The California Consumer Privacy Act, as amended by the California Privacy Rights Act, is the strongest consumer privacy regime in the United States. It applies to for profit businesses that serve California residents and cross defined revenue or data volume thresholds, wherever the business is located, which brings foreign companies into scope through nothing more than the Californians in their user base.
The regime is operational in character. Rights to know, delete, correct, and opt out of the sale or sharing of personal information only work if the business runs request workflows on the 45 day statutory clock and places working opt out mechanics, including the do not sell or share link, in front of consumers.
The work concentrates in three places: threshold analysis to establish whether and how the law applies, opt out mechanics including do not sell or share, and consumer request operations on the statutory clock.
A CCPA and CPRA engagement produces the following, each signed off against written acceptance criteria:
A program runs six to ten weeks, with request volumes and the number of consumer facing channels as the drivers. Businesses already holding a GDPR program reach CCPA and CPRA compliance quickly, because the shared controls carry across with their evidence.
A scoping conversation and a short Scoping Questionnaire tell us your systems, data, and obligations, and this step carries no charge. The written proposal that follows states scope, approach, deliverables, timeline, team, and exact fixed fees. Write to consulting@codecolonies.com or visit codecolonies.com to begin.