California CCPA/CPRA + CPPA Regulations (2025 package)
The California Consumer Privacy Act (AB 375, 2018), as amended by the CPRA (Prop 24, 2020, eff. 1 Jan 2023), is the first comprehensive US state privacy regime. It grants broad consumer rights (know, access, correct, delete, portability, opt-out of sale/sharing, limit use of SPI, non-discrimination), establishes a dedicated regulator (the California Privacy Protection Agency, CPPA), sets administrative fines under § 1798.155 of up to $2,500 per violation and $7,500 per intentional violation, and creates a private right of action for data breaches under § 1798.150 with statutory damages of $100-$750 per consumer per incident.

Post-publication developments (web-verified 20 May 2026):
- CPPA Regulations package (Cybersecurity Audits, Risk Assessments, ADMT, Insurance): approved by the Office of Administrative Law on 23 Sep 2025; effective 1 Jan 2026. Risk-assessment compliance from 1 Jan 2026, with the first CPPA attestation due 1 Apr 2028. ADMT compliance from 1 Jan 2027 (scope narrowed in July 2025 to technologies that "substantially replace human decision-making"). Cybersecurity audit certifications are phased by revenue: 1 Apr 2028 for ≥$100M, 1 Apr 2029 for $50-100M, 1 Apr 2030 for <$50M.
- Enforcement intensifying: Sephora $1.2M (CA AG, Aug 2022); DoorDash $375K (Feb 2024); Tilting Point $500K (Jun 2024); Honda $632.5K (CPPA, Mar 2025); Todd Snyder $345K (CPPA, May 2025); Healthline $1.55M (Jul 2025); Tractor Supply $1.35M (CPPA, Sep 2025); Sling TV $530K (Oct 2025); Jam City $1.4M (Nov 2025); Disney $2.75M (Feb 2026); GM $12.75M (May 2026; largest CCPA settlement to date, concerning the sale of OnStar Smart Driver geolocation data).
- Delete Act (SB 362, 2023): broker registration window 1-31 Jan each year; 2026 registration fee $6,600; DROP (Delete Request and Opt-out Platform) live for consumers from 1 Jan 2026; broker processing of DROP requests from 1 Aug 2026 on a 45-day cycle; triennial independent audit from 1 Jan 2028. SB 361 (2025) expanded broker disclosures (foreign actors, generative AI) effective 1 Aug 2026.
- SB 1223 (Sep 2024) added neural data to the SPI definition.
B11 expansion: 21 audit-defensible controls covering Civ. Code §§ 1798.100, .105, .106, .110, .115, .120, .121, .125, .130, .135, .140, .145, .150, .155, plus CPPA Regulations §§ 7027 (SPI: the enumerated permitted purposes), 7050 (service-provider contracts), 7150 (risk assessment), 7200/7220 (ADMT), 7300 (cybersecurity audit), plus Delete Act § 1798.99.82.
Composition
44 controls currently indexed; participates in 20 cross-framework synthesis clusters.
Participates in synthesis
Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.
- Automated Decision-Making Technology — pre-use notice, opt-out, access rights
- Children's privacy across US states — heightened protections
- Cloud data privacy lifecycle — CSA CCM v4 DSP control family
- Cloud supply chain transparency — STA control family
- Consent management — capture, modify, withdraw across jurisdictions
- Consumer / Data Subject / Data Principal rights response SLA
- Cross-jurisdiction breach notification timelines
- Cross-jurisdiction consumer / Data Principal rights — operational fabric
- Data Protection Impact Assessment / risk assessment for high-risk processing
- Data broker registration and obligations (US states)
- GDPR Article 35 DPIA + cross-jurisdiction high-risk assessment
- GDPR accountability principle — Art 5(2) demonstrate compliance
- GDPR data subject rights — Articles 12-22 operational implementation
- Mandatory assurance regime — periodic audit, VAPT, third-party assessment, risk review
- PII principal rights — comprehensive ISO 27701-anchored programme
- Processor (PII Processor) obligations — ISO 27701 controller relationship
- Processor / service provider contract requirements across jurisdictions
- Sensitive personal information — heightened protection across jurisdictions
- Universal Opt-Out Mechanism (UOOM) / Global Privacy Control honour across US states
- Workforce security awareness, role-based training, and human-factor controls