What Is the CCPA (and CPRA)?
The CCPA, expanded by the CPRA, is California's privacy law giving consumers rights over their personal data. Here's what it means for home-service contractors.
What it is
The California Consumer Privacy Act, or CCPA, is California’s main privacy law. It gives California residents rights over the personal information that businesses collect about them — things like their name, contact details, and online activity. The idea is simple: people should be able to find out what a company knows about them, ask to have it deleted, and stop the company from selling it.
The CPRA — the California Privacy Rights Act — is a 2020 ballot measure that updated and strengthened the CCPA. It added new protections, created a special category for sensitive personal information, and set up the California Privacy Protection Agency to enforce the rules. In everyday talk, people often just say “CCPA” to mean the current, combined law.
How it works
The CCPA gives California residents a set of rights, and puts matching duties on the businesses that have to follow it:
- The right to know. A person can ask what personal information a business has collected about them and what it’s used for.
- The right to delete. A person can ask a business to delete the personal information it holds about them, with some exceptions.
- The right to correct. Under the CPRA, a person can ask a business to fix inaccurate information.
- The right to opt out. A person can tell a business to stop selling or sharing their personal information.
- No retaliation. A business can’t punish someone — with worse pricing or service — for using these rights.
The law doesn’t apply to every business. It generally kicks in only when a business meets certain thresholds, such as a high annual revenue, handling the personal data of a large number of California consumers, or making most of its money from selling personal data.
Why it matters for contractors
Here’s the honest version for a busy contractor: many small local shops fall below the CCPA’s size thresholds and aren’t directly covered today. If that’s you, you don’t need to panic or hire a privacy lawyer this afternoon.
But two things make this worth understanding anyway. First, the thresholds can pull you in — if you serve California residents and grow, or if you start handling a lot of contact data, you can cross the line. Second, and more important, the CCPA is the front edge of a wave. More states keep passing their own privacy laws, and they share the same DNA: tell people what you collect, let them opt out, and don’t trade their data behind their back.
So the real lesson isn’t “memorize California law.” It’s that the direction of travel everywhere is toward more consumer control over personal data — and contractors who build good habits now won’t have to scramble later.
The CCPA is also pointed squarely at one practice: selling and sharing personal data. A lead vendor that scoops up homeowner information and sells it around is the exact target. A contractor who buys those lists is downstream of an activity these laws are designed to restrict.
Common mistakes
- Assuming “I’m small, so it doesn’t apply” forever. It may be true today, but thresholds and new state laws can change that as you grow.
- Collecting data you don’t need. Every extra field you capture is something you have to protect and might have to delete on request. Collect less.
- No clear privacy notice. Even if you’re below the thresholds, homeowners increasingly expect a plain explanation of what you collect and why. Not having one looks careless.
- Buying and reselling contact data. This is the practice these laws most directly restrict, and it carries privacy risk on top of the TCPA and deliverability problems it already causes.
- Ignoring deletion or opt-out requests. If someone asks you to stop or delete their data and you blow it off, you turn a small obligation into a complaint.
How it relates to consent
Privacy laws like the CCPA and CPRA all circle back to one principle: people should control their own information and know who’s contacting them and why. That’s the same principle behind consent-first marketing.
When a lead reaches you because the homeowner chose to be contacted — and the data behind it was collected with their knowledge, not bought and resold — you’re aligned with where privacy law is heading instead of fighting against it. Consent-first lead generation keeps the relationship clean: the homeowner agreed, the record shows it, and the data was never traded around behind their back. That’s the safe side of every privacy law, current and coming.