California & CCPA Compliance Advisory Services

Helping organizations navigate California privacy compliance.

VeraSafe helps organizations understand and comply with California’s privacy and consumer data laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the CCPA implementing regulations, data broker laws, the California Invasion of Privacy Act (CIPA), the California Age-Appropriate Design Code (AADC), the California Customer Records Act (“Shine the Light”), breach-related obligations, and emerging artificial intelligence and automated decision-making requirements.

End-to-End Support

From initial risk assessments to ongoing program management, we guide your team through California privacy compliance.

Technical Fluency

Our team has deep experience integrating Global Privacy Control (GPC) with consent platforms, tag managers, and tracking systems.

Trusted U.S. Privacy Advisor

We have extensive experience advising organizations of all sizes on state-specific privacy laws and practical implementation strategies.

Thank You

Thank You!

We’ll be in contact shortly.

California Consumer Privacy Act (CCPA) Compliance


Our privacy attorneys and cybersecurity professionals provide hands-on support for all aspects of compliance with the CCPA, as amended by the CPRA, and the implementing regulations. We can help determine whether your organization is subject to the CCPA, conduct a compliance gap analysis, and prepare a remediation roadmap. Related services include:

Data Mapping

We help identify, map, and document all personal information your organization collects, stores, or shares.

Privacy Notice & Transparency

We review and update your privacy notices to align with CCPA transparency requirements, including point-of-collection notice and mobile app disclosures.

Consumer Rights Implementation

We design and implement processes to honor consumer rights under the CCPA, including opt-out requests, Global Privacy Control (GPC) implementation, authorized agent requests, requests to limit the use of sensitive data, and access, correction, and deletion requests.

Vendor & Contract Support

We review and negotiate service provider, contractor, and third-party agreements to align with CCPA regulatory requirements, clarify data roles, and help avoid unwanted “sale” or “share” classifications while ensuring vendor cooperation.

Risk & Impact Assessments

We conduct and document mandatory privacy risk assessments for high‑risk processing activities, including sensitive personal information and ADMT uses, to meet CCPA regulatory requirements.

Automated Decision-Making & Profiling (ADMT) Support

We help businesses that use automated decision‑making technologies provide required pre‑use notices, opt‑out options, and transparent explanations of how decisions are made. 

Cybersecurity Audit Readiness

We prepare your organization for independent cybersecurity audits, including program review, documentation, and certification support under the finalized California regulations. 

Sensitive Data Governance

We can assess the extent to which your organization collects and processes sensitive personal information such as precise location and message content, and help manage specific obligations related to such data.

Staff Training

We deliver organization‑wide privacy and security awareness training to help reduce risk, improve compliance practices, and support CCPA workforce education requirements.

Global Privacy Control (GPC) Compliance


GPC is a universal opt‑out signal that lets consumers stop the sale or sharing of their personal information automatically. Businesses subject to the CCPA that engage in “selling” or “sharing”—such as through the use of online advertising technologies—must honor GPC signals as valid consumer requests and ensure their systems respond accordingly.

How VeraSafe can help:

  • Work with your web developers and vendors to implement reliable GPC recognition across digital properties.
  • Test system functionality to ensure GPC signals are accurately detected and honored.
  • Configure tag management or consent management tools to respond properly to GPC signals.
  • Update privacy notices and disclosures to describe GPC support.

California Invasion of Privacy Act (CIPA) Compliance


Many businesses have received letters from plaintiffs’ attorneys threatening to sue or arbitrate theories related to CIPA. These theories typically focus on the use of website technologies, such as session replay, chatbots, online advertising tools, and cookie banners. At VeraSafe we can:

  • Help assess your CIPA risk by examining your website technologies and current cookie banner implementation.
  • Recommend options to meet your business’s technological, marketing, and growth objectives while calibrating and balancing CIPA risk and compliance.
  • Respond to and resolve demand letters from plaintiffs’ attorneys related to alleged CIPA noncompliance.

Additional California Privacy Support


The privacy law landscape in California grows increasingly complex each year. VeraSafe can identify and support with additional compliance obligations that may be applicable to your businesses, including:

  • Rules applicable to children and teenagers, including compliance with the California Age-Appropriate Design Code (AADC)
  • Data broker registration, legal requirements, and Delete Request and Opt-Out Platform (DROP) compliance
  • California Customer Records Act (aka “Shine the Light”) consumer requests related to marketing disclosures
  • Data breach assessments, including reporting obligations

Frequently Asked Questions (FAQs)

Under CCPA regulations, a covered business that sells or shares personal information online must treat user‑enabled opt-out preference signals, such as the GPC, as a valid consumer opt‑out request for the sale or sharing of personal information. This includes covered businesses that use commonplace online advertising technologies.

This means that if a business is already subject to the CCPA’s opt‑out requirements because it sells or shares personal information and meets the thresholds of the law, it must read and correctly process GPC signals.

The California Privacy Protection Agency has finalized regulations that require certain businesses to conduct independent annual cybersecurity audits if their processing of personal information presents a significant risk to consumer security. These audits must assess the effectiveness of cybersecurity programs and identify gaps.

Businesses that process personal information in a manner that presents significant risk to consumers’ privacy must conduct risk assessments. This requirement applies to “selling” and “sharing”—a common business activity—as well as processing sensitive data and other circumstances. Businesses must start conducting risk assessments in 2026, and need to submit information about those assessments to the California Privacy Protection Agency no later than April 1, 2028.

Under the updated CCPA regulations, businesses that use ADMT to make “significant decisions” about consumers must comply with new transparency and consumer rights obligations, beginning January 1, 2027. These include providing pre‑use notices about ADMT, offering consumers the right to opt out of ADMT processing, and, in some cases, allowing consumers to access information about how automated decisions were made.

The updated CCPA regulations are effective January 1, 2026, but compliance deadlines are staggered. Cybersecurity audit requirements have phased deadlines, with the earliest audits due by April 1, 2028, for the largest businesses. Businesses need to conduct risk assessments going forward from January 1, 2026, and be prepared to submit required information to the California Privacy Protection Agency no later than April 1, 2028. The ADMT requirements for significant decision‑making are scheduled to begin January 1, 2027.

Key contacts

Matthew Joseph

Matthew Joseph

CIPP/E, CIPP/US, CIPM, FIP

Managing Director

Jim Cormier

Jim Cormier

CIPP/E, CIPM, FIP

Senior Vice President and Head of Professional Services

Learn how VeraSafe can take on the challenge of CCPA implementation in your organization.

Why VeraSafe?

Track record of successful privacy engagements across industries.

Work directly with our in-house team of US and European privacy attorneys, IT experts, and project managers.

Strategic, risk-based approach to compliance.

Fully customizable project plan and templates, tailored to fit your needs.

Reasonable, flexible fee structure and fully customizable engagement scope.

Holistic approach: Our broad expertise ranges from privacy law to cybersecurity operations.