What is CPRA Compliance? What's changing with the California Privacy Rights Act

by Osano Staff · posted on April 20, 2022 · 10 min read

The California Privacy Rights Act of 2020 will replace the California Consumer Privacy Act of 2018, and many organizations will need to make some adjustments to data processing and sharing based on the new requirements.
Online data privacy rights are continually and rapidly evolving. The leading set of laws and regulations in the US has been the California Consumer Privacy Act (CCPA) of 2018. In November 2020, voters in California passed Proposition 24, known as the California Privacy Rights Act of 2020 (CPRA).

Like the CCPA, this law applies to every for-profit organization located in California and those doing business in the state that collect personal information from California residents (or have it collected for them) and meet the revenue or other thresholds described below.

The law further strengthens online privacy rights for Californians, but the changes naturally extend to all consumers, as businesses want to create comprehensive privacy policies that will meet current and new state regulations as they come about.

It’s imperative that companies not only stay abreast of the online data collection and privacy changes, but that they also maintain compliance with new laws and regulations. This guide will outline California’s history related to privacy regulation, how it impacts businesses, critical elements of the CPRA, enforcement and penalties, and how you can better prepare for CPRA and other upcoming regulations.

A brief history of California privacy regulation

It wasn’t so long ago that online privacy rights were established, and in fact, the US still doesn’t have a comprehensive federal law on data privacy. As states work to tackle privacy rights, companies that operate nationally and internationally are left trying to interpret and maintain compliance. Globally, the European Union has established the General Data Protection Regulation, and other nations are following with their own sets of guiding principles.

California has led the way in codifying rules and regulations in the US. In 1972, voters in the Golden State amended the state constitution to include the right of privacy as an “inalienable” right extended to all. 

“Voters acted in response to the accelerating encroachment on personal freedom and security caused by increased data collection and usage in contemporary society,” the CPRA amendment update reads. “The amendment established a legal and enforceable constitutional right of privacy for every Californian. Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.”

Since that time, the California Legislature has established several safeguarding mechanisms, from the Online Privacy Protection Act to the Privacy Rights for California Minors in the Digital World Act. 

In 2018, the CCPA expanded privacy rights to include the ability for consumers to learn what personal information a business has collected and how it’s used, as well as to prohibit companies from selling their personal data. 

The California Privacy Rights Act is the next iteration of California law that strengthens privacy regulations and protects consumers’ privacy. The CPRA supports the California Consumer Privacy Act (CCPA) of 2018, and many organizations will need to make some adjustments to data processing and sharing based on the new requirements.

What are the key changes of this so-called CCPA 2.0, and how might it affect my business? 

You’re probably wondering how the CPRA will impact your company. The answer is: it depends. Broadly, the law offers many of the same protections as the CCPA, but it also updates many provisions and adds a handful of new rights.

The CPRA updates take effect January 1, 2023, with enforcement set to begin in July. Some of the most substantial changes include:

Updated “Right to Know” and “Right to Access Personal Information”: 

Consumers have the right to request from a business:

  • Categories of personal information (PI) the business has collected;
  • Categories of sources from which PI is collected;
  • Business or commercial purpose for collecting, selling, or sharing PI;
  • Categories of third parties to whom the business discloses personal information; and
  • Specific pieces of PI the business has collected about them.

The primary updates to this stipulation include the addition of sharing and disclosing procedures.

Updated criteria for qualifying businesses: 

The CPRA redefines the size and scope thresholds that determine whether a business is required to adhere to the law. A legal, for-profit entity that collects California consumers’ personal information must follow the law if it meets any of the following:

  • Has an annual gross revenue of over $25 million in the previous calendar year.
  • Buys, sells, or shares the personal information of 100,000 or more consumers or households (this is either alone or in combination with another company). The number is double what the CCPA outlined.
  • Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.

This stipulation may make it so some businesses no longer have to comply. Still, others that didn’t have to comply with the CCPA may be required to fall in line with the CPRA, such as SMBs that don’t meet the revenue requirements but still derive more than half of their annual revenue from selling or sharing consumers’ PI.


Grace period eliminated: 

While the CCPA contains a provision allowing businesses to correct violations before the California attorney general issues a fine, the CPRA eliminates the grace period. 

Ability to correct information: 

Under the CPRA, consumers are allowed to correct inaccurate personal data. Further, businesses must add a notice of the right to their privacy policy disclosures and create policies to respond to such requests.

New obligation for processing sensitive data:

Among the most significant changes in comparison to the CCPA is that the CPRA will impose a new set of responsibilities for processing sensitive data. The law defines sensitive data broadly and includes any information that reveals the following about a person:

  • Government ID (Social Security numbers, passports)
  • Geolocation
  • Sexual orientation
  • Race, religion, or union membership
  • Finances (credit cards, access codes)
  • Communications (log-ins, etc.)
  • Genetic information
  • Health

Greater control over sensitive information:

In addition, the CPRA grants consumers greater control over their sensitive information. While the CCPA allowed consumers to opt out of companies selling their data to marketers and other interested parties, the CPRA goes further. It says consumers can tell companies to not even use or disclose their sensitive personal data.

Companies also must provide a notice to consumers and a link on their homepage titled “Limit the Use of My Sensitive Personal Information.”

New rules on data sharing and portability: 

The CPRA allows consumers to opt out of the sharing of their personal information. The law defines data sharing as disclosing personal data to third parties for behavioral advertising. Relatedly, a consumer can request that a business transfer personal information to another entity “to the extent technically feasible, in a structured, commonly used, machine-readable format.”

Data retention limits: 

The CPRA imposes limits on data collection, retention, and use. The law states that a business can’t retain personal or sensitive information for purposes other than initially collected or “longer than reasonably necessary for that disclosed purpose.” Further, consumers can request a business delete personal data, and companies must send that request to third parties that have received the information.


While there’s not quite enough guidance yet on the specific rules related to profiling, the CPRA allows consumers to opt out of having their data run through automated decision-making processes that derive insights about them.

Rights for Minors: 

Under the CCPA, businesses must obtain opt-in consent to sell personal information of California residents under the age of 16. Now, if a minor doesn’t opt in, companies must wait 12 months before asking for consent again.

Below is a chart comparing some of the CPRA’s most significant changes compared to its predecessor, the CCPA.

  • CCPA: California Attorney General’s Office
  • CPRA: California Privacy Protection Agency

  • CPRA: Consumers can opt-out of automated decision-making

Sensitive data
  • CPRA: Businesses must disclose how they collect, use and disclose; consumers may opt-out of the use of their sensitive data

Data minimization
  • CPRA: Businesses must only collect and retain what’s “reasonably necessary” and “proportionate” to the intended purpose

Consumer remedies
  • CCPA: Consumers may file a private right of action when lack of reasonable security leads to a breach
  • CPRA: CCPA, plus consumers can file a private right of action if data breached includes consumer’s email address and password or security question

Data Protection Impact Assessments
  • CPRA: Required, specific rules to be determined by forthcoming rulemaking

  • CCPA: Businesses must fulfill validation consumer requests to delete their data
  • CPRA: Businesses fulfilling legitimate deletion requests must also notify third-parties to delete such information

Third parties
  • CCPA: Not defined
  • CPRA: Third-parties defined, excludes service providers and contractors; businesses must impose CPRA-level contractual obligations on third-parties before sharing, selling or disclosing personal data

Opt-out links on websites
  • CCPA: Businesses must have a “Do not sell my personal information” link
  • CPRA: Businesses must have a “Do not share my personal information” link and a “Limit the use of my personal information” link

  • CCPA: Up to $7,500 per violation or $2,500 per unintentional violation
  • CPRA: Automatic $7,500 fine for violations of minors’ data (children under the age of 16)

 “No retaliation” is allowed

It’s important to note that the CPRA prohibits discriminating against consumers who opt out by:

  • Denying goods or services to the consumer. 
  • Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties. 
  • Providing a different level or quality of goods or services to the consumer. 
  • Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
  • Retaliating against a team member, an applicant for employment, or an independent contractor for exercising opt-out rights. 

 Enforcement of the CPRA 

The CPRA required creating a new agency to implement and enforce the law. Dubbed the California Consumer Protection agency, the newly-established group will be responsible for ensuring the CPRA regulations are enforced. 

According to Bloomberg Law, “Although the CPRA grants the California Privacy Protection Agency ‘full administrative power, authority, and jurisdiction to implement and enforce’ the CCPA, the Attorney General still retains enforcement powers. Cal. Civ. Code § 1798.199.90 provides that the California Privacy Protection Agency ‘may not limit the authority of the Attorney General to enforce this title.’”

The agency can bring enforcement actions against businesses, and it’s charged with educating the public on the rules protecting Californians’ privacy. Additionally, the agency is responsible for writing the specific regulations and guidelines businesses must follow under California law. 

Many businesses are eagerly awaiting guidelines. In February 2022, the agency announced an update on the rulemaking process, with completion estimated in the fourth quarter. If rulemaking isn’t complete until the end of 2022, businesses would be left with little time to interpret and change their practices. It remains unclear if the initial January 1, 2023 compliance and July enforcement dates will be changed due to the rulemaking taking longer than expected.

What happens if the CPRA is violated?

The CCPA carries fines of $2,500 per violation, or $7,500 for each intentional violation. Still, it allows 30 days for businesses to remedy the violation once they’re informed of noncompliance.

The CPRA has more teeth — it both eliminates the 30-day remedy period and increases the fine for violations in the case of minors to $7,500 per incident, whether the violation was intentional or unintentional. The $2,500 maximum stands for accidental violations that involve California residents older than 16.

How can my company prepare for and ensure we’re compliant with the CPRA?

Right now, CPRA noncompliance becomes enforceable in mid-2023. This could change based on when the protection agency completes the final rulemaking. But (there’s always a “but”), there’s a 12-month “look-back” period. This means companies must be able to supply a person’s personal data to them for the entire year before the law takes effect on January 1, 2023. 

As with any new regulatory compliance measures, preparing early will help ease the transition and spread out any implementation costs. If you haven’t already, now is the time to review where you are and where you need to be.


Make sure you understand your company’s processes: 

  • What personal information does your business collect? 
  • Why is data being collected? 
  • What is done with PI collected by your company? Where is it stored, and with whom do you share it? 

Update notices on your website:

Point of data collection notices will need to be updated. In addition to notifying consumers that their data may be sold or shared, companies also have to inform users how long their data will be kept. Ensure your website’s privacy notice reflects the new definition of sensitive personal information (see above).

Update home page links: 

The CPRA mandates that businesses update their “Do not sell my personal information” links to include “Do not sell or share my personal information” and to display it prominently on their home page.

Update your privacy policy: 

Ensure all changes are reflected in your company’s privacy policy and update your policy annually.

Consider a consent management platform:

A designated consent management platform (CMP) can help your company document and manage user consent in a legally compliant manner before data is collected, stored, sold, or shared. A CMP can help ensure compliance with privacy laws, even as they change. CMPs also can help manage requests for data information and monitor third-party vendors.

Download our ebook:

Our ebook “Preparing for the CPRA” will help you better understand the law and how it impacts you in easy-to-understand language. 

The CPRA is a complex set of regulations. We’ve tried to highlight fundamental changes that will impact businesses so you can better prepare for the future. You don’t have to do it alone — Osano provides solutions to keep companies compliant and ready for whatever the next new set of privacy regulations brings.

Why Osano? 

Osano has attorneys on hand to continually monitor international privacy legislation, DPA opinions, and court cases, so you can rest easy that your company is doing everything possible to comply with regulations globally, even as they change. 

We can assist your company in creating policies, act as a company’s data protection officer (DPO), conduct assessments, create checklists, and more. We work with businesses of all sizes – from SMBs to Fortune 500 companies and everyone in between – and those at all stages in the compliance journey. 

Osano helps companies decide which vendors they want to work with, comply with regulations like GDPR, CPRA, and other laws, and efficiently collect and store consent for verification. With Osano, you can see all your SaaS vendors, privacy scores, data transfers, and risk factors instantly.

Reach out for a demo or free trial. 

About The Author · Osano Staff

The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”