California Privacy Rights Act
The CPRA expanded California's CCPA with new rights to correct data and limit sensitive personal information, plus data minimization duties and a dedicated regulator, the CPPA. Most provisions took effect in January 2023.
The California Privacy Rights Act (CPRA) is a voter-approved ballot measure, Proposition 24, passed in November 2020. It amended and substantially expanded the California Consumer Privacy Act (CCPA). Most of its provisions took effect on January 1, 2023, with enforcement starting later that year. The CPRA moves California closer to the European model of data protection while keeping the consumer-control focus of the original CCPA.
The CPRA created the California Privacy Protection Agency (CPPA), the first dedicated privacy regulator in the United States. The CPPA shares enforcement authority with the California Attorney General and is responsible for issuing detailed regulations.
Who It Applies To
The CPRA applies to for-profit businesses that meet revised thresholds: annual gross revenue over USD 25 million in the prior year; buying, selling, or sharing the personal information of 100,000 or more consumers or households; or deriving 50 percent or more of annual revenue from selling or sharing personal information. It introduced the concept of "sharing" for cross-context behavioral advertising and a new category of "sensitive personal information."
Key Requirements
The CPRA adds the right to correct inaccurate personal information and the right to limit the use and disclosure of sensitive personal information, such as government IDs, financial account details, precise geolocation, and health or biometric data. It strengthens opt-out rights to cover "sharing" for targeted advertising and requires businesses to honor opt-out preference signals. It introduces data minimization, purpose limitation, and storage limitation as binding obligations. Businesses must enter into contracts with service providers and contractors that include specified privacy terms. High-risk processing requires regular risk assessments and cybersecurity audits, with details set by CPPA regulations. The CPRA removed the 30-day cure period that existed under the CCPA.
Penalties for Non-Compliance
Penalties remain up to USD 2,500 per violation and USD 7,500 per intentional violation or per violation involving the personal information of minors. Both the CPPA and the Attorney General can enforce the law. The limited private right of action for certain data breaches carried over from the CCPA.
How to Comply
Update privacy notices to cover sensitive personal information and the right to correct. Provide a clear way to limit the use of sensitive data and to opt out of sharing, and honor global opt-out signals. Apply data minimization and retention limits and document retention periods. Revise vendor contracts to include required privacy terms. Stand up a program for risk assessments and cybersecurity audits as required by CPPA rules. Since there is no cure period, build compliance in from the start and monitor evolving CPPA regulations.