What Is the CPRA? A Beginner’s Guide to the California Privacy Rights Act


Kevin Henry

Data Privacy

April 03, 2025


Overview of the California Privacy Rights Act

The California Privacy Rights Act (CPRA) is the statewide privacy law that amends and strengthens the California Consumer Privacy Act (CCPA). It enhances Consumer Privacy Rights, creates a dedicated regulator, and raises the bar for how businesses handle Personal Information. The CPRA took effect on January 1, 2023, and applies to many organizations that do business in California.

At a glance, the CPRA defines Sensitive Personal Information and gives you the ability to limit its use; expands your rights to know, delete, and correct data; and imposes clear Data Processing Obligations on businesses. It also elevates Privacy Regulation Enforcement by empowering a new agency with rulemaking and audit authority.

  • Main focus: stronger transparency, control, and accountability around Personal Information.
  • Scope: California residents, regardless of where the business is located.
  • Regulatory body: the California Privacy Protection Agency (CPPA), working alongside the state Attorney General.

Consumer Rights under the CPRA

The CPRA expands and clarifies Consumer Privacy Rights so you can understand and influence how organizations use your data. Covered businesses must provide easy ways to exercise these rights and respond within statutory timelines.

Your key rights

  • Right to know and access: request the categories and specific pieces of Personal Information collected, the purposes, and the categories of recipients.
  • Right to delete: ask a business to delete Personal Information it collected, with limited exceptions.
  • Right to correct: request correction of inaccurate Personal Information maintained by the business.
  • Right to opt out of selling or sharing: direct a business not to sell or share your Personal Information, including for cross-context behavioral advertising.
  • Right to limit Sensitive Personal Information: restrict a business’s use and disclosure of Sensitive Personal Information to what’s necessary for the requested service.
  • Right to data portability: receive your data in a usable format and transmit it to another entity where feasible.
  • Right to non-discrimination: receive equal service and price for exercising your rights, subject to permitted loyalty programs and incentives.

Timing and verification

Businesses generally must respond to verifiable requests within 45 days (with a possible extension where permitted). They must provide clear instructions for submitting requests and reasonable methods to verify your identity before fulfilling them.

Children and teens

The CPRA increases penalties for violations involving minors’ data and requires opt-in consent to sell or share Personal Information of consumers under 16, with parental consent for those under 13.

Role of the California Privacy Protection Agency

The California Privacy Protection Agency is the dedicated regulator created by the CPRA. It leads rulemaking, conducts investigations and audits, and coordinates Privacy Regulation Enforcement with the Attorney General. The CPPA also promotes education and issues guidance to help businesses and consumers understand their obligations and rights.

Key functions include developing regulations for high-risk processing activities, defining governance expectations, and clarifying how opt-out signals and notices should work in practice. The Agency can bring administrative actions, levy penalties, and require remediation where appropriate.

Business Applicability and Compliance Thresholds

The CPRA applies to for-profit entities that do business in California, determine the purposes and means of processing, and meet at least one threshold. Nonprofits are generally outside scope, though contractual obligations may still flow down when they act as service providers or contractors.

Who is in scope

  • Annual gross revenue over $25 million (in the preceding calendar year).
  • Buys, sells, or shares the Personal Information of 100,000 or more California consumers or households.
  • Derives 50% or more of annual revenue from selling or sharing Personal Information.

Affiliates under common branding and certain joint ventures may also be covered. Businesses must assess their data flows and relationships to determine whether they are a “business,” “service provider,” “contractor,” or “third party” under the CPRA—each status carries distinct Business Compliance Requirements.

Key Provisions and Obligations

Core Data Processing Obligations

  • Purpose limitation and data minimization: collect, use, retain, and share Personal Information only as reasonably necessary and proportionate to the disclosed purposes.
  • Storage limitation and retention: disclose retention periods and avoid keeping data longer than needed to fulfill the stated purposes.
  • Security: implement reasonable safeguards appropriate to the nature and volume of data processed, including Sensitive Personal Information.

Sensitive Personal Information controls

Sensitive Personal Information includes data such as precise geolocation, financial account details, government IDs, health information, and more. Consumers may direct businesses to limit its use and disclosure to necessary, expected purposes. Your notices and internal policies should clearly flag when SPI is collected and how it is handled.

Transparency and notices

  • Provide a concise, accurate notice at collection describing categories of data, purposes, retention periods, and whether data will be sold or shared.
  • Maintain a comprehensive privacy policy covering Consumer Privacy Rights and instructions to exercise them.
  • Offer clearly labeled opt-out mechanisms and honor user-enabled opt-out signals (for example, recognized global privacy controls) where required.

Contracts with service providers, contractors, and third parties

  • Execute written contracts that bind partners to CPRA-compliant processing, prohibit secondary use, and ensure appropriate security.
  • Flow down obligations, enable oversight or audits where appropriate, and require notice if a partner can no longer meet requirements.

Children’s data and penalties

  • Higher penalties apply to violations involving minors’ Personal Information.
  • Penalties can reach up to $2,500 per violation and $7,500 for intentional violations or those involving minors, in addition to other remedies.

Adtech and cross-context advertising

The CPRA’s concept of “sharing” captures certain cross-context behavioral advertising. Businesses must provide opt-outs for selling or sharing and ensure contracts with ad partners meet CPRA standards.

CPRA vs CCPA Comparison

  • New regulator: the California Privacy Protection Agency assumes rulemaking and enforcement roles beyond the Attorney General’s under the CCPA.
  • Expanded rights: adds the right to correct and the right to limit Sensitive Personal Information, strengthening Consumer Privacy Rights.
  • Stronger governance: introduces explicit purpose limitation, data minimization, and retention disclosure requirements.
  • Broader opt-outs: covers “sharing” for cross-context behavioral advertising, not just “selling.”
  • Higher thresholds and refined scope: changes volume thresholds and clarifies roles for service providers, contractors, and third parties.
  • Enforcement: removes an automatic cure period and enhances Privacy Regulation Enforcement tools via the CPPA.

Compliance Best Practices and Resources

  • Determine applicability: map your entities, revenue, and data volumes against the statutory thresholds.
  • Inventory data: document what Personal Information you collect, where it flows, who receives it, and how long you retain it.
  • Classify Sensitive Personal Information and restrict use to necessary purposes; prepare a “limit use” request flow.
  • Refresh notices and your privacy policy with clear purposes, retention periods, and disclosures about selling or sharing.
  • Build a DSAR program: intake, verification, fulfillment within timelines, and accessible methods for consumers.
  • Strengthen vendor management: update contracts, require CPRA terms, and implement oversight for service providers and contractors.
  • Adtech governance: provide selling/sharing opt-outs and honor recognized opt-out signals where required.
  • Security and resilience: align safeguards to risk, log incidents, and test response plans for potential data breaches.
  • Retention governance: set defensible schedules and minimize data you do not need.
  • Training and accountability: train staff, assign ownership, and track compliance metrics for ongoing improvement.
  • Monitor regulatory updates from the California Privacy Protection Agency and be ready for additional rules on audits or risk assessments.

In short, the CPRA shifts privacy from one-time disclosures to continuous governance. By aligning your Business Compliance Requirements, contracts, and operations to the statute’s Data Processing Obligations, you reduce risk and build trust with California consumers.

FAQs

What businesses are subject to the CPRA?

For-profit entities that do business in California and meet at least one threshold—annual revenue over $25 million, buy/sell/share the Personal Information of 100,000 or more consumers or households, or derive 50% or more of revenue from selling or sharing Personal Information—are subject to the CPRA. Affiliates under common branding and certain joint ventures can also fall in scope.

How does the CPRA enhance consumer privacy rights?

It adds the right to correct data, strengthens the right to delete and access, creates an opt-out for selling and sharing, and introduces the right to limit the use of Sensitive Personal Information. It also reinforces transparency, retention limits, and nondiscrimination protections.

What is the function of the California Privacy Protection Agency?

The Agency writes regulations, provides guidance, conducts audits and investigations, and brings administrative enforcement actions. It works with the Attorney General to drive effective Privacy Regulation Enforcement and to educate both businesses and consumers.

How does CPRA differ from CCPA?

The CPRA amends the CCPA by expanding Consumer Privacy Rights, adding controls over Sensitive Personal Information, regulating “sharing” for targeted advertising, imposing stricter governance and contract terms, and establishing the California Privacy Protection Agency with dedicated rulemaking and enforcement authority.
