CCPA and CPRA California Privacy Rights

1. The Regulatory Framework

The California Consumer Privacy Act of 2018 (Cal. Civ. Code §§1798.100–1798.199.100) was enacted as AB 375 (Stats. 2018, ch. 55) and became operative January 1, 2020. The California Privacy Rights Act of 2020 was approved by California voters as Proposition 24 in November 2020, took effect January 1, 2023, with operational provisions applicable to data collected on or after January 1, 2022 (lookback period). CPRA created the California Privacy Protection Agency (CPPA) as the dedicated implementing agency, transferring enforcement authority from the Attorney General (which retains concurrent authority).

Covered entities are "businesses" as defined in §1798.140(d): for-profit entities doing business in California meeting at least one threshold — annual gross revenue exceeding $25 million (adjusted; $26,625,000 effective 2024 under §1798.185(a)(5)); annually buying, selling, or sharing personal information of 100,000 or more California consumers or households; or deriving 50% or more of annual revenue from selling or sharing personal information. "Service providers" and "contractors" (§1798.140(j), (ag)) are covered derivatively through statutory contracts. "Third parties" face direct obligations when personal information is sold or shared to them.

Substantive rights under CCPA/CPRA include the right to know (§§1798.100, 1798.110, 1798.115), right to delete (§1798.105), right to correct (§1798.106), right to opt-out of sale or sharing (§1798.120), right to limit use of sensitive personal information (§1798.121), right to non-discrimination for exercising rights (§1798.125), and right to data portability (§1798.130). Verifiable consumer requests must be responded to within 45 days (extendable to 90), with detailed response substance under CCPA regulations (Cal. Code Regs. tit. 11, §§7000–7304).

Enforcement under §1798.155 produces civil penalties up to $2,500 per violation and $7,500 per intentional violation or violation involving minors. The CPPA's first major enforcement action — a $1.55 million settlement with Honda in March 2025 — involved a combination of right-to-know, right-to-delete, and opt-out compliance failures. The CPPA Board adopted finalized ADMT regulations in July 2025 (Cal. Code Regs. tit. 11, §§7200–7269) effective for processing beginning October 1, 2026, requiring pre-use notice, opt-out and access rights for "significant decisions" using ADMT, and risk-assessment and cybersecurity-audit obligations under CPRA §§1798.185(a)(15)–(16). The §1798.150 private right of action covers data breaches involving non-encrypted, non-redacted personal information, with statutory damages of $100–$750 per consumer per incident.

2. The Architectural Requirement

CCPA/CPRA and the ADMT regulations are jointly an architectural rule disguised as a procedural rule. The verifiable-consumer-request regime under §1798.130 requires that businesses produce, on demand, a complete inventory of personal information about a specific consumer drawn from across all collection sources, all processing systems, and all service-provider/contractor recipients, accompanied by purpose attribution per §1798.100(a)(2)(C) and time-bounded retention information per §1798.100(a)(3).

This is an architectural requirement that personal information be tracked from credentialed source through every processing stage with attribution preserved. A business that aggregates personal information across systems without preserving source-credential and purpose-credential metadata cannot produce the required inventory at the required granularity. The ADMT regulations sharpen this: §7220 (pre-use notice), §7221 (opt-out), §7222 (access right), and §7223 (risk assessment) each require evidence of the decision logic, the inputs used, and the outcome rationale for "significant decisions" (employment, housing, insurance, financial services, education, criminal justice, healthcare, essential goods or services).

The right-to-delete regime under §1798.105 imposes an analogous architectural requirement on the inverse path. A business that has propagated personal information to service providers, contractors, and third parties under §1798.105(c) must extend the deletion to all such recipients within the timeframe, with verifiable evidence of completion. Without lineage tracking that records every propagation event with credential and timestamp, the business cannot meet the regulatory standard.

The cumulative architectural property required is a system in which every personal-information observation arrives credentialed (source, consent state, purpose, sensitivity classification under §1798.140(ae)), is weighted in admissibility evaluations against processing requests (purpose limitation under §1798.100(c), data minimization under §1798.100(c)), produces governed actuations (the processing operations themselves), and leaves audit-grade lineage sufficient to support consumer-rights handling, regulator audit, and ADMT-decision review. This is the five-property governance chain.

3. Why Procedural and Bolt-On Compliance Fails

The dominant CCPA compliance pattern combines a privacy policy, a "Do Not Sell or Share My Personal Information" link, an intake portal for consumer requests, and a manually-coordinated back-end fulfillment workflow. The pattern survives initial implementation but produces high error rates under sustained operation, particularly as data flows scale and as service-provider relationships proliferate.

The structural failure mode appears at the verification step. A consumer's verifiable request asks "what do you have about me, where did you get it, why do you have it, and who else has it?" A procedural compliance program answers this through a manual-review process that depends on each system owner accurately reporting the system's data and lineage — a process that is slow, error-prone, and produces evidentiary artifacts that the CPPA has explicitly criticized in its first-year enforcement. The Honda settlement's findings included verification-process complexity that effectively impeded rights exercise, exactly the failure mode procedural compliance produces under load.

ADMT compliance amplifies the structural mismatch. A "significant decision" rendered by an automated system — credit underwriting, employment screening, insurance pricing — is reviewable under §7222 on a per-decision basis, requiring access to the decision's logic, inputs, and outcome rationale. A bolt-on logging architecture that records inputs and outputs without preserving credential-bound provenance and decision-rule lineage cannot answer access requests at the required specificity, and cannot survive the §7223 risk-assessment audit obligation.

4. What the Five-Property Governance Chain Provides

The five-property governance chain provides the architectural primitive that CCPA/CPRA/ADMT presume. Property 1, authority-credentialed observation, requires every personal-information ingress to arrive signed by an authority within a published taxonomy: collection source (first-party form, third-party transfer, observed activity, inferred attribute), consent or processing-basis credential (opt-in consent, contract, legitimate-interest assertion under §1798.100(c)), and sensitivity classification credential (sensitive personal information under §1798.140(ae)). Inputs without credentials are rejected or downgraded.

Property 2, evidential weighting, weights each admitted observation by composite factors: source authority class, consent currency, purpose-limitation policy, and sensitivity. Property 3, composite admissibility evaluation, evaluates every proposed processing operation (analytics, profiling, automated decision, sale, share, transfer to service provider) against the weighted observation set. The graduated-mode outcome — proceed, defer, refuse, partial — replaces the binary allow/deny pattern that procedural compliance enforces.

Property 4, governed actuation, executes the selected mode with reversibility evaluation (an irreversible processing operation receives heightened admissibility scrutiny), purpose-binding (the actuation is bound to the admissibility evaluation that authorized it), and post-actuation verification. ADMT decisions are a special case: the actuation is the decision itself, and the post-actuation verification is the §7222 access record that supports consumer review.

Property 5, lineage-recorded provenance, records every observation, weighting, admissibility decision, and actuation with credential-bound lineage. The verifiable-consumer-request response under §1798.130 becomes a lineage extract: the system enumerates observations about the consumer, the credentials under which they were collected, the admissibility decisions in which they were used, the actuations that consumed them, and the propagations to service providers and third parties — all with timestamp and attribution.

The right-to-delete propagation under §1798.105(c) becomes a credentialed-actuation cascade through the lineage: each downstream recipient is identified from the propagation log, deletion-actuation requests are generated as credentialed observations to those recipients, and post-actuation verification confirms completion. The right-to-correct under §1798.106 operates through the same machinery with an update rather than a delete actuation. The opt-out under §1798.120 becomes a consent-credential revocation that downstream admissibility evaluations honor.

5. Compliance Mapping: CCPA/CPRA Provisions to Chain Elements

§1798.100 (general duties; right to know at collection) maps to authority-credentialed observation: the at-collection notice requirement is satisfied by the credential metadata bound to ingress. §1798.105 (right to delete) maps to credentialed-actuation cascade through lineage. §1798.106 (right to correct) maps to update-actuation through the same cascade. §1798.110 (right to know — categories) and §1798.115 (right to know — sale/share recipients) map to lineage extract by credential class.

§1798.120 (right to opt-out of sale or sharing) maps to consent-credential revocation propagated through admissibility evaluation. §1798.121 (right to limit sensitive PI use) maps to sensitivity-classification weighting in admissibility. §1798.125 (right to non-discrimination) maps to admissibility-policy fairness constraints. §1798.130 (verifiable consumer request mechanics) maps to lineage-extract operation under requestor authority. §1798.135 (opt-out signal recognition; Global Privacy Control) maps to authority-credentialed signal ingress.

§1798.140 (definitions, including sensitive personal information) maps to taxonomy of credential classes. §1798.150 (data breach private right of action) maps to lineage-evidenced security state and incident reconstruction. §1798.155 (administrative enforcement) maps to CPPA-as-credentialed-authority access to lineage extracts. CPPA ADMT regulations §7220 (pre-use notice) map to admissibility-evaluation policy publication. §7221 (opt-out) maps to consent-credential revocation. §7222 (access right) maps to lineage extract for the specific decision instance. §7223 (risk assessment) maps to admissibility-policy audit. §7224 (cybersecurity audit) maps to lineage-evidenced security control assessment.

6. Adoption Pathway

Deploying entities are CCPA-covered businesses, with primary salience for businesses approaching ADMT applicability (financial services, employment platforms, insurance, healthcare data processors). Service providers and contractors deploy the substrate to support contractual flow-through obligations. The transition path begins with the most-exercised consumer rights — right to know and right to delete — where lineage-extract operation is a strict improvement over manual coordination, and extends to right to correct and opt-out as the substrate matures.

ADMT compliance is a forcing function for full-chain adoption. The October 1, 2026 ADMT operational date and the §7223 risk-assessment audit cycle make piecemeal compliance increasingly untenable for businesses making significant automated decisions. Forward integration with adjacent state laws (Colorado Privacy Act, Connecticut Data Privacy Act, Virginia CDPA, Texas Data Privacy and Security Act, and the proliferating 2025–2026 state regimes) leverages the same chain substrate, since these regimes share the credentialed-observation, purpose-bound-processing, and audit-lineage architectural shape.

The freedom-to-operate posture established by this disclosure is that any consumer-privacy compliance architecture implementing credentialed observation, evidential weighting, composite admissibility, governed actuation, and lineage-recorded provenance with recursive closure operates within the architecture disclosed under the AQ portfolio.