CPRA California: Complete Guide to the Privacy Rights Act
Learn what the CPRA California Privacy Rights Act requires, how it amended the CCPA, and what businesses must do to comply. Covers rights, enforcement, and key changes.
The CPRA California Privacy Rights Act significantly expanded the privacy protections available to California residents when it took effect on January 1, 2023. If your business collects personal information from people in California, the CPRA introduced obligations that go well beyond what the original CCPA required, including new consumer rights, stricter enforcement mechanisms, and a dedicated regulatory agency.
This guide explains what the California CPRA requires, how it changed the existing CCPA framework, and what practical steps you need to take to comply. This content is educational and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
What Is the CPRA in California?
The California Privacy Rights Act (CPRA) is a ballot initiative (Proposition 24) that California voters approved in November 2020. It amends and expands the California Consumer Privacy Act (CCPA), which first took effect in January 2020. The CPRA's substantive provisions took effect on January 1, 2023, with a lookback period covering personal information collected from January 1, 2022. Enforcement by the California Privacy Protection Agency (CPPA) began on July 1, 2023.
The CPRA is not a standalone law. It amended the existing CCPA text within California Civil Code Sections 1798.100 through 1798.199.100. In practice, attorneys and compliance professionals refer to the combined framework as "CCPA as amended by the CPRA," though the shorthand "CPRA" or "California CPRA" is commonly used when discussing the newer provisions specifically.
The driving force behind the CPRA was Alastair Mactaggart, the same individual who spearheaded the original CCPA. The ballot initiative approach meant the California legislature cannot weaken the CPRA's protections, only strengthen them through a supermajority vote.
Why the CPRA was enacted
The original CCPA, while groundbreaking for the United States, had gaps that the CPRA was designed to address:
- No dedicated enforcement agency (the California Attorney General handled enforcement alongside all other duties)
- A 30-day cure period that allowed businesses to avoid penalties by fixing violations after being caught
- No concept of sensitive personal information as a distinct category requiring additional protections
- Limited data minimization requirements
- No explicit right to correct inaccurate personal information
The CPRA closed each of these gaps, moving California's privacy framework closer to the standard set by the EU's GDPR (Regulation 2016/679).
Who Does the California CPRA Apply To?
The CPRA applies to for-profit businesses that collect personal information from California residents and meet specific thresholds. The applicability criteria were adjusted from the original CCPA.
Updated applicability thresholds
A for-profit business is subject to the CPRA if it meets any one of the following:
- Revenue threshold: Annual gross revenue exceeding $25 million in the preceding calendar year (unchanged from CCPA)
- Data volume threshold: Annually buys, sells, or shares the personal information of 100,000 or more consumers or households (the CCPA originally set this at 50,000 and included devices in the count; the CPRA raised it to 100,000 and removed devices)
- Revenue from data: Derives 50% or more of annual revenue from selling or sharing consumers' personal information (the CPRA added "sharing" alongside "selling")
Geographic scope
The California CPRA applies to any business that meets the thresholds above, regardless of where it is physically located. A company based in Texas, New York, the United Kingdom, or anywhere else in the world is subject to the CPRA if it collects personal information from California residents and meets at least one threshold.
Exemptions
The CPRA maintains several exemptions, though it narrowed them compared to the original CCPA:
- Nonprofit organizations: The CPRA applies only to for-profit entities
- Government agencies: Not covered
- Federally regulated data: Partial exemptions for data already covered by HIPAA, GLBA, FCRA, and DPPA
- Employee and B2B data: The CPRA removed the exemptions for employee and business-to-business contact data that existed under the original CCPA, bringing this data under full protection as of January 1, 2023
Key Changes the CPRA Made to the CCPA
Understanding the specific amendments the California CPRA introduced is essential for businesses that were already CCPA-compliant and need to identify what additional obligations now apply.
Sensitive personal information
The CPRA created a new category called "sensitive personal information" (SPI) under Section 1798.140(ae). This includes:
- Social Security numbers, driver's license numbers, state ID numbers, passport numbers
- Financial account information combined with access credentials
- Precise geolocation data
- Racial or ethnic origin, religious or philosophical beliefs, union membership
- Contents of mail, email, and text messages (where the business is not the intended recipient)
- Genetic data, biometric data used for identification
- Health information and sexual orientation
Consumers have the right to limit how businesses use their sensitive personal information to purposes that are strictly necessary for providing the requested goods or services.
Right to correct (Section 1798.106)
The CPRA added a new right allowing consumers to request that a business correct inaccurate personal information. The original CCPA had no equivalent right. Businesses must make commercially reasonable efforts to correct the data upon receiving a verified consumer request.
Right to limit use of sensitive data (Section 1798.121)
Consumers can direct businesses to limit their use and disclosure of sensitive personal information to purposes that are necessary for performing the services or providing the goods the consumer requested. Businesses must display a "Limit the Use of My Sensitive Personal Information" link on their website.
Removal of the 30-day cure period
Under the original CCPA, businesses received a 30-day notice to cure violations before penalties could be imposed. The CPRA eliminated this cure period entirely. The CPPA can now impose fines immediately upon finding a violation, without giving the business an opportunity to fix it first.
Data minimization and storage limitation
The CPRA introduced principles that mirror GDPR requirements:
- Data minimization (Section 1798.100(c)): Businesses must not collect more personal information than is reasonably necessary and proportionate to achieve the purpose for which it was collected
- Storage limitation (Section 1798.100(a)(3)): Businesses must inform consumers about how long they retain each category of personal information, or the criteria used to determine the retention period
Expanded definition of sharing
The original CCPA focused on the "sale" of personal information. The CPRA added "sharing" as a separate concept under Section 1798.140(ah), defined as making personal information available to a third party for cross-context behavioral advertising. This closed a loophole where businesses argued that transferring data for targeted advertising was not a "sale" because no money changed hands.
Contractual requirements
The CPRA imposed detailed contractual requirements for businesses that share personal information with service providers, contractors, and third parties. Contracts must specify the purposes for processing, require the recipient to comply with the CPRA, grant the business the right to audit compliance, and require the recipient to notify the business if it can no longer meet its obligations.
The California Privacy Protection Agency (CPPA)
One of the most significant changes under the California CPRA was the creation of the California Privacy Protection Agency (CPPA), the first dedicated state privacy enforcement agency in the United States.
Structure and authority
The CPPA is an independent agency governed by a five-member board. Board members are appointed by the Governor, the Attorney General, the Senate Rules Committee, and the Speaker of the Assembly. The agency has full administrative authority to:
- Investigate potential violations of the CCPA/CPRA
- Issue subpoenas and compel testimony
- Bring administrative enforcement actions
- Impose administrative fines
- Issue regulations, guidance, and opinions
- Conduct audits of businesses' data practices
Shift from Attorney General enforcement
Before the CPRA, enforcement of the CCPA was the responsibility of the California Attorney General. The CPPA took over primary enforcement authority on July 1, 2023. The Attorney General retains concurrent authority to bring civil actions in court but is no longer the primary enforcement body for privacy violations.
Rulemaking activity
The CPPA has been active in issuing regulations that clarify CPRA obligations. Notable rulemaking efforts include:
- Final regulations on consumer opt-out rights, including the framework for opt-out preference signals (Global Privacy Control)
- Draft regulations on cybersecurity audits and risk assessments for businesses whose processing presents significant risk to consumers' privacy
- Draft regulations on automated decision-making technology, including profiling
Businesses should monitor CPPA rulemaking closely, as new regulations can create obligations beyond what the statutory text explicitly requires.
How to Comply with the CPRA in California
Compliance with the California CPRA requires updating both your internal practices and your consumer-facing disclosures. The following steps address the primary obligations.
Step 1: Update your privacy policy
Your privacy policy must be updated to reflect CPRA requirements. Under Section 1798.100(a), the disclosures must include:
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate Now- Categories of personal information collected in the preceding 12 months
- The purposes for collecting or using each category
- Categories of sensitive personal information collected
- How long you retain each category of personal information, or the criteria used to determine retention
- Categories of third parties to whom personal information is disclosed
- Whether personal information is sold or shared, and if so, the categories involved
A privacy policy generator can help you create a policy covering these disclosure requirements, but you need to verify it accurately reflects your actual data practices and includes the CPRA-specific elements.
Step 2: Implement required website links
The CPRA requires specific links on your website:
- "Do Not Sell or Share My Personal Information": Required if you sell or share personal information for cross-context behavioral advertising
- "Limit the Use of My Sensitive Personal Information": Required if you use sensitive personal information for purposes beyond what is necessary to provide the requested service
You may combine these into a single "Your Privacy Choices" or "Your California Privacy Choices" link. The link must be clear and conspicuous.
Step 3: Honor opt-out preference signals
The CPRA and CPPA regulations require businesses to recognize opt-out preference signals, such as the Global Privacy Control (GPC). When a consumer's browser or device sends a GPC signal, you must treat it as a valid request to opt out of the sale and sharing of their personal information. This is not optional.
Step 4: Update data subject request procedures
Review and update your procedures for handling consumer requests to account for the new CPRA rights:
- Correction requests: Establish a process for verifying and correcting inaccurate personal information
- Sensitive data limitation requests: Create a mechanism to restrict the use of sensitive personal information to essential purposes
- Response timelines: You must acknowledge receipt within 10 business days and substantively respond within 45 calendar days (extendable by an additional 45 days with notice)
Step 5: Audit service provider and contractor agreements
The CPRA imposed stricter contractual requirements under Section 1798.100(d). Review all agreements with entities that receive personal information from you. Each contract must:
- Specify the business purpose for the data transfer
- Require the recipient to comply with the CPRA
- Grant you the right to take reasonable steps to ensure compliance, including audits
- Require the recipient to notify you if it can no longer meet its CPRA obligations
- Require the recipient to apply the same level of protection to the data as required by the CPRA
Step 6: Conduct data mapping
Map all personal information flows in your organization. For each category of data, document where it is collected, how it is used, who has access, where it is stored, how long it is retained, and whether it is sold, shared, or disclosed to third parties. This mapping is the foundation for accurate privacy disclosures and for responding to consumer requests.
Tools like TermsBox provide a website compliance scanner that can identify cookies, trackers, and third-party services on your site, giving you a starting point for your data mapping exercise.
CPRA California Penalties and Enforcement
The CPRA strengthened enforcement mechanisms compared to the original CCPA, and the CPPA has signaled an aggressive enforcement posture.
Civil penalties
The penalty structure under the California CPRA is:
- $2,500 per unintentional violation
- $7,500 per intentional violation
- $7,500 per violation involving minors' personal information (consumers under 16)
The removal of the 30-day cure period means the CPPA can impose these fines immediately. Each affected consumer and each instance of non-compliance can constitute a separate violation, so penalties can accumulate rapidly.
Private right of action
Consumers retain a private right of action for data breaches under Section 1798.150. If a business fails to implement reasonable security measures and suffers a breach of unencrypted or unredacted personal information, affected consumers can seek:
- Statutory damages of $100 to $750 per consumer per incident
- Actual damages if higher than statutory damages
- Injunctive or declaratory relief
Enforcement priorities
Based on public statements and early enforcement actions, the CPPA has focused on:
- Businesses that fail to honor opt-out requests and opt-out preference signals
- Inadequate or missing "Do Not Sell or Share" links
- Non-compliant privacy policies that omit required CPRA disclosures
- Businesses that do not respond to consumer requests within required timelines
CPRA California vs. Other State Privacy Laws
California's CPRA is part of a broader trend of state-level privacy legislation in the United States. Understanding how the California CPRA compares to other frameworks helps businesses operating across multiple jurisdictions.
Comparison with other state laws
Several other states have enacted comprehensive privacy laws, each with its own approach:
- Virginia (VCDPA): Took effect January 1, 2023. No private right of action. Enforced by the Attorney General. Uses an opt-out model similar to the CCPA/CPRA.
- Colorado (CPA): Took effect July 1, 2023. Requires recognition of universal opt-out mechanisms. Enforced by the Attorney General.
- Connecticut (CTDPA): Took effect July 1, 2023. Requires recognition of universal opt-out signals. Similar scope to Virginia and Colorado.
- Texas (TDPSA): Took effect July 1, 2024. Notable for having no revenue or data volume threshold, applying to all businesses that process personal data and are not small businesses under SBA definitions.
What makes the CPRA distinct
The California CPRA stands apart from other state privacy laws in several ways:
- Dedicated enforcement agency: California is the only state with an agency (the CPPA) focused exclusively on privacy enforcement
- Sensitive personal information: The CPRA provides a specific right to limit the use of sensitive data, which most other state laws do not
- Voter-approved protections: Because the CPRA was a ballot initiative, the legislature cannot weaken its protections without a supermajority
- Broader scope: The addition of "sharing" for behavioral advertising addresses practices that other state laws may not cover
Building a multi-state compliance program
For businesses operating across multiple states, a practical approach is to use the CPRA as your baseline since it is the most comprehensive U.S. state privacy law. If you comply with the California CPRA, you will meet most (though not all) obligations under other state laws. Use a privacy policy generator to create disclosures that cover California-specific requirements, then supplement with state-specific notices where needed.
If you also serve users in the EU, you will need to address Regulation 2016/679 (GDPR) requirements as well, which impose additional obligations around consent, data processing agreements, and international data transfers. A terms of service generator can help you create the legal agreements needed for your website alongside your privacy disclosures.
Frequently Asked Questions
What is the CPRA in California?
The CPRA (California Privacy Rights Act) is a voter-approved ballot initiative (Proposition 24) that amended and expanded the California Consumer Privacy Act (CCPA). It was approved in November 2020, took effect on January 1, 2023, with enforcement beginning July 1, 2023. The CPRA added new consumer rights, created a dedicated enforcement agency (the CPPA), and introduced the concept of sensitive personal information.
What is the difference between the CCPA and the CPRA?
The CPRA is not a separate law but an amendment to the CCPA. Key differences include the addition of new rights (correction of personal information, limiting use of sensitive data), creation of the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, removal of the 30-day cure period for violations, expansion of the definition of sharing to cover cross-context behavioral advertising, and the introduction of data minimization and storage limitation requirements.
Who does the California CPRA apply to?
The CPRA applies to for-profit businesses that collect California residents' personal information and meet at least one of three thresholds: annual gross revenue over $25 million, buying, selling, or sharing the personal information of 100,000 or more consumers or households per year, or deriving 50% or more of annual revenue from selling or sharing personal information. The thresholds apply regardless of where the business is located.
What are the penalties for violating the CPRA in California?
Civil penalties under the CPRA range from $2,500 per unintentional violation to $7,500 per intentional violation. Violations involving minors' data also carry fines of $7,500 per incident. The CPRA removed the 30-day cure period, meaning the CPPA can impose fines without first giving businesses an opportunity to fix the violation. Consumers retain a private right of action for data breaches with statutory damages of $100 to $750 per consumer per incident.