Skip to main content

CCPA/CPRA

18 min read

Navigating CPRA Enforcement: Guide for a Data-Driven Company

By Safna February 7, 2025

Expert reviewed

Navigating CPRA Enforcement: Guide for a Data-Driven Company

From video game developers to healthcare providers, recent CPRA settlements highlight the growing enforcement of privacy in California. As CPRA enforcement expands, businesses that prioritise transparency gain a competitive edge. Compliance isnā€™t just about avoiding penaltiesā€”itā€™s about building trust and future-proofing operations. This guide examines CPRAā€™s impact, compliance steps, and how businesses can navigate these regulations while maintaining consumer trust.

What is CPRA?

The California Privacy Rights Act (CPRA) is an expansion of the California Consumer Privacy Act (CCPA) that strengthens privacy rights for consumers and increases compliance requirements for businesses. Despite the amendments, many, including the California Attorney General, continue to refer to the updated law as the CCPA.

Enacted through a ballot initiative in 2020, the amendment introduces stricter rules around data collection, processing, and consumer rights.

CPRA did not repeal CCPA, it only enhanced it.

What are the key differences between CCPA and CPRA?

While both laws aim to enhance consumer privacy, the CPRA introduces several new provisions. The table below summarises the key differences:

      FeaturesCCPACPRA
Enforcement agencyCalifornia Attorney GeneralCalifornia Privacy Protection Agency (CPPA) and Attorney General
Threshold1. Gross revenue exceeds $25 Million 

2. Processes the personal information of 50,000+ consumers

3. Generates >= 50% revenue from selling personal information 
1. Gross revenue exceeds $25 Million in the previous year.

2. Processes the personal information of 100,000+ consumers

3. Generates >= 50% revenue from selling/sharing personal information 
Sensitive personal information (SPI)Not specifically definedExplicitly defined and regulated
Fines for compromising minorā€™s privacyUp to $2500 for unintentional violations

Up to $7500 for intentional violations
Up to $7500 per violation
Risk assessments & cybersecurity auditsNot explicitly requiredMandatory for high-risk processing activities
Third-party contractual obligationsLess stringentStrict contractual requirements for vendors and contractors
Right to correct & limitNot includedConsumers can request corrections to inaccurate personal data and limit the use of sensitive personal information
Employee & B2B data protectionsExemptNow covered under CPRA

Timeline for CPRA enforcement

The amendment officially went into effect on January 1, 2023, with enforcement starting July 1, 2023. Companies that fail to comply face fines of $2,500 per unintentional violation or $7,500 per intentional violation or violations involving minors’ data.

Letā€™s walk through the CPRA timelineā€”from its inception to enforcementā€”to see how this privacy law has evolved over time.

November 2020

Approved by voters

December 2020

  • Employer-employee exemption under CCPA comes into effect 
  • Consumer Privacy Fund and CPPA established.

March 2021

CPPA board appointments begin

July 2021

CPPA begins rule-making

January 2022

New data access rules begin allowing consumers to request all data since this date

January 2023

  • CPRA fully takes effect.
  • Employer-employee exemption expires

July 2023

CPRA enforcement begins

CPRAā€™s impact on data-driven companies

For businesses that rely on consumer data for purposes like marketing and analytics, CPRA brings significant privacy duties to take care of.

It introduces stricter opt-out requirements, limits on data processing including the use of sensitive personal information, and the need for a clear privacy policy. Companies failing to implement these changes risk hefty penalties and reputational damage.

Key areas impacted by the law include:

Expansion of opt-out rights

The right to opt out now covers automated decision-making technologies and the sharing of personal information, broadening its scope beyond the previous limitation to the sale of personal data.

Sensitive personal information

Companies must provide a ā€œLimit the use of my sensitive personal informationā€ link in addition to the ā€œDo not sell/share my personal informationā€ link.

Stronger vendor management

Businesses must ensure that their third-party service providers comply with CPRA rules through a contractual arrangement

Enhanced consumer rights

The law introduced two new consumer rightsā€” the right to limit and the right to correctā€”adding to the existing rights, including the right to know, deletion, opt-out, and protection against discrimination. It also expanded some of the already existing rights.

Stricter data minimisation rules

Businesses must only collect data necessary for a specific purpose and limit its use and retention periods.

Proactive risk mitigation

Companies must conduct privacy impact assessments for high-risk data processing.

Who is responsible for enforcing the CPRA?

The California Privacy Protection Agency (CPPA) and the California Attorney General share enforcement responsibilities for CPRA. While the CPPA has broad authority to investigate complaints, conduct audits, and impose fines, the Attorney General retains the power to take legal action against non-compliant businesses.

What were the legal challenges and CPRA enforcement delays?

CPRA enforcement has been contentious, particularly regarding timing. A June 2023 court ruling temporarily blocked the California Privacy Protection Agency (CPPA) from enforcing its regulations, siding with the California Chamber of Commerceā€™s argument for a one-year enforcement delay.

However, on February 9, 2024, the Third District Court of Appeal ruled that the CPRA grants the Agency the authority to enforce its amended regulations as of July 1, 2023, overturning the lower courtā€™s decision and restoring its enforcement powers.

The key takeaway for businesses is that they must act now. The CPPA has made it clear that enforcement will move forward swiftly, and compliance delays will not be excused. Companies should proactively update privacy policies, align with the regulations, and prepare for future rule changes.

Additionally, federal and international privacy laws, such as the EU’s GDPR and emerging U.S. state privacy laws might influence CPRA enforcement strategy. Businesses operating across jurisdictions must ensure an adaptable privacy framework.

CPRA enforcement: Notable cases

Enforcement of the CPRA is ramping up, with regulators taking strict action against businesses that fail to comply. From unauthorised data sales to violations of children’s privacy, companies across industries are facing significant penalties. Below are some of the most notable enforcement cases, highlighting the financial and legal consequences of non-compliance.

#1 Sephora ā€“ $1.2 Million

Sephora was fined for unauthorised data sales, failure to recognise global opt-out signals, and allowing third-party tracking. Despite a 30-day cure period, the company could not address the violations.

#2 Tilting Point Media LLC ā€“ $500,000

The gaming company was fined for violating childrenā€™s privacy laws under COPPA and CPRA by selling minorsā€™ data without verified parental consent and failing to encourage accurate age disclosure.

#3 Doordash ā€“ $375,000

Doordash faced fines for selling consumer data without providing an opt-out option and failing to disclose data-sharing practices under CalOPPA. The company participated in marketing cooperatives without informing consumers.

Relatable read:

See how businesses are facing hefty CPRA fines for non-compliance and what it means for you.

How to implement CPRA on your website?

#1 Review your privacy policy

Ensure your privacy policy reflects CPRA requirements, including the following:

  • A detailed breakdown of consumer rights
  • Clear opt-out mechanisms for data sharing and targeted advertising
  • Data retention periods for different data categories
  • Procedures for handling consumer requests and appeals

#2 Implement a CMP for CPRA cookie compliance

A Consent Management Platform (CMP) helps businesses obtain, manage, and store user consent in compliance with the law. A CMP ensures:

  • Users can easily opt out of third-party cookies
  • Preference management is accessible and transparent
  • Compliance logs are stored for audit purposes
  • Displays a clear cookie banner with a ā€œDo Not Sell or Share My Personal Informationā€ link
  • Offers granular consent options, allowing users to manage their preferences
  • Regularly update consent logs to maintain accurate records of user choices
  • Honours global opt-out signals

For businesses struggling with CPRA compliance, CookieYes offers an all-in-one solution for consent management and regulatory compliance.

Our robust solutions ensure that your website meets the CPRA opt-out requirements. By choosing CookieYes, businesses can focus on growth while we handle compliance. Stay compliant, build trust, and position your brand as a leader in privacy-first practices.

Comply with CPRA cookie consent requirements

  • Customisable opt-out banners
  • Geo-target features
  • Recognise global opt-outs
  • Add a ā€œDo not sell/share my informationā€ link
  • IAB TCF v2.2 compliant & Google CMP gold partner
  • Global privacy compliance
  • Trusted manuals and technical support
  • Easy-to-implement
  • Step-by-step video tutorials

#3 Conduct privacy risk assessments and employee training

The law requires businesses to assess and mitigate privacy risks through formal Data Protection Impact Assessments (DPIAs).

To stay compliant:

  • Conduct periodic privacy risk assessments to evaluate compliance risks
  • Train employees on compliance and best practices
  • Develop incident response plans to handle potential data breaches effectively
  • Establish a data retention and disposal strategy to prevent unnecessary storage of consumer data

#4 Implement data minimisation and purpose limitation

To comply with privacy laws like CPRA, businesses must limit the collection, use, sharing, and retention of consumersā€™ personal information to what is strictly necessary for a disclosed purpose. This requires a structured approach to data governance, ensuring that every piece of information collected serves a specific, justified need.

  • Regular data audits: Businesses should routinely assess the types of personal data they collect, the reasons for collection, and whether those reasons remain valid. 
  • Defined retention policies: Establish clear data retention policies to ensure that personal data is not kept longer than necessary for the specific purpose. 
  • Transparent privacy policies: Any changes in data collection practices must be promptly reflected in privacy policies. 

#5 Implement robust data security measures

While the California privacy law does not discuss specific security measures yet, it requires businesses to establish reasonable protections proportional to the personal data they handle. Therefore, implementing robust security practices is essential to safeguarding consumer information and maintaining compliance.

  • Risk-based security approach: Assess data security risks and adopt safeguards that align with the sensitivity of the personal data you collect and process. This includes cybersecurity audits, privacy risk assessments, and regulatory compliance reviews.
  • Technical safeguards: Encrypting personal data, enabling password protection, enforcing two-factor authentication, and implementing access controls help prevent unauthorised access.
    Ā 
  • Incident response and resilience: A data breach response plan is critical to mitigating risks. Regular data backups and proactive monitoring help businesses respond effectively to security incidents.
  • Employee awareness and training: Educate your employees on security best practices through training sessions, webinars, and workshops to reinforce compliance.

#6 Ensure third-party and service provider compliance

Businesses are responsible for ensuring that their service providers, contractors, and third parties adhere to the same compliance standards. 

This requires establishing clear contractual agreements, also known as Data Processing Agreements that define data processing limits, retention periods, and security obligations.

  • Every agreement should explicitly restrict the use, retention, and disclosure of personal data to the purposes outlined in the contract. It must also require service providers to implement reasonable security and privacy measures.
  • Businesses should actively verify that third parties uphold their contractual obligations. This can be achieved through manual reviews, automated scans, audits, and assessments conducted at least once a year.
  • Ensure that the contractual terms reflect your businessā€™s privacy commitments and prevent third parties from exceeding their authorised processing activities.

#7 Honour consumer rights

Covered businesses must establish clear mechanisms to respect and facilitate consumer rights. This includes enabling consumers to know, delete, correct, opt-out, limit the use of sensitive data, and avoid discrimination based on their privacy choices.

  • Businesses must provide at least two designated methods for consumers to submit privacy requests, such as a toll-free number, email, or online form
  • The consumer request processes should be simple, accessible, and clearly outlined in privacy policies.
  • Fulfil the requests within 45 days, with a possible 45-day extension if necessary. 
  • Try to honour the Opt-out and limitation requests within 15 business days.
  • Do not discriminate against consumers such as by denial of service, price increases, or quality reductions for exercising their rights.

FAQ on CPRA enforcement

How do global opt-out signals impact CPRA compliance strategies?

Global Privacy Control (GPC) signals are mechanisms that allow consumers to universally opt out of the sale or sharing of their personal information across all websites they visit. Under the CPRA:

  • Businesses are required to honour GPC signals as valid opt-out requests.
  • They must also implement technical measures to detect and process GPC signals received from consumers’ browsers or devices.

Businesses can streamline GPC compliance and CPRA consent management effortlessly using CookieYes CMP, which automatically detects and honours GPC signals, manages cookie consent, and ensures audit-ready compliance with privacy laws.

What industries face the highest CPRA enforcement risks?

While the California Privacy Rights Act (CPRA) applies broadly to businesses that collect or process personal information of California residents, certain industries have faced higher enforcement risks due to the nature of their data practices and the sensitivity of the information they handle.

Some of the industries that fall into this category include eCommerce and Retail, AdTech and Digital Advertising, Financial Services and FinTech, Healthcare and Telehealth, Technology and SaaS, Entertainment and Gaming, Hospitality and Food Services, and Education Technology (EdTech)

How can businesses afford CPRA compliance without huge costs?

Achieving CPRA compliance is essential for covered businesses, but small businesses can also adopt cost-effective strategies to meet requirements:

  • Leverage free resources: Utilise free CPRA compliance checklists and templates available from reputable sources to guide your compliance efforts.
  • Affordable tools: Invest in affordable compliance software solutions designed for small businesses to manage data privacy obligations efficiently.
  • Employee training: Conduct in-house training sessions to educate staff on CPRA requirements and best practices for data handling.
  • Consultation services: Consider limited-scope consultations with legal experts to address specific compliance questions without incurring substantial legal fees.



Photo of Safna

Safna

Safna Y Yacoob is a lawyer turned data privacy writer. At CookieYes, she transforms complex privacy regulations into actionable insights for businesses. On off-hours, find her brightening days with one-liners, spinning playlists, or watching feel-good movies.

Keep reading

Featured image of Server-Side Tracking: A Beginner’s Guide

Cookies

Server-Side Tracking: A Beginner’s Guide

Server-side tracking enhances data accuracy, security, and privacy by routing analytics through your server, overcoming the limitations of traditional client-side tracking.

Read more
Featured image of How to Create a Privacy Policy for Woocommerce: Step-By-Step Guide

Legal policies

How to Create a Privacy Policy for Woocommerce: Step-By-Step Guide

A must-read guide to setting up a privacy policy for your WooCommerce store.

Read more
Featured image of Navigating CPRA Enforcement: Guide for a Data-Driven Company

CCPA/CPRA

Navigating CPRA Enforcement: Guide for a Data-Driven Company

CPRA enforcement is ramping upā€”stricter rules, higher fines, and new consumer rights. Stay compliant, build trust, and avoid penalties with this guide.

Read more

Show all articles