The California Consumer Privacy Act of 2018 (CCPA) (Cal. Civ. Code § 1798.100 et seq.) was a watershed moment in U.S. privacy law — the first comprehensive state consumer privacy statute, modeled loosely on the European Union General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) but adapted to the California legislative tradition. Since its effective date, it has been amended by the California Privacy Rights Act of 2020 (CPRA) (Cal. Prop. 24), substantially modified by subsequent regulatory action of the California Privacy Protection Agency (CPPA), and interpreted through the first wave of enforcement actions.
For technology companies operating in California or serving California residents, the current compliance landscape is materially different from what the original CCPA created. This post addresses the most significant developments affecting technology companies — particularly those in the embedded systems, automotive, and connected device sectors.
What the CPRA Added to the CCPA Framework
The CPRA, which took full effect in January 2023, made several significant changes to the CCPA baseline. It created the California Privacy Protection Agency as an independent enforcement authority alongside the California Office of the Attorney General. It added a new category of "sensitive personal information" subject to heightened protection, including precise geolocation data, which is directly relevant to any connected vehicle, navigation system, or location-aware embedded product. It created a right to correct inaccurate personal information. It added data minimization and purpose limitation principles more closely aligned with GDPR. And it extended CCPA's scope to cover employee and business-to-business data, which had previously been exempted.
The CPPA has since issued regulations implementing these CPRA provisions, including regulations on risk assessments, cybersecurity audits, and automated decision-making technology — the last of which has the broadest potential impact on technology companies.
Automated Decision-Making: The Embedded Systems Dimension
The CPPA's proposed regulations on automated decision-making technology (ADMT) would give California consumers the right to opt out of certain automated decisions that have significant effects on them, and the right to access meaningful information about how automated decisions affecting them are made. These regulations are still in the rulemaking process, but their potential scope is broad enough to encompass many embedded systems applications.
An insurance telematics system that uses driving behavior data to calculate premiums — that is automated decision-making affecting a consumer's financial situation. A vehicle system that uses biometric monitoring data to determine whether a driver is impaired and remotely limits vehicle functionality — that is automated decision-making affecting a consumer's access to a service. An adaptive advanced driver-assistance system (ADAS) that uses machine learning to make real-time decisions affecting vehicle behavior — the legal characterization of whether this constitutes ADMT subject to the regulations is genuinely unclear and will require case-by-case analysis as the rules finalize.
For embedded systems companies developing products that collect California consumer data and use it to make or substantially influence decisions affecting those consumers, the ADMT regulations — even in proposed form — should be a design consideration now. Building explainability, opt-out mechanisms, human-machine interface (HMI) controls, and human review pathways into an ADMT system is far less expensive at the architecture stage than retrofitting them onto a deployed product.
Precise Geolocation as Sensitive Personal Information
The CPRA's classification of precise geolocation data — location within a radius of 1,850 feet (approximately 564 meters) — as sensitive personal information has direct implications for any embedded product that collects Global Positioning System (GPS) or equivalent location data. Sensitive personal information under the CPRA is subject to a separate opt-out right: consumers may direct a business to limit its use and disclosure of their sensitive personal information to what is necessary to perform the services reasonably expected by an average consumer.
For connected vehicles, navigation systems, fleet management platforms, and any embedded product that reports device location, this creates a compliance obligation that must be addressed in the product's data practices and user-facing disclosures. The opt-out must be honored operationally — which in an embedded system means building the capability to receive and act on a location data opt-out into the product's data collection and transmission architecture.
CPPA Enforcement: What the First Actions Tell Us
The CPPA issued its first enforcement actions in 2024 and 2025, focusing on several themes that technology companies should note. First, the CPPA has prioritized cases involving large-scale data collection where consumer notice was inadequate or consent mechanisms were manipulative (so-called “dark patterns” or deceptive user interface designs). Second, the agency has focused on businesses that failed to honor opt-out requests in a timely and complete manner — meaning the opt-out must actually work in the underlying data systems, not just in the user interface. Third, the agency has targeted data broker practices, with particular attention to the sale and sharing of location data.
For technology companies, the enforcement pattern suggests that the CPPA is less focused on technical paperwork compliance and more focused on whether consumers can actually exercise their rights effectively. A privacy policy that is technically complete but operationally hollow — where opt-outs are not actually honored in backend systems — is the enforcement priority, not a company with imperfect disclosures that actually honors its commitments.
guibert.law Insight
California's privacy framework is the de facto national standard for U.S. consumer privacy compliance. Companies that build CCPA/CPRA compliance into their product architecture — rather than treating it as a legal paperwork exercise — are simultaneously building toward compliance with the growing body of state privacy laws in Virginia, Colorado, Texas, and a dozen other states that have enacted similar frameworks. Privacy-by-design is now a business efficiency argument, not just a legal one.
Attorney advertising. The information in this post is provided for general informational purposes and does not constitute legal advice. Prior results do not guarantee a similar outcome. © 2026 guibert.law