When California voters passed the CPRA in November 2020, it wasn’t just a new law—it was a signal. One that said: consumer privacy isn’t optional anymore, it’s essential.
As an amendment to the CCPA, the CPRA tightens up existing protections and introduces new rights that mirror global data privacy standards like the EU’s GDPR. It’s a more precise, more potent version of California’s original privacy act, aimed at giving consumers more control and forcing businesses to get intentional about how they handle data.
If the CCPA was the beginning, CPRA is the next evolution—one that your business can’t afford to ignore.
Enter the California Privacy Protection Agency (CPPA): the new sheriff in town for data privacy enforcement.
Unlike the CCPA, which relied on the Attorney General’s office for oversight, the CPRA establishes a standalone agency—complete with teeth. Think of it as California’s version of the GDPR’s data protection authorities in Europe.
This agency isn’t here to educate. It’s here to enforce. That means no more 30-day grace period to “fix” violations. Instead, penalties can now reach up to $7,500 per incident—that’s a 3x increase. .
For businesses, that’s not just a fine. It’s a flashing neon sign that compliance isn’t optional anymore. It’s foundational.
The California Privacy Rights Act (CPRA) is a 2020 amendment to the CCPA that expands consumer privacy rights in California. It gives residents greater control over how their personal data is collected, used, and shared—requiring businesses to manage data more deliberately and transparently.
With so much on the line, you may be left wondering what has changed and what it means for your business. You aren’t alone. Here’s what companies need to know about CPRA.
A customer data platform is software designed to make sense of your customer data so you can engage with them on a more personal, effective (and valuable) level. But what does that mean for marketers? Executives? Customers? How do CDPs change their experiences?
Most of the California Privacy Rights Act of 2020 provisions will not take effect until January 2, 2023. However, personal information collected on or after January 1, 2022, will be part of the expansion of the “Right to Know” section.
Your business will be required to allow consumers the “Right to Know” what data you’ve collected on them and how it is being used back to any information you collected beginning on January 1, 2022.
You might be wondering: Does the CPRA apply to me?
If you’re a small business, the answer might be no — and that’s intentional. The CPRA raises the threshold for compliance. Under the CCPA, businesses that processed data from just 50,000 consumers were subject to the law. The CPRA? It doubles that.
Here’s the new line in the sand:
That last bit matters. The CPRA didn’t just retain the “selling” language from the CCPA — it expanded it to include sharing. If you’re passing data to third-party platforms, ad networks, or partners — even if you’re not directly profiting — you may still be on the hook.
Bottom line: If your business runs on data, CPRA likely applies to you.
If you think all data is created equal, the CPRA has news for you: some data is more sensitive than others—and now, it’s regulated as such.
Under the CPRA, a new category called “sensitive personal information” (SPI) is carved out and placed under stricter controls. If your business touches any of the following, you need to pay attention:
Companies that collect, sell, or even share this type of data? You’re now responsible for transparency and choice—specifically, disclosing SPI use and enabling users to opt in or out.
In other words, the burden of proof has shifted. It’s not just about whether you use this data—it’s how clearly and ethically you do so.
The CPRA doesn’t just tweak existing rights—it introduces entirely new ones. Rights that put more power directly into your customers’ hands.
These aren’t fringe legal concepts—they’re already law. For any brand that wants to build long-term customer trust, respecting these rights isn’t optional. It’s expected.
Brands recognize that customer experience directly impacts turnover and margin, and will soon trump price and product as differentiators in the near future, if it hasn't already.
If you’re a business with more than 100,000 customers or with data on more than 100,000 consumers, and you use that data for marketing or advertising, or to generate revenue for your business, then CPRA means several things for your data privacy program.
When it comes to consent, the CPRA doesn’t mess around—especially when minors are involved.
Businesses must now obtain explicit, informed consent from users—spelling out exactly what data is being collected, why, and for how long. And if the user is under 16? That bar is even higher. Parental or guardian permission is required, and businesses can’t use dark patterns to sneak by.
But the CPRA doesn’t stop there. Even after consent is given, consumers have the right to change their minds—opting out of data sharing, requesting deletions, and withdrawing access. That’s retroactive and ongoing.
The operational load here isn’t light. That’s where Customer Data Platforms (CDPs) come in. A well-integrated CDP lets businesses track consent status, automate deletion timelines, and simplify opt-out processing—so your compliance doesn’t become a spreadsheet nightmare.
Think of it as moving from checkbox compliance to proactive, trust-driven data ethics.
One of the CPRA’s most impactful changes isn’t flashy—but it’s fundamental: your customers now have the right to know exactly what personal information you’ve collected, how you’re using it, and who you’ve shared it with.
And here’s the kicker: this doesn’t just apply to new data. It’s retroactive. Any personal information collected on or after January 1, 2022 must be disclosed if a consumer asks.
That means your team needs systems in place—now—to track, retrieve, and report on data with accuracy. Customer Data Platforms (CDPs), CRMs, and privacy dashboards aren’t just “nice to have” anymore. They’re your compliance safety net.
This isn’t just about checking a compliance box. It’s about showing customers you respect their data—and their decisions.
The CPRA borrows a few pages from the GDPR playbook—especially when it comes to how much data you collect, why you collect it, and how long you hold onto it.
Here’s what your business now needs to define (and stick to):
If your policy says you’ll delete user data after two years, your systems should automatically do exactly that. No manual workarounds. No “we forgot.”
These aren’t just good compliance practices—they’re smart operational moves that make audits easier, reduce risk, and build credibility with your customers.
The CPRA doesn’t come with a warning shot. It comes with fines—real ones.
Gone is the 30-day “fix-it” period businesses once relied on under the CCPA. Now, if you’re found in violation of the CPRA, penalties can hit $2,500 per unintentional violation and up to $7,500 per intentional violation or those involving minors.
And here’s the hard truth: these fines aren’t theoretical. The California Privacy Protection Agency (CPPA) has full investigative and enforcement authority. No cure period. No do-overs. Just consequences.
If your business handles sensitive personal information or targets consumers in California—and you’re not fully CPRA-compliant—you’re not just risking a legal issue. You’re risking customer trust, brand equity, and a hefty hit to your bottom line.
The time for “we’re working on it” has passed. Enforcement began in July 2023—and regulators are watching.
CPRA compliance isn’t a one-and-done checklist—it’s an ongoing strategy. But if your business is collecting personal data, especially from California residents, here are the essentials to put in place now:
And don’t wait for a warning letter—there won’t be one. Enforcement is already active. The smartest brands are turning privacy compliance into a competitive advantage, not just a legal obligation.
The California Privacy Rights Act (CPRA) may be the most robust consumer privacy law in the U.S. right now—but it won’t be the last. California is setting the standard, but other states are watching, drafting, and catching up fast.
For businesses, this isn’t just about staying compliant—it’s about staying relevant. Consumers are more informed, more skeptical, and more empowered than ever before. They expect transparency. They expect control.
So yes, the CPRA is law. But it’s also a wake-up call. One that pushes every brand—regardless of size or location—to rethink how it collects, uses, and respects customer data.
Don’t treat privacy as a legal box to check. Treat it as a brand pillar. Because in a privacy-first future, trust isn’t a marketing strategy. It’s the entire business model.
