California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) is a comprehensive state privacy law that strengthens and expands the California Consumer Privacy Act (CCPA). It enhances consumer privacy rights, increases business accountability, and introduces stricter requirements for organizations that collect, process, or share personal information.

CPRA represents one of the most significant privacy regulations in the United States and brings California’s privacy framework closer to international standards such as the EU’s General Data Protection Regulation (GDPR).

Background of the CPRA

The CPRA was approved by California voters in November 2020 through Proposition 24. Rather than replacing the CCPA, the CPRA amends and expands it to address evolving privacy risks, technological advancements, and gaps identified in the original law.

The law became effective on January 1, 2023, with enforcement beginning on July 1, 2023.

One of the most important changes introduced by CPRA is the creation of a dedicated privacy regulator, the California Privacy Protection Agency (CPPA), which shares enforcement authority with the California Attorney General.

The CPRA’s primary goals are to:

  • Strengthen consumer privacy rights

  • Increase transparency in data processing

  • Improve accountability for businesses handling personal data

  • Require stronger data security and risk management practices

Scope and Applicability

CPRA applies to for-profit businesses that operate in California and meet at least one of the following criteria:

  • Generate more than $25 million in annual gross revenue; or

  • Buy, sell, or share personal information of 100,000 or more California residents or households annually; or

  • Derive 50% or more of their annual revenue from selling or sharing personal information

The law also applies to service providers, contractors, and third parties that process personal data on behalf of regulated businesses.

Importantly, CPRA expands regulation beyond the “sale” of personal data to include “sharing,” which covers the disclosure of personal information for cross-context behavioral advertising, even when no monetary exchange occurs.

Consumer Rights Under the CPRA

The CPRA significantly expands consumer rights and provides individuals with greater control over their personal information.

1. Right to Know

Consumers have the right to request detailed information about:

  • What personal information is collected

  • The sources of the data

  • The purpose of collection

  • How the information is used

  • Whether the data is sold or shared

  • Categories of third parties receiving the data

2. Right to Delete

Consumers may request that businesses delete personal information collected about them, subject to certain legal and operational exceptions.

Businesses must also notify service providers, contractors, and third parties to delete the information where applicable.

3. Right to Correct

CPRA introduces the right for consumers to request the correction of inaccurate personal information maintained by businesses.

Organizations must implement reasonable procedures to verify and correct data upon request.

4. Right to Opt-Out of Sale and Sharing

Consumers have the right to opt out of:

  • The sale of their personal information

  • The sharing of personal information for cross-context behavioral advertising

Businesses must provide clear and accessible mechanisms to exercise this right.

5. Right to Limit Use and Disclosure of Sensitive Personal Information

Consumers have the right to restrict how businesses use and disclose Sensitive Personal Information (SPI), limiting its use to necessary purposes such as providing requested services.

6. Right to Data Portability

Consumers may request access to their personal information in a structured, commonly used, and machine-readable format, enabling easy transfer between organizations.

7. Rights Related to Automated Decision-Making

CPRA authorizes regulations that provide consumers with rights related to automated decision-making, including profiling and automated processing that significantly affects individuals.

Businesses may be required to provide transparency and opt-out options regarding automated decision-making systems.

Sensitive Personal Information (SPI)

CPRA introduces a new category of highly sensitive data called Sensitive Personal Information (SPI), which includes:

  • Social Security numbers

  • Driver’s license and passport numbers

  • Financial account and payment information

  • Precise geolocation data

  • Racial or ethnic origin

  • Religious beliefs

  • Health information

  • Biometric information

  • Sexual orientation

  • Contents of private communications

Businesses must provide consumers with the ability to limit how this information is used and disclosed.

Business Obligations Under CPRA

CPRA imposes significant compliance obligations on businesses.

1. Transparency Requirements

Businesses must provide clear and accessible privacy notices explaining:

  • What data is collected

  • Why it is collected

  • How it is used

  • Whether it is sold or shared

  • How long it is retained

Organizations must disclose retention periods or explain how retention periods are determined.

2. Data Minimization and Purpose Limitation

Businesses may only collect, use, and retain personal information that is reasonably necessary and proportionate to the disclosed purpose.

Data cannot be used for unrelated purposes without additional notice and consent.

3. Data Retention Limitations

Businesses must not retain personal information longer than necessary to fulfill their stated purpose.

Retention policies must be documented and enforced.

4. Security Safeguards

CPRA requires businesses to implement reasonable security procedures and practices to protect personal information from unauthorized access, disclosure, or loss. This includes securing:

  • Web applications

  • APIs

  • Client-side applications

  • Cloud infrastructure

  • Internal systems

Failure to implement adequate security controls may result in enforcement actions and civil liability.

5. Risk Assessments and Cybersecurity Audits

CPRA authorizes the CPPA to require businesses engaged in high-risk data processing to conduct:

  • Privacy risk assessments

  • Cybersecurity audits

These assessments help identify and mitigate risks to consumer data.

6. Third-Party and Contractor Requirements

CPRA creates distinct legal categories for:

  • Service providers

  • Contractors

  • Third parties

Businesses must establish written contracts requiring these entities to protect personal data and comply with CPRA requirements.

Organizations remain accountable for how third parties handle consumer information.

7. Consumer Request Handling

Businesses must implement processes to:

  • Receive consumer privacy requests

  • Verify identity

  • Respond within required timelines

  • Maintain records of requests and responses

Employee training on privacy compliance is also required.

Enforcement and Penalties

CPRA enforcement is conducted by:

  • California Privacy Protection Agency (CPPA)

  • California Attorney General

Violations may result in penalties of:

  • Up to $2,500 per violation

  • Up to $7,500 per intentional violation

  • Up to $7,500 per violation involving minors under 16

Each affected consumer may count as a separate violation, significantly increasing potential penalties.

Consumers also have a private right of action for certain data breaches involving inadequate security.

Technical and Security Implications

CPRA emphasizes the importance of protecting personal data across modern digital environments.

Compliance requires securing not only backend systems but also:

  • Web browsers and client-side applications

  • JavaScript environments

  • APIs and integrations

  • Third-party scripts

Security vulnerabilities in client-side applications can expose personal data even when backend systems are secure.

Organizations must implement comprehensive application security strategies to protect personal information throughout its lifecycle.

Key Differences Between CCPA and CPRA

CPRA strengthens and expands CCPA in several important ways:

  • Establishes the California Privacy Protection Agency (CPPA)

  • Introduces Sensitive Personal Information protections

  • Adds the right to correct personal information

  • Expands opt-out rights to include data sharing

  • Strengthens requirements for data minimization and retention

  • Adds risk assessment and cybersecurity audit requirements

  • Increases accountability for third parties

  • Enhances enforcement mechanisms and penalties

The California Privacy Rights Act (CPRA) represents a major advancement in U.S. privacy law. By strengthening consumer rights, expanding business obligations, and establishing a dedicated enforcement agency, CPRA creates a more robust framework for protecting personal information.

Organizations must adopt comprehensive privacy, security, and governance practices to comply with CPRA requirements and protect consumer data effectively.

As privacy regulations continue to evolve, CPRA sets an important benchmark for privacy protection and data accountability in the digital economy.

How Jscrambler can help you

Gain visibility and control of all code running on the client-side.