California remains at the forefront of data privacy regulation in the United States with the California Privacy Rights Act (CPRA). California voters approved Proposition 24, which introduced the CPRA as an amendment to the California Consumer Privacy Act (CCPA).
This guide provides a detailed overview of the CPRA, its key provisions, compliance requirements, and practical steps for businesses.
What is the CPRA? A quick overview
The California Privacy Rights Act (CPRA) builds upon the foundation laid by the California Consumer Privacy Act (CCPA), introducing stronger protections for consumer data and establishing more robust enforcement mechanisms. At its core, the CPRA expands consumer rights, creates new obligations for businesses, and establishes the California Privacy Protection Agency (CPPA) as the primary authority overseeing compliance and enforcement.
One of the most significant changes introduced by the CPRA is the regulation of Sensitive Personal Information (SPI). Social Security numbers, biometric information, financial account details, and precise geolocation are now categorized under SPI and require enhanced protection.
The California attorney general plays a crucial role in adopting regulations and enforcing compliance under the CPRA. Some rulemaking powers have transitioned to the California Privacy Protection Agency, but the attorney general retains enforcement capabilities.
Additionally, the CPRA mandates stricter guidelines for data retention and purpose limitation, ensuring that businesses collect only the data they need and retain it only for as long as necessary.
The CPRA also introduces mandatory cybersecurity audits and risk assessments for businesses engaged in high-risk data processing activities. These audits are designed to identify vulnerabilities and ensure compliance with privacy and security best practices.
Effective date of the CPRA
The California Privacy Rights Act (CPRA) officially went into effect on January 1, 2023, but enforcement for new regulations was delayed to March 29, 2024.
This delay did not apply to the entire CPRA statute or to previously finalized regulations under the California Consumer Privacy Act (CCPA): the California Privacy Protection Agency (CPPA) and the Department of Justice have been able to enforce the CPRA's amendments to the CCPA since July 1, 2023.
It is also important to note that the law applies to personal information collected on or after January 1, 2022. Businesses subject to the CPRA must therefore have been compliant from its effective date and must notify consumers of their rights under the CPRA, including the rights to access, correct, and limit the use of their personal information, and the right to opt out of certain data processing activities. Meeting these requirements keeps a business both compliant with the CPRA and transparent with consumers about its data practices.
Scope and applicability: What types of businesses are covered by the CPRA?
The California Privacy Rights Act (CPRA) applies to businesses that meet specific thresholds, ensuring that a wide range of entities are covered under its regulations. These thresholds include:
- Businesses with annual gross revenues of $25 million or more.
- Businesses that, alone or in combination, annually buy, receive, sell, or share the personal information of 100,000 or more consumers, households, or devices.
- Businesses that derive 50% or more of their annual revenues from selling consumers’ personal information.
In addition to these businesses, the CPRA also applies to service providers, defined as entities that process personal information on behalf of a business. Service providers must comply with the CPRA and provide notice to consumers about their data collection and use practices, ensuring transparency and accountability.
It is important to note that the CPRA does not apply to non-profit organizations or government agencies. However, these entities may still be subject to other laws and regulations governing their data collection and use practices.
Furthermore, the CPRA extends its reach to businesses not physically located in California but that collect personal information from California residents. These businesses must comply with the CPRA and provide notice to consumers about their rights under the law, ensuring that the privacy rights of California residents are protected regardless of where the business is based.
Key highlights of the CPRA
The California Privacy Protection Agency (CPPA) has been established as the primary body responsible for enforcing the CPRA. Unlike the California Consumer Privacy Act, which relied on the Attorney General for enforcement, the CPPA has dedicated resources and authority to monitor compliance, investigate violations, and impose penalties. This agency can also conduct audits and address complaints from consumers. The California attorney general retains enforcement capabilities under the CPRA.
The CPRA introduces several important changes that businesses must be aware of to remain compliant:
Expanded consumer rights
The California Privacy Rights Act expands the rights previously granted under the California Consumer Privacy Act.
Consumers now have the right to correct inaccurate data, opt out of data sharing for targeted advertising, and limit the use of their sensitive personal information. Consumers also have the right to opt out of cross-context behavioral advertising, which involves the sharing of personal data for targeted advertising based on behavior across multiple platforms.
Businesses must also be transparent about data retention periods and disclose these details in their privacy policies.
Purpose limitation and data minimization
The CPRA emphasizes the principle of data minimization. Businesses must collect and process only the data that is necessary for the specified purpose and cannot retain it longer than needed. Clear documentation of data collection purposes and retention policies is required.
Sensitive Personal Information (SPI)
Sensitive Personal Information (SPI) is now explicitly defined under the CPRA. This category includes data such as Social Security numbers, financial information, biometric data, precise geolocation, and religious or philosophical beliefs.
Businesses must handle SPI with additional protections: providing clear opt-out mechanisms, applying enhanced security measures, and limiting SPI use to necessary purposes. For uses beyond basic service provision, organizations are required to collect explicit consent from consumers.
To learn more about the definitions and rules surrounding Sensitive Personal Information (SPI) in various states, check out our dedicated article on SPI in the U.S. and the associated comparison chart.
Risks of non-compliance with the CPRA: Enforcement and penalties
Non-compliance with the CPRA carries significant risks, both financial and reputational. The law allows fines of up to $7,500 per intentional violation, and violations involving minors' data carry automatic penalties.
Beyond financial costs, non-compliance can severely damage a company's reputation. In an era where consumers value transparency and trust, mishandling personal data can erode customer loyalty and impact brand image. Operational challenges also arise when businesses attempt to address compliance gaps reactively, especially under the pressure of regulatory scrutiny or legal action.
One notable example is the Sephora case, where the company faced a $1.2 million fine for failing to disclose its data-sharing practices. This highlights the importance of proactive compliance and transparency.
CPRA compliance checklist for businesses
Ensuring compliance with the CPRA requires a structured approach. Below are key steps businesses should take:
- Businesses must assess whether they are covered by the CPRA. Companies operating in California with annual revenues exceeding $25 million or processing data of 100,000 or more consumers fall under its jurisdiction.
- Privacy policies must be updated to align with CPRA requirements. These updates should clearly explain consumer rights, opt-out options, and data retention policies.
- Data mapping and inventory exercises are also critical. Businesses must understand what personal data they collect, how it flows through their systems, and where it is stored. Without this visibility, fulfilling consumer requests for data access, correction, or deletion becomes nearly impossible.
- Businesses must train their teams on CPRA compliance. Regular training ensures all stakeholders are aligned with compliance goals, whether managed by a Chief Privacy Officer, legal counsel, or dedicated compliance team.
- Contracts with third-party service providers must also be reviewed and updated to meet CPRA standards. These contracts should specify obligations around data processing, retention, and sharing.
- Lastly, organizations should implement regular risk assessments and cybersecurity audits to identify vulnerabilities and strengthen their data protection frameworks. Businesses must also have procedures in place to notify individuals in the event of data security breaches.
How does the CPRA differ from the CCPA and the GDPR?
The California Privacy Rights Act (CPRA) introduces several key differences from the California Consumer Privacy Act (CCPA):
- Definition of personal information: The CPRA expands the definition of personal information to include sensitive personal information, such as genetic data, health information, and precise geolocation data. This broader scope ensures that more types of data are protected under the law.
- Consumer rights: The CPRA grants new rights to consumers, including the right to correct inaccurate personal information and the right to limit the use of sensitive personal information. These rights empower consumers to have greater control over their data.
- Enforcement agency: The CPRA strengthens enforcement mechanisms by establishing the California Privacy Protection Agency (CPPA), a dedicated body responsible for enforcing the law. This agency has the authority to conduct audits, investigate violations, and impose penalties.
- Penalties and fines: The CPRA imposes stricter penalties for non-compliance, with fines of up to $7,500 for intentional violations, underscoring the importance of adhering to the new regulations.
The CCPA, as amended by the CPRA, is often compared to its European counterpart, the General Data Protection Regulation (GDPR). But the two laws feature fundamental differences beyond their geographic scope:
- Legal basis for processing: The CPRA primarily relies on consumer consent and transparency, whereas the GDPR provides multiple legal bases for data processing, including consent, contractual necessity, legal obligations, vital interests, public interest, and legitimate interests.
- Data subject rights: Both CPRA and GDPR provide rights against automated decision-making, but GDPR offers more explicit protections and conditions for profiling.
- Enforcement and penalties: The GDPR penalties can be more severe, with fines up to €20 million or 4% of annual global turnover, compared to CPRA's maximum of $7,500 per violation, emphasizing stricter enforcement in the EU.
- Data protection officer (DPO) appointment: The GDPR mandates the appointment of a DPO under certain conditions, a more structured approach than the CPRA's more flexible guidelines regarding the roles responsible for privacy compliance.
- Data breach notification: The GDPR requires a data breach to be reported to the relevant authority within 72 hours in a broader range of circumstances, whereas the CPRA ties the notification obligation to the nature of the breached information and the number of consumers affected.
- Cross-border data transfer rules: The GDPR imposes strict regulations on data transfers outside the EU, requiring adequacy decisions, appropriate safeguards, or specific exceptions, whereas CPRA provides guidelines but is less prescriptive about the mechanisms.
- Privacy-by-design: The GDPR explicitly requires privacy by design and by default for all data processing activities, making it a legal requirement, while CPRA encourages these practices but does not make them mandatory.
Overall, the GDPR remains the more stringent data privacy law of the two. Use the following visual as a helpful reminder of some of the key differences in consumer rights and business obligations between California's CPRA and the EU's GDPR:
Dark patterns: A growing concern in U.S. data privacy practices
Dark patterns refer to deceptive user interface designs intended to manipulate users into making choices they might not otherwise make. Examples of dark patterns include pre-checked consent boxes, misleading button placements, or requiring users to navigate multiple steps to opt out.
The CPRA explicitly prohibits the use of dark patterns that trick or manipulate consumers into giving consent.
Businesses must ensure their consent mechanisms are clear, user-friendly, and free from manipulative design choices. Privacy officers and UX teams should collaborate to align digital interfaces with CPRA requirements.
CPRA and consent management: How Didomi can help
An economic impact statement from the California Privacy Protection Agency (CPPA) estimated that more than 66,000 businesses (including nearly 44,000 small businesses) will be affected by California Privacy Rights Act regulations.
Complying with data privacy laws is becoming an increasingly complex and costly task as more jurisdictions pass legislation enshrining consumers' digital rights, and more are expected to follow, especially in the U.S., where the CPRA represents just one step in a complex privacy patchwork.
A top-rated Consent Management Platform (CMP) like ours at Didomi helps you comply with hundreds of data privacy laws worldwide, from a single platform. We empower thousands of businesses worldwide to comply with regulations while delivering great privacy user experiences thanks to our solutions and expertise.
But that's not all. Our solutions cover a wide range of use cases and needs for U.S. companies looking to comply with data privacy laws like the CPRA:
- Consent management: Collect, store, distribute and prove consent legally, in California and other U.S. states thanks to our multi-regulation CMP.
- Consumer privacy requests: Respond to your customers' privacy requests within the legal timeframe thanks to our privacy request solution.
- Data privacy frameworks: Integrate with industry frameworks such as the Global Privacy Platform (GPP), IAB's Transparency and Consent Framework, or Global Privacy Control (GPC).
- First-party data: Go beyond cookies and leverage first-party data to create unique, truly personalized customer privacy journeys with our Preference Management Platform (PMP).
Complying with data privacy laws can feel overwhelming, especially in the U.S., where the legal ecosystem surrounding data collection and privacy gets more intricate by the day. Get in touch to discuss your privacy challenges with one of our experts, or keep reading to find out how other companies approach compliance in the U.S.
Frequently Asked Questions (FAQs)
What does CPRA stand for?
CPRA stands for California Privacy Rights Act. It is an amendment to the California Consumer Privacy Act (CCPA) and was designed to strengthen data privacy protections for California residents.
When did CPRA enforcement begin?
The CPRA officially went into effect on January 1, 2023, and enforcement began on March 29, 2024.
Who does the CPRA apply to?
The CPRA applies to businesses operating in California that have annual revenues exceeding $25 million, process data of 100,000 or more consumers, or derive more than 50% of annual revenue from selling or sharing personal information.
How can my business maintain CPRA compliance?
Start by reviewing your data collection practices, updating your privacy policies, training your staff, and conducting data audits. Implementing tools like a Consent Management Platform (CMP) can streamline compliance.
What are dark patterns, and why do they matter?
Dark patterns are deceptive design choices that manipulate users into making unintended decisions. Under the CPRA, any consent obtained through dark patterns is considered invalid. We put together a comprehensive list of dark patterns with concrete examples; check it out to learn more.