CPRA
What is CPRA? Understanding the California Privacy Rights Act
The California Privacy Rights Act (CPRA) is a ballot initiative passed by California voters in November 2020 that amends and strengthens the California Consumer Privacy Act (CCPA).
The CPRA does not create a separate law. As both the California AG and the CPPA note, the result is a single framework typically referred to as "CCPA" or "CCPA, as amended." The CPRA's amendments took effect January 1, 2023, with enforcement by the newly created California Privacy Protection Agency (CalPrivacy) beginning July 1, 2023.
CPRA vs. CCPA: What’s Changed?
While the CCPA laid the foundation for consumer privacy rights in California, the CPRA strengthens and refines those protections in several key ways:
- Expanded Consumer Rights: The CPRA adds the right to correct inaccurate personal information and the right to limit the use and disclosure of sensitive personal information.
- New Category: Sensitive Personal Information (SPI): This new classification covers data such as social security numbers, precise geolocation, racial or ethnic origin, health data, and biometric information. SPI triggers additional protections and gives consumers the right to restrict how it is used.
- Creation of CalPrivacy: The CPRA established the California Privacy Protection Agency (“CalPrivacy,” formerly referred to as the “CPPA”) as the state's first dedicated privacy regulator, with authority to investigate violations, draft regulations, conduct audits, and impose administrative fines. The California Attorney General retains concurrent enforcement authority.
- Expanded Right to Access: The CCPA limited data access requests to information collected within the prior 12 months. The CPRA removes that cap, requiring businesses to provide access to all personal information collected on or after January 1, 2022, unless doing so is impossible or involves disproportionate effort.
Key Requirements for Businesses
The CPRA introduces stricter compliance obligations, particularly for businesses that process high volumes of personal data. According to DataGrail's CISO Guide to CPRA, organizations must now:
- Honor expanded consumer rights (access, deletion, correction, opt-out, and limitation of sensitive personal information).
- Implement data governance practices to handle SPI and demonstrate accountability.
- Conduct regular risk assessments and audits for high-risk data processing activities.
- Establish written contracts with service providers, contractors, and third parties that include CPRA-compliant data handling provisions.
CPRA and Children's Data
The CPRA increases protections for minors under the age of 16, requiring opt-in consent before selling or sharing their personal information. For children under 13, that consent must come from a parent or guardian; minors between 13 and 15 may consent for themselves.
The CPRA also triples the fine for violations involving minors' data: while unintentional violations carry a base fine of up to $2,500 per violation, any violation involving the personal information of a minor is subject to fines of up to $7,500 per violation regardless of intent. (As of January 1, 2025, these amounts have been adjusted for inflation to $2,663 and $7,988, respectively.)
Learn more: Children's Data and the CPRA
Enhanced Enforcement & Consumer Trust
Through the creation of the CPPA, the CPRA adds a dedicated enforcement body to privacy oversight in California. The CPPA can initiate investigations on its own, conduct audits, issue cease-and-desist orders, and impose administrative fines. The California Attorney General retains the ability to bring civil actions for violations. The CPRA also eliminated the CCPA's 30-day cure period, though the CPPA has discretion to provide time to remedy a violation based on factors like intent and prior cooperation.
Privacy Metrics and Reporting
Businesses that buy, sell, share, or otherwise make available the personal information of 10 million or more California residents in a calendar year must publicly disclose privacy metrics by July 1 of each year, covering the previous calendar year. Required disclosures include:
- The number of access, deletion, correction, opt-out, and data limitation requests received.
- Whether each request was complied with in whole or in part, or denied.
- The median or mean number of days to respond to each type of request.
This reporting requirement, which originated in the CCPA's regulations and was expanded by the CPRA to include new request categories (correction and limitation of SPI), reinforces corporate accountability and allows consumers, regulators, and researchers to evaluate how businesses manage personal data.