California Consumer Privacy Act / California Privacy Rights Act

Class action exposure reaching hundreds of millions of dollars makes CCPA/CPRA compliance a material financial risk that demands executive-level governance.

Effective Date: 1 January 2020 (CCPA) / 1 January 2023 (CPRA amendments)
Enforcement Body: California Privacy Protection Agency (CPPA) / California Attorney General
Penalty Framework: Administrative fines of up to $2,500 per unintentional violation and $7,500 per intentional violation or violations involving minors. The CPPA can impose fines without a cure period for intentional violations. Private right of action for data breaches: statutory damages of $100–$750 per consumer per incident (or actual damages if greater). Class action exposure can reach hundreds of millions of dollars.

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most comprehensive consumer privacy law in the United States. It grants California residents significant rights over their personal information and imposes obligations on businesses that collect, use, or share that information.

The CPRA established the California Privacy Protection Agency (CPPA) as a dedicated enforcement body and introduced new concepts including sensitive personal information, data minimisation, and purpose limitation. The law requires businesses to respond to consumer requests to know, delete, correct, and opt out of sale/sharing within prescribed timeframes.

For Microsoft 365 environments, CCPA/CPRA compliance requires Purview data discovery for mapping consumer personal information across the tenant, DLP policies for data minimisation, retention policies for storage limitation, and eDiscovery for efficiently processing Data Subject Access Requests (DSARs). StremarControl engineers and operates these Microsoft-native controls, translating CCPA/CPRA obligations into enforceable configuration, structured evidence, and ongoing assurance discipline.

Why This Matters Now

The CCPA, as amended by the CPRA, is the most comprehensive state-level privacy law in the United States, effectively setting the privacy standard for consumer data across the country. It grants consumers rights to know, delete, correct, and opt out of sale/sharing of their personal information. For M365 environments, compliance requires Purview data discovery for consumer data mapping, DLP policies for data minimisation, retention policies for storage limitation, and eDiscovery for DSAR fulfilment. California's market size means CCPA/CPRA compliance is effectively a national requirement.

Scope & Applicability

Applies to for-profit businesses that: (1) have annual gross revenue exceeding $25 million; (2) buy, sell, or share personal information of 100,000+ consumers/households; or (3) derive 50%+ of annual revenue from selling/sharing personal information. Applies to California residents regardless of where the business is located. M365 tenants of businesses meeting these thresholds must implement CCPA/CPRA-compliant controls.

Core Obligations

01
Civil Code §1798.100–1798.110

Right to Know and Access

Provide consumers with the categories and specific pieces of personal information collected, the purposes, and third parties with whom it is shared.

02
Civil Code §1798.105

Right to Delete

Delete personal information upon verified consumer request, directing service providers and contractors to do the same.

03
Civil Code §1798.120

Right to Opt-Out of Sale/Sharing

Honour consumer requests to opt out of the sale or sharing of their personal information, and provide a clear opt-out mechanism.

04
Civil Code §1798.100(c)

Data Minimisation

Collect, use, retain, and share personal information only as reasonably necessary and proportionate to the disclosed purposes.

05
Civil Code §1798.121

Sensitive Personal Information

Provide consumers with the right to limit the use and disclosure of sensitive personal information to that which is necessary.

Microsoft 365 Control Mapping

How each obligation maps to enforceable Microsoft 365 controls and the evidence they produce.

Obligation: Consumer Data Discovery (Right to Know)
M365 Control: Purview Data Map for consumer personal information discovery across Exchange, SharePoint, OneDrive, and Teams. Content Search for specific consumer data identification.
Evidence: Data map scan results, content search logs, consumer data inventory reports.

Obligation: Right to Delete / Data Minimisation
M365 Control: Purview retention labels with auto-deletion schedules. eDiscovery for targeted deletion of consumer data. DLP policies enforcing collection limitations.
Evidence: Retention disposition records, eDiscovery deletion logs, DLP policy match reports.

Obligation: DSAR Processing
M365 Control: Purview eDiscovery for consumer data compilation. Subject Rights Requests workflow automation. Managed response with SLA tracking and verification.
Evidence: DSAR completion logs, response time analytics, verification reports.

Implementation Timeline

June 2018: California Consumer Privacy Act signed into law
January 2020: CCPA becomes effective
November 2020: California voters approve Proposition 24 (CPRA)
January 2023: CPRA amendments take effect
March 2024: CPPA begins enforcement actions

Ready to get CCPA/CPRA-ready?

Start with a fixed-scope sprint. We assess your Microsoft 365 controls against CCPA/CPRA requirements, close gaps, and produce audit-ready evidence.