The California Privacy Rights Act (CPRA)

On July 1, 2020, California's CCPA became enforceable. A few days prior, the privacy advocacy group "California for Consumer Privacy" (CFCP) declared that it had collected almost a million signatures to have the California Privacy Rights Act (CPRA) placed on the November 2020 ballot.

The CPRA expands upon and amends the CCPA, which has led to it being known as CCPA 2.0. However, it was on the ballot officially as Prop 24.

According to a poll of 605 Californians by Goodwin/Simon Research, up to 81% supported the legislation, which passed in November 2020.

Whether your business is in California or not, you should be observing this bill closely as it could have substantial consequences for how you operate.

What Does the CPRA Do?

According to the CFCP, the CPRA is designed to make it much harder to weaken privacy. As the CFCP website puts it, the CPRA will:

"MAKE IT MUCH HARDER TO WEAKEN PRIVACY in California in the future, by preventing special interests and politicians from undermining Californians' privacy rights, while allowing the Legislature to amend the law to further the primary goal of strengthening consumer privacy to better protect you and your children, such as opt-in for use of data, further protections for uniquely vulnerable minors, and greater power for individuals to hold violators accountable."

The CCPA is greatly expanded upon by the CPRA. It will grant consumers new rights and impose unique obligations on businesses, as well as change enforcement provisions within the CCPA.

According to the new measure, the CCPA will be integrated into the CPRA. Anything added to the CCPA by the CPRA will take effect on January 1, 2023, although enforcement of added obligations won't start until July 1, 2023.

Who Does the CPRA Apply to?

There are many changes to the CCPA made by the CPRA. These changes range from new and potentially burdensome obligations, to helpful clarifications of the original law's language.

The CPRA essentially applies (just as the CCPA does) to any for-profit organization that may do business in the State of California and that meets a few criteria.

The CPRA applies to businesses that:

  • Have a gross annual revenue of over $25 million in the preceding calendar year, or
  • Buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices, or
  • Derive 50% or more of their annual revenue from selling or sharing California residents' personal information

Exemptions from CPRA Provisions

In general, the CPRA keeps the same exemptions as the CCPA, although it improves upon some of them.

The CCPA already provides exemptions for data related to job applicants, employees, and business-to-business (B2B) contacts. However, the CPRA extends these exemptions.

Some of the improvements upon the CCPA made by the CPRA include clarifications on clinical trial exemptions. For instance, if biomedical research or a clinical trial is conducted in keeping with the Common Rule, an exemption applies.

The CPRA also provides exemptions for healthcare providers and medical data that's protected by the Confidentiality of Medical Information Act.

Additionally, the following is exempt:

"Personal Information collected as part of a clinical trial or other biomedical research study subject to or conducted in accordance with the Federal Policy for the Protection of Human Subjects...."

Significant Requirements of the CPRA

  • Service providers are banned from combining data received from other businesses or collected in the "business" capacity of the service provider with personal information collected as a service provider.
  • Businesses will now have to enter into contracts with third parties that the business "shares" or sells personal data to. In this context, "sharing" refers to transfers of data for the purpose of cross-contextual advertising.
  • Storage limitation, data minimization, and data security requirements are established. For example, the CPRA demands that businesses disclose: "the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible the criteria used to determine such period..."
  • The 30-day "cure" period before a case of non-compliance ends in a CCPA violation is abolished.
  • The CCPA's private right of action has been broadened to encompass unauthorized disclosure of or access to an email address and password or security question, which would grant access to an account if the disclosure or access came as a result of a failure to execute reasonable security measures.

The CPRA also allows consumers to specifically:

  • Ask that a business use a commercially reasonable effort to correct erroneous personal data in response to a verified request
  • Restrict a business's disclosure and use of the consumer's "sensitive personal information" that includes a broad range of data elements
  • Opt out of "sharing," which is defined by the CPRA as disclosures of personal data for the purposes of cross-contextual advertising
  • Opt out of automated profiling and decision making (although this is dependent upon a rulemaking proceeding)

How to Comply With the CPRA

When it comes to CPRA compliance, businesses should be prepared to respond to all regulatory requirements swiftly. Through advanced reporting, which may include executive reports, trends, and native reporting, companies must be prepared to satisfy data requests at scale.

Additionally, businesses need to automatically discover, identify, and classify all sensitive personal information (SPI) no matter where it is stored. According to the CPRA, this data includes such things as:

  • Driver's licenses
  • State ID numbers
  • Exact geolocation
  • User credentials
  • Passport information
  • "Sex life" or sexual orientation information
  • Racial or ethnic origin data
  • Biometric or genetic information
  • Union membership
  • Content of mail, email, and SMS messages
  • Philosophical or religious beliefs
  • Social Security Numbers

The Right to Correction Stipulation

With the above in mind, organizations doing business in California must be able to make an inventory of all personal and sensitive information that belongs to an identity. This information can be either direct or inferred.

You should inventory all that data to gain a complete picture of exactly what consumer information your business is collecting.

That's because the CPRA stipulates that businesses have to provide consumers with the means to correct and update any information the company has, which the consumer deems incorrect.

The Right to Know Stipulation

Your business should also try to strengthen any privacy management program it has by recording data flows and automating the "right to know" fulfillment process.

According to the CPRA, a consumer's "right to know" includes personal information that is not just collected, but that is also shared or sold. Your company must now reveal what data categories it collects, shares, or sells to any third party. Moreover, you should keep in mind that the right to know extends past the CCPA's current 12-month lookback provision.

The Right to Limit the Disclosure and Use of Sensitive Personal Information

Your company should add context to the information it collects by inferring new attributes, uncovering relationships, and viewing information according to its end-use.

This is because of the CPRA's stipulation that consumers will now be allowed to limit the collection and processing of their sensitive personal data to only "necessary" uses with the goal of providing the services or goods they've asked for.

The Right to Delete Rule

Your business must be able to determine where information is located, what ought to be deleted, and then ensure that ongoing deletion validation is automatic.

This is because the CPRA demands that businesses inform service providers, contractors, and third parties of deletion requests made by consumers. The important part to remember here is that if your company receives that deletion request, you are now responsible for ensuring that all third parties work together to continue deleting the consumer's data down the line.

To comply with the CPRA, you'll want to focus on:

  • Protecting data
  • Limiting data retention
  • Minimizing data collection

Additionally, keep in mind that your business will be required to prominently display a "Limit the Use of My Sensitive Information" link or button on its website. The only exception to this is if you provide consumers with the ability to limit information use through a preference signal (as in from a browser).

Penalties for Non-Compliance

The CPRA updates the CCPA's penalties to include administrative fines for intentional violations involving the sensitive personal information of people under the age of 16. These fines may also extend up to $7,500 (USD).


The CPRA updates and expands upon the CCPA. It creates new privacy rights for consumers, allowing them to prevent businesses from using sensitive personal data, which may include financial or health information. It also prevents businesses from selling or knowing a consumer's location without the consent or knowledge of that consumer.

Additionally, the CPRA establishes a new agency to protect the rights of the consumer by giving them back control over data that belongs to them and by increasing overall transparency.

The CPRA gives consumers the following major rights:

  • The right to know what personal, sensitive information businesses collect and why
  • The right to deny the sale of that personal information
  • The right to hold businesses responsible for the security of any personal information that is collected

Finally, the CPRA triples fines for collecting and selling the private information of anyone under the age of 16, and requires businesses to acquire opt-in consent in order to sell to anyone 16 years old or younger.

William B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.