What is CPRA? California Privacy Rights Act: Basics and Overview

From CCPA to CPRA: What changed and why it matters?

When California voters passed the CPRA in November 2020, it wasn’t just a new law—it was a signal. One that said: consumer privacy isn’t optional anymore, it’s essential.

As an amendment to the CCPA, the CPRA tightens up existing protections and introduces new rights that mirror global data privacy standards like the EU’s GDPR. It’s a more precise, more potent version of California’s original privacy act, aimed at giving consumers more control and forcing businesses to get intentional about how they handle data.

If the CCPA was the beginning, CPRA is the next evolution—one that your business can’t afford to ignore.

Meet the California Privacy Protection Agency: Your new compliance partner

Enter the California Privacy Protection Agency (CPPA): the new sheriff in town for data privacy enforcement.

Unlike the CCPA, which relied on the Attorney General’s office for oversight, the CPRA establishes a standalone agency—complete with teeth. Think of it as California’s version of the GDPR’s data protection authorities in Europe.

This agency isn’t here to educate. It’s here to enforce. That means no more 30-day grace period to “fix” violations. Instead, penalties can now reach up to $7,500 per incident, a 3x increase.

For businesses, that’s not just a fine. It’s a flashing neon sign that compliance isn’t optional anymore. It’s foundational.

What is CPRA? CPRA explained

The California Privacy Rights Act (CPRA) is a 2020 amendment to the CCPA that expands consumer privacy rights in California. It gives residents greater control over how their personal data is collected, used, and shared—requiring businesses to manage data more deliberately and transparently.

With so much on the line, you may be left wondering what has changed and what it means for your business. You aren’t alone. Here’s what companies need to know about CPRA.

When do you need to comply with CPRA?

Most provisions of the California Privacy Rights Act of 2020 will not take effect until January 2, 2023. However, personal information collected on or after January 1, 2022, falls under the expanded “Right to Know” section.

Your business will be required to honor consumers’ “Right to Know” what data you’ve collected on them and how it is being used, reaching back to any information you collected beginning on January 1, 2022.

Is your business on the hook? Who needs to comply (and who doesn’t)

You might be wondering: Does the CPRA apply to me?

If you’re a small business, the answer might be no — and that’s intentional. The CPRA raises the threshold for compliance. Under the CCPA, businesses that processed data from just 50,000 consumers were subject to the law. The CPRA? It doubles that.

Here’s the new line in the sand. You must comply if:

  • You handle personal data from 100,000+ California consumers or households, or
  • 50% or more of your annual revenue comes from selling or sharing personal data.

That last bit matters. The CPRA didn’t just retain the “selling” language from the CCPA — it expanded it to include sharing. If you’re passing data to third-party platforms, ad networks, or partners — even if you’re not directly profiting — you may still be on the hook.

Bottom line: If your business runs on data, CPRA likely applies to you.

CPRA’s new focus: Sensitive Personal Information (SPI)

If you think all data is created equal, the CPRA has news for you: some data is more sensitive than others—and now, it’s regulated as such.

Under the CPRA, a new category called “sensitive personal information” (SPI) is carved out and placed under stricter controls. If your business touches any of the following, you need to pay attention:

Sensitive personal information now includes:

  1. Government IDs like Social Security numbers and driver’s licenses
  2. Financial data and login credentials (yes, that includes your payment gateways)
  3. Exact geolocation — not just ZIP codes
  4. Religious, philosophical, or union affiliation details
  5. Private communications like emails, texts, and mail
  6. Genetic, biometric, or health data
  7. Sexual orientation or sex life information

Companies that collect, sell, or even share this type of data? You’re now responsible for transparency and choice—specifically, disclosing SPI use and enabling users to opt in or out.

In other words, the burden of proof has shifted. It’s not just about whether you use this data—it’s how clearly and ethically you do so.

The new consumer rights: What your customers now expect

The CPRA doesn’t just tweak existing rights—it introduces entirely new ones. Rights that put more power directly into your customers’ hands.

Here’s what’s new:

  • Right to Correction: Consumers can now request that inaccurate personal data be corrected. Simple, but powerful—especially in a world where personalization depends on clean data.
  • Right to Access Information About Automated Decision-Making: If an algorithm is shaping what a customer sees, buys, or is offered—they now have the right to understand the logic behind it.
  • Right to Opt-Out of Automated Decision-Making: And if customers don’t like it? They can opt out. This includes profiling used for ads, recommendations, or content delivery.
  • Audit Obligations: Businesses must now perform regular audits on how they collect, store, and use personal information. That’s not just a checkbox exercise—it’s accountability in action.

These aren’t fringe legal concepts—they’re already law. For any brand that wants to build long-term customer trust, respecting these rights isn’t optional. It’s expected.

What does CPRA mean for your data privacy program?

If your business holds data on more than 100,000 customers or consumers, and you use that data for marketing or advertising or to generate revenue, then CPRA means several things for your data privacy program.

Let’s talk consent — especially for minors

When it comes to consent, the CPRA doesn’t mess around—especially when minors are involved.

Businesses must now obtain explicit, informed consent from users—spelling out exactly what data is being collected, why, and for how long. And if the user is under 16? That bar is even higher. Parental or guardian permission is required, and businesses can’t use dark patterns to sneak by.

But the CPRA doesn’t stop there. Even after consent is given, consumers have the right to change their minds—opting out of data sharing, requesting deletions, and withdrawing access. That’s retroactive and ongoing.

The operational load here isn’t light. That’s where Customer Data Platforms (CDPs) come in. A well-integrated CDP lets businesses track consent status, automate deletion timelines, and simplify opt-out processing—so your compliance doesn’t become a spreadsheet nightmare.

Think of it as moving from checkbox compliance to proactive, trust-driven data ethics.

What about the data itself? The right to know is expanding

One of the CPRA’s most impactful changes isn’t flashy—but it’s fundamental: your customers now have the right to know exactly what personal information you’ve collected, how you’re using it, and who you’ve shared it with.

And here’s the kicker: this doesn’t just apply to new data. It’s retroactive. Any personal information collected on or after January 1, 2022 must be disclosed if a consumer asks.

That means your team needs systems in place—now—to track, retrieve, and report on data with accuracy. Customer Data Platforms (CDPs), CRMs, and privacy dashboards aren’t just “nice to have” anymore. They’re your compliance safety net.

This isn’t just about checking a compliance box. It’s about showing customers you respect their data—and their decisions.

Purpose and storage limitations

The CPRA borrows a few pages from the GDPR playbook—especially when it comes to how much data you collect, why you collect it, and how long you hold onto it.

Here’s what your business now needs to define (and stick to):

  1. Data minimization: Only collect what you need—nothing more.
  2. Purpose limitation: Be crystal clear about why you’re collecting data, and communicate that to users.
  3. Storage limitation: Decide how long you’re keeping personal data—and then actually enforce that timeline.

If your policy says you’ll delete user data after two years, your systems should automatically do exactly that. No manual workarounds. No “we forgot.”

These aren’t just good compliance practices—they’re smart operational moves that make audits easier, reduce risk, and build credibility with your customers.
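The storage-limitation rule above (“if your policy says you’ll delete user data after two years, your systems should automatically do exactly that”) and the expanded right to know (disclose everything collected on or after January 1, 2022, including who it was shared with) are both date-driven checks that a small, auditable job can enforce. The Python below is an added illustration, not code from the article or from any vendor it mentions. The record schema, the purpose-to-retention table, the SPI category labels and the sample records are all assumptions constructed for the example; the two dates (the 2022-01-01 lookback and the two-year marketing retention) come from the article. The purge log deliberately records categories and dates but never the purged values, and a record whose purpose has no defined retention limit is treated as a policy gap that fails the run rather than being kept indefinitely.

```python
"""Retention enforcement and right-to-know export modelled on the CPRA
obligations described in the article. Added example; the schema, the
retention table, the SPI labels and the sample records are assumptions."""

from dataclasses import dataclass
from datetime import date, timedelta

# Lookback date for "Right to Know" requests, as stated in the article.
RIGHT_TO_KNOW_CUTOFF = date(2022, 1, 1)

# Reference date for the sample run (constructed).
TODAY = date(2024, 6, 1)

# Assumed retention policy: each stated purpose maps to a maximum hold time.
# A purpose missing here has no defined limit, so storing data for it is a
# policy violation, not something to keep forever by default.
RETENTION_DAYS = {
    "marketing": 730,          # the article's "two years" example
    "fraud_prevention": 365,
}

# Assumed SPI labels following the article's list of sensitive categories.
SPI_CATEGORIES = {
    "government_id", "login_credentials", "financial_account",
    "precise_geolocation", "religious_affiliation", "union_membership",
    "private_communication", "genetic", "biometric", "health",
    "sexual_orientation",
}


@dataclass(frozen=True)
class Record:
    consumer_id: str
    category: str            # data category, e.g. "email" or "biometric"
    value: str
    collected_on: date
    purpose: str             # purpose stated at collection time
    shared_with: tuple = ()  # third parties the value was passed to


def is_sensitive(record: Record) -> bool:
    """True when the record's category is labelled as SPI."""
    return record.category in SPI_CATEGORIES


def expires_on(record: Record) -> date:
    """Expiry date under the stated purpose's retention limit.
    Raises ValueError for a purpose with no defined limit (fail closed)."""
    try:
        days = RETENTION_DAYS[record.purpose]
    except KeyError:
        raise ValueError(f"no retention limit defined for purpose {record.purpose!r}")
    return record.collected_on + timedelta(days=days)


def enforce_retention(records, today):
    """Return (kept, purge_log). Records at or past expiry are dropped;
    the log names consumer, category, dates and purpose, never the value."""
    kept, purge_log = [], []
    for r in records:
        if expires_on(r) <= today:
            purge_log.append({
                "consumer_id": r.consumer_id, "category": r.category,
                "collected_on": r.collected_on.isoformat(),
                "purpose": r.purpose, "purged_on": today.isoformat(),
            })
        else:
            kept.append(r)
    return kept, purge_log


def right_to_know_report(records, consumer_id):
    """Disclose what was collected on/after the cutoff for one consumer:
    category, purpose, collection date, recipients and SPI flag."""
    items = []
    for r in records:
        if r.consumer_id != consumer_id or r.collected_on < RIGHT_TO_KNOW_CUTOFF:
            continue
        items.append({
            "category": r.category,
            "sensitive": is_sensitive(r),
            "collected_on": r.collected_on.isoformat(),
            "purpose": r.purpose,
            "shared_with": list(r.shared_with),
        })
    items.sort(key=lambda i: (i["collected_on"], i["category"]))
    return {"consumer_id": consumer_id, "items": items,
            "contains_spi": any(i["sensitive"] for i in items)}


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    Record("c-1", "email", "c1@example.com", date(2022, 3, 1), "marketing", ("ad-network-A",)),
    Record("c-1", "precise_geolocation", "37.77,-122.41", date(2023, 1, 15), "marketing",
           ("ad-network-A", "analytics-B")),
    Record("c-1", "login_credentials", "<hash>", date(2021, 11, 20), "fraud_prevention"),
    Record("c-2", "email", "c2@example.com", date(2023, 12, 1), "fraud_prevention"),
]

if __name__ == "__main__":
    kept, purged = enforce_retention(SAMPLE_RECORDS, TODAY)
    print(f"kept {len(kept)}, purged {len(purged)}")
    for entry in purged:
        print("purged:", entry)
    print(right_to_know_report(kept, "c-1"))
```

Run as a script, the sample purges the 2022 marketing email (two years elapsed) and the 2021 credential record (one year elapsed), keeps the other two, and the right-to-know report for consumer c-1 then lists only the geolocation record, flagged as SPI with both recipients named. Pre-cutoff data is excluded from the report even if it is still held, which is why the retention job should run before the disclosure export in a real pipeline.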

What’s the risk? Enforcement, fines, and real consequences

The CPRA doesn’t come with a warning shot. It comes with fines—real ones.

Gone is the 30-day “fix-it” period businesses once relied on under the CCPA. Now, if you’re found in violation of the CPRA, penalties can hit $2,500 per unintentional violation and up to $7,500 per intentional violation or those involving minors.

And here’s the hard truth: these fines aren’t theoretical. The California Privacy Protection Agency (CPPA) has full investigative and enforcement authority. No cure period. No do-overs. Just consequences.

If your business handles sensitive personal information or targets consumers in California—and you’re not fully CPRA-compliant—you’re not just risking a legal issue. You’re risking customer trust, brand equity, and a hefty hit to your bottom line.

The time for “we’re working on it” has passed. Enforcement began in July 2023—and regulators are watching.

Future-proofing with CPRA compliance: A checklist

CPRA compliance isn’t a one-and-done checklist—it’s an ongoing strategy. But if your business is collecting personal data, especially from California residents, here are the essentials to put in place now:

CPRA Compliance Checklist

  1. Map your data: Know what personal data you collect, where it lives, and who has access to it.
  2. Classify sensitive data: Separate and clearly label sensitive personal information (SPI).
  3. Update privacy policies: Clearly outline your data collection purposes, storage timelines, and consumer rights.
  4. Implement consent tools: Especially for minors—get explicit opt-ins and document everything.
  5. Enable data subject rights: Set up systems that let users access, correct, or delete their data on request.
  6. Automate data deletion: Ensure your systems purge expired data per your stated retention policy.
  7. Adopt a CDP: Use a Customer Data Platform to centralize data, track consent, and simplify compliance.
  8. Audit regularly: Create internal processes or use tech to ensure your privacy practices stay on track.

And don’t wait for a warning letter—there won’t be one. Enforcement is already active. The smartest brands are turning privacy compliance into a competitive advantage, not just a legal obligation.

Why CPRA is just the beginning: Proactive next steps for a privacy-first future

The California Privacy Rights Act (CPRA) may be the most robust consumer privacy law in the U.S. right now—but it won’t be the last. California is setting the standard, but other states are watching, drafting, and catching up fast.

For businesses, this isn’t just about staying compliant—it’s about staying relevant. Consumers are more informed, more skeptical, and more empowered than ever before. They expect transparency. They expect control.

So yes, the CPRA is law. But it’s also a wake-up call. One that pushes every brand—regardless of size or location—to rethink how it collects, uses, and respects customer data.

Don’t treat privacy as a legal box to check. Treat it as a brand pillar. Because in a privacy-first future, trust isn’t a marketing strategy. It’s the entire business model.


Frequently asked questions (FAQs):

The CPRA is a California data privacy law that expands the rights consumers have over their personal information and strengthens business compliance obligations. It amends the original CCPA and took full effect on January 1, 2023.

The CPRA builds on the CCPA by introducing new rights (like the right to correct data), expanding definitions (such as “sharing” personal info), and creating an enforcement agency. It also tightens rules on sensitive personal information and removes the 30-day cure period for violations.

Businesses that collect data on 100,000+ California consumers, or that earn 50% or more of annual revenue from selling or sharing personal data, are required to comply. It also applies to any business generating over $25 million in gross revenue.

Violations can result in fines of up to $2,500 per incident—or $7,500 if the violation is intentional or involves minors. There’s no grace period to fix issues before penalties apply.

Sensitive personal information includes government IDs, precise geolocation, financial login credentials, health and biometric data, race or ethnicity, religious beliefs, and more. This data requires stricter controls and opt-out options.

Consumers have the right to correct inaccurate data, opt out of automated decision-making, access and delete their data, and see how their information is being used—including who it’s shared with.

While CPRA took effect on January 1, 2023, enforcement officially began on July 1, 2023. From that point forward, businesses became liable for non-compliance.

Customer Data Platforms (CDPs), CRMs, and consent management tools help businesses track user permissions, automate data deletion, and respond to access requests—key for maintaining compliance.

Yes. If a company collects personal data from California residents and meets the compliance thresholds, it must follow CPRA regulations—even if it’s headquartered elsewhere.

Absolutely. The CPRA is part of a broader shift toward privacy-first policies. More states are drafting similar laws, and federal regulations may follow. CPRA is just the beginning.
