California's privacy law didn't stop evolving after 2020. When the California Privacy Rights Act (CPRA) amended the CCPA and created a dedicated enforcement agency, it also raised the stakes: fines climbed with inflation adjustments, a new right to correct inaccurate data appeared, and the definition of "sharing" expanded to cover cross-context behavioral advertising. For any business handling California residents' personal information, the practical question is no longer "does CCPA apply to us" but "can we prove, on demand, that we meet every current requirement." The California Privacy Protection Agency (CPPA) has now settled or fined companies including Sephora ($1.2 million), DoorDash ($375,000), and Honda ($632,500) — each case turning on documentation gaps, not just missing controls. This overview breaks down what CCPA/CPRA actually requires in 2026, who it applies to, what enforcement looks like, and where vendor and software supply chain risk fits into the compliance picture.
Who Actually Has to Comply With CCPA/CPRA?
Any for-profit business that does business in California and crosses one of three thresholds must comply: $26,625,000 or more in annual gross revenue (the CPPA adjusts this figure for inflation; it was $25 million at CCPA's 2020 launch), buying/selling/sharing the personal information of 100,000 or more California consumers or households annually, or deriving 50% or more of annual revenue from selling or sharing personal information. Unlike GDPR, there's no requirement to be physically located in California — a SaaS company in Texas with 150,000 California users hits the threshold just the same. CPRA also extended obligations to service providers, contractors, and "third parties," meaning your vendors and subprocessors inherit compliance duties through contract terms, not just your own privacy policy. This is why data flow mapping — knowing exactly which vendors touch California residents' data — has become a prerequisite for compliance rather than a nice-to-have.
What Are the Core CCPA/CPRA Compliance Requirements?
At minimum, covered businesses must operationalize seven consumer rights and back each one with a working process, not just policy language. These are the right to know what personal information is collected, the right to delete it, the right to correct inaccuracies (added by CPRA), the right to opt out of sale or sharing, the right to limit use of sensitive personal information, the right to non-discrimination for exercising rights, and the right to data portability. Businesses must respond to verifiable consumer requests within 45 days, with one 45-day extension permitted when reasonably necessary. A compliant privacy policy must be updated at least every 12 months and must specifically disclose categories of personal information collected, sources, business purposes, and any sale or sharing in the preceding 12 months. Since CPRA, businesses that qualify for the "sharing" threshold must also honor Global Privacy Control (GPC) browser signals as valid opt-out requests — treating an unhonored GPC signal the same as ignoring a submitted consumer request.
How Did CPRA Change What CCPA Originally Required?
CPRA, effective January 1, 2023 with enforcement beginning July 1, 2023, didn't replace CCPA — it amended and expanded it, and the difference matters for anyone whose compliance program still reflects 2020-era requirements. CPRA introduced a new category of "sensitive personal information" (Social Security numbers, precise geolocation, biometric data, health data, and more) that consumers can now specifically limit the use of. It removed the 30-day cure period that let businesses fix violations before facing fines, meaning the CPPA can now pursue enforcement without giving advance warning. It created the CPPA itself as a dedicated rulemaking and enforcement body, replacing sole reliance on the California Attorney General. And it added mandatory risk assessments and cybersecurity audits for businesses whose processing presents "significant risk" to consumer privacy — draft regulations put the audit requirement on a phased timeline starting with the largest data processors first, with compliance dates extending into 2027 and 2028 depending on company size.
What Happens If a Business Doesn't Comply With CCPA/CPRA?
Non-compliance carries two distinct financial exposures: regulatory fines and private lawsuits. The CPPA and California Attorney General can levy civil penalties of $2,663 per violation, rising to $7,988 for violations involving minors under 16 — and each affected consumer record typically counts as a separate violation, so a mishandled dataset of 10,000 records can theoretically expose a business to tens of millions of dollars in penalty exposure. Separately, CCPA grants consumers a private right of action specifically for data breaches caused by a failure to implement "reasonable security procedures," entitling them to statutory damages of $100 to $750 per consumer per incident without needing to prove actual harm. Recent CPPA enforcement sweeps have focused heavily on two areas: honoring opt-out preference signals like GPC, and verifying that data broker and ad-tech contracts actually contain the required CCPA terms — Sephora's 2022 settlement centered specifically on selling data via tracking pixels while telling consumers it didn't "sell" personal information.
Why Does Software Supply Chain Security Matter for CCPA Compliance?
It matters because most CCPA "reasonable security" and data-mapping failures originate in third-party code and vendor systems, not first-party application logic. A typical SaaS product now pulls in hundreds of open-source dependencies and integrates dozens of third-party APIs and analytics SDKs — any of which can quietly collect, transmit, or expose California residents' personal information without appearing in a privacy policy's vendor disclosures. The CPPA's proposed cybersecurity audit rules explicitly call out vendor and service provider risk management as an audit component, and CCPA's "reasonable security procedures" standard has been interpreted by regulators to include software composition and dependency risk. A compromised npm package that exfiltrates form data, an SDK that shares device identifiers with an undisclosed ad network, or a CI/CD pipeline breach that exposes a customer database are all CCPA incidents with statutory-damages exposure — and they all originate upstream in the software supply chain rather than in a privacy team's policy documents.
How Safeguard Helps
Compliance platforms like Vanta are built to manage policy workflows, evidence collection, and control checklists across frameworks — useful for tracking that a privacy policy exists and was reviewed. Safeguard is built to answer the harder question underneath CCPA's "reasonable security" standard: what is actually running in your software, where did it come from, and can you prove it wasn't tampered with. Safeguard generates verifiable software bills of materials (SBOMs) across your applications and CI/CD pipelines, continuously monitoring open-source dependencies, container images, and build artifacts for the kind of undisclosed data-collection behavior and known vulnerabilities that turn a routine dependency update into a CCPA reportable incident. That visibility maps directly onto CPRA's forthcoming cybersecurity audit requirements and vendor risk assessments — instead of manually surveying engineering teams about what SDKs and packages touch personal data, Safeguard gives compliance and security teams a continuously updated, audit-ready record of your actual software supply chain. For teams already running Vanta or a similar GRC tool for policy and evidence management, Safeguard slots in as the technical source of truth underneath it: attest to "reasonable security procedures" with real provenance and vulnerability data instead of a static questionnaire response, and catch the supply chain compromises that no privacy policy review would ever surface. Together, that combination — governance workflow plus verified software provenance — is what closes the gap between saying you comply with CCPA and being able to prove it during an actual CPPA audit.