California Privacy Rights Act (CPRA): Complete Guide
Learn what the California Privacy Rights Act (CPRA) is, how it amended the CCPA, and what businesses must do to comply with CPRA requirements.
The California Privacy Rights Act (CPRA) represents the most significant expansion of consumer privacy protections in the United States since the original CCPA took effect in 2020. Understanding what the CPRA is and how it changed California's privacy landscape is essential for any business that collects personal information from California residents.
This guide explains the California Privacy Rights Act in detail, covering its key provisions, who it applies to, the new rights it created, its enforcement structure, and what businesses need to do to comply. This content is educational and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
What Is the CPRA?
The California Privacy Rights Act, commonly referred to as the CPRA, is a voter-approved amendment to the California Consumer Privacy Act (CCPA) that substantially expanded privacy rights for California residents. Voters passed it as Proposition 24 in November 2020 with 56% of the vote, and its substantive provisions took effect on January 1, 2023.
Understanding what the CPRA is starts with recognizing that it is not a standalone law. The California Privacy Rights Act amends and builds upon the existing CCPA, which is codified in California Civil Code Sections 1798.100 through 1798.199.100. After the CPRA's amendments, the combined statute is sometimes referred to as the "CCPA, as amended by the CPRA," though many practitioners simply call it the CPRA.
The CPRA addressed several gaps that privacy advocates and businesses identified after the CCPA's initial implementation. These included limited enforcement resources, narrow consumer rights compared to the GDPR, and temporary exemptions that shielded employee and business contact data from the law's protections.
Who Does the California Privacy Rights Act Apply To?
The CPRA retains the CCPA's threshold-based applicability model but updated certain thresholds. A for-profit business is subject to the California Privacy Rights Act if it meets any one of the following three criteria.
Applicability thresholds
- Revenue threshold: Annual gross revenue exceeding $25 million in the preceding calendar year, adjusted for inflation beginning January 1, 2023 (Section 1798.140(d)(1)(A))
- Data volume threshold: Annually buys, sells, or shares the personal information of 100,000 or more consumers or households (Section 1798.140(d)(1)(B)). The CPRA raised this from the original 50,000 and removed "devices" from the count, but added "shares" alongside "buys" and "sells."
- Revenue from data: Derives 50% or more of annual revenue from selling or sharing consumers' personal information (Section 1798.140(d)(1)(C)). The CPRA added "sharing" to this criterion.
Geographic reach
The California Privacy Rights Act applies to businesses regardless of where they are physically located, as long as they meet the thresholds and collect personal information from California residents. A company headquartered in New York, London, or Singapore is subject to the CPRA if it serves California consumers and meets any threshold.
Key exemptions
Several exemptions carry over from the CCPA:
- Nonprofit organizations remain exempt, as the law applies only to for-profit entities
- Government agencies are not covered
- Data governed by specific federal laws receives partial exemptions, including data subject to HIPAA, GLBA, FCRA, and DPPA
However, the CPRA removed the temporary exemptions that previously shielded employee data and business-to-business contact information. As of January 1, 2023, these categories of personal information receive full protection under the law.
New Consumer Rights Under the CPRA
The California Privacy Rights Act expanded the rights available to California residents beyond those originally established by the CCPA. Businesses must honor these rights through verifiable consumer requests.
Right to correct (Section 1798.106)
Consumers can request that a business correct inaccurate personal information it holds about them. This right is new under the CPRA and mirrors the right to rectification found in Article 16 of the GDPR. Businesses must use commercially reasonable efforts to correct the information upon a verified request.
Right to limit use of sensitive personal information (Section 1798.121)
This is one of the most significant additions in the California Privacy Rights Act. Consumers can direct a business to limit its use and disclosure of sensitive personal information to purposes that are necessary for performing the services or providing the goods reasonably expected by the consumer. Businesses that use sensitive personal information beyond these necessary purposes must include a "Limit the Use of My Sensitive Personal Information" link on their homepage.
Expanded opt-out rights
The CCPA originally gave consumers the right to opt out of the sale of personal information. The CPRA expanded this to include sharing for cross-context behavioral advertising (Section 1798.120). This means that businesses using targeted advertising across different websites or platforms must provide opt-out mechanisms even if no money changes hands for the data.
Retained CCPA rights
The following rights from the original CCPA remain in effect under the CPRA:
- Right to know (Section 1798.100): Consumers can request disclosure of what personal information a business collects, where it comes from, what it is used for, and who it is shared with
- Right to delete (Section 1798.105): Consumers can request deletion of personal information, subject to specific exceptions
- Right to opt out of sale or sharing (Section 1798.120): Businesses must honor opt-out requests and display a "Do Not Sell or Share My Personal Information" link
- Right to non-discrimination (Section 1798.125): Businesses cannot retaliate against consumers who exercise their privacy rights
Sensitive Personal Information Under the CPRA
The California Privacy Rights Act introduced a new legal category called "sensitive personal information" (SPI), defined in Section 1798.140(ae). This concept did not exist in the original CCPA and represents a major change in how businesses must handle certain types of data.
What qualifies as sensitive personal information
The CPRA defines SPI to include:
- Social Security numbers, driver's license numbers, state ID numbers, and passport numbers
- Account login credentials (username combined with password or security question answers)
- Financial account numbers combined with access codes or passwords
- Precise geolocation data (within a radius of 1,850 feet)
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
- Contents of mail, email, and text messages (unless the business is the intended recipient)
- Genetic data
- Biometric information used to identify a person
- Health information
- Sex life or sexual orientation data
Business obligations for sensitive data
When a business collects or processes sensitive personal information, it must:
- Disclose the categories of SPI collected and the purposes for collection in its privacy policy
- Provide consumers with the right to limit use of their SPI to necessary purposes
- Display a "Limit the Use of My Sensitive Personal Information" link on the business homepage if SPI is used beyond what is reasonably necessary
- Conduct regular risk assessments (cybersecurity audits) for processing activities that involve SPI
The California Privacy Protection Agency
One of the most consequential changes in the California Privacy Rights Act was the creation of the California Privacy Protection Agency (CPPA), established under Section 1798.199.10. The CPPA is the first dedicated state privacy enforcement agency in the United States.
Agency structure and authority
The CPPA is governed by a five-member board. It has full administrative authority to implement and enforce the CCPA/CPRA, including:
- Rulemaking: Issuing regulations that interpret and operationalize the statute
- Investigation: Initiating investigations into potential violations
- Enforcement: Bringing administrative actions and imposing penalties
- Auditing: Ordering businesses to submit to cybersecurity and privacy audits
Relationship to the Attorney General
Before the CPRA, the California Attorney General was the sole enforcer of the CCPA. The CPRA transferred primary enforcement authority to the CPPA while allowing the Attorney General to retain concurrent jurisdiction. In practice, this means businesses may face enforcement from either body.
Penalties
Penalties under the California Privacy Rights Act remain consistent with the original CCPA framework:
- $2,500 per unintentional violation
- $7,500 per intentional violation
- $7,500 per violation involving the personal information of minors under 16 (the CPRA elevated all violations involving minors to the intentional penalty level)
Consumers retain a private right of action under Section 1798.150 for data breaches involving unencrypted or unredacted personal information, with statutory damages of $100 to $750 per consumer per incident.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowCPRA Compliance Requirements for Businesses
Meeting the California Privacy Rights Act's requirements involves updates across several areas of your business operations. The following obligations apply to all businesses that meet the applicability thresholds.
Updated privacy policy disclosures
Your privacy policy must now include:
- The categories of sensitive personal information collected and purposes for collection
- Whether SPI is used or disclosed beyond what is necessary for the stated purpose
- Retention periods for each category of personal information and sensitive personal information
- A description of consumers' right to correct and right to limit sensitive data use
- Contact information for submitting verifiable consumer requests
If you need a privacy policy that addresses these requirements, a privacy policy generator can help you create a compliant document covering the CPRA's disclosure obligations.
Data minimization and purpose limitation
The CPRA introduced data minimization principles that mirror the GDPR's approach under Article 5(1)(c). Section 1798.100(c) requires that a business's collection, use, retention, and sharing of personal information must be:
- Reasonably necessary and proportionate to the purposes for which it was collected or processed
- Not further processed in a manner incompatible with those purposes
This means businesses can no longer collect personal information broadly "just in case." You must be able to justify why each category of data is necessary for a specific, disclosed purpose.
Storage limitation
Businesses must establish and disclose retention periods for personal information. Section 1798.100(d) states that personal information cannot be retained for longer than is reasonably necessary for the disclosed purpose. This requires businesses to:
- Define retention schedules for each category of personal information
- Disclose those schedules in their privacy policy
- Implement processes to delete or de-identify data when the retention period expires
Contractual requirements for service providers
The CPRA strengthened requirements for contracts with service providers, contractors, and third parties that receive personal information. Under Section 1798.100(d), these contracts must:
- Specify the business purposes for which data is provided
- Require the receiving party to comply with the CPRA
- Require the receiving party to notify the business if it can no longer meet its CPRA obligations
- Grant the business the right to take reasonable steps to stop and remediate unauthorized use
Risk assessments
Section 1798.185(a)(15) directs the CPPA to issue regulations requiring businesses to perform cybersecurity audits and submit risk assessments to the agency. These apply to businesses whose data processing activities present significant risk to consumer privacy or security. The CPPA is actively developing these regulations, and businesses should prepare for audit requirements to become enforceable.
How the CPRA Compares to the GDPR
Businesses operating internationally often need to understand how the California Privacy Rights Act compares to the European Union's General Data Protection Regulation. While the two frameworks share several concepts, key differences remain.
Similarities
- Both grant consumers (data subjects) the right to access, delete, and correct personal information
- Both impose data minimization and purpose limitation requirements
- Both require disclosure of data retention periods
- Both recognize a special category of sensitive data requiring heightened protection
- Both have dedicated enforcement agencies with investigation and penalty authority
Key differences
- Legal basis: The GDPR requires a lawful basis for all processing (consent, contract, legitimate interest, etc.). The CPRA follows an opt-out model where businesses can process data unless the consumer objects.
- Scope: The GDPR applies to all organizations processing EU residents' data. The CPRA applies only to for-profit businesses meeting specific thresholds.
- Consent model: The GDPR generally requires opt-in consent for marketing and tracking. The CPRA requires an opt-out mechanism for selling and sharing data.
- Penalties: GDPR fines can reach 20 million EUR or 4% of global annual turnover. CPRA penalties are $2,500 to $7,500 per violation, which can accumulate rapidly across affected consumers.
- Private right of action: The CPRA limits private lawsuits to data breach cases. The GDPR allows private actions for any violation.
Businesses subject to both laws will find that GDPR compliance covers most CPRA requirements, but the reverse is not true. CPRA compliance alone does not satisfy the GDPR's stricter consent and lawful basis requirements.
Steps to Achieve CPRA Compliance
Meeting your obligations under the California Privacy Rights Act requires a structured approach. The following steps provide a practical framework for compliance.
- Assess applicability: Determine whether your business meets any of the three thresholds (revenue, data volume, or data revenue percentage)
- Map your data: Inventory all personal information and sensitive personal information your business collects, including the sources, purposes, recipients, and retention periods for each category
- Update your privacy policy: Ensure it includes all CPRA-required disclosures, including sensitive data categories, retention periods, and descriptions of new consumer rights. A compliance platform like TermsBox can generate a privacy policy that covers CPRA requirements and keep it updated as regulations evolve.
- Implement consumer rights mechanisms: Build or update processes for handling requests to know, delete, correct, opt out of sale/sharing, and limit sensitive data use
- Update homepage links: Add both "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links, or a single combined link as permitted by the regulations
- Review vendor contracts: Update agreements with service providers, contractors, and third parties to include CPRA-required contractual provisions
- Train your team: Ensure employees who handle consumer inquiries understand the new rights and your response procedures
- Prepare for audits: Begin developing internal risk assessment processes and cybersecurity audit documentation in anticipation of CPPA regulations
Compliance is not a one-time project. The CPPA continues to issue new regulations and guidance, and businesses must monitor developments and update their practices accordingly.
Frequently Asked Questions
What is the CPRA in simple terms?
The California Privacy Rights Act (CPRA) is a voter-approved amendment to the CCPA that expanded consumer privacy rights in California. It introduced the right to correct personal information, the right to limit the use of sensitive personal information, created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, and added new obligations for businesses that process personal data of California residents.
When did the CPRA take effect?
The CPRA was approved by California voters through Proposition 24 in November 2020. Its substantive provisions took effect on January 1, 2023, applying to personal information collected on or after January 1, 2022. Enforcement by the California Privacy Protection Agency began on July 1, 2023.
What is the difference between the CCPA and the CPRA?
The CPRA is not a separate law but an amendment to the CCPA. It added new consumer rights (correction, limiting sensitive data use), created a dedicated enforcement agency (the CPPA), introduced the category of sensitive personal information, expanded opt-out rights to cover data sharing for cross-context behavioral advertising, imposed new requirements for data minimization and storage limitation, and removed the temporary exemptions for employee and business-to-business data.
Does the CPRA apply to small businesses?
The CPRA applies to for-profit businesses that meet at least one of three thresholds: annual gross revenue over $25 million, buying, selling, or sharing the personal information of 100,000 or more California consumers or households annually, or deriving 50% or more of revenue from selling or sharing personal information. Small businesses below all three thresholds are generally exempt, though they may still be subject to other state or federal privacy laws.