The privacy era in California commenced with the California Consumer Privacy Act (CCPA), which was subsequently modified by the California Privacy Rights Act (CPRA). It grants significant rights to individuals and enhances consumer autonomy over their data. If you are a business serving Californians, CPRA compliance is non-negotiable. Our extensive CPRA compliance checklist ensures that you meet all the requirements.
What is CPRA?
The California Privacy Rights Act (CPRA) is California's prominent data protection law. It regulates the use of consumers' personal information, empowers consumers with privacy rights and requires businesses to honor these rights. Unlike the General Data Protection Regulation (GDPR), CPRA adopts an opt-out model. Therefore the law allows businesses to engage in reasonable data processing activities without obtaining prior consent.
CPRA amendments came into effect in 2023, bringing in new rights such as the right to correct.
Unlike many recent US data privacy laws like the New Jersey Data Privacy Act, CPRA applies on a monetary threshold basis. If your business offers products or services to Californians and meets any of the following requirements, you must comply with this privacy law.
- Has an annual gross revenue of more than $25 million
- Buys/sells/shares the personal information of more than 100,000 consumers
- Derives 50% or more of annual revenue from the sale/share of personal information
The California Privacy Protection Agency (CPPA) and the California Attorney General have been given enforcement powers by the law. Fines for non-compliance could be as high as $7500 per violation, with a minimum fine of $2500. Additionally, consumers have a limited private right to take legal action, enabling them to sue businesses in the event of security breaches involving personal information, such as unauthorised access to email addresses and passwords.
What are the CPRA requirements?
Now let us discover the key CPRA requirements.
Minimisation requirements
CPRA limits the scope of data collection and requires businesses to minimise the personal data they collect from California residents.
The collection, use, sharing and retention of personal data must align with the purpose that was communicated to the consumer at the time of collection. This means you should set clear objectives for data collection and adhere to them.
Avoid all kinds of secondary usage of collected data. For instance:
- A game application collecting geo-location or tracking user activities may not be within the scope of the specific purpose for which the application is installed.
- An online shopping business collecting addresses and phone numbers from customers is not expected to sell the data to third parties.
Transparency requirements
Businesses must inform their customers about how they handle user data. To meet this requirement, you must provide easy-to-understand notices, such as a privacy policy and notice at collection.
All the CPRA documents must be written in plain language and be accessible and clear to the audience.
A privacy policy/privacy notice must contain information that gives users an idea of an organisation's data practices, such as the categories of data it collects, the specific purposes for which it uses them, how long they will be stored, and whether it engages in the sale of personal information. This is an absolute must for covered businesses serving Californians.
Apart from a privacy policy, you should also provide a notice at collection at the time of collecting personal data or before it. This notice helps consumers decide whether to proceed with your organisation based on what data you collect and how you process it.
A notice at collection must contain the following:
- Categories of personal information including sensitive personal information (sensitive data)
- The purposes for which they will be used
- Whether each type of personal data will be shared or sold
- How long the business will retain the personal data
- Links to opt out of sale and limit sensitive data processing
- Link to privacy policy
Consumer requests requirements
CPRA empowers consumers with the following data privacy rights:
- The right to know about personal information that a business collects, processes and shares/sells.
- The right to correct any inaccuracies in their personal data
- The right to opt out from the sale or sharing of personal information
- The right to limit the use and disclosure of sensitive data
- The right to not be discriminated against for exercising consumer rights
- The right to delete any personal data about the consumer that the business has collected from the consumer
To ensure that the consumers get to exercise their rights, the CPRA also requires businesses to provide two or more convenient consumer request mechanisms. This could include an active email address, a toll-free number, or a web form.
Respond to consumer requests such as deletion or correction requests within 45 days of receipt. This period can be extended by another 45 days if necessary, and you must inform the consumer of such an extension. Do not levy any charges for fulfilling consumer requests unless the request is excessive and manifestly unfounded.
Consent requirements
Though CPRA generally follows an opt-out structure, there are some exceptions.
You cannot sell the personal data of children under 16 years of age without opt-in consent. Children aged 13 to 16 can give this consent themselves, whereas for children below 13, consent must be obtained from their parents or guardians.
Consent under CPRA must be a freely given, informed, specific, and unambiguous indication of a person's agreement to the processing of their personal data.
CPRA prohibits the use of dark patterns that influence a user's decision or do not offer them a real choice. This also applies to implying consent from inaction, hovering over, or closing the consent message.
Opt-out requirements
The California Privacy Rights Act (CPRA) gives consumers the right to direct businesses not to sell their personal information and the right to limit the use of their sensitive data by businesses.
Sensitive data are the types of personal data whose disclosure could result in harm, discrimination or a violation of one's rights or freedoms. They include racial/ethnic origin, biometric data, precise geo-location, social security number, etc.
Businesses collecting sensitive data must offer users an option to restrict its use. Similarly, if you sell or share personal information with third parties, you must provide consumers with an opt-out banner informing them of such sale and give opt-out options.
Honor these rights by displaying clear “Do not sell my personal information” and “Limit the use of sensitive personal information” links on your website. A link can work in two ways: it can either take consumers to a page with details on their rights and how to opt out, or it can instantly opt them out.
The law also requires businesses to recognise global opt-out signals. These are signals that indicate a consumer's preset preference to opt out.
Security requirements
CPRA requires businesses to establish reasonable data security measures proportional to the data handled by them.
The following measures can be chosen to ensure the integrity and confidentiality of consumer data:
- Implement data encryption to prevent unauthorised access
- Enforce password protection and enable two-factor authentication
- Carry out processing activities in a secure manner
- Ensure that access controls are in place to limit access to employees whose job roles necessitate it
- Conduct cybersecurity audits and risk assessments, and plan the measures needed to stay compliant
- Have a data breach response plan
- Perform timely backups
Contractual requirements
Ensuring your service providers’ and third parties’ compliance with CPRA is just as crucial as your compliance. All covered businesses must comply with this requirement by having a contractual relationship with them.
Such a contract must determine the rights and duties of each party, the retention period, and the nature of the processing. It must also require all parties to implement CPRA-compliant measures and restrict the use of personal data for specific purposes.
These steps will create a binding agreement between your business and the third parties with whom you share personal information.
CPRA compliance checklist
If you are a business serving Californians, assess whether you must comply with CPRA regulations. Here is a checklist to make things simpler.
Conduct data mapping
Regularly monitor the types of personal information you collect and their purpose of collection. Conduct data auditing, streamline the collection process, and determine data retention periods.
Take steps to ensure that you do not collect information that is more than what is required for the disclosed purpose. Furthermore, you cannot use the collected data for secondary purposes. Remember to update your privacy policy whenever there is a change in the data collection practice.
Provide a privacy policy
CPRA is committed to enhancing the transparency of data processing activities and imposes exacting standards. It requires businesses to provide a detailed and easy-to-understand privacy policy to consumers.
A privacy policy must contain the following:
- Types of personal data collected and their purposes
- Categories of personal data shared/sold to third parties
- Categories of third parties with whom the data is shared/sold
- Purpose of the sale/share
- Whether you sell/share children's personal data (below 13)
- Whether you process sensitive data
- Consumer rights and methods to exercise them
- Opt-out links
- How your business verifies consumer requests
- How universal opt-out signals are recognised and processed
- The opt-in process for minors
- The business's contact information
- Date of last policy update
In addition to the privacy policy, you must provide other CPRA notices such as notice at collection, notice of right to opt-out, and notice of right to limit.
If your website deploys third-party cookies on user devices, which it does in most cases, you may also provide a cookie notice/cookie policy. A cookie notice contains information about the categories of cookies, their purposes, retention period, etc.
Update privacy policy
Keep your privacy policy updated with any changes in data collection and processing activities.
Notice at collection and opt-out banners
Provide a notice at collection informing consumers of how an organisation collects and uses personal information. Also, offer opt-out banners/options to inform consumers of their ability to opt out of the sale of personal information and control the use of sensitive information.
Businesses should have systems in place to accurately target Californian consumers, provide them with opt-out options and also acknowledge global opt-out signals from consumers. This can also extend to non-essential cookies such as third-party cookies deployed on user devices when visiting a website.
While implementing these requirements may be challenging, there are software solutions such as consent management platforms to automate the process and achieve compliance effortlessly.
CookieYes is a dedicated consent management platform that helps your business stay compliant. We are an IAB-certified platform trusted by over 1.5 million businesses worldwide. CookieYes is also a recognised GCM gold partner.
Provide consumer request mechanisms
Provide at least two or more methods by which consumers can exercise their rights, for example, submit a deletion request. Ensure that these methods are conspicuously available to consumers. The process must be simple and convenient.
Respond to requests
Prompt response is significant under CPRA. Confirm the receipt of the request within 10 days and try to respond to requests within the initial 45 days.
Consent management
Streamline the consent management process to collect, store, and manage consent and opt-out preferences including cookie consent.
Establish a proper system to monitor and update the preferences as required by consumers. Record user consent to prove compliance.
Provide opt-out links
CPRA mandates that businesses provide “Do not sell my personal information” and “Limit the use of my sensitive information” links to consumers. Place them conspicuously on your website.
After a consumer opts out, data sales must stop. Similarly, strictly limit the sensitive data usage to what is necessary for the specific purpose.
Security measures
CPRA does not specify the necessary security measures that a business must adopt. However, you should consider implementing adequate and proportional safeguards to protect the confidentiality and integrity of personal information handled by your business.
You may conduct regular cybersecurity audits, analyse privacy risks, and formulate risk management measures. It is equally important to implement encryption, along with password protection and two-factor authentication.
Educate your workforce on data security. Consider hosting webinars and training sessions for your employees.
Contract
Have a contractual agreement with service providers and third parties to ensure their CPRA compliance along with yours. Verify that the agreement reflects your privacy interests and that the processing activities do not exceed the agreement terms.
FAQ on CPRA compliance
CPRA compliance is mandatory if your business caters to Californians and meets any of the required thresholds.
Assess whether the law applies to you and understand the legal requirements. Limit the collection and use of personal information to the disclosed purpose. You must also honor consumer rights and set up convenient methods to exercise them, such as correction or access requests. Furthermore, enhance transparency by providing an updated privacy policy, notice at collection, notice of right to opt out, and notice of right to limit the use of sensitive personal information.
It is equally important to implement cybersecurity measures, train your employees, conduct risk assessments, etc to achieve CPRA compliance.
Yes, CCPA has extraterritorial jurisdiction and applies to businesses processing Californians' personal data regardless of their location.
CCPA, the Californian privacy law, came into effect in 2020 and was amended later in 2023 by CPRA. This does not mean that the CPRA replaced the CCPA; rather, it only expanded it with new provisions.