The California Privacy Rights Act (CPRA) will amend the California Consumer Privacy Act (CCPA), substantially increasing the rights of consumers and regulating businesses that handle personal information. It was voted into a state-wide data privacy law in the General Election of November 2020. The CPRA (also referred to as CCPA 2.0) earned popular support, with 56% voting in favour of the ballot initiative.

Purpose: CPRA’s purpose is to redefine and expand the existing California Consumer Privacy Act (CCPA) including the addition of new consumer rights.

Publication date: November 3, 2020

Effective date: January 1, 2023

Official text: California Privacy Rights Act 2020

What is CPRA?

The California Privacy Rights Act (CPRA) is a state-wide data privacy bill that expands the existing CCPA. The law is intended to “further protect consumers’ rights, including the constitutional right of privacy”. The CPRA does not repeal or replace CCPA but strengthens the existing framework in key areas:

  • Enforcement arm – California Privacy Protection Agency (CPPA)
  • New definitions
  • Expanded consumer rights

The CPRA will apply to information collected on or after January 1, 2022. The enforcement will begin on July 1, 2023, and until then CCPA will remain the primary governing legislation. 

Who needs to comply with CPRA?

The CPRA keeps most of the CCPA thresholds intact but makes a few significant changes.

Revenue threshold
CCPA: Has annual gross revenue over $25 million.
CPRA: Has annual gross revenue over $25 million in the preceding calendar year.

Volume threshold
CCPA: Buys, receives, sells, or shares personal information of 50,000 or more consumers, households or devices for commercial purposes.
CPRA: Buys, sells, or shares the personal information of 100,000 or more consumers or households.

Revenue-share threshold
CCPA: Gets 50% or more of its annual revenues from selling consumers’ personal information.
CPRA: Gets 50% or more of its annual revenues from selling or sharing consumers’ personal information.

CPRA narrows the applicability of common branding that was applicable under CCPA. Businesses that have a common branding will now be covered under CPRA if they share California consumers’ personal information.

CCPA vs CPRA: What has changed?

New categories of covered businesses in CPRA

CPRA adds two new categories that will be qualified as a business.

  • First, a joint venture or partnership of businesses in which each business has at least a 40% interest; each business within this joint venture is also considered a separate business in its own right.
  • Second, any business that does not meet the thresholds above but voluntarily certifies to the newly-created California Privacy Protection Agency that it complies with CPRA.

California Privacy Protection Agency 

The biggest change in CPRA is the creation of a distinct enforcement arm — the California Privacy Protection Agency (CPPA). CPPA will have full administrative power, authority and jurisdiction to implement and enforce the California Consumer Privacy Act and the California Privacy Rights Act. CPPA will be entrusted to investigate possible violations of the CPRA and to initiate action through the Administrative Law Court, as opposed to the state court, which has been the mechanism under CCPA.  

In March 2021, California announced the establishment of the first CPPA. The agency consists of a five-member board of experts in privacy, technology, and consumer rights. On July 8, 2022, the CPPA began the formal rulemaking process to establish the proposed amendments to the CPRA.

New definitions in CPRA

Sensitive personal information

The CPRA maintains the CCPA’s definition of personal information but includes a new category of sensitive personal information. It includes:

  • Social security, driver’s license, state ID or passport number 
  • Account log-in credentials like password, security or access code
  • Precise geographic location
  • Racial or ethnic origin, religious belief or union membership
  • Contents of mail, email or text
  • Genetic information
  • Biometric information that can identify the consumer 
  • Medical data
  • Sex life or sexual orientation

Under CPRA, consumers have the right to limit a business’s use and disclosure of sensitive information and can direct the business to use it only to perform the necessary service. Businesses have to provide a “clear and conspicuous link” on their website homepage titled “Limit the Use of My Sensitive Personal Information.” This is in addition to the opt-out link required under CCPA.

Consent

CPRA explicitly defines what does and does not constitute consent. Consent must be a freely given, specific, informed and unambiguous indication of the consumer’s intent.

Consent does not include:

  • General or broad acceptance of terms of use or a similar document
  • Hovering over, muting, pausing, or closing a given piece of content
  • Consent obtained through the use of dark patterns

Contractor

The CPRA adds to and amends the CCPA’s definitions of service providers, contractors and third parties. It introduces a new category — contractors. A contractor is defined as a person to whom the business “makes available a consumer’s personal information for a business purpose pursuant to a written contract”.

CPRA requires contractors to certify that they understand and will comply with the requirements. The contractor will also have to notify the business if they are unable to comply with CPRA.

Third party and service provider

CPRA defines a service provider as a “person that processes personal information on behalf of a business” for business purposes under contract. Third parties are defined as anyone other than the business, contractor or service provider. A third party cannot be a business with whom the consumer intentionally interacts and that collects personal information directly from consumers. 

Sharing

The CPRA introduces a new concept — sharing. It is defined as any disclosure of personal information to third parties for cross-context behavioural advertising, whether or not for monetary or other valuable consideration.

If a business engages in sharing, it should post a “Do Not Share My Personal Information” link and provide consumers with an option to opt-out of sharing. The new definition of sharing under the CPRA makes clear that any disclosure of personal information for targeted advertising is also subject to consumer opt-out. 

Profiling

CPRA defines profiling as any form of “automated processing” of personal information used to evaluate an individual’s personal aspects and make predictions about matters such as “performance at work, economic situation, health, preferences, interests, reliability, behavior, location or movements”.

Expanded consumer rights of CPRA

Right to opt-out of sharing 

CPRA also expands on CCPA’s right to opt-out and includes the sale and sharing of personal information, including data that is shared with a third party for “cross-context behavioral advertising.” It refers to targeted advertising to a consumer based on data obtained from the consumer’s activity across websites, apps or services other than the one with which the consumer intentionally interacts. 

Similar to the provision in CCPA, the right to opt-out of sharing does not extend to sharing personal information with service providers and contractors.

Right to opt-out of automated decision making

Similar to the provision in GDPR, consumers will now have the right to know and opt-out of any form of automated decision-making. Businesses will be required to provide information about the “logic involved in automated decision-making processes”, and also inform the consumer about the likely outcome of the process. 

Rights of children

CPRA strengthens opt-in rights for minors. A business must obtain opt-in consent before selling or sharing the personal information of a consumer under 16. CPRA also calls to “establish technical specifications for an opt-out preference signal that allows the minor or their parent to specify that the consumer is less than 13 or between 13 and 16 years of age”.

Right to delete and correct

Businesses have to inform consumers how long they plan to retain their personal information. Consumers also have the right to have their data deleted or corrected, and businesses must pass consumer requests on to any third parties with whom they have shared that data.

Right to access

Consumers can now request information collected about them beyond the previous 12-month period preceding the request. Businesses can decline to provide information beyond a 12-month look-back period if it involves a disproportionate effort. This applies to information collected on or after January 1, 2022.  

Right to data portability

With CPRA consumers can request businesses to transmit specific pieces of personal information to another entity. CPRA also indicates that data should be provided in a format easily understandable to the average consumer, and a commonly used, machine-readable format.

CCPA vs CPRA: Infographic

Checklist: 6 steps for CPRA compliance

If you have a CCPA-compliant mechanism in place, you are already halfway to CPRA compliance. But make sure you stay up-to-date with the latest amendments to CCPA.

01 Determine if CPRA applies to your business

  • Assess if your business meets the changed thresholds, as entities who meet the requirements for CCPA may now be exempt from CPRA. 
  • Also, note that CPRA compliance extends outside of the state of California. If a California resident can access your website, CPRA compliance is necessary. 

02 Perform data inventory

  • Conduct a data inventory to figure out the type of information you collect, and if you collect sensitive personal information. Identify the businesses you share data with,  where it is stored, and how it is transferred. 
  • Perform annual audits to review and update data mapping efforts including the tracking and security of sensitive personal information.

03 Review your contracts 

  • Study the updated contractual provisions in CPRA and be prepared to amend the contracts with service providers, contractors, and third parties. 
  • Review that your vendors have adequate data privacy provisions as per the latest amendments to CCPA.

04 Add ‘Do not share’ opt-out notice

An opt-out of sale link is already mandated under the CCPA. CPRA expands the right to opt-out to include ‘sharing’ of personal information with third parties for targeted advertising. So, businesses should update their links to “Do not sell or share my personal information” and display it on the website’s homepage.

Use clearly labelled, conspicuous opt-out links written in plain, jargon-free language. You can also embed this link in your website’s footer or within your Privacy Policy page.


05 Renew privacy policy

Update your privacy policy to detail the rights of the consumers and guide them to exercise their rights under CPRA. Ensure that your privacy policy is easily accessible and compatible with all devices. You can use a free privacy policy generator to create a compliant privacy policy exclusively for your business. The privacy policy should include:

  • Separate disclosure regarding sensitive personal information
  • The methods to request access, change, move, or delete a consumer’s data
  • How consumers can opt-out of selling or sharing their personal information
  • Consent notice for minors (13-16 years) and parents (under 13 years)

06 Add consumer request forms

CPRA gives consumers expanded rights and also the right to make certain requests about their data. Create web request forms where consumers can easily submit these requests.

CPRA requires businesses to offer at least two methods for consumers to submit requests, so you may also add a toll-free phone number for consumers to make requests. Ensure that the phone number is prominently mentioned on your website or privacy page.

What is the penalty for CPRA violation?

Any entity that violates the CPRA can face an injunction and an administrative fine of up to $2,500 for each violation. For violation of the rights of minors (under the age of 16), the fine can go up to $7,500 for each violation.

The CPRA also eliminates the 30-day cure period after the alleged violation under CCPA. The enforcement agency will now have the discretion to provide a business with time to rectify, by taking into account a lack of intent to violate the CPRA and voluntary efforts taken by the business to cure the alleged violation.

Another notable provision of CPRA is that it expands the scope of consumers’ private right of action to include data breaches involving email account credentials.

Other key changes in CPRA

Contractual requirements

The CPRA explicitly requires that businesses must have appropriate contractual provisions in place with service providers, contractors and third parties. Such contracts prohibit the retention, use, or disclosure of personal information for purposes other than the services specified. Contracts may also permit businesses to monitor the service providers’ compliance with contractual provisions through manual reviews, automated scans, regular assessments and audits at least once a year.

Data minimization

CPRA brings in the concepts of data minimization and storage limitation, both core principles under GDPR. CPRA mandates that businesses may only collect personal information that is reasonably necessary for the purpose for which it is collected, and may not retain personal information for longer than is necessary for that purpose.

Risk assessment

While CCPA requires businesses to implement reasonable security procedures and practices, CPRA imposes strengthened auditing requirements. Businesses whose processing may create a “significant risk” to consumers’ privacy have to perform annual cybersecurity audits and submit regular risk assessments to the California Privacy Protection Agency. The risk assessment should cover their processing of personal information, including whether it involves sensitive data, and weigh the benefits of the processing to the business, the consumer and other stakeholders against the risks.

Extension of employee exemption

CCPA exempted certain employment and personal information involved in business-to-business (B2B) communications and transactions. This exemption was set to expire on January 1, 2021. But, CPRA extended the exemptions given to employment and B2B data until January 1, 2023.


When does CPRA go into effect?

The CPRA will be operative from January 1, 2023, and applies to information collected on or after January 1, 2022. The enforcement will begin on July 1, 2023, and until then CCPA will remain the primary governing legislation. 

What does CPRA stand for?

CPRA stands for the California Privacy Rights Act, a state-wide data privacy law that amends the California Consumer Privacy Act (CCPA). It expands on the current privacy law, CCPA, with updated provisions.

What is the timeline for CPRA?

January 2020: CCPA comes into effect.

November 2020: California Privacy Rights Act, CPRA was passed during the November 2020 ballot.

January 2021: The CPRA becomes law and the California Privacy Protection Agency (CPPA) is established.

January 2022: 12-month lookback period for CPRA commences.

July 2022: The CPPA begins the formal rulemaking process.

January 2023: CPRA becomes operative and comes into force.

July 2023: Enforcement of the CPRA begins under the CPPA.

What does the CPRA define as ‘Sharing’ of data?

The CPRA defines “sharing” as:

“communicating orally, in writing, or by electronic or other means, a consumer’s personal information . . . to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration”

Cross-context behavioral advertising involves targeted advertising based on a consumer’s activities across various distinct businesses, websites, applications, or services. 

Under CPRA, sharing is covered whether it is done for monetary benefit or for any other purpose, such as enhanced personalization of services for the consumer.

Who enforces CPRA?

The California Privacy Protection Agency (CPPA), the new agency established by the CPRA, is tasked with enforcing California’s privacy regulations. Headed by Ashkan Soltani, the CPPA will be responsible for implementing CPRA and holding non-compliant organizations accountable.

The CPRA transfers rulemaking authority from the California Attorney General (CAG) to the CPPA. The Agency began the formal rulemaking process on July 8, 2022.