What is the CPRA?
The California Privacy Rights Act (CPRA) is an amendment and addendum to the California Consumer Privacy Act (CCPA). It refines and extends the provisions laid down in the CCPA. The CCPA and CPRA, taken together, constitute a single California privacy law: the CPRA does not replace the CCPA.
The CPRA took effect on December 16, 2020, with most provisions becoming operative on January 1, 2020, and enforceable on July 1, 2023. The “lookback” period reaches back to January 1, 2022. This means that data collected from 2022 onwards is subject to the provisions of the CPRA.
What does the California Privacy Rights Act (CPRA) add to the California Consumer Privacy Act (CCPA)?
The CPRA adds many important provisions, clarifications, and course corrections to the CCPA. Some of these provisions bring the CCPA into closer alignment with the EU’s GDPR (General Data Protection Regulation) while others expand consent requirements to cover more scenarios.
Enforcement changes
The CPRA gives the California Privacy Protection Agency (CPPA) “full administrative power, authority, and jurisdiction to implement and enforce” the CCPA. Before the CPRA, the CCPA granted the attorney general these enforcement powers. The CPRA doesn’t limit the authority of the attorney general in this regard.
New privacy rights
The CPRA grants California residents four new rights and modifies five rights that already existed under the CCPA. New rights include the right to correct inaccurate personal information, the right to limit the use and disclosure of sensitive personal information, and the right to opt out of automated decision-making technology.
CCPA rights that have been expanded or modified by the CPRA include the right to delete personal information, the right to know categories and specific pieces of personal information, the right to opt-out of the sale or sharing of personal information, and the right of non-retaliation (formerly the right to nondiscrimination).
A new category of personal information
The CPRA creates a new category of personal information called sensitive personal information. Sensitive personal information is regulated more strictly than other personal information and includes data concerning:
- A consumer’s religious or philosophical beliefs
- A consumer’s sex life and sexual orientation
- A consumer’s genetic data
- A consumer’s biometric data
- A consumer’s precise geolocation
- A consumer’s racial or ethnic origin
- A consumer’s financial account information
- A consumer’s credentials allowing access to an account or accounts
- A consumer’s union membership
- A consumer’s driver’s license number, passport number, and Social Security number.
Fine-tuned business inclusions
The CPRA introduces new criteria for businesses that are subject to the CCPA. Smaller businesses that don’t generate significant revenues from the collection, sharing, and sale of California consumers’ personal information are now excluded from some or all compliance requirements.
Conversely, a greater number of larger businesses that generate significant revenues through the collection, sharing, or sale of personal information are now obliged to comply with the CCPA and CPRA.
Third-party accountability
CPRA regulations make covered businesses responsible for how third parties handle consumers’ personal information. This means that the company that performed the initial data collection answers to the California Privacy Protection Agency for how third parties use, share, or sell the personal information they shared with them.
Cross-context behavioral advertising
The CPRA modifies the opt-out right defined in the CCPA to specifically regulate cross-context behavioral advertising (CCBA) and its use of personal information. CCBA involves targeting advertising to a consumer using personal information that was gathered from activity “across businesses, distinctly-branded websites, applications, or services.”
More privacy law resources
- Colorado Privacy Act
- California Consumer Privacy Act (CCPA)
- Utah Consumer Privacy Act (UCPA)
- Connecticut Data Privacy Act (CTDPA)
- New York SHIELD Act
- Health Insurance Portability and Accountability Act (HIPAA)
FAQ
What does CPRA stand for?
“CPRA” stands for California Privacy Rights Act. Taken together with the California Consumer Privacy Act (CCPA), the CPRA makes up the California state privacy law. Both Acts are in effect at the same time, with the CPRA overriding the CCPA wherever they are in conflict.
When did the CCPA go into effect?
The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, and went into effect on January 1, 2020. It was the first comprehensive state data privacy law in the United States. Since then, it’s been joined by similar legislation in other states, like Utah, Virginia, and Colorado.
CCPA vs CPRA
It doesn’t make sense to compare the CCPA and CPRA as both are parts of a single data privacy law. The CPRA is newer than the CCPA, but it builds on and modifies the CCPA, so the two work together to bring California’s data privacy protection legislation up to date as the wrinkles get ironed out.
What is the California state privacy law?
The California state privacy law is a combination of the CCPA (California Consumer Privacy Act), the CPRA (California Privacy Rights Act), and other privacy related laws. The core of the California state privacy law is the CCPA, but the refinements and extensions of the CPRA are equally important.
Updated on: June 28, 2023
