CCPA, CPRA, and GDPR Compliance

CTO Tech Services does CCPA and GDPR auditing. It’s one of our core specialities, and we help companies set up their data compliance model, and act as the Data Officer documenting and administering data requests. The latest iteration of CCPA is CPRA, which is an attempt to create a nationwide framework for data privacy similar to the CCPA legislation enacted in California.

In this blog I’ll briefly cover the different high level requirements and how we meet evidentiary responsibility. At the end you’ll find my extremely comprehensive GDPR and CCPA Compliance guide. It’s a lot of technical compliance. For the TL;dr version, send me an email.


The California Consumer Privacy Act is a state law that grants California residents comprehensive rights over their personal data. Effective since January 1, 2020, CCPA allows consumers to access, delete, and opt-out of the sale of their personal information collected by businesses. It mandates companies disclose data collection practices and the purposes for which data is used. Additionally, it ensures data portability and provides a private right of action for data breaches. Enforced by the California Attorney General.


The General Data Protection Regulation is a comprehensive data privacy law enacted by the European Union, effective since May 25, 2018. It regulates how organizations collect, store, process, and share personal data of EU residents. GDPR grants individuals robust rights, including access, rectification, deletion (right to be forgotten), and data portability. It imposes stringent data protection requirements on businesses. Non-compliance can result in severe penalties. GDPR aims to enhance individuals’ control over their personal data and harmonize data privacy laws across Europe.


The Consumer Internet Privacy Rights Act is a proposed federal law aiming to establish uniform privacy protections across the United States. It emphasizes consumer rights to access, correct, and delete personal data, mandates data minimization, and requires explicit opt-in consent for data collection, enhancing nationwide consumer privacy and transparency. Similar to, and based on California’s Privacy Act.

What are the differences between CCPA and CPRA?

  • CPRA is a proposed federal law designed to establish a uniform standard of privacy protection across the U.S., emphasizing consumer rights, data minimization, and explicit consent.
  • CCPA is a state law specific to California, providing comprehensive privacy rights to residents, focusing on transparency and consumer control over personal data, with an opt-out mechanism for data sales.

Do I need to do both GDPR and CCPA/CPRA?

Probably. If your website is located in California, you manage a business in California, or you do business with customers from California, then you need to comply with CCPA. If you also collect information and advertise to visitors from the EU, then you need to comply with GDPR. You can do both easily, using the GDPR standard as your model.

Here are the requirements for CCPA/CPRA:

  • CPRA: Businesses that share personally identifiable information (PI) of more than 100,000 consumers or households. CCPA: 50,000 consumer threshold
  • Companies with gross sales of $25M or more for the prior fiscal year.
  • Companies that generate more than 50% of their total revenue by sharing or selling personal information they collect from users.

Evidentiary Requirements

A strongly documented process along with a company Data guide is an active way to manage CCPA/CPRA/GDPR compliance. We build out these processes and educate your team on how to handle privacy inquiries and requests..

For a review of your CCPA/CPRA/GDPR compliance, drop me an email.