If your business operates in California and processes consumer data, understanding CCPA vs CPRA is key to maintaining compliance.
You may have already invested significant effort to comply with the California Consumer Privacy Act (CCPA) requirements. But just as you’ve settled into those rules, the California Privacy Rights Act (CPRA) enters the scene, an amendment that reshapes consumer privacy rights and strengthens enforcement.
But, guess what? CPRA builds on CCPA by:
- Enhancing privacy protections
- Expanding consumer rights, and
- Providing clearer guidelines for businesses.
This guide explores the key CCPA vs CPRA changes, new compliance requirements, and how businesses must adapt to stay ahead.
CCPA vs CPRA: What are they?
The CCPA and CPRA are California privacy laws that protect consumer privacy. The CCPA came first, and the CPRA later expanded on it, making the rules more consumer-focused.
Understanding the difference between CCPA vs CPRA is simpler than it seems. Here is a detailed breakdown.
CCPA: The first step in consumer privacy
The California Consumer Privacy Act (CCPA) was enacted in 2018 and took effect on January 1, 2020. It granted California residents specific rights over their personal data, such as:
- The right to know what personal information a covered business collects about them
- The right to delete their personal data
- The right to opt out of the sale of their personal data
- The right to non-discrimination for exercising CCPA rights
CCPA required businesses to provide clear privacy notices, opt-out mechanisms, and data access requests while allowing consumers to have more control over their data.
CPRA: Strengthening consumer rights
The California Privacy Rights Act (CPRA), an amendment to CCPA, was passed in November 2020 through Proposition 24 and became fully effective on January 1, 2023.
Did CPRA repeal CCPA?
No. Instead of repealing the CCPA, the CPRA amends and expands its provisions. In addition to new consumer rights, it also expands business requirements, such as additional protection for sensitive data and cybersecurity audits. CPRA also created a new enforcement agency called the California Privacy Protection Agency (CPPA).
The Office of the Attorney General clarified that CPRA amends rather than replaces CCPA, meaning businesses previously subject to CCPA must now comply with CPRA’s expanded obligations.

The evolution of privacy laws in California: CCPA vs CPRA
California’s privacy law journey took off with the CCPA, aimed at curbing unchecked data collection by tech giants and data brokers. However, the CCPA had gaps, such as vague definitions and loopholes in cross-contextual behavioural advertising.
For example, it required businesses to provide opt-outs only for data sales. This often led to companies claiming that they were “sharing” rather than “selling” data, thereby avoiding compliance.
To address these gaps, the CPRA amendment introduced stricter regulations:
- Expands opt-out rights to cover cross-context behavioural advertising.
- Introduces stricter regulations for sensitive personal information (SPI), including driver’s license, social security number, and financial account details.
- Establishes the California Privacy Protection Agency (CPPA) for dedicated enforcement.
Did you know this about CPRA enforcement?
Opt-out requirements under CPRA also extend to third-party cookies and trackers. To streamline compliance, CookieYes offers businesses an easy way to create cookie banners, manage consent, and automate compliance with California’s evolving data privacy laws. Join 1.5 M+ businesses using CookieYes to simplify CPRA compliance today.

CCPA vs CPRA: What are the key differences? (Infographic)
CCPA vs CPRA: When do they apply?
The CPRA thresholds have changed compared to the CCPA thresholds. Here’s a quick look.
The CCPA had a lower threshold and covered businesses that met at least one of the following criteria:
- Annual gross revenue exceeding $25 million.
- Buys, receives, sells, or shares personal information of 50,000 or more consumers, households, or devices annually.
- Derives 50% or more of annual revenue from selling consumers’ personal information.
Under CPRA, the second threshold was raised to 100,000 consumers or households, while adding a focus on data “sharing” (not just selling) for cross-context behavioural advertising.
If a business met the CCPA rules, it might still need to follow the CPRA if it meets the new limits. The CPRA also covers more companies, especially those doing targeted advertising.
CCPA vs CPRA: Compliance requirements before CPRA
Before the amendment, businesses needed to:
- Provide clear privacy policies and opt-out mechanisms.
- Allow consumers to request access, deletion, or opt out of data sales.
- Display a “Do Not Sell My Personal Information” link if they sell data.
CCPA vs CPRA: New compliance requirements after CPRA
Key CPRA changes include:
- Expand opt-out rights to include data sharing and give a “Do not sell or share my personal information” opt-out link.
- Conduct data mapping to discover the personal information collected and its flow.
- Implement safeguards for sensitive personal information, such as biometric data, and provide a “Limit the use of my sensitive personal information” link.
- Ensure data minimisation and limit retention periods.
- Conduct regular cybersecurity audits and risk assessments.
- Respond to consumer requests for data corrections.
- Face immediate penalties without a cure period.
- Have contracts with service providers or third parties to ensure their compliance along with yours.
CCPA vs CPRA: What are the exemptions?
The table below compares how the CCPA and the CPRA treat common exemptions:
| Exemption Type | CCPA | CPRA |
|---|---|---|
| Employee Data | Temporarily exempt | No longer exempt—employee data is now fully covered |
| B2B Communications | Exempt | No longer exempt—business-to-business communications must now comply |
| Health Data (HIPAA-covered) | Partially exempt | Still partially exempt, but CPRA has stricter data-sharing restrictions |
CCPA vs CPRA: Tools to simplify compliance with both laws
Navigating CCPA vs CPRA compliance can be challenging, but tools like CookieYes CMPs can help businesses simplify compliance and maintain consumer trust. Here’s how:
- Automated compliance: Stay updated with the latest privacy regulations without constant manual adjustments.
- Cookie Consent Management Platforms: Ensure proper opt-in and opt-out mechanisms for consumers.
- Data mapping & risk assessments: Identify the categories of personal information collected, their purposes and where the consumer data is stored, processed, and shared. It also helps prevent data breaches.
- Privacy policy & data request handling: Provide clear privacy notices and respond to consumer requests efficiently.
By implementing a robust compliance framework and leveraging automated tools, businesses can stay ahead of evolving privacy laws, avoid penalties, and build consumer trust.
CPRA and CCPA Regulatory Update: May 2025
On November 8, 2024, the California Privacy Protection Agency (CPPA) Board approved the start of formal rulemaking on several critical topics under the CCPA and CPRA frameworks. These proposed CCPA updates focus on:
- Revisions to existing CCPA regulations
- Mandatory cybersecurity audits and risk assessments for certain businesses
- Consumer rights related to Automated Decision-Making Technology (ADMT), including the right to access and opt out
- Clarifications on how CCPA applies to insurance companies
These developments were officially published in the California Regulatory Notice Register on November 22, 2024.
The latest update came on May 9, 2025, when the Agency issued proposed modifications to the draft rules. A public comment period was open until June 2, 2025, at 5:00 p.m. PT.
CCPA vs CPRA: Wrap-up
The shift from CCPA to CPRA represents a significant step forward in consumer privacy protection. The scope has expanded, sensitive data protections are stronger, and consequences of non-compliance are immediate.
Businesses that were previously compliant under CCPA must now adapt to CPRA’s more stringent requirements.
By implementing privacy practices, investing in compliance solutions, and aligning with regulatory expectations, businesses can protect themselves from legal risks while demonstrating their commitment to data privacy.
FAQ on CCPA vs CPRA
CCPA vs CPRA represents the evolution of California’s approach to consumer data privacy.
CCPA laid the foundation for consumer data privacy, giving California residents rights over their personal information. CPRA expands on this by enhancing consumer privacy rights, strengthening data minimisation and retention policies, and introducing stricter enforcement through the California Privacy Protection Agency (CPPA).
Notably, CPRA eliminates the 30-day cure period, adds protections for sensitive personal information, and extends opt-out rights to data sharing for targeted advertising.
While CPRA does not introduce an opt-in consent requirement for cookies, it does mandate clear opt-out options for the collection and sharing of personal data through third-party cookies and trackers.
This means businesses must ensure compliance with cookie consent mechanisms that allow users to reject tracking beyond just data sales.
CCPA focused on selling personal data, which involved exchanging consumer information for monetary value. CPRA broadens this definition to include “sharing,” which refers to the disclosure of personal data for cross-context behavioural advertising—even when no money is exchanged.
This update ensures that businesses engaging in targeted advertising must now provide clear opt-out options.
To comply with CPRA, businesses must:
- Update privacy policies to reflect expanded consumer rights.
- Implement opt-out mechanisms for data sales or sharing and for automated decision-making, including profiling.
- Introduce data minimisation by collecting only what is necessary.
- Limit data retention periods and disclose retention policies.
- Ensure compliance with sensitive personal information (SPI) rules.
- Prepare for regulatory audits by the CPPA.
Businesses can simplify compliance by using a Consent Management Platform (CMP) like CookieYes.
A CMP helps in:
- Creating customisable cookie banners to manage consent.
- Automating opt-in and opt-out requests for data tracking.
- Providing real-time consent logs to maintain compliance records.
- Ensuring compliance with multiple privacy laws, including CPRA, CCPA, and GDPR.
By integrating CookieYes, businesses can efficiently manage consumer consent and stay compliant with California’s evolving privacy laws.



