You’ve probably heard of the California Consumer Privacy Act (CCPA)—it’s one of the US’s most prominent data protection regulations. But what about the CPRA? If you’re not sure how they differ, you’re not alone.
How does the CPRA compare to the CCPA? How does it impact your business? And most importantly, what steps do you need to take to stay compliant?
What Is the California Privacy Rights Act (CPRA)?
The CPRA is a data privacy bill in the state of California that amends and extends the existing California Consumer Privacy Act that was enacted in January 2020.
It’s an addendum to the CCPA that furthers the rights of California residents by strengthening the regulations placed on the collection and use of personal information (PI) by businesses. Most notably, it formed a new agency to enforce privacy requirements and made several changes to the original law.
So when did the CPRA come into place? Although it was officially passed into law on November 3rd, 2020, it only became fully effective in January 2023. Furthermore, actual enforcement of its policies didn’t begin until July 2023, with a “lookback period” to January 2022. This meant that data collected from that date onwards was subject to the law’s provisions.
Here’s a brief look at the most substantial changes to come out of the CPRA:
- Established the California Privacy Protection Agency (CPPA) to enforce the law and regulate compliance
- Increased the applicability threshold for the number of California residents’ whose PI a business can collect, share, or sell before the law kicks in
- Added four new consumer rights and modified five existing ones
- Created a separate category for sensitive personal information (SPI), which requires additional protections
- Updated the opt-out rule to give consumers more control over how their PI is used for targeted advertising across websites and apps
- Placed responsibility on a business for how third parties use, share, or sell personal data that was collected by the business initially
- Expanded the requirement for consent to cover more scenarios
- Extended certain privacy rights to B2B communications, including for employees, job applicants, and contractors
CCPA and CPRA: Two Acts, One Privacy Mission
Admittedly, the CPRA and CCPA acronyms are something of a compliance tongue twister (not to mention the CPPA). But despite the alphabetical overlap, these two acts play important roles in the history of California's data privacy landscape.
As mentioned, the CPRA amends the previously enforced CCPA. So how does one work with the other?
Essentially, the CCPA remains California’s foundational data privacy law, while the CPRA simply reinforces it with extra consumer rights, stricter requirements for businesses, and the creation of a dedicated enforcement agency. Think of it like adding seasoning to a dish; the CCPA serves as the meat and potatoes, while the salt and pepper of the CPRA brings out the depth and detail.
So, rather than there being two separate comprehensive data privacy laws in California, there’s one solid framework made up of both parts playing distinct but connected roles. It’s important to note that the CPRA always refers back to the CCPA text while expanding its points or adding new ones.
Who Does the CPRA Apply to?
As the CPRA builds on policies already established by the CCPA, it applies to the same entities. If your business falls under one, you must also comply with the other.
However, the CPRA slightly changed the scope of who must comply. Its most notable change was to double the PI handling threshold from the CCPA’s original 50,000 consumers or households to 100,000, shifting the focus towards larger companies and bringing fewer small businesses into scope.
To be subject to the CPRA, you must be a for-profit business that collects, shares, or sells California residents’ personal information. But this is not the only requirement; you must also meet one of the following thresholds:
- Annual gross revenue of at least $25 million
- Buy, sell, or share the personal information of 100,000 or more California residents or households
- Earn 50% or more of your annual revenue from selling California residents’ personal information
As you can imagine, this covers a vast range of businesses. But what may be surprising is that the CPRA doesn’t just apply to companies situated within California—it covers anyone who conducts business in the state, either online or offline, regardless of whether they have a physical presence there. Naturally, this extends to many ecommerce, digital services, and online advertising ventures.
Changes Made Under the CPRA
While the CCPA laid the groundwork for consumer privacy in California, the CPRA takes things a step further, building on it and introducing new rights designed to give Californians even more of a say in how their data is handled.
Let’s explore these amendments in more depth to provide a detailed understanding of how the CPRA’s additions may impact your business.
The Creation of Sensitive Personal Information
One of the greatest changes implemented in the CPRA was the creation of SPI as a new category of personal information.
Under the law, examples of SPI are:
- Geolocation
- Race or ethnicity
- Financial information
- Biometric data
- Passport or driver’s license number
- Health information
- Religious and political beliefs or sexual orientation
It’s a common misconception that SPI is treated the same as any other PI, but this is not true. Rather, it’s regulated separately, and consumers have more rights over how it’s used. For instance, businesses must inform individuals when they’re collecting SPI and give them the choice to opt out of use. To meet this requirement, businesses now have to add a clear link on their website titled “Limit The Use Of My Sensitive Personal Information.”
Establishment of the California Privacy Protection Agency
Before the addition of the CPRA, Californian data privacy was overseen by the California Attorney General. But this led to limited capacity to uphold the law, unclear guidance, and slower responses to concerns due to limited resources and competing responsibilities.
As such, the CPPA was formed as a fully dedicated data protection agency—the first in the US. This allows for more proactive CPRA enforcement as well as greater education and guidance for the public and businesses.
The CPPA works alongside the Attorney General, who still maintains overall authority and has the power to halt investigations. Importantly, businesses can’t be fined by both the CPPA and the AG for the same violation, as this would cause unfair overlapping of penalties.
Additionally, the CPRA removes the 30-day cure period—a grace window previously granted under the CCPA, which gave businesses 30 days to address and fix violations before enforcement action could be taken. Without this buffer, businesses are now at greater risk of immediate penalties for noncompliance.
New Consumer Rights
When the CPRA was passed, Californians gained more than just an updated privacy law; they got four new rights designed to strengthen their say over how their personal information is handled:
- The right to correct inaccurate PI: Consumers can ask businesses to fix any personal data they hold that is incorrect
- Right to restrict sensitive data use: Consumers have the right to limit the use and disclosure of sensitive personal information by a business to only what’s required to perform the service or provide the product
- Right to know about automated decision-making: Consumers are entitled to know how automated decision technologies work and their likely outcomes, as well as if their PI is used in this process
- Right to opt out of automated decision-making: Consumers can refuse the use of their personal data in making automated decisions
Expanded Consumer Rights
In addition to adding new clauses, the CPRA also expanded upon some of the existing data privacy protections to strengthen them and expand their scope:
- Right to delete: Upon request, businesses must not only erase a consumer’s personal information, but also instruct any service providers or third parties with access to do the same, unless exceptions apply.
- Right to know: There’s no longer a 12-month limit on requesting access to personal information collected by a business (as was originally set by the CCPA), provided the data was collected on or after January 1, 2022.
- Right to opt out: The CPRA gives consumers the option to opt out of both selling and sharing their personal information. Business websites must include a “Do Not Sell or Share My Personal Information” link, and consumers can also opt out of targeted advertising or profiling based on their data.
- Right to data portability: When requesting access to their PI, consumers can now ask for it in a readily usable and structured format to send to other organizations
- Private right of action: Under the CCPA, consumers could only sue if non-encrypted and non-redacted personal information was wrongfully accessed or disclosed. The CPRA expands this to include breaches involving an email address combined with a password or security question and answer, as long as the data isn’t encrypted or redacted.
Stronger Safeguards for Minors
Under the original CCPA legislation, the parents or guardians of minors aged 13-16 had to provide opt-in consent for businesses to sell or share their personal data.
Now, the CPRA has added to this rule, increasing protections for minors even more by stating that if they do not agree to their data being shared or sold, businesses have to wait a year before requesting it again. This avoids the issue of companies continuously and frequently asking for consent after already being declined.
But that’s not all the CPRA introduced. To strengthen protections even further, the law increased penalties for any violations involving minors. Now, businesses can face fines of nearly $8000 for noncompliance.
Extension of Privacy Right to B2B Communications
The CPRA previously maintained a temporary exemption for B2B communications (such as information about a client’s employee), which expired on January 1, 2025. Now, the CPRA extends certain privacy rights to employees, job applicants, and contractors.
Data Minimization Requirements
Another key principle introduced by the CPRA is data minimization. Businesses may only collect, use, store, and share personal information that is strictly necessary to achieve an intended purpose. This forces companies to be far more mindful about what data they’re collecting, why they’re doing it, and whether sharing is essential.
With this new restriction in place, businesses must now clearly disclose their reasons for collecting data. Any use of it beyond this has to be justified and is likely to need additional consent.
Data minimization limitations also link closely to retention policies. Under the CPRA, businesses are encouraged to only keep consumer data for as long as is absolutely necessary before disposing of it. This means they now also have to be more thoughtful about how long they retain information.
All of these considerations help to strengthen consumer privacy by reducing the risks of excessive collection, overly long storage periods, and the misuse of data. In a nutshell, it promotes more responsible, respectful, and ethical use of information.
Increased Risk Assessments
To further ensure that businesses reflect more carefully on the way they collect and use consumer data, the CPRA introduced a formal requirement for risk assessments to be carried out before doing any high-risk processing. The idea is to identify and mitigate potential privacy harms before they occur, particularly when engaging in activities that pose a greater risk to consumer rights.
So what counts as high-risk processing? Examples of this would include using personal information for profiling, targeted advertising, or the sale of personal data.
A CPRA risk assessment must weigh up the benefits of data collection against the risks to individual privacy, considering factors like the nature of the data, the scope of use, and the likelihood of harm.
Furthermore, the law states that these assessments must be submitted to the CPPA upon request, which enforces an added layer of transparency and accountability. Reactive compliance is no longer enough; instead you must proactively build privacy considerations into business operations from the start.
How Does the CPRA Compare to the GDPR?
The General Data Protection Regulation (GDPR) is the European Union’s (EU) data privacy law, which was brought into force in 2018. It’s often spotlighted as having some of the strictest standards for how organizations collect, use, and protect the personal data of citizens. As a result, it’s seen as the benchmark for modern privacy laws worldwide.
How the CPRA Brings U.S. Privacy Closer to the GDPR
As the U.S. continues to evolve its own privacy standards, the CPRA stands out as one of the most significant updates in bringing the U.S. regulations more in line with the EU’s approach.
The CPRA is often seen as nudging California’s laws closer to the gold standard set by the GDPR. The amendments it made to the original CCPA specifically align it closer with the EU framework in areas such as consumer control, accountability, and data governance. Comparing the two helps us understand how American privacy laws are catching up, and what differences still remain.
Here’s how the CPRA narrows the gap:
- Stronger consumer rights: By building on existing rights and adding new ones like the ability to correct and limit the use of data, the CPRA brings consumer control more in line with the GDPR’s individual protections
- Highlighting sensitive data: The GDPR has a specific classification for “special category” data, which is closely related to the CPRA’s addition of SPI, requiring businesses to give users additional choices over how this data is used
- Risk and accountability: By introducing mandatory risk assessments for high-risk processing, the CPRA mirrors the GDPR’s Data Protection Impact Assessments (DPIAs). It’s important to note, however, that the CPRA isn’t as strict on this.
- A dedicated enforcement body: The creation of the CPPA replicates the GDPR’s dedicated supervisory authorities. Both ensure there is sufficient focus on privacy enforcement and education.
CPRA vs GDPR: At a Glance
| | CPRA (California) | GDPR (EU) |
|---|---|---|
| Who it applies to | For-profit companies conducting business in CA that meet certain thresholds | Any organization processing the personal data of EU residents |
| Legal basis | No specific legal basis required to collect and use PI | A lawful basis is required for all personal data processing |
| Sensitive data | Defines “sensitive personal information,” and users can limit its use | Defines “special category data,” which businesses need explicit consent to process |
| Consumer rights | Right to access, delete, correct, opt out, limit use, know and opt out of automated decision-making, and request data portability | Right to be informed, access, correct, be forgotten, restrict processing, object to processing, object to automated processing and profiling, and request data portability |
| Automated decision-making | Right to know and opt out of automated decisions | Right to object and request human review in some cases |
| Enforcement bodies | California Privacy Protection Agency and the Attorney General | Data protection authorities in each EU country |
| Penalties for violation | Up to $7,500 per intentional violation or $2,500 for unintentional violations | Up to €20 million or 4% of global annual revenue (whichever is higher) |
Top Tips for Compliance With the CPRA
Map Your Data Collection and Use
First, understand what PI and SPI you currently collect, where it comes from, how it’s used, stored, and who it’s shared with. This allows you to see whether you are CPRA-compliant and identify gaps so you can take steps to improve your processes.
Update Your Privacy Policy
Ensure your privacy policy includes all additional compliance requirements introduced by the CPRA, including details on SPI, new consumer rights, opt-out options for data sharing and automated decision-making, and the use of third parties.
Provide Notice at Collection
Tell consumers at or before the point of data collection what personal information is being gathered, for what purpose, and whether it will be sold or shared. This ensures they can make informed choices about their own information.
Implement Clear Opt-Out Methods
As mentioned, the CPRA requires businesses to have very specific opt-out links on their site, so ensure you have a clear “Do Not Sell or Share My Personal Information” and, if applicable, a “Limit the Use of My Sensitive Personal Information” link on your website homepage.
Prepare for Data Requests
With additional consumer rights, you need to ensure you have effective processes in place to deal with requests within the correct timeframes, including access, deletion, correction, portability, and opt-outs.
Review and Limit SPI Usage
As with any personal data, take steps to minimize SPI use, ensure it’s disclosed clearly, and limit it to only what’s strictly necessary for your service (unless you have explicit consent otherwise).
Train Your Team
Legal compliance is a collective effort, so all your employees need to have a comprehensive understanding of CPRA obligations and how it impacts their work. It’s especially important that the relevant teams know how to respond to consumer requests appropriately. This can be done through regular training and strong internal communication.
Conduct Regular Privacy Assessments
Evaluate your privacy practices regularly, and conduct a risk assessment each time you undertake any high-risk processing. But it’s not enough to just conduct frequent assessments; you must also document them thoroughly, along with any mitigation steps you take, so you can be fully transparent and accountable if the CPPA requests evidence of compliance. This process also builds trust with consumers by showing you take their privacy seriously.
CPRA Compliance, Powered by Osano
Being confidently compliant in the ever-changing landscape of privacy laws like the CPRA can feel complicated, but Osano makes it simple. As a leading data-privacy platform, we don’t only help you tick the right boxes—we help you build trust.
With Osano, you can automate consent management, respond to CPRA data subject rights requests in a few clicks, and keep your policies airtight, all within one intuitive dashboard. No more complex setups or legalese overload. Just clarity, speed, and tools that grow alongside your business.
Privacy is more than just a legal requirement; it’s also a competitive edge. And with Osano, you have the smartest tools in your corner to stay ahead.
Book a demo to see our strengths for yourself.