Overview
What it is, in plain English.
The California Consumer Privacy Act — as amended by the California Privacy Rights Act (CPRA) and enforced by the California Privacy Protection Agency (CPPA) — is the most consequential US state privacy law. With a growing patchwork of similar laws in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and beyond, Lyra builds privacy programs that handle California today and the next dozen state laws on the way.
CCPA (and CPRA) readiness — including data inventory, consumer rights workflows, and privacy notice operations.
Who needs it
Built for organizations that have to get this right.
Businesses with California consumers and $25M+ revenue (or volume / sale thresholds)
Companies offering personal-data-driven advertising or analytics
B2B SaaS — CCPA's B2B exemption sunset; employee and B2B data are now in scope
Anyone operating a multi-state US privacy program
Our approach
How we get you audit-ready and keep you there.
We don't drop policy templates and disappear. We design controls, implement them in your environment, prepare every artifact, and walk with you through the audit — then operate the program after certification so you stay compliant year over year.
- 01 Applicability & Scoping: We confirm CCPA applicability, map applicable state laws (VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, etc.), and design a multi-state program.
- 02 Data Inventory & Disclosures: We inventory personal information, sensitive personal information, sales, and sharing — and rewrite privacy notices and at-collection disclosures.
- 03 Rights & Signals Operations: We implement consumer rights workflows (know, delete, correct, limit, opt-out) and Global Privacy Control (GPC) handling.
- 04 Vendor & Contract Remediation: We remediate vendor contracts to meet CCPA service provider / contractor / third-party requirements and run risk assessments for high-risk processing.
Key controls
What's actually in scope.
Privacy policy and just-in-time notices at collection
Do Not Sell or Share My Personal Information link and GPC honoring
Limit the Use of My Sensitive Personal Information mechanism
Verifiable consumer request workflows (45-day SLA, extendable to 90)
Contractor / service provider / third-party contract terms
Cybersecurity audit and risk assessment requirements (per CPPA regulations)
Deliverables
What you walk away with.
Personal information inventory and category mapping
Updated privacy policy and at-collection notices
DSAR / opt-out / correction workflow implementation
Vendor contract remediation package
Multi-state crosswalk and unified compliance matrix
Timeline
Initial CCPA readiness: 8–14 weeks. Multi-state US privacy program: 4–6 months.
Questions we hear
Straight answers to the real questions.
- Is CCPA the same as the other state laws?
- Similar in spirit, different in detail. CCPA is broader (covers employee and B2B data) and has unique elements like sale/share opt-outs. We build one operational program and map it across every applicable state.
- What's CPPA enforcement looking like?
- Active and growing. The CPPA has issued multimillion-dollar settlements, focuses heavily on dark patterns, GPC honoring, and vendor contract terms, and is finalizing regulations on automated decisionmaking, cybersecurity audits, and risk assessments.
- Do we still need GDPR if we have CCPA?
- If you have EU users, yes — they cover different jurisdictions and have meaningfully different requirements. We harmonize them under one operational program with jurisdiction-specific overlays.
Other frameworks we support
SOC 2 (Type 1 and Type 2): AICPA SOC 2
ISO 27001: ISO/IEC 27001 ISMS
CMMC: Cybersecurity Maturity Model Certification
NIST 800-171: Protecting CUI in non-federal systems
NIST CSF (including 2.0): NIST Cybersecurity Framework
HIPAA / HITRUST: Healthcare privacy and security