CCPA/CPRA
California Consumer Privacy Act / California Privacy Rights Act
California's consumer privacy law granting residents rights over their personal data. While HIPAA-covered data is exempt, many healthcare apps handle non-HIPAA consumer health data that falls under CCPA.
Enforcer: California Attorney General. Penalties: $2,500 per unintentional violation, $7,500 per intentional violation
2 to 4 months for CCPA/CPRA compliance implementation
Generated code includes consumer rights endpoints, privacy notices, and opt-out management
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California residents extensive rights over their personal information. For healthcare apps, the relationship with HIPAA is nuanced: protected health information handled by HIPAA covered entities and business associates is exempt from CCPA, but consumer health data NOT covered by HIPAA (wellness apps, fitness trackers, health marketplaces) falls squarely under CCPA. With California representing roughly 12% of the US population, most healthcare apps serving US users need to consider CCPA compliance alongside HIPAA.
What It Covers
Right to know — what personal information is collected and how it is used
Right to delete — request deletion of personal information
Right to opt-out — opt out of sale or sharing of personal information
Right to correct — request correction of inaccurate information
Right to limit — limit use of sensitive personal information, a category that under CPRA includes information concerning a consumer's health
Non-discrimination — cannot penalize consumers for exercising rights
Penalties & Enforcement
Unintentional violations: $2,500 per violation (can add up fast at scale)
Intentional violations: $7,500 per violation
Private right of action for data breaches: statutory damages of $100-$750 per consumer per incident, or actual damages if greater
Enforced by California Attorney General and California Privacy Protection Agency (CPPA)
Sephora settlement: $1.2M (2022) for failure to honor opt-out requests
Real Enforcement Examples
Sephora, 2022, $1.2M settlement. First public CCPA enforcement settlement: the Attorney General alleged that Sephora did not disclose that it was selling personal information (via third-party trackers on its site) and did not honor opt-out requests sent through the Global Privacy Control (GPC) browser signal.
How VertiComply Helps
Consumer rights endpoints — know, delete, opt-out, correct
Privacy notice and cookie consent components
Do-not-sell preference management
Data inventory and mapping patterns
Global Privacy Control (GPC) opt-out signal recognition in generated code
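The Sephora action above turned on a browser-sent opt-out signal, and the CPPA regulations treat a valid Global Privacy Control signal as an opt-out request that takes precedence over a stored setting that would otherwise allow sale or sharing. The following is an added example of server-side GPC recognition, not VertiComply's generated code. The `Preference` values, the `Decision` shape and the in-memory `PreferenceStore` are hypothetical stand-ins for whatever an application actually persists; the only fixed fact it relies on is the GPC specification's request header, `Sec-GPC`, whose sole valid value is `1`.

```python
"""Server-side recognition of the Global Privacy Control (GPC) opt-out signal.

Added example, not VertiComply code. Preference, Decision and PreferenceStore
are hypothetical; a real application persists preferences per consumer.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Mapping, Optional, Tuple


class Preference(Enum):
    """Hypothetical business-specific setting stored for a known consumer."""
    UNKNOWN = "unknown"   # nothing on record, or an anonymous visitor
    OPT_OUT = "opt_out"   # consumer previously opted out of sale/sharing
    ALLOW = "allow"       # consumer previously consented to sale/sharing


@dataclass(frozen=True)
class Decision:
    may_sell_or_share: bool
    reason: str
    conflict: bool = False  # GPC says no, but a stored setting says yes


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only for 'Sec-GPC: 1', the single value the GPC spec defines.

    Header names are matched case-insensitively. '0', 'true', 'yes' or an
    absent header are not opt-out signals, but they are not consent either:
    no signal simply falls back to whatever preference is on record.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def decide(headers: Mapping[str, str],
           stored: Preference = Preference.UNKNOWN) -> Decision:
    """A valid opt-out preference signal is an opt-out request and wins over a
    stored setting that would otherwise allow sale or sharing; the conflict is
    flagged so the app can tell the consumer and offer to re-consent."""
    if gpc_signal_present(headers):
        return Decision(False, "gpc-signal", conflict=(stored is Preference.ALLOW))
    if stored is Preference.OPT_OUT:
        return Decision(False, "stored-opt-out")
    return Decision(True, "no-opt-out-on-record")


class PreferenceStore:
    """Hypothetical in-memory store with an audit trail of every decision."""

    def __init__(self) -> None:
        self._prefs: Dict[str, Preference] = {}
        self.audit: List[Tuple[str, str, str]] = []

    def get(self, consumer_id: Optional[str]) -> Preference:
        if consumer_id is None:
            return Preference.UNKNOWN
        return self._prefs.get(consumer_id, Preference.UNKNOWN)

    def handle_request(self, consumer_id: Optional[str],
                       headers: Mapping[str, str]) -> Decision:
        decision = decide(headers, self.get(consumer_id))
        # A GPC signal from a known consumer is a request that must persist
        # beyond this one HTTP request, so record it as an opt-out.
        if consumer_id is not None and decision.reason == "gpc-signal":
            self._prefs[consumer_id] = Preference.OPT_OUT
        self.audit.append((consumer_id or "anonymous", decision.reason,
                           datetime.now(timezone.utc).isoformat()))
        return decision


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    store = PreferenceStore()
    print(store.handle_request("consumer-1", {"Sec-GPC": "1"}))   # opt out, persisted
    print(store.handle_request("consumer-1", {}))                 # still opted out
    print(store.handle_request(None, {"sec-gpc": "true"}))        # not a valid signal
```

The same signal is readable in the browser as `navigator.globalPrivacyControl`, which is where cookie-consent and tracker-loading code should check it before any third-party tag fires; the server-side check above is what makes the opt-out stick for logged-in users and gives you a record to show a regulator.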
Frequently Asked Questions
Does CCPA apply to healthcare apps?
HIPAA-covered data is exempt from CCPA. However, consumer health data not covered by HIPAA (wellness apps, fitness, health marketplaces, non-covered entities) falls under CCPA if you serve California residents.
How does CCPA differ from GDPR?
CCPA is an opt-out regime (processing is permitted by default and consumers exercise rights to limit it), while GDPR requires a lawful basis, such as consent, before processing begins. CCPA's administrative fines are lower than GDPR's turnover-based maximums, but CCPA allows private lawsuits for data breaches. CCPA protects California residents; GDPR protects individuals in the EU/EEA.
Build CCPA/CPRA-compliant from day one
VertiComply generates production-ready code with CCPA/CPRA safeguards built in automatically.
Quick Facts
Region: United States
Category: Data Protection
Max Penalty: $7,500 per intentional violation ($2,500 per unintentional violation)
Manual Timeline: 2 to 4 months
With VertiComply: Minutes