CCPA/CPRA Regulations — California Privacy Protection Agency
Regulatory authority: California Privacy Protection Agency (CPPA)
Statute: California Consumer Privacy Act (CCPA) as amended by California Privacy Rights Act (CPRA, Prop. 24)
Regulations finalized: March 29, 2023
Key Consumer Rights
The CPRA regulations operationalize four core data subject rights for California residents:
- Right to Know: Consumers may request disclosure of personal information collected, sold, or disclosed in the preceding 12 months.
- Right to Delete: Consumers may request deletion of personal information; businesses must propagate deletion requests to service providers and contractors.
- Right to Opt-Out of Sale/Sharing: Consumers may opt out of sale or sharing of personal information for cross-context behavioral advertising; businesses must honor Global Privacy Control (GPC) signals.
- Right to Correct: Consumers may request correction of inaccurate personal information held by a business.
Regulatory Scope
- Applies to for-profit businesses that collect California residents' personal information and meet revenue, data volume, or data-sharing thresholds.
- "Sharing" for cross-context behavioral advertising is regulated separately from sale — both are subject to opt-out rights.
CDP and Paid-Media Pipeline Implications
- Opt-out signals (including GPC) must propagate to downstream destinations including ad platforms, data brokers, and CDPs processing California resident data.
- Deletion requests must cascade across all service providers and contractors that received the data.
- Composable CDPs must implement deletion propagation APIs to comply with request timelines (45 days, extendable once).
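One way a pipeline could apply a GPC opt-out to its downstream destinations, as an added example that is not part of the regulations or of any CDP's own API. The destination names, the purpose tags, the treatment of service providers as unaffected, and the rule that a missing signal never clears a stored opt-out are assumptions; `Sec-GPC: 1` is the request header defined by the GPC specification.

```python
# Added example. Destination names and purpose tags are hypothetical.
SUPPRESSED_PURPOSES = {"sale", "share"}   # both are subject to opt-out

# Constructed registry: downstream destination -> why it receives data.
DESTINATIONS = {
    "ad-platform": "share",               # cross-context behavioral advertising
    "data-broker": "sale",
    "email-vendor": "service_provider",   # assumed to process on the business's behalf
}

def gpc_enabled(headers):
    """True when the request carries the GPC header `Sec-GPC: 1`."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":     # header names are case-insensitive
            return value.strip() == "1"   # "1" is the only value that signals opt-out
    return False

def resolve_opt_out(headers, stored_opt_out):
    """Assumption: GPC can set the stored opt-out; its absence never clears it."""
    return stored_opt_out or gpc_enabled(headers)

def route_event(headers, stored_opt_out, destinations=DESTINATIONS):
    """Split destinations into (deliver, suppress) for one consumer event."""
    opted_out = resolve_opt_out(headers, stored_opt_out)
    deliver, suppress = [], []
    for name, purpose in sorted(destinations.items()):
        blocked = opted_out and purpose in SUPPRESSED_PURPOSES
        (suppress if blocked else deliver).append(name)
    return deliver, suppress

def opt_out_notices(consumer_id, destinations=DESTINATIONS):
    """Build the opt-out messages to push to every sale/share destination."""
    return [
        {"destination": name, "consumer_id": consumer_id, "action": "opt_out"}
        for name, purpose in sorted(destinations.items())
        if purpose in SUPPRESSED_PURPOSES
    ]

if __name__ == "__main__":
    print(route_event({"sec-gpc": "1"}, stored_opt_out=False))
    print(opt_out_notices("consumer-123"))  # constructed consumer id
```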
Related KG nodes: Grounds constraint.ccpa-data-subject-rights (TC-46 proposal). Complements source.gdpr-info-eu.art-17-gdpr-2016 (GDPR erasure right) and source.law-cornell-edu.uscode-text-47-227-2026 (federal TCPA).