The California Privacy Rights Act (CPRA) is a major privacy law that amends and
expands the California Consumer Privacy Act (CCPA). It was approved by voters in
November 2020 (via Proposition 24) and became fully operative on January 1, 2023, with
enforcement beginning on July 1, 2023.
🔍 Key Features of the CPRA:
1. New and Expanded Consumer Rights
Right to Correct: Consumers can request correction of inaccurate personal
information.
Right to Limit Use of Sensitive Personal Information: Consumers can restrict how
businesses use information like race, precise geolocation, health data, and sexual
orientation.
Expanded Right to Opt-Out: Includes the sale and sharing of personal data,
especially for targeted advertising.
2. Sensitive Personal Information
CPRA introduces a new category called Sensitive Personal Information (SPI).
Includes data such as:
o Government ID numbers
o Financial account info
o Health and genetic data
o Precise geolocation
o Racial or ethnic origin
o Religious or philosophical beliefs
o Union membership
o Contents of messages
o Sexual orientation
3. Stronger Accountability for Businesses
Data minimization and purpose limitation: Businesses must collect only what’s
necessary for the stated purpose.
The CPRA requires annual risk assessments and cybersecurity audits for high-risk data
processing activities.
Businesses must enter into contracts with service providers, contractors, and third
parties to ensure privacy obligations are upheld.
4. New Enforcement Agency
Establishes the California Privacy Protection Agency (CPPA) — the first U.S.
agency dedicated solely to enforcing privacy laws.
5. Applicability Thresholds
Applies to for-profit entities doing business in California that meet any of the
following:
o Gross annual revenue over $25 million
o Buy, sell, or share the personal data of 100,000 or more consumers or
households
o Derive 50% or more of revenue from selling or sharing personal data
⚖️ Enforcement & Penalties
The CPPA and the California Attorney General have enforcement powers.
Fines:
o $2,500 per violation
o $7,500 for intentional violations or violations involving children under 16
Businesses no longer get a 30-day cure period to fix violations before enforcement.
💡 Summary
The CPRA strengthens consumer privacy in California by introducing new rights, increasing
business accountability, and creating an independent enforcement agency. It moves
California closer to the GDPR-style data protection model and sets a national benchmark for
privacy standards in the U.S.