The California Consumer Privacy Act, as amended by the CPRA, stopped being a big-company problem years ago. The thresholds are easy to cross: do business in California and clear roughly $25 million in annual revenue, or handle the personal information of 100,000 or more California residents, and the law applies to you. Plenty of mid-market companies cross a threshold without noticing, because the counting includes website visitors whose data flows to analytics and advertising platforms, not just paying customers.
The three mistakes we see most often
First: treating the privacy policy as the project. A policy rewrite is the visible part, but CCPA/CPRA compliance is mostly operational. If your policy promises deletion within 45 days and nobody owns the process that actually deletes the data, you have converted a compliance gap into a documented broken promise, which is worse.
Second: assuming "we don't sell data" ends the conversation. The law's definition of "sharing" covers disclosing personal information for cross-context behavioral advertising, which describes an ordinary advertising pixel. Many companies that sincerely believe they sell nothing are sharing by the statutory definition, which triggers the "Do Not Sell or Share" obligations, including honoring the Global Privacy Control browser signal.
Third: ignoring service providers. Every vendor that touches personal information needs a contract with specific clauses before they qualify as a "service provider" rather than a third party you are disclosing data to. Vendor inventory is unglamorous work, and it is where audits find the gaps.
A sequence that works
You do not need a two-year program. For most mid-market companies the work falls into a sequence that a small team can execute in a quarter:
- Map the data. Inventory what personal information you collect, where it lives, which vendors receive it, and why. This is the foundation for everything else, and it is usually smaller than feared once you actually write it down.
- Close the sharing question honestly. Audit the tags and pixels on your site. Decide what stays, gate what remains behind appropriate notice and opt-out, and honor GPC signals in code, not just in the policy.
- Build the rights pipeline. A request intake channel, an identity verification step, a documented fulfillment process with deadlines, and a log. Start manual; automate when volume justifies it.
- Fix the vendor contracts. Identify processors, confirm the required contractual terms exist, and remediate the ones that do not.
- Rewrite the policy last. Now the policy describes reality: the categories you collect, the purposes, the vendors, the rights, and how to exercise them.
Why readiness is worth more than avoiding fines
Enforcement is real and the per-violation numbers add up quickly, but the stronger business case is quieter. Enterprise customers send privacy questionnaires before they sign. Acquirers send them during diligence. Insurance carriers ask about data handling before quoting cyber coverage. A company that can answer with a data map, a working rights process, and a truthful policy moves through all three faster than one that answers with a template policy dated several years ago.
Privacy readiness also compounds. The same data map that satisfies CCPA/CPRA is the starting point for other state privacy laws, most of which borrow the same concepts. Do the work once, properly, and each new statute becomes a delta rather than a new program.
Where to start this week
Open your own website with the browser's developer tools and count the third-party requests that fire before a visitor makes any choice. Then ask who in the company could produce a list of every system that stores customer personal information. Those two answers tell you how far there is to go, and both cost nothing to find out.