Most CCPA and CPRA guidance is written for lawyers and privacy officers. But when California tells a business it must honor an opt-out signal, delete a consumer's data across every system, or maintain "reasonable security," someone has to write the code that does it. This guide reframes California's privacy framework as a set of engineering obligations, and shows where the software supply chain quietly becomes part of the compliance story.
What CCPA and CPRA are
The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, giving California consumers rights over the personal information businesses collect about them. The California Privacy Rights Act (CPRA), passed by ballot initiative in 2020, amended and expanded the CCPA, took effect on January 1, 2023, and created a dedicated regulator, the California Privacy Protection Agency (CPPA), which enforces the law alongside the California Attorney General.
Together they grant consumers rights to know, access, delete, and correct their personal information; to opt out of the sale or sharing of that information; and to limit the use of a new category called sensitive personal information (such as precise geolocation, government identifiers, and health or financial data). Each of those rights implies a technical capability someone has to build and maintain.
Who is affected and on what timeline
CCPA and CPRA apply to for-profit businesses that handle California residents' personal information and meet one of several thresholds — broadly, significant annual revenue, large-scale processing of personal information, or deriving substantial revenue from selling or sharing it. The law also reaches your vendors: it draws sharp distinctions between a business, a service provider, a contractor, and a third party, and each role carries different contractual and technical duties. Most SaaS companies handling their customers' data act as service providers, restricted to processing personal information only for the purposes set out in the contract.
The regulatory picture is still moving. In 2025 the CPPA finalized a significant package of regulations covering cybersecurity audits, risk assessments, and automated decisionmaking technology (ADMT). The cybersecurity-audit obligation phases in on a staggered schedule tied to a business's size and processing volume, with the earliest mandatory audits landing later this decade. Because these rules and their deadlines have moved through rulemaking and review, treat the exact dates as evolving and confirm current obligations against CPPA guidance.
Software and supply-chain obligations
Several requirements translate directly into engineering work:
- Honor opt-out preference signals. Businesses must treat the Global Privacy Control (GPC) signal as a valid opt-out of sale and sharing. That means front-end and back-end code that detects the signal and propagates the choice through your data flows — not a cookie banner alone.
- Delete and correct across systems. A deletion or correction request has to reach every store that holds the data, including caches, backups where feasible, and downstream service providers, who must be instructed to delete in turn.
- Maintain reasonable security. CCPA Section 1798.150 creates a private right of action when nonencrypted, nonredacted personal information is exposed because a business failed to maintain reasonable security. Consumers can recover statutory damages of $100 to $750 per consumer per incident, or actual damages if greater. The California Attorney General has previously pointed to the CIS Controls as a baseline for what "reasonable" means.
That last point is where the supply chain enters. If a known-vulnerable dependency in software that processes California personal information leads to a breach, the question in litigation becomes whether your security was reasonable. "We did not know that component was in our stack" is not a strong answer, and it undercuts the risk assessments the CPPA now expects.
Compliance checklist
| Obligation | What developers implement |
|---|---|
| Opt-out signals | Detect and honor GPC; propagate the choice through data flows |
| Deletion and correction | Fan requests out to all stores and service providers |
| Data inventory | Map what personal information you hold and where it lives |
| Sensitive PI limits | Support the right to limit use of sensitive personal information |
| Reasonable security | Know your components; scan and remediate vulnerabilities |
| Vendor contracts | Bind service providers with purpose and security terms |
| Risk assessments | Document processing risks per the CPPA rules |
| Evidence retention | Keep scan history and remediation records |
How Safeguard helps
Safeguard supports the "reasonable security" and risk-assessment sides of CCPA and CPRA compliance. SBOM Studio maintains a live inventory of every component in software that handles California personal information — the visibility a defensible risk assessment requires, and the answer to "do you know what is in your stack?" Software composition analysis scans those components continuously so a vulnerability that could expose personal information becomes a tracked finding with the timeline evidence that helps demonstrate reasonable, maintained security rather than a one-time effort.
Griffin AI prioritizes findings by reachability, concentrating remediation on the vulnerabilities that genuinely put personal information at risk. Our compliance pages relate these capabilities to the security expectations behind CCPA and CPRA, and our pricing page shows how the platform scales from a single repository upward.
California treats security as an ongoing obligation, not a checkbox. Continuous inventory and vulnerability management turn "reasonable security" from a phrase you hope holds up in court into a documented, defensible practice.
Frequently Asked Questions
Does CCPA or CPRA require encryption? Neither law flatly mandates encryption, but encryption strongly affects your exposure. The private right of action under Section 1798.150 is triggered by breaches of nonencrypted, nonredacted personal information, so encrypting personal data materially reduces statutory-damages risk and is a core element of what regulators treat as reasonable security.
What is the difference between a service provider and a third party? A service provider processes personal information on a business's behalf and only for the purposes set out in a written contract, with restrictions on retaining, using, or disclosing it. A third party receives personal information for its own purposes. The distinction drives which contractual terms and which consumer-rights duties apply, so misclassifying a vendor is a compliance risk.
Do we really have to honor the Global Privacy Control signal? Yes. Under the CPRA regulations, businesses must treat GPC as a valid request to opt out of the sale and sharing of personal information. That is an engineering obligation: your code must detect the signal and apply the opt-out through your data flows, not just display a banner.
When do the CPPA cybersecurity-audit requirements take effect? They phase in on a staggered schedule based on a business's size and processing volume, with the earliest mandatory audits arriving later this decade under rules the CPPA finalized in 2025. Because the timeline has shifted during rulemaking, confirm the current deadlines against CPPA guidance before relying on a specific date.
Ready to make "reasonable security" something you can prove? Create a free account or read the Safeguard documentation to connect your first repository.