California Privacy Rights Act

Effective as of January 1, 2023

The cutting edge of data privacy is EVER CHANGING, which means that procedures are ALWAYS EVOLVING!

Table of Contents

SECTION 1 What is the California Privacy Rights Act (CPRA)?

On November 3, 2020, California voters approved Proposition 24, a ballot initiative which enacted the California Privacy Rights Act (“CPRA”).

The CPRA amends the California Consumer Privacy Act (“CCPA”), the most sweeping consumer data protection law in the U.S. This client alert highlights the differences between the CCPA and CPRA, the newly created agency charged with enforcing the CPRA, and steps businesses can take to begin their compliance efforts.

The CPRA has an effective date of January 1, 2023; however, many of its provisions will retroactively apply to personal information collected from January 1, 2022. 

CPRA Enforcement

CPRA enforcement will only begin on July 1, 2023, with a look-back to January 2022.

SECTION 2 CPRA Background

In 2018, California lawmakers expeditiously passed the CCPA, a consumer protection statute intended to enhance the privacy rights of California residents. Since the law passed, the CCPA’s regulations have been criticized in some quarters as vague and difficult to comply with. The CPRA is expected to address some of these issues by enhancing the CCPA with modifications including expansion of individual rights, introduction of new EU GDPR-style governance measures, and establishment of a new enforcement agency, among other things.

Key Changes New Enforcement Agency

The Privacy Protection Agency ("Privacy Agency")

Arguably one of the biggest changes in the CPRA is the creation of the California Privacy Protection Agency (“Privacy Agency”). 

New Enforcement Authority

The Privacy Agency will have the full administrative power, authority, and jurisdiction to implement and enforce the CPRA. Prior to this act, the CCPA was being enforced by the California Office of the Attorney General.

Violation Fines

The agency is empowered to impose a fine of $2,500 for each violation of the CPRA or $7,500 for each intentional violation or each violation involving a minor.

How much time to cure a violation?

The CPRA eliminates the CCPA’s 30-day notice and cure provision, but the Privacy Agency has discretion to provide a business with a time period in which to cure the alleged violation—taking into consideration a lack of intent to violate the CPRA and voluntary efforts to cure the alleged violation prior to being notified of a complaint.

Key Changes Changes to Covered Businesses

The CPRA modifies the CCPA’s definition of “business,” changing which entities are covered. On the one hand, the CPRA increases the CCPA collection threshold from 50,000 consumers or households to 100,000, and it removes devices from this count. This change will provide relief for small businesses. On the other hand, the CPRA expands coverage to include entities that derive 50% or more of their annual revenues from selling or sharing consumers’ personal information are now covered. While the act of sharing consumer personal information has been added, the 50% threshold remains unchanged.

Finally, in addition to the categories of “third-party vendors” and “service providers” under the CCPA, the CPRA adds “contractor” as a distinct class of regulated entities. A contractor is a third party to whom the business makes consumer personal information available to for business purposes. As with service providers, contractors must now enter into a written contract and agree to take appropriate steps to protect covered electronic data.

Who is covered?

CPRA applies to for-profit organizations that do business in the state of California and meet one or more of the following criteria.

  • Organizations with 25+ Million in Annual Revenue.
  • Organizations that buy, sell, or share information from 100+ consumers or households.
  • Organizations that derive at least 50% of annual revenue from selling or sharing consumer PI.

*CPRA has exemptions. Reach out to an e360 Privacy expert for more information.


Key Changes Sensitive Personal Information

One of the most significant changes from the CCPA is the creation of a new classification of personal information—sensitive personal information. This is a subcategory of Personal Information (PI) that includes:

  • Social Security, driver’s license, state ID, or passport numbers
  • Financial account information
  • Precise geolocation
  • Racial or ethnic origin
  • Sex life or sexual orientation
  • Religious or philosophical beliefs
  • Union membership
  • Nonpublic communication
  • Genetic, biometric, and health data

Collection of sensitive personal information requires additional disclosure, opt-out, and use requirements. The distinct treatment includes granting consumers the right to limit disclosure and use of sensitive personal information except as necessary to perform the services. Companies must provide a link on their website titled “Limit the Use of My Sensitive Personal Information” in addition to the CCPA’s required opt-out link so that consumers may exercise this right.

Key Changes New & Expanded Privacy Rights

Expanded Rights

The CPRA expands this right beyond the CCPA’s normal 12-month look-back period as long as doing so is not “impossible” or does not involve a “disproportionate” effort.

The CPRA expands the CCPA’s requirement to provide the categories of third parties to whom it discloses personal information to include the categories of service providers and contractors to whom it discloses information.

The CCPA allows California residents the right to request that a business delete their personal information if it is no longer needed to fulfill one of the statutory purposes. The CPRA expands this right, requiring businesses to send the request to delete to third parties that have bought or received the consumer’s personal information, so that all parties must comply with the request.

The CCPA allows consumers the right to opt-out of businesses selling their data to third parties. The CPRA expands this right to include the sharing of personal information, in addition to selling.

Businesses now must provide notice to consumers when their information will be shared and also notify them of their right to opt-out.

he CCPA requires businesses to obtain opt-in consent to sell the personal information of a California minor under the age of 16. The CPRA expands this right, mandating that businesses wait 12 months before asking a minor for consent in selling or sharing their personal information after the minor has declined.

In addition to expanding several CCPA rights, the CPRA also introduces several new consumer privacy rights.

New Consumer Privacy Rights

In addition to expanding several CCPA rights, the CPRA also introduces several new consumer privacy rights.

California consumers now have the right to request that a business correct any inaccurate personal information.

California consumers now have the right to limit the use and disclosure of sensitive personal information to uses necessary to perform services or provide goods reasonably expected by an average consumer. Service providers and third parties are also required to adhere to this limitation.

Like the GDPR (General Data Protection Regulation), consumers now have the right to access information about how companies use automated decision-making technology. The CPRA allows consumers the right to opt-out of any automated decision-making processes.

California consumers now have the right to request that businesses transfer personal information to another entity, to the extent it is technically feasible.

Key Changes Adoption of Certain European Union General Data Protection Regulation (EU GDPR) Principles

The CPRA has codified the following GDPR-inspired provisions:

Data Minimization

The CPRA restricts personal information collected by businesses to that which is “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected.” This section also prevents companies from avoiding CPRA obligations by sending personal information out of state or through third parties, contractors, or service providers. When a business collects personal information and passes it on to another entity for a business purpose, the CPRA also requires an agreement to be entered into that specifies the limited purposes of the given personal information. The receiving parties also must comply with the CPRA obligations and provide the same level of privacy while the information-sharing business is allowed to take reasonable steps to help ensure that the information is transferred appropriately.

Purpose Limitation

The CPRA allows businesses to collect personal information only for “specific, explicit, and legitimate disclosed purposes” that are disclosed in advance to consumers.

Data Retention Limitation 

The CPRA contains data retention limitations that, like the GDPR, require that businesses disclose to consumers “the length of time the business intends to retain each category of personal information or if that is not possible the criteria used to determine such period.”

Reasonable Security 

The CPRA expressly addresses security and security breaches, which is another GDPR-inspired provision. If a business violates its duty to implement and maintain proper security procedures and practices than consumers may have a civil action to recover damages, injunctive or declaratory relief, or any other relief the court deems proper.

Key Changes Private Right of Action

​​​​The CPRA’s expansion of the private right of action is arguably one of the most important provisions for businesses, given the recent rise in data breaches. The CCPA gives California consumers the private right to take legal action if their non-encrypted or non-redacted personal information becomes exposed because a business failed to implement reasonable security measures. The CPRA expands that private right of action to include unauthorized access to email addresses and passwords or security questions.

Looking Ahead What does the future hold for the CPRA?

These are just a few of the changes the CPRA is making to the world of data and privacy compliance. Although all aspects of the CPRA does not take full effect until January 1, 2023, the CPRA requests that companies that do business in California should start laying the internal groundwork for CPRA compliance throughout the course of 2021 and 2022.

It is important to remember that CCPA is still in effect and will remain so until 2023.

In the meantime, e360 are ready to help companies ensure compliance with CCPA and CPRA as well as other Global, Federal, and State based privacy regulatory requirements.


How to Prepare?

To prepare for the CPRA, organizations can take proactive steps such as:

  1. If you are a CCPA covered business, then ensure your CCPA program is fully up and running.
  2. Determine if you are Subject to the CPRA. Some businesses that were not subject to the CCPA will be impacted by the CPRA, and vice versa.

Discuss with a Privacy Expert

Our team is here to answer all of your CPRA questions and concerns.