India's DPDP Rules are notified, time to gap-assess your India programmeSee how we helpEU AI Act obligations are phasing in: the privacy groundwork comes firstAI privacy advisoryTransfer documentation is a top enforcement target: SCCs, IDTA, TIAsTransfer servicesIndia's DPDP Rules are notified, time to gap-assess your India programmeSee how we helpEU AI Act obligations are phasing in: the privacy groundwork comes firstAI privacy advisoryTransfer documentation is a top enforcement target: SCCs, IDTA, TIAsTransfer services
Abhishek Bansiwal
USCalifornia Consumer Privacy Act, as amended by the CPRA

Opt-out rights, honored signals, and a regulator that checks.

California's regime gives consumers rights to know, delete, correct, and opt out of the sale or sharing of personal information, with the CPPA actively auditing how businesses honor them. For EU-programme companies entering the US market, the shift from opt-in to opt-out logic is where implementations usually break.

At a glance

Who it catches

For-profit businesses over revenue or data-volume thresholds handling California residents' personal information

Penalties

Civil penalties up to $2,500 per violation ($7,500 if intentional or involving minors), counted per consumer

Key obligations

"Do Not Sell or Share" links, Global Privacy Control honoring, sensitive-data limits, contractor terms

Regulators

California Privacy Protection Agency and the Attorney General

What it requires

The obligations that matter in practice.

  • A compliant privacy policy with California-specific disclosures, refreshed annually
  • "Do Not Sell or Share My Personal Information" mechanisms where applicable
  • Honoring the Global Privacy Control signal as a valid opt-out
  • Rights handling: know, delete, correct, opt out, and limit sensitive-data use
  • Service-provider and contractor agreements with the required restrictions

How we help

Where our practice comes in.

FAQ

Common CCPA / CPRA questions.

Usually not correctly. GDPR logic is opt-in; California is opt-out with mandatory GPC honoring. Running EU opt-in banners for US visitors is legal but hurts conversion; running them without GPC support is a compliance gap. Region-aware configuration fixes both.

Start here

Tell us what you're dealing with.

Pick the service that sounds closest, or just describe the situation. You'll get an honest reply within 24 hours: where you stand, what actually needs doing, and whether we're the right fit for it.

Prefer to talk? Book a free 30-min call

Email: abhishek.adv@yahoo.com

LinkedIn: linkedin.com/in/abhishekbansiwal

Working with clients across the EU, UK, US, India, and beyond. See the privacy notice for how enquiries are handled.

Replies within 24 hours. No mailing list, no follow-up sequence.