• Platform
    • The Osano Platform Overview

      Get an overview of the simple, all-in-one data privacy platform

    • header__icon-1
      Cookie Consent

      Manage consent for data privacy laws in 50+ countries

    • user-square
      Subject Rights Management

      Streamline and automate the DSAR workflow

    • assessments primary 200

      Efficiently manage assessment workflows using custom or pre-built templates

    • Unified Consent primary 200
      Unified Consent & Preference Hub

      Streamline consent, utilize non-cookie data, and enhance customer trust

    • data mapping primary 200
      Data Mapping

      Automate and visualize data store discovery and classification

    • shield-tick
      Vendor Privacy Risk Management

      Ensure your customers’ data is in good hands

    • Features & Integrations

      Key Features & Integrations

    • Privacy Templates
    • GDPR Representative
    • Consult Privacy Team
    • Regulatory Guidance
    • Integrations
  • Solutions
    • By Regulation
    • CPRA

      Discover how Osano supports CPRA compliance

    • CCPA

      Learn about the CCPA and how Osano can help

    • GDPR

      Achieve compliance with one of the world’s most comprehensive data privacy laws

    • By Organization Type
    • Icon (10)

      Don’t let data privacy compliance get in the way of growth

    • Icon (11)

      Preserve your competitive edge

    • Icon (12)

      Manage data privacy at scale

    • By Use Case
    • Path
      Consent Management

      Manage consent without the complexity

    • Icon (14)
      DSAR Automation

      Never miss a DSAR deadline again

    • Icon (15)
      Vendor Risk Management

      Regain insight and control over your customers’ data

    • Icon (16)
      Privacy Program Management

      Build and grow an end-to-end privacy program

  • Resources
    • View All Resources
    • book-open-01

      Expert insights on all things privacy

    • Icon (25)
      Resource Center

      Key resources to further your data privacy education

    • globe icon primary 200
      U.S. Data Privacy Laws

      A guide to data privacy in the U.S.

    • Icon (17)

      Research the most essential privacy topics

    • envelope icon primary 200

      Subscribe and become a Privacy Insider

    • Icon (20)
      Our Pledge

      No fines, no penalties

    • Icon (21)
      Product Updates

      What’s the latest with Osano?

    • Icon (22)
      System Status

      What’s the status of account management systems, the platform, and support systems?

  • Company
    • Vector
      About Us

      The Osano story

    • Icon (25)

      Become an Osanian and help us build the future of privacy!

    • Icon (26)

      We’re eager to hear from you

    • 
      Our Pledge

      No fines, no penalties

    • Icon (27)
      Data Licensing

      Add Osano data privacy ratings and recommendations to your application

    • Icon (28)
      Osano Swag Store
    • Icon (29)
      Press & Media

      Inquiries and Osano in the news

    • Icon (30)
      Partners & Resellers

      Interested in partnering with us?

  • Pricing
  • Sign In Book a Demo

How To Navigate the CPRA

Key Resources For Compliance

The Survival Guide

You wouldn’t navigate the jungle without the right equipment; you shouldn’t navigate California’s privacy landscape without the right equipment, either. 

Don’t worry, you don’t need a machete, tent, or mosquito netting—when it comes to data privacy compliance, knowledge is the best gear to equip yourself with.

Find it here, in your CPRA Survival Guide. We’ve gathered all of our most informative resources on the CPRA here, so you can quickly find the most relevant answers to your questions.

Download the Guide

Want the Guide as a PDF?

Download the content of this page in an easy-to-reference and easy-to-forward PDF.

Or, continue to read below:

Switchback - CPRA Survival Kit
Table of Contents

Need help complying?

Schedule a Demo

What Is the CPRA?

CPRA Overview

Are you subject to the California Privacy Rights Act (CPRA)? What are its primary requirements What penalties could you incur? Learn the answer to these questions and more in this blog article:

  • California Privacy Law: CCPA, CPRA, and Beyond

CPRA Effective Date

  • CPRA effective date: 1/1/2023
  • CCPA effective date: 1/1/2020
  • Enforcement date: 7/1/2023
    (updated: on February 9, 2024, the CPPA won its appeal, immediately allowing enforcement of the initial CPRA regulations and retroactively setting the enforcement effective date to July 1, 2023.)

Deeper Dive

For those looking for a deeper dive into the CPRA questions, we field the most, download our free and ungated FAQ eBook: 

  • Preparing for California’s Next Big Privacy Law: The CPRA (PDF)

Why Is It important?

Fines That Add Up

Privacy-minded individuals understand that respecting consumers' rights is inherently worthwhile, but data privacy compliance also saves businesses money and reduces risk.

Businesses that violate the CPRA are subject to:

  • $2,000 per offense for mistake
  • $2,500 per offense for negligent mistakes
  • $7,500 per offense for willful offenses

This adds up! Each affected individual counts as one offense, so if a data breach exposes thousands of customers’ data, the penalty could be in the millions of dollars.

The Sephora Example

Take beauty retailer Sephora—the California Attorney General gave them 30 days to fix CCPA violations on their website, but they didn’t make the deadline in time. As a result, they were hit with a $1.2 million fine in what became the first official enforcement action of the CCPA.

We dive deep into what went wrong and how the penalty came about in our blog: 

Read it to learn more about the penalties that noncompliance invites and how best to minimize your own risk.

What Do I Need to Do?

Start With the Basics

For businesses subject to any of the five laws that came online in 2023 or those coming online in 2024, we recommend following along on this checklist:

It covers the basics that you need for compliance with any privacy law, including the CPRA.

DSAR Overview

Learn or remind yourself of the basics of data subject access requests:

Have a DSAR Process That Includes Your Employees

One of the most unique features of the CPRA that businesses must be aware of is how the law treats data subject access requests (DSARs). Unlike other state privacy laws, the CPRA allows employees to make DSARs. Learn more about how this elevates complexity and risk in our infographic: 

Consent Requirements Under CPRA

And, as with all omnibus data privacy legislation, businesses need to be aware of how the law treats consent for data collection, processing, and transfers. Under the CPRA, businesses need to offer a means for consumers to:

  • Opt out of the sale or sharing of their personal information
  • Request businesses to limit the use of their sensitive personal information to only what is necessary for the business to provide its core product or service

To dig deeper into the consent and cookie banner requirements under the CPRA, review our blogs: 

Make It Easier Through Data Mapping

Like most data privacy regulations, the CPRA does not directly require you to map your organization’s data. But if you choose to skip this crucial step, meeting the law's other requirements will be much, much more difficult.

When done well, data mapping provides an accurate, up-to-date view of where personal data is sourced, stored, processed, and transferred throughout your organization. With a well-crafted data map, you'll be equipped to rapidly and accurately respond to DSARs, manage the flow of personal information and sensitive personal information based on user consent preferences, manage your vendors, and more. Learn about the basics of data mapping in our blog:

How Do I Get Compliant? 

Find a Data Privacy Platform That Works for You  

Given the scope and scale of the CPRA, privacy professionals looking to achieve CPRA compliance should evaluate holistic data privacy platforms rather than multiple point solutions. 

It can be tempting to identify a functional cookie consent solution and merely rely on spreadsheets to manage the rest, but this approach invites noncompliance. Not only does using spreadsheets and point solutions waste time with redundant data entry and context switching, but it also raises the risk of human error.  

In order to fulfill a DSAR under this approach, for example, you will have to have developed and maintained a data inventory listing where personal data flows through your organization or interview the owners of personal data stores throughout your organization. In both cases, you will be relying on manual, human-driven processes that put you at risk of missing the CPRA’s 45-day deadline and providing incomplete and/or inaccurate information to boot. What’s more, you’ll need to do this for each DSAR, and the work you do on your data inventory will continue to be manual. 

Using a data privacy platform like Osano supports the full spectrum of tasks required for CPRA compliance in a single, seamless experience. With Osano, you can: 

  • Manage visitor cookie consent; automatically discover site tags like cookies, scripts, and iframes; review automatically recommended site tag classifications; and discover which vendors receive personal information based on the cookies on your website. 
  • Identify high-risk vendors based on Osano’s Privacy Score and cookie scans to prioritize which vendors need assessments and data processing addenda review. 
  • Streamline and centralize the privacy assessment process, including privacy impact assessments and vendor assessments. 
  • Discover stores of personal data throughout your organization and automatically generate a data map and inventory. With the resulting data map, Osano automatically acts on related compliance tasks, like generating RoPAs and responding to DSARs. 
  • Automatically respond to common DSARs like summary and deletion requests with your organization’s data map and manage the workflow of more complicated requests. 
  • Rest easy knowing the Osano Platform is regularly updated by privacy experts in response to changing regulatory standards and protected by the industry’s only “No Fines. No Penalties.” pledge. 

Download the Osano Platform Brochure for an overview of the platform's capabilities!

How Osano Can Help You Comply

As a data privacy platform vendor, Osano is well aware of the individual challenges posed by the CPRA and the ways in which we can help businesses overcome them. Find out how we can support your business in our guide: 

And of course, if you’d rather skip the reading and talk to somebody in person about how we can help your business, just schedule a demo. 

What About Other States?

California may be the most robust data privacy law in the U.S. but there are others to consider. Check out our 2024 U.S. Data Privacy Laws Guide for a summary.

Essential CPRA Resources

Don't miss these essential resources for CPRA compliance.

CPRA Compliance Checklist


CPRA Compliance: How Osano Can Help

Learn more

CPRA Data Mapping: The Why, What, and How

Learn more

Employee DSARs in California

Learn more

Setting up a DSAR Process Checklist


The Expert's Guide to California Data Privacy Law

Learn more

Simplify Data Privacy Compliance

With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.