CCPA/CPRA — California Consumer Privacy and Data Subject Rights (2026)
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most consequential US state privacy law and the template for a dozen state privacy laws enacted 2022–2026. It directly governs CDP operations: right-to-delete triggers cascading deletion across the CDW and all reverse-ETL destinations; right-to-opt-out-of-sale-or-sharing governs paid-media audience export; the 2026 ADMT rules govern AI-powered decisioning on California consumers.
The six data subject rights.
- Right to Know — California residents may request the categories and specific pieces of personal information a business has collected, the sources, the purpose, and the third parties with whom it has been shared in the prior 12 months.
- Right to Delete — California residents may request deletion of personal information collected from them. Businesses must respond within 45 days (with one possible 45-day extension) and propagate the deletion to all service providers and contractors that received the data.
- Right to Opt-Out of Sale or Sharing — California residents may direct a business to stop selling or sharing their personal information. Under CPRA, "sharing" specifically covers cross-context behavioral advertising, making this right load-bearing for CDP-to-paid-media activation pipelines. Businesses must honor Global Privacy Control (GPC) signals as a valid opt-out mechanism.
- Right to Correct — California residents may request correction of inaccurate personal information. Correction must propagate to downstream systems holding the same data.
- Right to Limit Use of Sensitive Personal Information — California residents may direct businesses to limit the use of sensitive personal information (precise geolocation, race, ethnicity, religion, health, sexual orientation, etc.) to that necessary to provide the requested goods or services.
- Right to Non-Discrimination — Businesses may not retaliate against consumers for exercising their CCPA rights through price discrimination or service denial.
The 2026 regulatory update — ADMT, risk assessments, cybersecurity audits.
Regulations approved by the CPPA Board took effect January 1, 2026, adding three significant obligation classes:
- Automated Decision-Making Technology (ADMT) rules. Businesses using ADMT for "significant decisions" about California consumers — decisions producing legal effects or similarly significant effects on access to financial services, housing, education, employment, healthcare, or essential goods and services — must provide a pre-use notice (before ADMT is used), honor opt-out rights from such ADMT, and respond to access requests describing the logic of the automated process and the consumer's likely outcome. This applies directly to CDP architectures that use platform-bundled AI decisioning (Tealium IYOM, BrazeAI Decisioning Studio, Adobe Engagement Intelligence) for scoring-based decisioning that drives significant decisions.
- Risk assessments. Businesses processing personal information in ways that present significant risk to consumers' privacy must conduct annual risk assessments documenting the processing purposes, the categories of data, the risks identified, and the safeguards adopted. Submission to the CPPA is required on request.
- Cybersecurity audits. Businesses meeting threshold criteria must conduct annual cybersecurity audits assessing the design and effectiveness of their information security program.
Architectural implications for CDP design.
- Real-time suppression list. Any sharing of California resident personal data with ad platforms for targeting constitutes "sale or sharing" under CPRA. CDP architectures that route audiences to paid-media destinations must maintain a real-time suppression list synced across all reverse-ETL ad destinations within hours of an opt-out request, not days.
- Deletion cascade audit trail. The right-to-delete obligation extends to all service providers and contractors. Composable CDP architectures with multiple reverse-ETL destinations must maintain a deletion propagation audit trail demonstrating that the request was honored end-to-end within 45 days.
- ADMT pre-use notice and opt-out plumbing. Platform-bundled AI decisioning at the concept.real-time-decisioning Layer 2 (intra-session) must implement pre-use notices and opt-out controls in California-scoped deployments. CDP architectures using churn scoring, CLV modeling, or propensity scoring to drive significant decisions are in scope.
- GPC signal honoring. The CDP's web tag layer must read and honor the Global Privacy Control signal as a valid opt-out of sale or sharing — a control that must be wired before the audience pipeline rather than retrofitted into reverse-ETL filters.
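The real-time suppression list and GPC items above, sketched as an added example (not code from any CDP vendor): the opt-out is recorded at collection time, before the event reaches the audience pipeline, and checked again at export. All function names, destination names and the `saleOrSharing` flag are hypothetical, and residency scoping is omitted.

```javascript
// Added example; every name here is hypothetical, not a vendor SDK call.

// GPC arrives as the request header `Sec-GPC: 1` (server side) or as
// navigator.globalPrivacyControl === true (browser tag). Anything else is "no signal".
function gpcOptedOut(headers = {}, navigatorGpc = undefined) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc" && String(value).trim() === "1") return true;
  }
  return navigatorGpc === true;
}

// Collection-time gate: the opt-out is written to the suppression list before the
// event is handed to the audience pipeline.
function ingest(event, suppression, pipeline) {
  if (gpcOptedOut(event.headers, event.navigatorGpc) && !suppression.has(event.consumerId)) {
    suppression.set(event.consumerId, { source: "gpc", recordedAt: event.receivedAt });
  }
  pipeline.push({ consumerId: event.consumerId, optedOut: suppression.has(event.consumerId) });
}

// Export-time check: destinations the operator has flagged saleOrSharing (ad
// platforms) never receive suppressed consumers. The list is consulted again here
// in case the opt-out arrived after the segment was built.
function buildExports(audience, destinations, suppression) {
  const out = {};
  for (const dest of destinations) {
    out[dest.name] = dest.saleOrSharing
      ? audience.filter((id) => !suppression.has(id))
      : audience.slice();
  }
  return out;
}

// Constructed sample data.
const suppression = new Map();
const pipeline = [];
const events = [
  { consumerId: "c-1", headers: { "Sec-GPC": "1" }, receivedAt: "2026-02-01T10:00:00Z" },
  { consumerId: "c-2", headers: { "sec-gpc": "0" }, receivedAt: "2026-02-01T10:01:00Z" },
  { consumerId: "c-3", headers: {}, navigatorGpc: true, receivedAt: "2026-02-01T10:02:00Z" },
];
events.forEach((e) => ingest(e, suppression, pipeline));
const exportsByDest = buildExports(["c-1", "c-2", "c-3"], [
  { name: "ads-platform", saleOrSharing: true },
  { name: "internal-analytics", saleOrSharing: false },
], suppression);
console.log(exportsByDest);
```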
Contrast with GDPR Article 17. CCPA right-to-delete (45-day response, California residents, exemptions for legal compliance, security, and free-speech purposes) and GDPR Article 17 right-to-erasure (30-day response, EU residents, narrower exemptions) are peer data-subject deletion rights from different jurisdictions. GDPR's 30-day window is the binding constraint where both populations overlap. See constraint.gdpr-right-to-erasure.
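An added example (not from the original page) of the deletion propagation audit trail described under the architectural implications, using the response windows stated on this page and taking the shortest one when more than one regime applies. The record shapes, destination names and function names are hypothetical.

```javascript
// Added example; names are hypothetical. Windows are the ones stated on this page.
const DAY_MS = 24 * 60 * 60 * 1000;
const WINDOW_DAYS = { ccpa: 45, gdpr: 30 };
const CCPA_EXTENSION_DAYS = 45; // one extension at most

// The deadline is the shortest window among the regimes that apply to the request.
function deadlineFor(request) {
  const days = request.regimes.map((r) => {
    if (!(r in WINDOW_DAYS)) throw new Error(`unknown regime: ${r}`);
    return WINDOW_DAYS[r] + (r === "ccpa" && request.ccpaExtended ? CCPA_EXTENSION_DAYS : 0);
  });
  return new Date(Date.parse(request.receivedAt) + Math.min(...days) * DAY_MS);
}

// One row per destination that received the data. A destination with no
// confirmation is "pending" until the deadline passes and "overdue" afterwards.
function auditDeletion(request, destinations, confirmations, now) {
  const deadline = deadlineFor(request).getTime();
  const rows = destinations.map((dest) => {
    const c = confirmations.find((x) => x.requestId === request.id && x.destination === dest);
    let status;
    if (c) status = Date.parse(c.confirmedAt) <= deadline ? "confirmed" : "confirmed-late";
    else status = Date.parse(now) <= deadline ? "pending" : "overdue";
    return { destination: dest, status, confirmedAt: c ? c.confirmedAt : null };
  });
  return {
    requestId: request.id,
    deadline: new Date(deadline).toISOString(),
    honoredEndToEnd: rows.every((r) => r.status === "confirmed"),
    rows,
  };
}

// Constructed sample: one CCPA request, three destinations, one never confirmed.
const request = { id: "del-001", regimes: ["ccpa"], ccpaExtended: false, receivedAt: "2026-01-10T00:00:00Z" };
const destinations = ["warehouse", "ads-platform", "email-tool"];
const confirmations = [
  { requestId: "del-001", destination: "warehouse", confirmedAt: "2026-01-11T08:00:00Z" },
  { requestId: "del-001", destination: "ads-platform", confirmedAt: "2026-03-01T00:00:00Z" },
];
const report = auditDeletion(request, destinations, confirmations, "2026-03-05T00:00:00Z");
console.log(JSON.stringify(report, null, 2));
```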
Enforcement. The California Privacy Protection Agency (CPPA), the first dedicated data privacy enforcement agency in the US, is the primary enforcement body, with concurrent enforcement authority retained by the California Attorney General. The CPPA may impose fines of $2,500 per violation ($7,500 per intentional violation or violations affecting consumers under 16) plus injunctive relief.