California Privacy Rights Act (CPRA): Here's what's changing

  • by Angelique Carson
  • posted on May 3, 2021
  • 4 min read
California Privacy Rights Act (CPRA): Here's what's changing

The California Privacy Rights Act of 2020 will replace the California Consumer Privacy Act of 2018, and many organizations will need to make some adjustments to data processing and sharing based on the new requirements.
The California Consumer Privacy Act's passage in 2018 was a tough pill for many companies to swallow. It created the first state privacy law in the U.S., and it incited widespread panic within privacy offices and engineering meetings: New obligations were coming, and some processes would have to change to meet the new duties. Keep in mind that many companies had spent the two years prior trying to set up operations to comply with the EU's General Data Protection Regulation. Now, anyone with customers in California faced two significant challenges.  

While it might have been a headache for companies, California residents were fond enough of the rights granted them by CCPA that two years later, they voted "CCPA 2.0" into law. Or, as it's formally called, the California Privacy Rights Act. 

Curious about privacy? Find out how Osano automates compliance & saves you time! Learn more

Does the CPRA replace the CCPA? 
The CPRA will replace the CPPA on January 1, 2023. While the CCPA contains a provision allowing businesses to correct violations before the California attorney general would issue a fine, the CPRA eliminates the grace period. California Privacy Rights Act, CPRA, builds on the CCPA and imposes additional obligations on businesses.  
What is the difference between the CCPA and the CPRA? 
The most significant change the CPRA will impose on businesses is a new set of obligations for processing sensitive data. The law defines sensitive data pretty broadly, including any information that reveals the following about a person: 
  • Government ID (Social Security numbers, passports)
  • Geolocation
  • Sexual orientation
  • Race, religion or union membership
  • Finances (credit cards, access codes)
  • Communications (log-ins, etc.)
  • Genetics
  • Health

In addition, the CPRA grants consumers greater control over their sensitive information. While the CCPA allowed consumers to opt-out of companies selling their data to marketers and other interested parties, the CPRA goes further. It says consumers can tell companies not even to use or disclose their sensitive personal data. 

New rules on data sharing 
The CPRA allows consumers to opt-out of the sharing of their personal information. The law defines data sharing as disclosing personal data to third parties for behavioral advertising. 
Data retention limits 
The CPRA imposes limits on data collection, retention and use. The law states that a business can't retain personal or sensitive information for purposes other than it was initially collected nor for "longer than reasonably necessary for that disclosed purpose." 
While there's not quite enough guidance yet on the specific rules related to profiling, the CPRA allows consumers to opt-out of the use of their data to run through automated decision-making processes to derive insights about a consumer. 
Who enforces the CPRA?
The California Attorney General enforces the CCPA. But the CPRA established a California Consumer Protection Agency, which will oversee compliance with the CCPA and CPRA. The agency can bring enforcement actions against businesses, and it's also charged with educating the public on the rules protecting Californians' privacy.
The five-person agency is also responsible for writing the specific rules and guidelines businesses must follow under California law. There are a whole lot of businesses eagerly awaiting those guidelines now. Some say it could be only a matter of weeks before the CPPA initiates its rulemaking process. But it was only in March that California officials announced appointments to the board, so it may be some time before the newly formed agency is ready to act. 

Try Osano Free!

What are the fines for violating?
Penalties for violating the CPRA can be as high as $2,500 per violation. Now, under the CPRA, regulators can fine businesses up to $7500 per violation. The CPPA won't start enforcing the CPRA until July 1, 2023, so there's a little breathing room. 

Below is a chart comparing some of the CPRA's most significant changes as compared to its predecessor, the CCPA. 

California Attorney General’s Office 
California Privacy Protection Agency
Consumers can opt-out of automated decision-making 
Sensitive data 
Businesses must disclose how they collect, use and disclose 

Consumers may opt-out of the use of their sensitive data
Data minimization 
Businesses must only collect and retain what’s “reasonably necessary” and “proportionate” to the intended purpose
Consumer remedies
Consumers may file a private right of action when lack of reasonable security leads to a breach
CCPA, plus consumers can file a private right of action if data breached includes consumer’s email address and password or security question 
Data Protection Impact Assessments
Required, specific rules to be determined by forthcoming rulemaking
Businesses must fulfill validation consumer requests to delete their data 
Businesses fulfilling legitimate deletion requests must also notify third-parties to delete such information
Third parties
Third-parties defined, excludes service providers and contractors 

Businesses must impose CPRA-level contractual obligations on third-parties before sharing, selling or disclosing personal data
Opt-out links
Businesses must have a “Do not sell my personal information” link
Businesses must have a “Do not share my personal information” link and a “Limit the use of my personal information” link 
Up to $7,500 per violation or $2,500 per unintentional violation
Automatic $7,500 fine for violations of minors’ data (children under the age of 16)

About The Author · Angelique Carson

Angelique Carson is the Director of Content at Osano, a B-corp privacy platform that makes compliance with privacy laws easy for companies of all sizes. She is a professional writer and editor who has worked in journalism and publishing for more than ten years. Previously Angelique was an editor at the International Association of Privacy Professionals and the host of The Privacy Advisor Podcast. She lives in Washington, D.C., with her puppy Miles.