How does the free plan work?

Sign up and start using PrivaBase immediately. No credit card required. The Starter plan includes 1 compliance framework, 5 checks per month, policy generator, website scanner, and access to the compliance feed.

What compliance frameworks do you support?

We support 132 frameworks including GDPR, CCPA/CPRA, HIPAA, SOC 2 Type II, SOC 1, ISO 27001, PCI DSS, NIST, DORA, NIS2, 18 US state privacy laws, and international frameworks. You can also build custom frameworks.

How many integrations do you support?

Over 214 integrations across 12 categories including cloud infrastructure (AWS, GCP, Azure), identity (Okta, Google Workspace), DevOps (GitHub, GitLab), MDM (Jamf, Intune, Kandji), HR (Gusto, Rippling, BambooHR), and more.

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Evidence is stored in Supabase Storage with framework-level access controls. We never share your data with third parties.

Do you offer annual billing?

Yes, save 20% with annual billing on all paid plans.

CCPA/CPRA Compliance Guide 2026 — California Privacy Law

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most comprehensive state privacy law in the United States. This guide covers everything you need to know about compliance.

What is CCPA/CPRA?

The CCPA was enacted in 2018 and took effect in January 2020. The CPRA, passed in November 2020, amended and expanded the CCPA significantly, with full enforcement beginning July 2023. Together, they give California consumers powerful rights over their personal information.

The law applies to for-profit businesses that collect California residents' personal information and meet any of these thresholds: annual gross revenue over $25 million, buy/sell/share personal information of 100,000+ consumers or households, or derive 50%+ of revenue from selling/sharing personal information.

Consumer Rights Under CCPA/CPRA

Right to Know: Consumers can request what personal information a business collects, uses, shares, and sells.
Right to Delete: Consumers can request deletion of their personal information.
Right to Opt-Out: Consumers can opt out of the sale or sharing of their personal information.
Right to Non-Discrimination: Businesses cannot discriminate against consumers who exercise their privacy rights.
Right to Correct (CPRA): Consumers can request correction of inaccurate personal information.
Right to Limit Use of Sensitive PI (CPRA): Consumers can limit how businesses use their sensitive personal information.

Business Obligations

Businesses must:

• Provide a "Do Not Sell or Share My Personal Information" link on their website
• Provide a "Limit the Use of My Sensitive Personal Information" link (CPRA)
• Update privacy policies annually with required disclosures
• Respond to consumer requests within 45 days
• Implement reasonable security measures
• Conduct data protection assessments for high-risk processing (CPRA)
• Limit data collection to what is necessary (CPRA data minimization)
• Enter into contracts with service providers and contractors

Automate Your Compliance with PrivaBase

Start free. No credit card required.

Start Free

What Counts as Personal Information?

CCPA defines personal information broadly. It includes identifiers (name, email, SSN), commercial information (purchase history), internet activity (browsing history), geolocation data, biometric information, professional information, education records, and inferences drawn from any of this data.

CPRA added the concept of "sensitive personal information" which includes SSN, driver's license, financial account info, precise geolocation, racial/ethnic origin, religious beliefs, union membership, mail/email/text content, genetic data, biometric data, health information, and sex life/sexual orientation.

CCPA/CPRA Penalties

Enforcement fines: Up to $2,500 per unintentional violation, $7,500 per intentional violation
Private right of action: Consumers can sue for data breaches ($100–$750 per consumer per incident)
CPPA enforcement: The California Privacy Protection Agency actively investigates and enforces violations

While both laws protect personal data, they differ significantly:

• Scope: GDPR applies to all data processors; CCPA applies to for-profit businesses meeting revenue/data thresholds
• Consent Model: GDPR is opt-in (requires consent before collection); CCPA is opt-out (allows collection with right to opt-out of sale)
• Definition: GDPR uses "personal data"; CCPA uses "personal information" which is broader (includes household data)
• Enforcement: GDPR enforced by DPAs; CCPA enforced by CA Attorney General and CPPA

For a complete GDPR guide, see our GDPR Compliance Guide.

CCPA/CPRA Compliance Checklist

☐ Determine if your business meets CCPA thresholds
☐ Map all personal information collection and sharing
☐ Update privacy policy with required CCPA disclosures
☐ Add "Do Not Sell or Share" link to website
☐ Add "Limit Use of Sensitive PI" link (CPRA)
☐ Implement DSR response procedures
☐ Review and update service provider contracts
☐ Honor Global Privacy Control (GPC) signals
☐ Conduct data protection assessments (CPRA)
☐ Train employees on CCPA requirements
☐ Implement data retention schedules

Automate Your Compliance with PrivaBase

Start free. No credit card required.

Start Free

What is CCPA/CPRA?

Consumer Rights Under CCPA/CPRA

Right to Know: Consumers can request what personal information a business collects, uses, shares, and sells.
Right to Delete: Consumers can request deletion of their personal information.
Right to Opt-Out: Consumers can opt out of the sale or sharing of their personal information.
Right to Non-Discrimination: Businesses cannot discriminate against consumers who exercise their privacy rights.
Right to Correct (CPRA): Consumers can request correction of inaccurate personal information.
Right to Limit Use of Sensitive PI (CPRA): Consumers can limit how businesses use their sensitive personal information.

Business Obligations

Businesses must:

• Provide a "Do Not Sell or Share My Personal Information" link on their website
• Provide a "Limit the Use of My Sensitive Personal Information" link (CPRA)
• Update privacy policies annually with required disclosures
• Respond to consumer requests within 45 days
• Implement reasonable security measures
• Conduct data protection assessments for high-risk processing (CPRA)
• Limit data collection to what is necessary (CPRA data minimization)
• Enter into contracts with service providers and contractors

Automate Your Compliance with PrivaBase

Start free. No credit card required.

Start Free

What Counts as Personal Information?

CCPA/CPRA Penalties

Enforcement fines: Up to $2,500 per unintentional violation, $7,500 per intentional violation
Private right of action: Consumers can sue for data breaches ($100–$750 per consumer per incident)
CPPA enforcement: The California Privacy Protection Agency actively investigates and enforces violations

While both laws protect personal data, they differ significantly:

• Scope: GDPR applies to all data processors; CCPA applies to for-profit businesses meeting revenue/data thresholds
• Consent Model: GDPR is opt-in (requires consent before collection); CCPA is opt-out (allows collection with right to opt-out of sale)
• Definition: GDPR uses "personal data"; CCPA uses "personal information" which is broader (includes household data)
• Enforcement: GDPR enforced by DPAs; CCPA enforced by CA Attorney General and CPPA

For a complete GDPR guide, see our GDPR Compliance Guide.

CCPA/CPRA Compliance Checklist

☐ Determine if your business meets CCPA thresholds
☐ Map all personal information collection and sharing
☐ Update privacy policy with required CCPA disclosures
☐ Add "Do Not Sell or Share" link to website
☐ Add "Limit Use of Sensitive PI" link (CPRA)
☐ Implement DSR response procedures
☐ Review and update service provider contracts
☐ Honor Global Privacy Control (GPC) signals
☐ Conduct data protection assessments (CPRA)
☐ Train employees on CCPA requirements
☐ Implement data retention schedules

Automate Your Compliance with PrivaBase

Start free. No credit card required.

Start Free

Complete CCPA/CPRA Compliance Guide (2026)

What is CCPA/CPRA?

Consumer Rights Under CCPA/CPRA

Business Obligations

Automate Your Compliance with PrivaBase

What Counts as Personal Information?

CCPA/CPRA Penalties

CCPA/CPRA Compliance Checklist

Automate Your Compliance with PrivaBase

Related Guides

Complete GDPR Compliance Guide (2026)

Complete HIPAA Compliance Guide (2026)

Guide to Automating Data Subject Requests (DSRs)

Developer's Guide to Privacy Compliance

Complete CCPA/CPRA Compliance Guide (2026)

What is CCPA/CPRA?

Consumer Rights Under CCPA/CPRA

Business Obligations

Automate Your Compliance with PrivaBase

What Counts as Personal Information?

CCPA/CPRA Penalties

CCPA/CPRA Compliance Checklist

Automate Your Compliance with PrivaBase

Related Guides

Complete GDPR Compliance Guide (2026)

Complete HIPAA Compliance Guide (2026)

Guide to Automating Data Subject Requests (DSRs)

Developer's Guide to Privacy Compliance

Complete CCPA/CPRA Compliance Guide (2026)

What is CCPA/CPRA?

Consumer Rights Under CCPA/CPRA

Business Obligations

Automate Your Compliance with PrivaBase

What Counts as Personal Information?

CCPA/CPRA Penalties

CCPA vs GDPR

CCPA/CPRA Compliance Checklist

Automate Your Compliance with PrivaBase

Related Guides

Complete GDPR Compliance Guide (2026)

Complete HIPAA Compliance Guide (2026)

Guide to Automating Data Subject Requests (DSRs)

Developer's Guide to Privacy Compliance

Complete CCPA/CPRA Compliance Guide (2026)

What is CCPA/CPRA?

Consumer Rights Under CCPA/CPRA

Business Obligations

Automate Your Compliance with PrivaBase

What Counts as Personal Information?

CCPA/CPRA Penalties

CCPA vs GDPR

CCPA/CPRA Compliance Checklist

Automate Your Compliance with PrivaBase

Related Guides

Complete GDPR Compliance Guide (2026)

Complete HIPAA Compliance Guide (2026)

Guide to Automating Data Subject Requests (DSRs)

Developer's Guide to Privacy Compliance