The California Consumer Privacy Act (CCPA, effective 2020) and its 2023 successor, the California Privacy Rights Act (CPRA), are the foundational US state privacy laws, creating comprehensive rights for California residents and obligations for businesses that collect their personal information. The CPRA created a dedicated enforcement agency, the California Privacy Protection Agency (CPPA), with enforcement powers and the ability to issue fines of up to $7,500 per intentional violation.

For Indian IT firms and SaaS providers, CCPA/CPRA applicability is triggered by business thresholds: annual gross revenue exceeding $25 million; buying/selling/receiving personal information of 100,000+ consumers/households; or deriving 50%+ of revenue from selling/sharing personal information. Indian firms that process or sell personal information of California residents on behalf of US clients as Service Providers face contractual obligations equivalent to GDPR Article 28 Data Processing Agreements.

🇺🇸 US Market Entry: If your organisation is growing its US client base, CCPA/CPRA compliance should be part of your US market readiness programme, alongside SOC 2 Type II and, for enterprises, ISO 27001.