
California (CCPA/CPRA) Privacy Law Compliance

California has the most mature US state privacy regime — the original CCPA (2020) plus the CPRA amendments (2023) that added sensitive personal information, the right to correct, sharing as a distinct concept from selling, and the California Privacy Protection Agency. As of March 2024 the CPPA is actively enforcing, with Sephora ($1.2M), DoorDash ($375K), and Tilting Point ($500K) already settled. Any business collecting data on California residents — even with no California operations — should treat CCPA/CPRA as the floor.

Statute: California Consumer Privacy Act / California Privacy Rights Act, Cal. Civ. Code §1798.100 et seq.
Effective: CCPA effective Jan 1, 2020; CPRA amendments effective Jan 1, 2023; enforcement Mar 29, 2024
Enforcer: California Privacy Protection Agency (CPPA) + California Attorney General
Consumer rights: 9
Business obligations: 9
Consumer rights (9)

Right to access / know: confirm whether personal data is processed and obtain a copy in a portable format
Right to delete: request deletion of personal data the controller has collected
Right to correct: correct inaccurate personal data
Right to data portability: receive data in a portable, machine-readable format
Right to opt out of sale: opt out of the sale of personal data to third parties
Right to opt out of targeted advertising: opt out of cross-context behavioural advertising
Right to opt out of profiling with legal effect: opt out of automated decisions producing legal or similarly significant effects
Right to limit use of sensitive PI: restrict processing of sensitive personal information to disclosed purposes
Right against discrimination: not be denied service or charged more for exercising privacy rights

Business obligations (9)

Public privacy notice: clear, accessible notice of categories collected, purposes, third parties, rights, and contact channel
Rights response within 45 days: respond to consumer rights requests within 45 days (extendable by 45 more with notice)
Data processing agreements: written contracts with processors restricting their processing to the controller's documented instructions
Data protection assessments: documented risk assessment for targeted advertising, sale, profiling, and sensitive data processing
Conspicuous opt-out mechanism: clear opt-out link/mechanism in the footer and at the point of collection
Honour universal opt-out signals (GPC): recognise the Global Privacy Control browser signal as a valid opt-out (where required)
Reasonable security practices: administrative, technical, and physical safeguards appropriate to the data's sensitivity
Data minimisation + purpose limitation: collect only what is adequate, relevant, and reasonably necessary for the disclosed purposes
Children & teen consent: opt-in consent before selling or sharing data of minors (age threshold varies 13–16)

Required privacy notice elements

  1. Categories of personal information collected (12-month lookback)
  2. Categories of sensitive personal information (separate disclosure)
  3. Business or commercial purpose for each category
  4. Categories of sources
  5. Categories of third parties to whom PI is disclosed, sold, or shared
  6. Consumer rights enumerated with how-to-exercise instructions
  7. 'Do Not Sell or Share My Personal Information' footer link
  8. 'Limit the Use of My Sensitive Personal Information' footer link
  9. Retention period for each category
  10. Date of last update (review every 12 months)
  11. Toll-free number or designated method to submit requests (businesses with online + offline)
  12. Authorised agent process
Don't hand-check this. Drop your existing privacy policy into the free policy audit and we'll grade every required element and surface the missing language.

Penalties

Civil penalty, unintentional violation: up to $2,500 per violation (Cal. Civ. Code §1798.155)
Intentional violation OR violation involving a minor: up to $7,500 per violation (§1798.155)
Private right of action (data breach only): $100–$750 per consumer per incident OR actual damages (§1798.150)

Enforcement actions to date:
Sephora (CA AG, 2022): $1.2M, failed to honour GPC + Do-Not-Sell signal
DoorDash (CA AG, 2024): $375,000, selling PI without proper opt-out

Common compliance pitfalls

'We do not sell PI' while running Meta/Google Ads
Cross-context behavioural advertising IS 'sharing' under CPRA — a separate concept from 'selling'. If your site fires Meta Pixel or Google Ads Conversion tags, you almost certainly share PI and need the opt-out link plus GPC recognition.
Ignoring the Global Privacy Control signal
California explicitly requires controllers to respect GPC as a valid opt-out. This is the violation that earned Sephora a $1.2M settlement. Verify your CMP fires the opt-out on detection.
Using a pre-CPRA policy
A 2018-era CCPA policy is missing the sensitive PI category, the right to correct, sharing as separate from selling, retention disclosures, and the authorised agent process. Auditors will spot a stale policy in seconds.
Treating employee data as out of scope
The Jan 2023 sunset of the B2B + employee exemptions means HR data is fully in scope. You need a separate employee privacy notice + rights workflow.
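The GPC pitfall above comes down to one gating decision before any advertising tag is injected. The following is an added example, not code from this page or from any CMP vendor: it reads the Global Privacy Control signal on the client (navigator.globalPrivacyControl) and on the server (the Sec-GPC request header), both defined by the GPC specification, and blocks the "sharing" tags when the signal or a stored opt-out is present. The tag names and the consent-store shape are hypothetical.

```javascript
// Added example: honour Global Privacy Control as a valid opt-out by gating
// cross-context advertising ("sharing") tags on the signal.
// Assumptions: browsers expose navigator.globalPrivacyControl and send the
// Sec-GPC header (both per the GPC spec); tag names and the consent store
// shape are hypothetical placeholders.

// Client side: the browser sets navigator.globalPrivacyControl to true.
function gpcSignalled(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Server side: the Sec-GPC header value is the single character "1".
// Node lowercases header names; the mixed-case key covers other runtimes.
function gpcFromHeaders(headers) {
  const raw = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return typeof raw === 'string' && raw.trim() === '1';
}

// Tags that constitute "sharing" under CPRA (cross-context behavioural ads).
const SHARING_TAGS = ['meta_pixel', 'google_ads_conversion'];
// First-party, strictly necessary tags that are not sharing and may always load.
const NECESSARY_TAGS = ['first_party_session_analytics'];

// Decide which tags may fire. GPC overrides any stored "allow" because the
// signal is itself an opt-out request; a previously stored opt-out is honoured too.
function planTagLoad({ gpc, storedOptOut = false }) {
  const optedOut = gpc || storedOptOut;
  return {
    optedOut,
    reason: gpc ? 'gpc' : (storedOptOut ? 'stored_opt_out' : 'none'),
    load: optedOut ? [...NECESSARY_TAGS] : [...NECESSARY_TAGS, ...SHARING_TAGS],
    blocked: optedOut ? [...SHARING_TAGS] : [],
  };
}

// Persist the honoured opt-out so the CMP reflects it on later page views,
// even if the browser stops sending the signal.
function recordOptOut(consentStore, plan) {
  if (plan.optedOut) {
    consentStore.sell_share_opt_out = true;
    consentStore.source = plan.reason;
  }
  return consentStore;
}

// Browser entry point: evaluate once at page load, before any tag script is injected.
function evaluateInBrowser(nav, consentStore) {
  const plan = planTagLoad({ gpc: gpcSignalled(nav), storedOptOut: consentStore.sell_share_opt_out === true });
  recordOptOut(consentStore, plan);
  return plan;
}
```

A CMP that only consults its own cookie, and never the signal, is exactly the gap the Sephora settlement turned on; the plan object's reason field gives you an audit trail of why each tag was blocked.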

FAQ

Does CCPA apply to my out-of-state business?
Yes if you collect personal information from California residents AND meet one of the thresholds ($25M revenue, 100K+ CA records, or 50%+ revenue from selling/sharing PI). Physical presence in California is not required.
How is sharing different from selling?
Selling = exchange of PI for monetary or other valuable consideration. Sharing = disclosing PI for cross-context behavioural advertising (whether or not money changes hands). CPRA made sharing a separate opt-out so behavioural ads can't hide behind the 'we don't sell' loophole.
Who is the CPPA?
The California Privacy Protection Agency — the first dedicated state privacy regulator in the US, created by CPRA. It has rulemaking + enforcement authority alongside the California Attorney General.

Related state laws

Colorado (CO): CPA
Connecticut (CT): CTDPA
Virginia (VA): VCDPA

Grade your California privacy policy in 20 seconds

Paste your privacy policy and we'll score it against CCPA/CPRA requirements — categories collected, rights enumeration, opt-out mechanism, sensitive data handling. Free, 3 audits/day, no signup.

Run free audit for California