CCPA
The California Consumer Privacy Act is the United States' most comprehensive state privacy law — the functional equivalent of GDPR for businesses serving California residents.
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California residents rights over their personal information: the right to know what data is collected, the right to delete, the right to opt-out of sale or sharing, the right to correct inaccurate data, and the right to limit use of sensitive personal information. The California Privacy Protection Agency (CPPA) enforces the law with fines up to $7,500 per intentional violation.
CCPA applies to for-profit businesses that meet any one of three thresholds: annual gross revenue exceeding $25M, annual buying/selling/receiving/sharing of personal information of 100,000 or more consumers or households, or deriving 50% or more of annual revenue from selling personal information. Unlike GDPR, there is no small business exemption tied purely to headcount — a profitable startup exceeding the revenue threshold must comply.
The engineering requirements of CCPA are substantial. Data subject rights must be implemented as functional system capabilities: deletion requests must trigger actual data removal across all systems (including backups and analytics platforms), opt-out of sale must be enforced at the data pipeline level, and data inventories must be maintained accurately enough to respond to "right to know" requests within 45 days. These are system design problems, not documentation problems.
We implement CCPA compliance at the data architecture level — building data inventories as live system artifacts, implementing deletion propagation across all data stores, enforcing opt-out signals at the pipeline level, and designing consent management systems that produce auditable records. Our teams understand the intersection of CCPA with downstream analytics, ML training pipelines, and third-party data sharing.
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.