Privacy-proof consumer data and stay ahead of CPRA compliance
Display opt-out notice, ‘Do not sell or share’ link and honour browser signals with the #1 consent management platform.
The #1 cookie consent solution, trusted by 1.4 Million+ websites
The California Privacy Rights Act (CPRA) is an amendment to the California Consumer Privacy Act (CCPA). It is a state-wide data privacy law that expands the provisions and enhances the privacy rights granted to California residents under the CCPA. The CPRA regulates how businesses process the personal information of consumers in California and gives consumers control over their data. The CPRA came into effect on January 1, 2023.
The CPRA is an amendment to the existing CCPA. You need to fulfil the new obligations of the CPRA by the enforcement date of July 1, 2023.
CPRA Compliance Checklist for Websites
- Display a banner to opt-out of the sale or sharing of personal data
- Provide a ‘Do not sell or share my personal information’ link on your website
- Limit data collection to relevant data and legitimate purposes
Prepare for CPRA Compliance with CookieYes
Implement opt-out requests
Under CPRA, when businesses sell or share personal data (including the use of third-party cookies), they should disclose this information in a clear and conspicuous way and inform consumers how to opt-out.
With CookieYes you can
Automate consent management
To respect users’ right to opt-out under CPRA, it’s necessary to ensure that websites set third-party cookies only based on users’ consent preferences and ensure continuous compliance.
With CookieYes you can
Transition from CCPA to CPRA compliance with our simple cookie consent solution
Learn more about CPRA and take the next step towards compliance
What is CPRA?
The CPRA, or California Privacy Rights Act, is a state-wide privacy law that amends the California Consumer Privacy Act (CCPA) and is referred to as CCPA 2.0. The CPRA expands the provisions of the CCPA and establishes new requirements for businesses that collect and process personal information, including new privacy rights for California consumers and a new agency responsible for enforcing privacy laws in California, called the California Privacy Protection Agency.
Among other things, CPRA requires businesses to provide consumers with the ability to correct inaccurate personal information, limit the use of sensitive personal information, and obtain explicit consent before collecting or using certain types of personal information. The CPRA took effect on January 1, 2023, and includes a one-year lookback period, for personal information collected from January 1, 2022, onwards.
Who does CPRA apply to?
The CPRA applies to for-profit businesses that conduct business in California or market their goods and services to California residents and that do any of the following:
- Have annual gross revenues over $25 million in the preceding calendar year
- Buy, sell, or share the personal information of 100,000 or more consumers or households
- Get 50% or more of their annual revenues from selling or sharing consumers’ personal information
The CPRA does not apply to non-profit organisations and personal information collected under certain health and medical privacy laws such as HIPAA.
What are consumer rights under CPRA?
Right to know
The right to know about the personal information a business collects about them and how it is used and shared.
Right to delete
The right to delete personal information that a business has collected from them.
Right to correct
The right to request that businesses correct any inaccurate personal information they hold.
Right to opt-out
The right to opt out of the sale of their personal information by a business.
Right to restrict processing
The right to request that businesses limit the use and processing of their personal information.
Right to non-discrimination
The right to not be discriminated against for exercising their consumer rights under CPRA.
Right to data portability
The right to obtain a copy of their personal data in a portable and readily usable format.
What is the penalty for non-compliance?
Businesses that fail to comply with the CPRA can face civil penalties of up to $7,500. The California Privacy Protection Agency has the discretion to give a business time to rectify the alleged violation. The Agency also has the right to seek injunctions and other equitable relief to enforce the law.
The CPRA also includes a private right of action for certain types of data breaches due to negligence from a business. Affected California residents may be able to sue for damages of up to $750 per incident or actual damages, whichever is greater.
FAQ on CPRA Compliance
The California Privacy Rights Act (CPRA) is a new privacy law that amends and expands upon the existing California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. The CPRA was passed by California voters in November 2020 and came into effect on January 1, 2023, with enforcement beginning on July 1, 2023.
The CPRA includes several new provisions and changes to the CCPA, including the creation of a new enforcement agency, the right of consumers to opt out of the sharing, not just the sale, of their personal information, and increased fines for violations.
No, the California Privacy Rights Act (CPRA) does not replace the CCPA but amends it. The CPRA is an expansion of the CCPA, as it modifies existing provisions and introduces additional requirements for businesses and new rights for California consumers. The CPRA came into effect on January 1, 2023. Businesses that are subject to the CCPA will need to comply with the new requirements of the CPRA now.
Read more: Complete Guide to CPRA California
Under the California Privacy Rights Act (CPRA), “personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. The CPRA expands the definition of personal information of CCPA to include information such as geolocation data, race, ethnicity, religious or philosophical beliefs, and biometric information.
In addition, the CPRA introduces “sensitive personal information”, which covers specific categories of personal information, such as financial information, identification numbers like social security number, driver’s licence and passport, and personal information that reveals a consumer’s precise geolocation data, health, genetic data, and biometric information.
The California Privacy Protection Agency (CPPA), the new enforcement agency created under the new provisions of CPRA, is the enforcement authority for CPRA. The CPPA is a first-of-its-kind state agency in California and will be taking over the enforcement and rulemaking responsibilities of the California Attorney General (CAG), who has been the regulatory authority for the CCPA.
The CPPA and the CAG can begin to enforce the CPRA regulations only from July 1, 2023.
The California Privacy Rights Act (CPRA) applies to any for-profit entity or business that operates in California or collects personal information from California residents. The CPRA can apply to an entity that:
- Does business in California
- Collects the personal information of California residents, and
- Meets certain revenue requirements or data processing thresholds
If a business meets any of these criteria, it will be subject to the CPRA’s requirements, even if it is not physically located in California.
The CPRA includes several new provisions and changes to the CCPA, including:
- Creation of a new enforcement agency: The CPRA creates a new agency called the California Privacy Protection Agency (CPPA), which will be responsible for enforcing privacy laws in California.
- Introduces sensitive personal information: The CPRA expands the definition of sensitive personal information to include new categories, such as financial information, precise geolocation, race, ethnicity, and health information.
- Introduces ‘sharing’ of personal information and opt-out rights: Sharing is defined as any disclosure of personal information to third parties for cross-context behavioural advertising, whether or not for monetary or other valuable consideration.
- New consumer rights: The CPRA grants consumers the right to correct inaccurate personal information held by businesses.
- Increased fines for violations: The CPRA increases the fines for violations of privacy laws, with fines ranging from $2,500 to $7,500 per violation.
Fast-track your CPRA compliance in minutes
Set up a cookie consent banner in 3 simple steps and automate your compliance.