Back to Frameworks

CCPA/CPRA

United States - California
v2023
11 domains
31 controls

California Consumer Privacy Act / California Privacy Rights Act

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (11)

Business Obligations

10 controls
Controls in the Business Obligations domain of CCPA/CPRA10 controls
CodeTitle
CCR §7012Notice at Collection Drafting Requirements
CCR §7025Opt-Out Preference Signal Configuration
§1798.100General Duties of Businesses that Collect Personal Information
§1798.130(a)(3)Privacy Policy Content Requirements
§1798.130(a)(5)(C)Notice at Collection
§1798.135(a)Do Not Sell or Share My Personal Information Link
§1798.135(b)Opt-Out Preference Signals (Global Privacy Control)
§1798.140Threshold for Applicability and Key Definitions
§1798.145Exemptions and Permitted Activities
§1798.185(a)(15)Risk Assessments for High-Risk Processing

CCPA/CPRA: Accountability & Compliance

0 controls

Demonstration of compliance and accountability (CCPA/CPRA)

CCPA/CPRA: Data Collection & Consent

0 controls

Requirements for lawful collection and consent management (CCPA/CPRA)

CCPA/CPRA: Data Governance

0 controls

Organizational governance of personal data processing (CCPA/CPRA)

CCPA/CPRA: Data Security

0 controls

Technical and organizational security measures (CCPA/CPRA)

CCPA/CPRA: Data Subject Rights

0 controls

Individual rights regarding their personal data (CCPA/CPRA)

Consumer Rights

9 controls
Controls in the Consumer Rights domain of CCPA/CPRA9 controls
CodeTitle
CCR §7026Requests to Opt-Out of Sale/Sharing Handling
§1798.105Right to Delete Personal Information
§1798.106Right to Correct Inaccurate Personal Information
§1798.110Right to Know Categories and Specific Pieces of Personal Information Collected
§1798.115Right to Know Personal Information Sold or Shared and Recipients
§1798.120Right to Opt Out of Sale or Sharing of Personal Information
§1798.125Non-Discrimination for Exercise of Rights
§1798.135(c)Authorized Agent Requests
§1798.185(a)(16)Automated Decisionmaking Technology Access and Opt-Out

Enforcement

3 controls
Controls in the Enforcement domain of CCPA/CPRA3 controls
CodeTitle
CCR §7301-7304CPPA Audit and Investigation Cooperation
§1798.150Private Right of Action for Data Breaches
§1798.155Administrative Enforcement and Civil Penalties

Privacy Operations

5 controls
Controls in the Privacy Operations domain of CCPA/CPRA5 controls
CodeTitle
CCR §7060Consumer Identity Verification
CCR §7100-7102Recordkeeping Requirements
§1798.130(a)(1)Designated Methods for Submitting Consumer Requests
§1798.130(a)(2)45-Day Response Window and Identity Verification
§1798.130(c)Annual Metrics Disclosure (Large Businesses)

Sensitive PI

2 controls
Controls in the Sensitive PI domain of CCPA/CPRA2 controls
CodeTitle
CCR §7027Requests to Limit Use of Sensitive PI Handling
§1798.121Right to Limit Use and Disclosure of Sensitive Personal Information

Service Provider

2 controls
Controls in the Service Provider domain of CCPA/CPRA2 controls
CodeTitle
CCR §7050Service Provider and Contractor Obligations
§1798.100(d)Contractual Requirements for Third Parties, Service Providers, and Contractors

Your Compliance Coverage

If you comply with CCPA/CPRA, you already cover:

Maps to 6 other frameworks

31 total controls
Connecticut Data Privacy Act (CTDPA)
6 source controls mapped|9 target controls covered
19%
Colorado Privacy Act
6 source controls mapped|9 target controls covered
19%
China Personal Information Protection Law (PIPL)
6 source controls mapped|7 target controls covered
19%
Delaware Online Privacy and Protection Act (proposed)
4 source controls mapped|3 target controls covered
13%
COPPA
4 source controls mapped|3 target controls covered
13%
California IoT Security Law
1 source controls mapped|1 target controls covered
3%

Frequently Asked Questions

What is CCPA/CPRA?

CCPA/CPRA is a compliance framework from United States - California with 11 domains and 31 controls. California Consumer Privacy Act / California Privacy Rights Act It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does CCPA/CPRA have?

CCPA/CPRA has 31 controls organised across 11 domains. The largest domains are Business Obligations (10 controls), Consumer Rights (9 controls), Privacy Operations (5 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does CCPA/CPRA map to?

CCPA/CPRA maps to 6 other compliance frameworks. The top mapping partners are Connecticut Data Privacy Act (CTDPA) (19% coverage), Colorado Privacy Act (19% coverage), China Personal Information Protection Law (PIPL) (19% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with CCPA/CPRA compliance?

Start your CCPA/CPRA compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about CCPA/CPRA requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 31 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 723 frameworks.

Get Started Free →

Free forever — no credit card required