What's the difference between CCPA and CPRA?

CCPA (California Consumer Privacy Act) was the original 2018 law. CPRA (California Privacy Rights Act, effective 2023) substantially amended CCPA — establishing the California Privacy Protection Agency (CPPA), creating the category of Sensitive Personal Information (SPI), adding the right to correction, and replacing "sale" opt-outs with "sale or share" opt-outs.

What is the Global Privacy Control?

The Global Privacy Control (GPC) is a browser-level signal expressing the user's intent to opt out of the sale or sharing of their personal information. CPRA regulations require businesses to honor GPC as a valid opt-out request when received from a known consumer.

How fast must I respond to a DSAR?

45 days from receipt, with one 45-day extension available if reasonably necessary and the consumer is notified. Identity verification must be completed before substantive response.

California privacy, operationalized

Meet CCPA and CPRA without a separate program

DSAR intake on your trust portal, GPC opt-out signal handling, sensitive personal information inventory, and use-limitation workflows — wired to the rest of your privacy program.

Start free trial Book a demo

What is CCPA / CPRA?

The California Consumer Privacy Act (CCPA) was the first comprehensive US state privacy law, taking effect January 1, 2020. It was substantially amended by the California Privacy Rights Act (CPRA) — passed by ballot initiative in 2020 and effective January 1, 2023 — which established the California Privacy Protection Agency (CPPA), created the new category of Sensitive Personal Information (SPI), added a right to correction, and broadened "sale" opt-outs to "sale or share" opt-outs.

The combined CCPA/CPRA gives California consumers a set of rights resembling but not identical to GDPR: the right to know what personal information is collected, the right to delete it, the right to correct it, the right to opt out of sale or sharing, the right to limit the use of SPI, and the right to non-discrimination for exercising rights.

Who is subject

For-profit businesses doing business in California that meet at least one threshold: $25M+ annual gross revenue, processing personal information of 100,000+ consumers or households, or deriving 50%+ of annual revenue from selling or sharing personal information. The law also creates obligations for service providers and contractors processing personal information on behalf of businesses.

How episki helps

Most organizations subject to CCPA/CPRA are also subject to GDPR (and increasingly to a growing set of other US state laws: VCDPA, CPA, CTDPA, UCPA, TIPA, and so on). episki treats privacy as a single program with a single set of artifacts that satisfy multiple laws — DSAR intake, opt-out workflows, inventories, retention — rather than parallel California and EU programs.

CCPA / CPRA outcomes with episki

Quantify the impact security and compliance brings to your business.

45-day

Standard DSAR fulfillment SLA tracked per request with extension workflow.

GPC

Global Privacy Control signal handling for opt-out of sale/sharing.

SPI

Sensitive Personal Information inventory and use-limitation tracking.

Why teams choose episki for CCPA / CPRA

Framework-specific automation, collaboration, and reporting in one workspace.

DSAR intake and fulfillment

Consumers submit requests through your trust portal; you fulfill them on the platform.

Right to know, delete, correct, opt-out, limit
Identity verification flows
45-day SLA timers with extension workflow

Sale / share / SPI controls

CCPA opt-out of sale; CPRA opt-out of sharing for cross-context behavioral advertising; SPI use-limitation.

GPC signal honored
Do Not Sell or Share My Personal Information
Sensitive PI use-limitation log

Mapped to GDPR and ISO 27701

Most CCPA/CPRA obligations have GDPR analogues. Reuse the work.

DSAR types crosswalked to GDPR rights
SPI categories mapped to GDPR special-category data
ISO 27701 control mapping

CCPA / CPRA readiness inside episki

From notice at collection to fulfilling the right to delete.

Plug episki into your stack and work directly from this checklist during the free trial.

✓ Personal Information inventory (categories collected, sources, purposes)
✓ Notice at collection language and triggers
✓ DSAR intake portal with verification
✓ Opt-out of sale/share workflows (including GPC)
✓ Sensitive PI use-limitation requests
✓ 12-month look-back for "right to know" requests

CCPA / CPRA accelerators

California privacy accelerators

Stand up California compliance alongside your GDPR program.

PI inventory template

Categories of PI, sources, purposes, and disclosures captured per processing activity.

DSAR fulfillment runbook

Step-by-step playbook for each consumer right.

GPC + opt-out implementation guide

Technical implementation guide for honoring GPC and surfacing the opt-out link.

CCPA / CPRA frequently asked questions

Other compliance frameworks

CMMC FedRAMP GDPR HIPAA HITRUST CSF ISO 27001 ISO 27701 ISO 42001 NIST 800-171 NIST 800-53 NIST CSF PCI DSS SOC 1 Type I/II SOC 2 Type I/II SOX

Operationalize CCPA / CPRA in episki

Add California to your privacy program without spinning up a parallel system.

Start free trial Book a walkthrough