What is the California Privacy Rights Act (CPRA)?

The California Privacy Rights Act (CPRA) is a 2020 ballot initiative that took full effect on January 1, 2023 and amended the California Consumer Privacy Act (CCPA). It introduced a new category of "sensitive personal information," added the right to correct inaccurate data, created a separate concept of "sharing" for behavioral advertising, and established the California Privacy Protection Agency (CPPA) as a dedicated enforcement body.

How the CPRA Came About

The CPRA was Proposition 24, a 2020 California ballot initiative led by the same group that pushed the original CCPA. Voters approved it, and the substantive provisions took effect on January 1, 2023, with enforcement starting July 1, 2023. The CPRA didn't replace the CCPA. It amended it. So the law that businesses comply with today is technically the CCPA as amended by the CPRA.

Sensitive Personal Information

The CPRA's most significant addition is a separate category of "sensitive personal information" (SPI) with stronger protections. SPI includes:

  • Government identifiers (Social Security number, driver's license, passport)
  • Account log-in credentials and financial account numbers (with security or access codes)
  • Precise geolocation
  • Racial or ethnic origin, religious beliefs, union membership
  • The contents of mail, email, and text messages where the business isn't the recipient
  • Genetic data and biometric information used to identify a person
  • Health information
  • Information about sex life or sexual orientation

Consumers have the right to limit the use of SPI to what's necessary to provide the requested service. If a business uses SPI for purposes beyond that core scope (like marketing or profiling), it has to offer a "Limit the Use of My Sensitive Personal Information" link on its homepage.

The Right to Correct

The CPRA added a new consumer right that wasn't in the original CCPA: the right to request correction of inaccurate personal information. Businesses receiving a verified correction request must use commercially reasonable efforts to correct the information.

The Sharing Distinction

The CPRA added a separate concept of "sharing" alongside "sale." Sharing covers disclosing personal information to a third party for cross-context behavioral advertising, regardless of whether money changes hands. This closed a major loophole in the CCPA, where businesses argued that passing data to ad-tech partners wasn't a "sale" because there was no monetary consideration.

Now businesses have to offer consumers an opt-out of sharing alongside the opt-out of sale. The disclosure and homepage link expanded to "Do Not Sell or Share My Personal Information."

The CPPA

The CPRA created the California Privacy Protection Agency (CPPA), the first dedicated state privacy regulator in the US. The CPPA has a five-member board, rulemaking authority, and shared enforcement power with the California Attorney General.

The CPPA has been actively writing and revising regulations since 2022, including detailed rules on automated decision-making technology (ADMT), risk assessments, cybersecurity audits, and consumer rights mechanisms. Enforcement priorities have included opt-out signal compliance, dark patterns in consent flows, and data broker obligations.

Other Notable Changes

The CPRA introduced several other significant changes:

  • Data minimization: Businesses must collect, use, retain, and share personal information only to the extent reasonably necessary for the disclosed purpose.
  • Storage limitation: Businesses must disclose how long they retain each category of personal information, or the criteria used to determine retention.
  • Risk assessments: Businesses whose processing presents significant risk to consumer privacy must conduct regular risk assessments and submit them to the CPPA.
  • Cybersecurity audits: The same significant-risk trigger requires annual cybersecurity audits.
  • Employee and B2B data: The CCPA's temporary exemptions for employee and business contact data expired on January 1, 2023. These categories are now fully covered.
  • Higher penalties for children's data: Violations involving consumers under 16 carry the elevated $7,500 penalty automatically.
  • Contractor obligations: Service providers and contractors have direct obligations under the law, similar to how HIPAA business associates work.

Universal Opt-Out Mechanisms

The CPPA's regulations require businesses to honor universal opt-out mechanisms like the Global Privacy Control (GPC), a browser-based signal that communicates a consumer's opt-out choice to every site they visit. Businesses can't require consumers to opt out site by site if a global signal is available.
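Honouring GPC comes down to two concrete pieces of web plumbing: supporting browsers send the signal as the HTTP request header `Sec-GPC: 1` (and expose it in-page as `navigator.globalPrivacyControl`), and a site announces that it honours the signal by serving a small JSON document at `/.well-known/gpc.json`. The following is an added example, not code from this page or from Paytia, showing both sides in Node.js with constructed sample requests; the decision policy it applies (a GPC signal always overrides a stored opt-in) and the placeholder `lastUpdate` date are this example's assumptions.

```javascript
// Added example: server-side handling of the Global Privacy Control signal.
// Nothing here is Paytia's code; the policy choices are labelled as assumptions.

// Returns true when the request carries a valid GPC opt-out signal.
// Header names are case-insensitive, and only the exact value "1" means
// opt-out, so "0", "true" or an absent header are not treated as a signal.
function gpcSignalled(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Decide whether personal information from this request may be "shared" for
// cross-context behavioural advertising. storedPreference is what the business
// already holds for a known consumer: "opt-out", "opt-in" or null.
// Assumption of this example: the global signal wins over a stored opt-in.
function sharingDecision(headers, storedPreference = null) {
  if (gpcSignalled(headers)) {
    return { share: false, reason: "gpc-signal" };
  }
  if (storedPreference === "opt-out") {
    return { share: false, reason: "stored-opt-out" };
  }
  return {
    share: true,
    reason: storedPreference === "opt-in" ? "stored-opt-in" : "no-opt-out-on-file",
  };
}

// Placeholder date (constructed) for when the site's GPC handling last changed.
const GPC_SUPPORT_LAST_UPDATE = "2023-07-01";

// Body for GET /.well-known/gpc.json, which tells browsers and auditors that
// the site honours GPC: a JSON object with a boolean "gpc" and an ISO date.
function gpcSupportResource(lastUpdate = GPC_SUPPORT_LAST_UPDATE) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Minimal router written as a pure function so it can be exercised without
// opening a socket. `request` is { method, url, headers }.
function handleRequest(request, storedPreference = null) {
  if (request.method === "GET" && request.url === "/.well-known/gpc.json") {
    return {
      status: 200,
      headers: { "content-type": "application/json" },
      body: gpcSupportResource(),
    };
  }
  const decision = sharingDecision(request.headers, storedPreference);
  // In a real app, calls to ad-tech partners would be gated on decision.share;
  // here the decision is simply reported so the behaviour is visible.
  return {
    status: 200,
    headers: { "content-type": "text/plain" },
    body: `share=${decision.share} (${decision.reason})`,
  };
}

// Constructed sample requests for a stand-alone run.
const samples = [
  { method: "GET", url: "/", headers: { "sec-gpc": "1" } },
  { method: "GET", url: "/", headers: { "Sec-GPC": "0" } },
  { method: "GET", url: "/", headers: {} },
  { method: "GET", url: "/.well-known/gpc.json", headers: {} },
];
for (const s of samples) {
  console.log(s.url, JSON.stringify(s.headers), "->", handleRequest(s).body);
}
```

The point of keeping `sharingDecision` separate from the router is that it is the single place an audit can check: every downstream call that would pass data to an ad-tech partner should consult it, and a GPC-bearing request must never reach a "share" branch regardless of what the site previously stored for that consumer.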

Sensitive Personal Information vs Special Category Data

If you're already complying with GDPR's special category data rules (Article 9 GDPR), the CPRA's SPI list will look familiar. They overlap heavily but aren't identical. GDPR's special categories include data revealing political opinions, which the CPRA doesn't classify as SPI. The CPRA includes precise geolocation, which GDPR doesn't put in its special category.

Practical implication: businesses with both EU and California exposure need to map their data against both lists separately.

How Paytia Uses This

The CPRA's tightening of California privacy rules pushes businesses to map their data flows more carefully and minimize what they collect. For payment operations specifically, this means thinking about which personal information actually has to flow through your contact center, your IVR, your payment processor, and your recordings.

Paytia's telephone payment platform handles only the data needed to process the transaction. Card numbers are captured via DTMF and routed straight to the processor. Recordings don't capture the card data. Personal information beyond what's needed for the payment isn't ours to hold.

If your business operates in California, the CPRA's data-minimization principle is a useful frame for evaluating payment workflows. IVR payments can shrink the personal data that hits your contact center even further by letting customers self-serve. Talk to us about US deployments and how the platform fits into your CPRA data map.

Frequently Asked Questions

Did the CPRA replace the CCPA?

No, it amended it. The CCPA remains the operative statute. The CPRA changed many of its provisions and added new ones, but the law you comply with today is the CCPA as amended by the CPRA.

What's sensitive personal information under the CPRA?

It's a defined category that includes Social Security numbers, driver's license numbers, financial account credentials, precise geolocation, racial or ethnic origin, religious beliefs, genetic data, biometric data, health data, and information about sex life or sexual orientation. Consumers can request that businesses limit its use.

Who enforces the CPRA?

Two bodies share enforcement: the California Attorney General and the California Privacy Protection Agency (CPPA), a new agency created by the CPRA. The CPPA also has rulemaking authority and has been writing detailed regulations since 2022.

Do CPRA rules apply to employee data?

Yes. The temporary exemption for employee and B2B contact data expired on January 1, 2023. Businesses now have to comply with CPRA rights and disclosures for employees, applicants, and business contacts who are California residents.

See how Paytia handles CPRA

Book a personalised demo and we'll show you how our platform works with your setup.
