Privacy-proof consumer data and stay ahead of CPRA compliance
Display opt-out notice, ‘Do not sell or share’ link and honour browser signals with the #1 consent management platform.
The #1 cookie consent solution, trusted by 1.5 Million+ websites
The California Privacy Rights Act (CPRA) is an amendment to California Consumer Privacy Act (CCPA). It is a state-wide data privacy law that expands the provisions and enhances the privacy rights granted to California residents under the CCPA. The CPRA regulates how businesses process the personal information of consumers in California and provides consumers control over their data. CPRA came into effect on January 1, 2023.
CPRA is an amendment to the existing CCPA. You need to fulfil the new obligations of CPRA by the enforcement date of July 1, 2023 (now extended to March 29, 2024).
CPRA Compliance Checklist for Websites
- Display a banner to opt-out of the sale or sharing of personal data
- Provide a ‘Do not sell or share my personal information’ link on your website
- Minimize data collection to relevant data and legitimate purposes
Prepare for CPRA Compliance with CookieYes
Implement opt-out requests
Under CPRA, when businesses sell or share personal data (including the use of third-party cookies), they should disclose this information in a clear and conspicuous way and inform consumers how to opt-out.
With CookieYes you can
Automate consent management
To respect users’ right to opt-out under CPRA, it’s necessary to ensure that websites set third-party cookies only based on users’ consent preferences and ensure continuous compliance.
With CookieYes you can
Transition from CCPA to CPRA compliance with our simple cookie consent solution
Learn more about CPRA and take the next step towards compliance
What is CPRA?
CPRA, or the California Privacy Rights Act, is a state-wide privacy law that amends the California Consumer Privacy Act (CCPA) and is referred to as CCPA 2.0. The CPRA expands the provisions of CCPA and establishes new requirements for businesses that collect and process personal information, including new privacy rights for California consumers and a new agency responsible for enforcing privacy laws in California, the California Privacy Protection Agency.
Among other things, CPRA requires businesses to provide consumers with the ability to correct inaccurate personal information, limit the use of sensitive personal information, and obtain explicit consent before collecting or using certain types of personal information. The CPRA took effect on January 1, 2023, and includes a one-year lookback period for personal information collected from January 1, 2022, onwards.
Who does CPRA apply to?
The CPRA applies to for-profit businesses that conduct business in California or market their goods and services to California residents and meet at least one of the following:
- Has annual gross revenues over $25 million in the preceding calendar year
- Buys, sells, or shares the personal information of 100,000 or more consumers or households
- Gets 50% or more of its annual revenues from selling or sharing consumers’ personal information
The CPRA does not apply to non-profit organisations and personal information collected under certain health and medical privacy laws such as HIPAA.
What are consumer rights under CPRA?
Right to know
The right to know about the personal information a business collects about them and how it is used and shared.
Right to delete
The right to delete personal information that a business has collected from them.
Right to correct
The right to request that businesses correct any inaccurate personal information they hold.
Right to opt-out
The right to opt out of the sale of their personal information by a business.
Right to restrict processing
The right to request that businesses limit the use and processing of their personal information.
Right to non-discrimination
The right to not be discriminated against for exercising their consumer rights under CPRA.
Right to data portability
The right to obtain a copy of their personal data in a portable and readily usable format.
What is the penalty for non-compliance?
Businesses that fail to comply with CPRA can face civil penalties of up to $7,500. The California Privacy Protection Agency has the discretion to provide a business with time to rectify the alleged violation. The Agency also has the right to seek injunctions and other equitable relief to enforce the law.
The CPRA also includes a private right of action for certain types of data breaches due to negligence from a business. Affected California residents may be able to sue for damages of up to $750 per incident or actual damages, whichever is greater.
FAQ on CPRA Compliance
The California Privacy Rights Act (CPRA) is a new privacy law that amends and expands upon the existing California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. CPRA was passed by California voters in November 2020 and came into effect on January 1, 2023, with enforcement beginning on July 1, 2023.
The CPRA includes several new provisions and changes to the CCPA, including the creation of a new enforcement agency, the right of consumers to opt out of the sharing of their personal information (not just the sale of it), and increased fines for violations.
No, the California Privacy Rights Act (CPRA) does not replace the CCPA but amends it. The CPRA is an expansion of the CCPA, as it modifies existing provisions and introduces additional requirements for businesses and new rights for California consumers. The CPRA came into effect on January 1, 2023. Businesses that are subject to the CCPA will need to comply with the new requirements of the CPRA now.
Under the California Privacy Rights Act (CPRA), “personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. The CPRA expands the definition of personal information of CCPA to include information such as geolocation data, race, ethnicity, religious or philosophical beliefs, and biometric information.
In addition, the CPRA introduces “sensitive personal information”, which includes specific categories of personal information such as financial information; identification numbers like social security number, driver’s licence and passport number; and personal information that reveals a consumer’s precise geolocation, health, genetic data, and biometric information.
The California Privacy Protection Agency (CPPA), the new enforcement agency created under the new provisions of CPRA, is the enforcement authority for CPRA. The CPPA is a first-of-its-kind state agency in California and will be taking over the enforcement and rulemaking responsibilities of the California Attorney General (CAG), who has been the regulatory authority for the CCPA.
The CPPA and the CAG were expected to begin CPRA enforcement on July 1, 2023. However, a California state court ruling delayed the enforcement of the new CPRA regulations, issued in March 2023, until March 29, 2024. This ruling does not prevent the CPPA or CAG from enforcing the amendments to the CCPA that became effective on January 1, 2023.
The California Privacy Rights Act (CPRA) applies to any for-profit entity or business that operates in California or collects personal information from California residents. The CPRA can apply to an entity that:
- Does business in California
- Collects the personal information of California residents, and
- Meets certain revenue requirements or data processing thresholds
If a business meets any of these criteria, it will be subject to the CPRA’s requirements, even if it is not physically located in California.
The CPRA includes several new provisions and changes to the CCPA, including:
- Creation of a new enforcement agency: The CPRA created a new agency called the California Privacy Protection Agency (CPPA), which will be responsible for enforcing privacy laws in California.
- Introduces sensitive personal information: The CPRA expands the definition of sensitive personal information to include new categories, such as financial information, precise geolocation, race, ethnicity, and health information.
- Introduces ‘sharing’ of personal information and opt-out rights: Sharing is defined as any disclosure of personal information to third parties for cross-context behavioural advertising, whether or not for monetary or other valuable consideration.
- New consumer rights: The CPRA grants consumers the right to correct inaccurate personal information held by businesses.
- Increased fines for violations: The CPRA increases the fines for violations of privacy laws, with fines ranging from $2,500 to $7,500 per violation.
CPRA compliance refers to your business’s obligation to comply with the California Privacy Rights Act (CPRA), a comprehensive data protection law enacted in California. CPRA amends the existing California Consumer Privacy Act (CCPA) and introduces new requirements for businesses that collect and process the personal information of California residents. CPRA compliance is essential for organisations operating in California or handling the personal data of California residents.
The California Privacy Rights Act (CPRA) applies to the state of California and focuses on the data privacy rights of residents of the state. The General Data Protection Regulation (GDPR) applies to all European Union member states and aims to protect the personal data of individuals in the EU. Some of the key differences include:
- Applicability: The CPRA applies to businesses that meet certain threshold requirements, such as annual gross revenue of $25 million or more and businesses that sell or share personal information to generate 50 per cent of their revenue. The GDPR applies to any organization that processes the personal data of individuals in the EU, regardless of the organisation’s location or revenue.
- Consent: The GDPR has stricter requirements for obtaining consent from individuals for data processing. It requires opt-in consent, while the CPRA requires an opt-out consent framework.
- Penalties: CPRA imposes a penalty of up to $7,500 per intentional violation or up to $2,500 per unintentional violation. For GDPR, the penalty can go up to a maximum of €20 million or 4% of global annual turnover, whichever is higher.
Refer to CCPA vs GDPR: What’s the Difference for a detailed explanation.
The CPRA amended the California Consumer Privacy Act (CCPA) and introduced new provisions, including an updated applicability threshold. Here are some key threshold requirements under the CPRA:
- Business size: The CPRA applies to businesses with an annual gross revenue of over $25 million in the preceding calendar year.
- Data processing: It applies to businesses that, alone or in combination, annually buy, sell, or share the personal information of 100,000 or more consumers or households.
- Revenue from data sale/sharing: Businesses that derive 50 per cent or more of their annual revenues from selling or sharing consumers’ personal information.
The California Privacy Rights Act (CPRA) requires that businesses follow certain obligations for collecting personal information from California residents. Some of the key CPRA obligations include:
- Provide a privacy notice: Businesses are required to provide a clear and transparent notice informing consumers about the types of personal information collected, the purposes for which it is used, their data privacy rights and how to exercise them.
- Offer opt-out of sale/sharing of data: Businesses must present a conspicuous and easily accessible mechanism for consumers to opt out of the sale/sharing of their personal information.
- Honour consumer requests: Businesses are required to address consumer requests to access, correct, delete, or limit the processing of their personal information within a reasonable timeframe.
- Limit data retention: Businesses must refrain from retaining personal information beyond what is reasonably necessary for the purpose it was collected.
Refer to The Complete Guide to CPRA for an in-depth understanding of CPRA regulations.
Here are the key requirements you need to implement on your website to become CPRA compliant:
- Implement a clear and conspicuous “Do not sell or share” link on your website so consumers can easily opt out of the sale or sharing of their personal information.
- Add an opt-out cookie banner so that your site visitors can opt out of third-party cookies that sell or share their data.
- Respect universal opt-out preference signals such as GPC (Global Privacy Control).
- Avoid dark patterns in your website and opt-out mechanisms.
- Provide accessible methods to make consumer requests.
- Implement basic technical controls and security standards on your website.
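The opt-out and GPC requirements above, worked through as an added example (not CookieYes code): a browser sends the Global Privacy Control signal as the `Sec-GPC: 1` request header or exposes it as `navigator.globalPrivacyControl`, and the site must treat it as a valid opt-out of sale/sharing and stop third-party tags that sell or share data. The consent record shape (`{ saleSharing: "opt-out" | "opt-in" }`) and the tag labelling are assumptions for the example.

```javascript
// Added example: honour the GPC signal and gate third-party tags accordingly.
// Assumed (not from the page): stored consent is { saleSharing: "opt-out" | "opt-in" }
// and each tag carries a sellsOrShares flag describing what it does with data.

// GPC arrives as the `Sec-GPC: 1` request header (server side) or as
// `navigator.globalPrivacyControl === true` (client side). Either means opt out.
function gpcSignalled({ headers = {}, navigator = {} } = {}) {
  const header = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === "sec-gpc"
  );
  if (header && String(header[1]).trim() === "1") return true;
  return navigator.globalPrivacyControl === true;
}

// A GPC signal is a valid opt-out request and overrides any earlier choice
// recorded by the site's own banner. Without a signal, the stored preference
// decides; with nothing recorded, the visitor has not opted out (CPRA is an
// opt-out framework), so sale/sharing is still permitted at that point.
function resolveSaleSharingOptOut({ headers, navigator, storedConsent }) {
  if (gpcSignalled({ headers, navigator })) return true;
  return !!storedConsent && storedConsent.saleSharing === "opt-out";
}

// For an opted-out visitor, only tags that do not sell/share data may load.
function tagsToLoad(optedOut, tags) {
  return tags.filter((tag) => !(optedOut && tag.sellsOrShares));
}

// Constructed sample: a browser sending Sec-GPC before any banner choice.
const sampleTags = [
  { name: "analytics-first-party", sellsOrShares: false },
  { name: "ad-network-pixel", sellsOrShares: true },
];
const optedOut = resolveSaleSharingOptOut({
  headers: { "Sec-GPC": "1" },
  storedConsent: null,
});
console.log(optedOut, tagsToLoad(optedOut, sampleTags).map((t) => t.name));
```

Run with Node; the sample visitor is treated as opted out and only the first-party analytics tag is returned.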
Fast-track your CPRA compliance in minutes
Set up a cookie consent banner in 3 simple steps and automate your compliance.