Skip to main content
Future Shredding — Secure Document Destruction

California's Data Privacy Law: From CCPA to CPRA

Law · Last updated July 7, 2026

Originally published in 2019, ahead of the CCPA taking effect. Updated to reflect the CPRA era.

When the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, California became the first state to give consumers broad, enforceable rights over their personal information. Voters then doubled down: Proposition 24 (November 2020) created the California Privacy Rights Act (CPRA), which amended and expanded the CCPA, with most provisions operative since January 1, 2023. Together they form the toughest state privacy regime in the country — and a template that other states keep borrowing from.

The Rights Californians Hold Today

Under the CCPA as amended by the CPRA, California residents can:

  • Know what personal information a business collects, where it comes from, why it’s collected, and who it’s shared with;
  • Delete personal information a business holds about them (with exceptions);
  • Correct inaccurate personal information — a right the CPRA added;
  • Opt out of the sale and sharing of their personal information;
  • Limit the use of sensitive personal information (another CPRA addition covering things like SSNs, precise location, health, and financial data);
  • Not be retaliated against for exercising any of these rights.

The CPRA also created a dedicated regulator — the California Privacy Protection Agency (CPPA) — so enforcement no longer depends solely on the Attorney General, and consumers keep a private right of action for data breaches caused by a business’s failure to maintain reasonable security.

The Part Most Businesses Overlook: The End of the Data’s Life

Two obligations in the law land directly on disposal practices:

  • Retention limits. The CPRA requires businesses to tell consumers how long they keep each category of personal information — and not to keep it longer than reasonably necessary. That makes “we never throw anything away” a compliance problem, not a virtue.
  • Reasonable security. Breach liability attaches to unreasonable security practices, and courts and regulators have long treated readable documents in a dumpster as exactly that. California’s separate disposal statute (Civil Code §1798.81) has required shredding or equivalent destruction of customer records since before the CCPA existed.

In practice: when retention periods expire, records containing personal information must be destroyed in a way you can defend later. For paper and retired media, that means documented destruction — the kind that ends with a Certificate of Destruction in your file.

What to Do About It

  1. Know what personal information you hold and how long you’re keeping it.
  2. Put expiration dates on it — retention schedules are now consumer-facing promises.
  3. Destroy expired records on-site, witnessed, and documented, including hard drives and media.

We’re shredders, not lawyers — for advice on your specific obligations, talk to privacy counsel. But when your retention schedule says “destroy,” we’re the last step.

Ready to Shred?

Book online in two minutes or call (562) 426-0557 — most jobs are scheduled within days, and every job ends with a Certificate of Destruction.