California's Consumer Privacy Rights Act (CPRA, effective 2023) established the California Privacy Protection Agency (CPPA) as the first dedicated US state privacy regulator. CPPA issued over $100 million in enforcement actions in 2024 — demonstrating that California's privacy law is not just a regulatory framework but an active enforcement environment.
CPRA's extraterritorial reach is the most significant aspect for global businesses: the law applies to any company with $25M+ annual revenue, or that processes personal data of 100,000+ California consumers or households. With 40 million California residents and California's status as the world's 5th largest economy, most global enterprises fall under CPRA jurisdiction.
CPRA's Sensitive Personal Information Categories
CPRA creates a distinct tier of "sensitive personal information" requiring heightened protection and specific disclosure requirements. The 19 categories closely map to GDPR's Article 9 special categories, but with US-specific additions:
- SSNs, driver's license, state ID, passport numbers
- Financial account, debit/credit card numbers with access codes
- Precise geolocation (within 1,852 meters)
- Racial/ethnic origin
- Religious or philosophical beliefs
- Union membership
- Email and postal mail content (if not widely available)
- Genetic data
- Biometric data for identification
- Health/medical data
- Sexual orientation or sex life
- Immigration status (added in 2024 regulations)
- Mental health data (added in 2024 regulations)
- Citizenship status
- Financial account numbers (standalone, without access codes)
- Disability status
- Employment status indicators
- Insurance policy information
- Criminal record or arrest record data
The practical implication: any data processing pipeline that handles these categories must provide consumers with the right to limit use and disclosure of sensitive personal information, separate from the general right to opt-out of sale.
2024 CPPA Enforcement: What Got Targeted
The CPPA issued enforcement actions and settlements in 2024 targeting:
Data broker registration violations: California requires data brokers to register with the CPPA. CPPA found hundreds of unregistered data brokers — organizations selling personal profile data without required disclosure.
Consent management noncompliance: The CPPA found that many companies' "consent management platforms" did not actually provide functional opt-out mechanisms — either the opt-out button did not work, or the opt-out only applied to specific data uses while others continued.
AI automated decision-making: The CPPA's 2025 AI regulations require businesses to notify consumers when automated decision-making is used for significant decisions (employment, credit, housing) and provide meaningful opt-out mechanisms. Several enforcement actions in 2024 targeted AI tools used without adequate notification.
Children's data: Under the California Age-Appropriate Design Code (AADC), businesses likely to be accessed by minors must conduct Data Protection Impact Assessments. CPPA found multiple tech companies failing to complete required DPIAs.
CPRA vs. GDPR: Key Differences for Global Organizations
Organizations operating under both GDPR and CPRA face compliance requirements that are similar in principle but different in specifics:
Opt-out vs. opt-in: GDPR requires opt-in consent for most sensitive data processing. CPRA uses an opt-out model — processing is lawful until the consumer opts out. This means GDPR-compliant consent mechanisms are often more restrictive than CPRA requires, but CPRA-compliant practices may not satisfy GDPR.
Data subject rights: Both require access, deletion, and correction rights. CPRA adds a right to opt-out of automated decision-making — broader than GDPR Article 22's narrower automated decision-making provision.
Employee data: CPRA fully applies to employee personal data. GDPR has a similar scope but member states have varying employment-specific provisions. California employee privacy is often a distinct compliance track from EU employee GDPR.
Sensitive data scope: CPRA's 19 categories partially overlap with GDPR Article 9 but include categories (immigration status, financial account numbers, criminal records) that GDPR treats differently.
The AI Vendor Compliance Implication
CPRA's 2025 AI regulations create specific requirements for organizations using AI tools that process California consumer data:
Vendor contractual requirements: Service providers (vendors processing data on behalf of the business) must contractually commit to: using data only for the disclosed purpose, deleting data when the service terminates, allowing consumer rights requests to flow through, and implementing adequate security measures.
Automated decision-making disclosure: If your AI tool makes or significantly contributes to decisions about California consumers — credit scoring, fraud flagging, content moderation, employment screening — consumers must be notified and provided a meaningful opt-out.
Training data provenance: If California consumer data was used to train an AI model, CPRA's purpose limitation requirements mean that the AI model's outputs cannot be used for purposes incompatible with the original collection purpose.
For organizations managing California consumer data in AI systems, data minimization before AI processing (removing PII before data enters AI training pipelines or AI analysis tools) is the most straightforward way to satisfy CPPA's automated decision-making requirements while reducing exposure of sensitive personal information.
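One way to implement that minimization step, as an added example that is not the page's or any regulator's code: a Python prefilter that strips SSNs and Luhn-valid card numbers from free text, coarsens geolocation so it is no longer precise by the page's 1,852 m figure, drops fields that fall in the sensitive categories listed earlier, and flags the record so the right-to-limit obligation follows it downstream. The field names, record layout and sample record are assumptions, not a real schema.

```python
# Constructed prefilter: field names, layout and sample record are assumptions,
# not a real schema; the 1,852 m geolocation figure is taken from the page.
import math
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, spaces/dashes allowed
SENSITIVE_FIELDS = {"health", "biometric_id", "immigration_status", "union", "religion"}
PRECISE_GEO_RADIUS_M = 1852.0
METERS_PER_DEG_LAT = 111_320.0

def luhn_ok(digits: str) -> bool:
    """Luhn check so ordinary 13-19 digit numbers are not mistaken for cards."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def redact_text(text: str) -> str:
    """Replace SSNs and Luhn-valid card numbers with placeholders."""
    text = SSN_RE.sub("[SSN]", text)
    return CARD_RE.sub(
        lambda m: "[CARD]" if luhn_ok(re.sub(r"[ -]", "", m.group(0))) else m.group(0), text)

def coarsen_geo(lat: float, lon: float, radius_m: float = PRECISE_GEO_RADIUS_M):
    """Snap to a grid with cell side 2*radius_m: the kept point names a cell, not an address."""
    step = 2 * radius_m / METERS_PER_DEG_LAT
    lon_step = step / max(math.cos(math.radians(lat)), 0.01)  # degrees shrink with latitude
    return (round(round(lat / step) * step, 5), round(round(lon / lon_step) * lon_step, 5))

def minimize_record(rec: dict) -> dict:
    """Copy of rec for the AI pipeline; cpra_limit_use says the source carried sensitive PI."""
    out, limit_use = {}, False
    for key, val in rec.items():
        if key in SENSITIVE_FIELDS:      # sensitive category: drop the field outright
            limit_use = True
        elif key == "geo":               # precise geolocation is itself sensitive PI
            out[key] = coarsen_geo(*val)
            limit_use = True
        else:
            out[key] = redact_text(val) if isinstance(val, str) else val
            limit_use = limit_use or out[key] != val
    out["cpra_limit_use"] = limit_use
    return out

SAMPLE = {  # constructed record, not real data
    "note": "Applicant SSN 123-45-6789, card 4111 1111 1111 1111, order 1234567890123",
    "geo": (37.7749, -122.4194), "health": "asthma"}
```

`minimize_record(SAMPLE)` drops `health`, redacts the SSN and card while leaving the 13-digit order number (it fails Luhn), snaps the coordinates to the coarse grid, and sets `cpra_limit_use` so the downstream pipeline knows the consumer's limit-use request must be honoured for this record.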