, rights-response logs, risk assessment and ADMT reports, an audit-prep checklist, and a live evidence dashboard.
Why Kaamel
We build CCPA programs to the standard of "someone will actually check": every requirement gets a control, an owner, and evidence an auditor can verify.
Build once, reuse across frameworks
Our control framework is natively compatible with SOC 2, ISO 27001/27701, and GDPR. If you are already compliant somewhere, the increment is small — and CCPA controls can fold into your SOC 2 audit scope.
Designed for your stack
Written for SaaS, AI, and cloud-native architectures. Rights-response and data-lifecycle controls match how your systems actually work, not paper compliance.
Tracking the law as it moves
CPPA rulemaking, AG enforcement actions, and expansions like neural data — we follow them continuously, so the advice you get reflects the current rules.
Two teams, no time-zone gap
Silicon Valley and Asia teams hand off daily, delivering in English and Chinese, so your global team and your California counsel stay in sync.
Ten service areas, scoped to your business
- Applicability assessment and phased compliance roadmap
- Full privacy policy, notice-at-collection, and governance set
- Response processes and logs for all six consumer rights
- Opt-out and GPC signal support, uniform across devices
- Sensitive personal information and neural data management
- Privacy risk assessments (2026 rules)
- Automated decision-making (ADMT) compliance (2026-2027 rules)
- Cybersecurity audit trigger analysis and preparation
- Breach response procedures with annual tabletop drills
- Service provider and contractor contract review
CCPA/CPRA questions, answered
We are not registered in California. Does CCPA still apply?
Applicability follows your business, not your incorporation. Cross any one of three thresholds and you are in scope: global revenue over $26.25M; buying, selling, or sharing personal information of 100k+ California residents or households a year; or half your revenue from selling or sharing personal information. Companies selling into the US commonly trip the first one.
What is the relationship between CCPA and CPRA?
The CPRA is not a separate law — it is a comprehensive amendment to the CCPA, effective 2023. What you comply with today is the CCPA as amended: more consumer rights, heavier obligations, and a dedicated regulator (the CPPA) that keeps issuing new rules.
Is there a CCPA certificate?
No official certification exists. Compliance is demonstrated through policies, risk assessment records, and evidence that controls actually run. We build that evidence package with you — and when you need stronger external proof, CCPA controls can fold into your SOC 2 audit scope or an independent third-party assessment.
What exactly do the 2026 rules require?
Three things. Privacy risk assessments for high-risk processing (existing activities assessed by end of 2027, filed with the CPPA by April 2028). ADMT used for significant decisions needs pre-use notices, opt-outs, and meaningful access information by January 2027. And companies crossing the audit threshold need annual cybersecurity audits — the obligation is live now, with certifications filing in phases from 2028 to 2030 by revenue.
We already did GDPR. How much more is CCPA?
Much of the foundation carries over: data mapping, security controls, and breach response are shared. But California has its own specifics — the sale-or-share definitions, opt-out rights and GPC signals, sensitive-data use limits, and the 2026 rules. We add only the increment; we never rebuild what you have.
Does enforcement really reach mid-size companies?
Yes. Beyond Disney and GM, Tractor Supply ($1.35M), Honda ($632k), and PlayOn Sports ($1.1M) have all been fined, and there is a dedicated data-broker enforcement task force plus multi-state GPC sweeps. The net is widening, not narrowing.

