This course is in active development. Preview the scope below.
CT CCPA CPRA Privacy
The course teaches employees the fundamentals of CCPA/CPRA, covering personal information definitions, consumer rights, opt‑out procedures, and privacy notice requirements, enabling compliant handling of data requests.
Who Should Take This
Front‑line staff, customer‑service representatives, sales and marketing personnel, and junior privacy analysts at companies subject to CCPA/CPRA benefit from this training. They have limited prior privacy‑law experience and need practical guidance to recognize personal data, honor consumer rights, and route requests to the appropriate internal teams.
Course Outline
60 learning goals
1. CCPA/CPRA Overview and Scope (2 topics)
Legislative background and applicability
- State the purpose of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) and describe how CPRA amended and expanded CCPA protections effective January 1, 2023.
- Identify the three business threshold tests for CCPA/CPRA applicability: annual gross revenue exceeding $25 million, buying/selling/sharing PI of 100,000+ consumers or households, and deriving 50%+ of annual revenue from selling/sharing PI.
- Explain the territorial scope of CCPA/CPRA: it applies to for-profit businesses that collect California residents' PI and meet threshold requirements, regardless of where the business is physically located.
Key definitions
- Define personal information (PI) under CCPA/CPRA and identify its broad scope including identifiers, commercial information, biometric data, internet activity, geolocation, audio/visual data, employment data, education data, and inferences.
- Define sensitive personal information (SPI) under CPRA and list examples including Social Security numbers, financial accounts, precise geolocation, racial/ethnic origin, religious beliefs, genetic data, biometrics, health data, and sex life/sexual orientation.
- Explain the distinction between personal information and sensitive personal information and describe the additional consumer rights that apply specifically to SPI under CPRA.
- Define the terms consumer, business, service provider, contractor, and third party as used in CCPA/CPRA and describe the obligations associated with each role.
2. Consumer Rights (3 topics)
Right to know and right to access
- Describe the consumer's right to know what categories and specific pieces of PI a business has collected, the sources of collection, the business purpose, and the categories of third parties with whom PI is shared.
- Explain the verifiable consumer request process: identity verification requirements, response timeframes (45 days with 45-day extension), free requests (at least twice per 12 months), and format of responses.
Right to delete and right to correct
- Describe the consumer's right to request deletion of PI collected by the business and identify the exceptions permitting retention (legal obligation, security, free speech, internal use, etc.).
- Explain the right to correct inaccurate PI introduced by CPRA, including the business obligation to use commercially reasonable efforts to correct information upon verified request.
- Describe the flow-down obligation: when a business deletes PI, it must notify service providers and contractors to delete the consumer's PI from their records as well.
Right to opt-out and right to limit
- Explain the consumer's right to opt out of the sale or sharing of their PI and describe the distinction between sale (monetary or other valuable consideration) and sharing (cross-context behavioral advertising).
- Describe the right to limit use and disclosure of sensitive personal information to purposes necessary for the business to provide the requested goods or services.
- Explain the non-discrimination provision: businesses may not deny goods or services, charge different prices, or provide a different quality of service because a consumer exercised their CCPA/CPRA rights.
- Analyze a consumer request scenario to identify which CCPA/CPRA right is being exercised, determine the business's obligations, and assess whether the response complies with legal requirements.
3. Sale, Sharing, and Opt-Out Requirements (2 topics)
Sale and sharing definitions
- Define sale of PI under CCPA/CPRA as selling, renting, releasing, disclosing, disseminating, making available, or transferring PI for monetary or other valuable consideration, and identify common examples.
- Define sharing of PI under CPRA as making PI available to third parties for cross-context behavioral advertising, regardless of whether monetary consideration is exchanged.
- Explain which disclosures do not constitute a sale or sharing, including disclosures to service providers under contract, disclosures at the consumer's direction, and disclosures within the same business entity.
- Analyze a data-sharing arrangement to determine whether it constitutes a sale, sharing, or permissible disclosure under CCPA/CPRA.
Do Not Sell or Share implementation
- Describe the requirement to provide a clear and conspicuous 'Do Not Sell or Share My Personal Information' link on the business's website or mobile app homepage.
- Explain the requirement to honor Global Privacy Control (GPC) and other opt-out preference signals as valid consumer opt-out requests.
- Describe the special protections for minors: businesses must obtain opt-in consent before selling or sharing PI of consumers under 16, with parental consent required for consumers under 13.
4. Service Providers, Contractors, and Third Parties (2 topics)
Service provider vs. contractor requirements
- Define service provider and contractor under CCPA/CPRA and explain the key difference: contractors have additional certification and audit obligations beyond those required of service providers.
- Describe the required contractual provisions for service providers and contractors including purpose limitations, confidentiality obligations, compliance assistance, and the prohibition on selling or sharing received PI.
- Explain employee responsibilities when sharing PI with service providers or contractors, including verifying contractual protections are in place and limiting data shared to what is necessary for the business purpose.
- Analyze a vendor relationship to classify the vendor as a service provider, contractor, or third party and identify the required contractual provisions and data handling obligations.
Third-party data transfers
- Describe the obligations when a business discloses PI to a third party, including the requirement that the third party must agree to comply with CCPA/CPRA and provide the same level of privacy protection.
- Explain the right to know about downstream recipients: consumers may request the specific categories of third parties to whom their PI has been disclosed or sold.
5. Privacy Notices and Transparency (1 topic)
Privacy notice requirements
- Describe the requirement for an at-or-before-collection notice informing consumers of the categories of PI collected, the purposes for collection, and whether PI is sold or shared.
- List the required contents of a CCPA/CPRA privacy policy including categories of PI collected, purposes, consumer rights, opt-out instructions, retention periods, and date of last update.
- Explain the purpose and requirements of just-in-time notices for secondary uses of PI that are not reasonably expected by the consumer at the time of collection.
- Describe the CPRA requirement to disclose retention periods or criteria for each category of PI collected and explain the data minimization principle: PI should not be retained longer than reasonably necessary.
6. Data Minimization and Purpose Limitation (1 topic)
CPRA data minimization principles
- Explain the CPRA data minimization requirement: businesses may only collect PI that is reasonably necessary and proportionate to achieve the purpose for which it was collected.
- Describe the purpose limitation requirement: PI may not be used for purposes that are incompatible with the disclosed purpose without providing additional notice and, if required, obtaining consent.
- Explain how the retention limitation requirement works in practice: businesses must establish retention schedules aligned with the stated purpose and delete PI when it is no longer necessary.
- Analyze a data collection practice to evaluate whether it satisfies CPRA data minimization, purpose limitation, and retention limitation requirements.
7. Enforcement and Penalties (2 topics)
CPPA enforcement and penalties
- Describe the California Privacy Protection Agency (CPPA) as the dedicated enforcement body created by CPRA, including its authority to investigate violations, conduct audits, and issue administrative fines.
- Identify the penalty structure under CCPA/CPRA: up to $2,500 per unintentional violation and $7,500 per intentional violation or violation involving minors' PI.
- Explain the private right of action for data breaches under CCPA Section 1798.150, including statutory damages of $100-$750 per consumer per incident and the 30-day cure period.
Breach notification and data security
- Describe the relationship between CCPA/CPRA and California's data breach notification law (Civil Code 1798.82), including the obligation to maintain reasonable security procedures.
- Explain employee responsibilities for data security including recognizing and reporting potential breaches, following security procedures, and understanding that failures can trigger private right of action liability.
8. Employee and B2B Data (1 topic)
Employee and B2B PI coverage
- Explain that the CCPA exemptions for employee PI and B2B contact information expired on January 1, 2023 under CPRA, meaning all consumer rights now apply to employee and B2B data.
- Describe the implications of full CPRA coverage for HR operations, including the need for employee privacy notices, handling access and deletion requests from employees, and managing employee PI retention.
- Describe the implications for B2B data practices, including providing privacy notices to business contacts, honoring opt-out requests from B2B contacts, and managing B2B contact information in CRM systems.
- Analyze an HR or sales scenario to identify CPRA compliance obligations for employee or B2B PI, determine applicable consumer rights, and recommend necessary operational changes.
9. GDPR Interaction and Cross-Jurisdictional Compliance (2 topics)
CCPA/CPRA and GDPR comparison
- Identify the key similarities between CCPA/CPRA and GDPR including consumer/data subject rights, transparency requirements, data minimization principles, and breach notification obligations.
- Describe the key differences between CCPA/CPRA and GDPR including the consent model (opt-out vs. opt-in), scope of applicability, legal bases for processing, and enforcement mechanisms.
- Explain the challenges of dual compliance for companies operating in both California and the EU/EEA, including harmonizing privacy notices, consent mechanisms, and data subject request workflows.
- Analyze a cross-jurisdictional data processing scenario to identify the applicable privacy regulations, determine which requirements apply, and assess the organization's compliance posture.
Integrated privacy compliance
- Describe the expanding U.S. state privacy landscape and explain why businesses should build scalable privacy programs rather than jurisdiction-by-jurisdiction compliance approaches.
- Synthesize CCPA/CPRA consumer rights, privacy notice requirements, data minimization principles, and enforcement risks to evaluate an organization's privacy program and propose improvements.
- Synthesize knowledge of PI definitions, consumer request handling, vendor management, and employee/B2B data obligations to develop a comprehensive response plan for common CCPA/CPRA compliance scenarios.
10. Consumer Request Handling and Employee Obligations (2 topics)
Designated request methods
- Identify the designated methods businesses must provide for consumers to submit requests, including a toll-free number, a website form, and for businesses with online-only presence, an email address.
- Describe the identity verification process for consumer requests, including the requirement to verify identity to a reasonable degree of certainty and to a reasonably high degree of certainty for access to specific pieces of PI.
- Explain how authorized agents may submit requests on behalf of consumers, including the requirement for written permission or power of attorney and additional verification requirements.
Employee role in privacy compliance
- Describe employee responsibilities for recognizing and routing consumer privacy requests received through any channel, including in-person, email, phone, and social media.
- Explain the importance of maintaining accurate data inventories and data maps to enable timely and complete responses to consumer access and deletion requests.
- Describe the employee training requirements under CCPA/CPRA, including the obligation to train personnel who handle consumer inquiries about privacy practices and consumer rights.
- Analyze a customer interaction scenario to determine whether the communication constitutes a verifiable consumer request, identify the applicable right being exercised, and describe the proper response workflow.
Scope
Included Topics
- California Consumer Privacy Act (CCPA) of 2018 and California Privacy Rights Act (CPRA) of 2020: legislative purpose, scope of applicability, and business threshold requirements (annual revenue, consumer records, revenue from selling/sharing PI).
- Consumer rights under CCPA/CPRA: right to know (categories and specific pieces of PI collected), right to delete, right to opt-out of sale/sharing, right to correct inaccurate PI, and right to limit use and disclosure of sensitive personal information.
- Definition of personal information (PI) under CCPA/CPRA: broad scope covering identifiers, commercial information, biometric data, internet activity, geolocation, audio/visual data, employment information, education information, and inferences drawn from PI.
- Sensitive personal information (SPI) under CPRA: Social Security numbers, driver's licenses, financial account information, precise geolocation, racial/ethnic origin, religious beliefs, union membership, mail/email/text content, genetic and biometric data, health data, and sex life/sexual orientation.
- Sale and sharing definitions: what constitutes a 'sale' of PI, what constitutes 'sharing' for cross-context behavioral advertising, and the distinction between the two concepts under CPRA.
- Do Not Sell or Share My Personal Information: requirements for the opt-out link, Global Privacy Control (GPC) signal compliance, opt-out preference signals, and implementing consumer opt-out requests.
- Service provider vs. contractor distinctions: contractual requirements, data use limitations, downstream obligations, and the flow-down of CCPA/CPRA requirements through the data supply chain.
- Privacy notice requirements: at-or-before-collection notice, online privacy policy content requirements, just-in-time notices for unexpected data uses, and notice updates.
- Data minimization and purpose limitation under CPRA: collecting only PI reasonably necessary for the disclosed purpose, use limitations, and retention period requirements.
- California Privacy Protection Agency (CPPA): enforcement authority, rulemaking power, administrative enforcement actions, and the private right of action for data breaches.
- Employee and business-to-business (B2B) data: the expiration of CCPA exemptions for employee PI and B2B contact information under CPRA, and implications for HR and sales operations.
- Interaction with GDPR: key similarities and differences for companies operating in both California and the EU/EEA, including consent models, data subject rights, and cross-border data transfers.
Not Covered
- Detailed GDPR compliance requirements beyond the comparative analysis with CCPA/CPRA.
- Privacy engineering and technical implementation of consent management platforms, data mapping tools, and privacy-enhancing technologies at developer level.
- Other U.S. state comprehensive privacy laws (Virginia CDPA, Colorado CPA, Connecticut CTDPA, etc.) beyond brief mention of the expanding state privacy landscape.
- Detailed legal analysis of CCPA/CPRA litigation, enforcement actions, and case law interpretation.
- International privacy frameworks (LGPD, PIPEDA, APPI, POPIA) beyond the GDPR comparison.