CPRA Compliance: What Changed from CCPA and What You Need to Do
Complete guide to CPRA compliance: new consumer rights, updated thresholds, the CPPA enforcement agency, and what changed from the original CCPA.
Last updated: 2026-02-07
The California Privacy Rights Act (CPRA) is often described as a new privacy law. It's not. It's an amendment to the CCPA -- a significant one that strengthened and expanded the original law in meaningful ways, but an amendment nonetheless.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the CPRA (Proposition 24, 2020) and the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100), as of the date of publication.
If someone tells you to "comply with the CPRA," what they really mean is: comply with the CCPA as amended by the CPRA. It's one law now. The distinction matters because you don't need two separate compliance programs -- you need one program that accounts for everything CPRA changed.
This guide covers exactly what changed, what stayed the same, and what you need to do about it. If you're starting from scratch, read our Complete Guide to CCPA Compliance first. This article assumes you have a basic understanding of the CCPA and focuses on the delta.
What Is the CPRA?
The CPRA (Proposition 24, 2020) was approved by California voters in November 2020 and took effect on January 1, 2023, with a lookback period to January 1, 2022 (meaning businesses needed to track data collected from that date forward). It amended the CCPA (Cal. Civ. Code §§ 1798.100–1798.199.100).
Its official purpose was to strengthen the CCPA by:
- Adding new consumer rights
- Creating a dedicated enforcement agency
- Expanding the definition of what constitutes "sharing" data
- Introducing data minimization requirements
- Adding new categories of regulated data (sensitive personal information)
- Raising certain applicability thresholds
Think of the CPRA as CCPA 2.0. It kept the foundation and added a second story.
What Changed: The Major Amendments
1. New Consumer Rights
The CPRA added two significant new consumer rights on top of the original four (know, delete, opt-out, non-discrimination).
Right to Correct
Consumers now have the right to request that you correct inaccurate personal information (Cal. Civ. Code § 1798.106). When you receive a verified correction request, you must use "commercially reasonable efforts" to correct the data in your records and instruct your service providers and contractors to do the same.
What "commercially reasonable efforts" means in practice:
- Review the consumer's claim and any supporting documentation they provide
- If the correction is straightforward (wrong address, misspelled name), just fix it
- If the claim is disputed (e.g., the consumer says their order history is wrong but your records indicate otherwise), you can investigate and make a good-faith determination
- Document your assessment and communicate the outcome to the consumer
This right is less operationally complex than deletion but still requires a process. Build it into your existing DSAR workflow. For details on DSAR processing, see our CCPA DSAR Process guide.
Right to Limit Use of Sensitive Personal Information
This is a bigger deal. The CPRA created a new category of data called "sensitive personal information" (Cal. Civ. Code § 1798.140(ae)) and gave consumers the right to limit how businesses use it (Cal. Civ. Code § 1798.121).
Sensitive personal information includes:
- Social Security number, driver's license, state ID, or passport number
- Account log-in credentials (username with password or security question/answer)
- Financial account number with access credentials
- Precise geolocation (within a radius of 1,850 feet)
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
- Contents of personal mail, email, or text messages (unless the business is the intended recipient)
- Genetic data
- Biometric information for identification purposes
- Health information
- Sex life or sexual orientation data
When a consumer exercises the right to limit use, you must restrict your processing of their sensitive personal information to what is "necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services."
In practice, this means:
- You can still use sensitive PI to complete transactions, provide services, and ensure security
- You cannot use it for profiling, advertising, or other secondary purposes
- You cannot use it for purposes unrelated to why you collected it
If you process sensitive personal information beyond what's necessary for the core service, you must provide a link on your website: "Limit the Use of My Sensitive Personal Information." This can be combined with the "Do Not Sell or Share" link.
2. The California Privacy Protection Agency (CPPA)
The CPRA created the CPPA -- the first dedicated privacy enforcement agency in the United States. This is arguably the most consequential change, because it shifted privacy enforcement from being one of many priorities for the AG's office to being the sole mission of a dedicated agency.
What the CPPA does:
- Rulemaking: The CPPA issues regulations that implement and clarify the CCPA/CPRA. These regulations have the force of law and cover everything from DSAR response requirements to audit procedures.
- Enforcement: The CPPA can investigate violations, conduct audits, issue subpoenas, and bring administrative enforcement actions. It can impose the same penalties as the AG ($2,500/$7,500 per violation).
- Guidance: The CPPA publishes guidance documents, FAQs, and opinion letters that help businesses understand their obligations.
Why this matters for businesses:
A dedicated agency means more resources devoted to privacy enforcement. The AG's office had to balance privacy enforcement against everything else (antitrust, consumer protection, environmental law, etc.). The CPPA does nothing but privacy. That means more investigations, more audits, and more enforcement actions.
The CPPA has been actively issuing regulations since its inception and has made clear that enforcement is a priority. If you've been counting on limited regulatory bandwidth to shield you from scrutiny, that calculus has changed.
For details on enforcement actions and penalties, see our CCPA Penalties guide.
3. Expanded Definition of "Sharing"
The original CCPA regulated the "sale" of personal information. CPRA added "sharing" as a separate concept.
"Sharing" means (Cal. Civ. Code § 1798.140(ah)): Disclosing personal information to a third party for cross-context behavioral advertising, whether or not money changes hands.
Cross-context behavioral advertising is targeting ads to a consumer based on their behavior across different businesses, websites, apps, or services. This is the core of modern programmatic advertising.
Why this matters: Under the original CCPA, some businesses argued that their data flows to advertising platforms weren't "sales" because no money changed hands (the consideration was advertising services, not cash, and the definition was debatable). CPRA closed that loophole. If you share data for behavioral advertising, consumers have the right to opt out -- period.
Practically, this means:
- The "Do Not Sell" link becomes "Do Not Sell or Share My Personal Information"
- Your privacy policy must disclose sharing activities in addition to sales
- Opt-out requests apply to both selling and sharing
- GPC signals must be treated as opt-outs for both selling and sharing
For details on how this affects website tracking, see our CCPA Cookie Compliance guide.
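The list above says GPC signals must be honored as opt-outs of both selling and sharing. The following is an added example, not code from the article, showing how a site might do that on the server side. It relies on two details from the Global Privacy Control specification (the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property); the function names, the stored opt-out record shape, and the tag list are assumptions made for illustration.

```javascript
// Added example: honor a Global Privacy Control (GPC) signal as an opt-out of
// both "sale" and "sharing". Function names and data shapes are hypothetical.

// Node's http module lower-cases header names, but a hand-built object may
// not, so compare case-insensitively. The GPC spec defines exactly one valid
// value, "1"; anything else is treated as "no signal".
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client-side counterpart: the browser exposes the same preference as a
// boolean on navigator. Takes `nav` as a parameter so it can be tested offline.
function gpcEnabledInBrowser(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Effective opt-out state for one visitor. `stored` is the (assumed) record of
// a prior opt-out made through the "Do Not Sell or Share" link. A GPC signal
// sets BOTH flags; it never clears an opt-out the consumer already made.
function optOutState(headers, stored) {
  const gpc = hasGpcSignal(headers);
  const prior = stored || { sale: false, share: false };
  const sale = prior.sale || gpc;
  const share = prior.share || gpc;
  let source = "none";
  if (gpc) source = "gpc";
  else if (prior.sale || prior.share) source = "link";
  return { sale, share, source };
}

// Decide which third-party tags may load. Tags whose purpose is cross-context
// behavioral advertising are "sharing" under the amended CCPA and must be
// suppressed when the visitor has opted out of either sale or sharing.
function allowedTags(state, tags) {
  const blocked = state.sale || state.share;
  return tags.filter(
    (t) => !(t.purpose === "cross-context-advertising" && blocked)
  );
}

// Constructed sample: a request carrying a GPC signal and a tag inventory.
const SAMPLE_HEADERS = { "Sec-GPC": "1", "user-agent": "example-browser/1.0" };
const SAMPLE_TAGS = [
  { name: "first-party-analytics", purpose: "analytics" },
  { name: "ad-network-pixel", purpose: "cross-context-advertising" },
];

function runSample() {
  const state = optOutState(SAMPLE_HEADERS, null);
  return { state, tags: allowedTags(state, SAMPLE_TAGS).map((t) => t.name) };
}
```

A point worth keeping in mind from the code: the signal only ever adds restrictions. A visitor who opted out through the link and later browses without GPC stays opted out, because the stored record is OR-ed with the header, not replaced by it.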
4. Raised Data Threshold
CPRA changed the second applicability threshold (Cal. Civ. Code § 1798.140(d)) from 50,000 consumers/households to 100,000 consumers/households. This was a deliberate move to reduce the number of smaller businesses subject to the law.
If you were on the bubble under the old 50,000 threshold, you may now be exempt. Conversely, if you're well above 100,000, nothing changed for you.
See Who Does the CCPA Apply To? and Does CCPA Apply to Small Businesses? for detailed threshold analysis.
5. Contractor Category
The original CCPA had two categories of entities: businesses and service providers. CPRA added a third: contractors.
Service providers process personal information on behalf of a business under a written contract and cannot use the data for their own purposes.
Contractors receive personal information from a business under a written contract that prohibits them from selling, sharing, or using the data for purposes other than the contract -- but the key difference is that the contractor must certify that they understand and will comply with these restrictions.
In practice: The distinction between service providers and contractors is subtle. Both process data on your behalf. Both have contractual restrictions. The main operational difference is:
- Contractors must certify their understanding of the restrictions
- Businesses must monitor contractors' compliance (and can audit their practices)
- Contractors have slightly different obligations regarding consumer requests
For most small and mid-sized businesses, the practical impact is small: review your vendor contracts and make sure they properly categorize each vendor as a service provider, contractor, or third party, with the appropriate contractual terms for each.
6. Data Minimization and Purpose Limitation
CPRA introduced three principles borrowed from the GDPR:
Data minimization: You should only collect personal information that is "reasonably necessary and proportionate" to achieve the purposes for which it was collected.
Purpose limitation: You should only use personal information for the purposes you disclosed at the time of collection. If you want to use it for a new purpose that is "incompatible" with the original purpose, you must provide new notice.
Storage limitation: You should only retain personal information for as long as "reasonably necessary" for the disclosed purpose. Your privacy policy must now disclose retention periods (or the criteria for determining them) for each category of personal information.
What this means in practice:
- Don't collect data "just in case." If you don't have a specific purpose for a data point, don't collect it.
- If you originally collected email addresses for order confirmations and now want to use them for marketing, you need to provide notice (and, ideally, consent).
- Establish and document retention schedules. "We keep everything forever" is no longer acceptable.
- Delete data when the retention period expires. This requires a process, not just a policy.
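The last two items call for a documented retention schedule and a process that actually acts on it. Here is an added example, not from the article, of the shape such a process can take: a schedule keyed by data category, and a job that sorts records into expired, retained and unscheduled. The categories, periods, record fields (including a `legalHold` flag) and sample records are all constructed placeholders for illustration, not a recommended schedule for any business.

```javascript
// Added example: a retention schedule plus the classification step a deletion
// job runs against it. All categories, periods and records are constructed.

// Each entry records the period and the disclosed purpose it is tied to,
// which is what the privacy policy has to state per category.
const RETENTION_SCHEDULE = {
  "order-history":   { days: 7 * 365, basis: "transaction and tax records" },
  "marketing-email": { days: 2 * 365, basis: "marketing with notice" },
  "support-ticket":  { days: 3 * 365, basis: "customer support" },
  "web-analytics":   { days: 13 * 30, basis: "site analytics" },
};

const DAY_MS = 24 * 60 * 60 * 1000;

// Classify records relative to the schedule as of `now`.
// A record in a category with no documented period is reported as
// "unscheduled" rather than silently kept: that is exactly the
// "we keep everything forever" gap the policy is supposed to close.
// A legal hold (assumed field) overrides expiry but is still listed so the
// job's output shows why the record survived.
function classifyRecords(records, schedule, now) {
  const out = { expired: [], retained: [], unscheduled: [] };
  for (const r of records) {
    const rule = schedule[r.category];
    if (!rule) {
      out.unscheduled.push(r);
      continue;
    }
    if (r.legalHold) {
      out.retained.push(r);
      continue;
    }
    const expiresAt = new Date(r.collectedAt).getTime() + rule.days * DAY_MS;
    if (now.getTime() >= expiresAt) out.expired.push(r);
    else out.retained.push(r);
  }
  return out;
}

// Ids a deletion step should act on; kept separate so the decision and the
// destructive action can be logged and reviewed independently.
function idsDueForDeletion(records, schedule, now) {
  return classifyRecords(records, schedule, now).expired.map((r) => r.id);
}

// Constructed sample records, evaluated as of the article's update date.
const SAMPLE_RECORDS = [
  { id: "r1", category: "order-history",   collectedAt: "2017-01-15" },
  { id: "r2", category: "marketing-email", collectedAt: "2025-06-01" },
  { id: "r3", category: "web-analytics",   collectedAt: "2024-10-01" },
  { id: "r4", category: "loyalty-profile", collectedAt: "2020-05-05" },
  { id: "r5", category: "support-ticket",  collectedAt: "2021-01-01", legalHold: true },
];
const SAMPLE_NOW = new Date("2026-02-07T00:00:00Z");

function runSample() {
  const c = classifyRecords(SAMPLE_RECORDS, RETENTION_SCHEDULE, SAMPLE_NOW);
  return {
    expired: c.expired.map((r) => r.id),
    retained: c.retained.map((r) => r.id),
    unscheduled: c.unscheduled.map((r) => r.id),
  };
}
```

In the sample, `r1` and `r3` are past their periods, `r2` is within its period, `r5` is past its period but held, and `r4` belongs to a category the schedule never defined, so it is flagged for review instead of being treated as "keep by default".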
7. Expanded Right to Know (Lookback Period)
Under the original CCPA, the right to know covered only the preceding 12 months. CPRA changed this: consumers can now request information going back beyond 12 months, as long as the data was collected on or after January 1, 2022.
There's an exception: if providing information beyond 12 months is "impossible or would involve a disproportionate effort," you can limit the lookback. But you need to explain why.
Practical impact: If your data systems only retain 12 months of transaction history, this may not affect you. But if you have years of customer data (as most businesses do), be prepared to respond to requests that cover a longer period.
8. Audit Requirements
CPRA introduced the concept of risk assessments and cybersecurity audits. The CPPA has the authority to require businesses whose data processing activities present "significant risk to consumers' privacy or security" to:
- Submit regular risk assessments to the CPPA
- Perform annual cybersecurity audits
The specific requirements are being developed through CPPA rulemaking. As of this writing, the final regulations are still being refined, but the direction is clear: businesses that process large volumes of personal information or sensitive personal information should expect audit and assessment requirements.
9. Automated Decision-Making
CPRA added provisions around automated decision-making technology -- systems that process personal information to make decisions without meaningful human involvement. This includes algorithms, AI, and machine learning systems that affect consumers' access to goods, services, employment, housing, education, or similar opportunities.
The CPPA has authority to issue regulations giving consumers:
- The right to opt out of automated decision-making
- The right to access information about how automated decisions are made
- The right to request a description of the logic involved
These regulations are still being developed, but if your business uses automated systems to make decisions that affect consumers (automated credit scoring, algorithmic pricing, AI-powered hiring tools), stay tuned. This area is evolving rapidly.
What Stayed the Same
Not everything changed. The core of the CCPA remains intact:
- The four original consumer rights (know, delete, opt out, non-discrimination) -- CPRA added to them but didn't change them
- The $25 million revenue threshold -- unchanged
- The 50% data revenue threshold -- unchanged
- The 45-day response deadline for DSARs -- unchanged
- The private right of action for data breaches (Cal. Civ. Code § 1798.150) -- unchanged (but the CPPA can also bring enforcement actions for security failures)
- The requirement for at least two request submission methods -- unchanged
- The non-discrimination principle -- unchanged
- Service provider contractual requirements -- expanded (with the addition of contractors) but the core concept remains
Your CPRA Compliance Action Plan
If you're already CCPA-compliant, here's what you need to update for CPRA:
High Priority
- [ ] Update your "Do Not Sell" link to say "Do Not Sell or Share My Personal Information"
- [ ] Add a "Limit the Use of My Sensitive Personal Information" link if you process sensitive PI beyond what's necessary for core services (you can combine this with the Do Not Sell/Share link)
- [ ] Implement GPC signal support if you haven't already -- this is an enforcement priority
- [ ] Update your privacy policy to include:
  - Disclosure of "sharing" activities (in addition to sales)
  - Sensitive personal information categories collected and how they're used
  - Retention periods for each category of personal information
  - Updated rights descriptions (including correction and limiting use of sensitive PI)
- [ ] Build a process for correction requests within your existing DSAR workflow
Medium Priority
- [ ] Review and update vendor contracts to include contractor provisions where applicable and ensure all service provider agreements have CPRA-compliant language
- [ ] Implement data retention schedules -- document how long you keep each category of data and set up processes to delete data when the retention period expires
- [ ] Audit your data collection practices for data minimization -- identify any data you collect without a clear, specific purpose and stop collecting it
- [ ] Review your data processing purposes -- ensure you're using personal information only for disclosed purposes
Lower Priority (But Don't Ignore)
- [ ] Monitor CPPA rulemaking for new regulations on automated decision-making, risk assessments, and cybersecurity audits
- [ ] Evaluate whether you process sensitive personal information and whether your current uses go beyond what's "necessary" for the service
- [ ] Update employee training to cover the new rights and the concept of sensitive personal information
- [ ] Review your data breach response plan in light of the CPPA's enforcement authority
CPRA vs. Other State Privacy Laws
One of the most common questions: how does CPRA compare to other state privacy laws that have taken effect?
In general, CPRA is among the strongest state privacy laws in the U.S. Here's a simplified comparison:
| Feature | CPRA (CA) | VCDPA (VA) | CPA (CO) | CTDPA (CT) |
|---|---|---|---|---|
| Revenue threshold | $25M | None | None | None |
| Data threshold | 100K consumers | 100K consumers | 100K consumers | 100K consumers |
| Right to correct | Yes | Yes | Yes | Yes |
| Right to opt out of sale | Yes | Yes | Yes | Yes |
| Right to opt out of profiling | Coming (rulemaking) | Yes | Yes | Yes |
| Sensitive data consent | Opt-out (limit use) | Opt-in | Opt-in | Opt-in |
| Dedicated enforcement agency | Yes (CPPA) | No (AG only) | No (AG only) | No (AG only) |
| Private right of action | Yes (data breaches) | No | No | No |
| Data minimization | Yes | Yes | Yes | Yes |
| Universal opt-out mechanism | Yes (GPC required) | Yes | Yes (required) | Yes |
California's law is unique in having both a dedicated enforcement agency and a private right of action. Most other state laws rely solely on AG enforcement.
If you comply with CPRA, you'll be in good shape for most other state privacy laws -- but not all, since some (like Virginia) require opt-in consent for sensitive data processing rather than California's opt-out model. A comprehensive privacy program should account for the most restrictive requirements across all applicable states.
Frequently Asked Questions
Do I need to comply with both CCPA and CPRA? No, because they're one law. CPRA amended CCPA. Comply with the CCPA as it currently exists (post-CPRA amendments) and you're covered.
When did CPRA take effect? January 1, 2023, with a lookback to January 1, 2022.
Did CPRA change who the law applies to? Yes, in one way: it raised the data threshold from 50,000 to 100,000 consumers/households. The $25 million revenue threshold and 50% data revenue threshold remained the same. It also added the concept of "sharing" to the opt-out requirements, which expanded the scope of what businesses need to allow consumers to opt out of.
What is "sensitive personal information" and do I need to worry about it? Sensitive PI is a defined category that includes government IDs, financial credentials, precise geolocation, racial/ethnic origin, religious beliefs, union membership, personal communications content, genetic data, biometric data, health information, and sex life/sexual orientation data. If you collect any of these, you need to evaluate whether your use goes beyond what's necessary for your core service. If it does, you need the "Limit Use" link and the ability to honor those requests.
What's the CPPA and how is it different from the AG? The CPPA (California Privacy Protection Agency) is a new state agency created by CPRA dedicated exclusively to privacy enforcement. The AG (Attorney General) previously handled all CCPA enforcement. Now, both can enforce the law, but the CPPA has the added authority to issue regulations and conduct administrative proceedings. Think of the CPPA as the specialist and the AG as the generalist who can still step in for major cases.
Do I need to update my privacy policy for CPRA? Almost certainly yes. At minimum, you need to add retention periods, update your rights descriptions to include correction and limit-use rights, disclose sharing activities, and identify sensitive personal information categories. See our CCPA Compliance Checklist for the full list.
The Bottom Line
CPRA didn't reinvent the wheel. It added new spokes, strengthened the hub, and gave it a more powerful engine (the CPPA). If you built a solid CCPA compliance foundation, the CPRA updates are manageable -- more evolution than revolution.
The biggest practical changes for most businesses are:
- The "Do Not Sell or Share" update (adding "share" to the opt-out)
- GPC compliance (non-negotiable after Sephora)
- Retention periods in your privacy policy
- The correction right (build it into your DSAR process)
- Sensitive personal information (evaluate whether you need the "Limit Use" link)
Get those five things right and you've covered the bulk of what CPRA added.
References
- California Consumer Privacy Act (CCPA): Cal. Civ. Code §§ 1798.100–1798.199.100. Full text on the California Legislative Information site
- California Privacy Rights Act (CPRA): Proposition 24 (2020), amending the CCPA. CPRA ballot text
- CCPA Regulations: Title 11, Division 6, California Code of Regulations. Final CCPA regulations (California Office of the Attorney General)
- California Privacy Protection Agency (CPPA): Official CPPA website
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
Need a complete framework for handling consumer requests under the amended CCPA? Our DSAR Compliance Guide covers the full process -- including the new correction right and sensitive personal information requests added by CPRA. Download it and build a process that handles every request type with confidence.