The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) are foundational consumer privacy laws in the US that protect the personal information of California residents. For businesses operating in the state or handling personal information from its residents, understanding the laws is essential to avoid potential fines, lawsuits, and damage to their reputation as a result of noncompliance.
We look at the differences between the CCPA and the CPRA, and what businesses need to know to stay compliant.
What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is the first comprehensive consumer privacy law in the US. The regulation was passed in 2018 and came into effect on January 1, 2020. It protects California’s nearly 40 million residents, known as “consumers” under the law, and aims to give them more control over their personal information. The CCPA governs how their personal information is handled by businesses.
Simply being in California does not qualify someone for protection under the CCPA. Individuals must meet the legal definition of a resident, meaning they must be:
- in the state for other than a temporary or transitory purpose
or
- domiciled in the state, but temporarily outside of the state, such as on vacation or business trip
Those in the state temporarily are not covered. However, the law still protects California residents even when they are temporarily outside the state. The law’s definition may evolve over time as courts interpret it in response to privacy lawsuits.
Deepen your understanding of the CCPA
Explore the essential aspects of the California Consumer Privacy Act (CCPA) and its impact on your business practices.
What is the California Privacy Rights Act (CPRA)?
The California Privacy Rights Act (CPRA) was a ballot measure passed on November 3, 2020. The CPRA strengthens and expands the CCPA, amending the law to enhance consumer privacy protections and add new responsibilities for businesses.
The CPRA took effect on January 1, 2023, with enforcement starting in February 2024 after a legal challenge delayed the original July 2023 enforcement date.
Understand the CPRA’s impact on your business
Discover the key changes brought by the CPRA and how they affect your obligations as a data controller.
Does the CPRA replace the CCPA?
The CPRA does not replace the CCPA. Rather than creating a separate or new law, the CPRA amends and builds on the CCPA, replacing some aspects of it, by:
- introducing new consumer rights
- expanding existing consumer rights
- imposing additional compliance obligations on businesses
- establishing a new government agency for enforcement, the California Privacy Protection Agency (CPPA)
The California privacy laws are often referred to collectively as “the CCPA, as amended by the CPRA,” or as ”the CCPA/CPRA”.
CPA vs CPRA: who must comply?
The CCPA applies to for-profit businesses that operate in California, handles the personal information of the state’s residents, and meet at least one of the following thresholds:
- have annual gross revenues exceeding USD 25 million
- receive, buy, or sell personal information of 50,000 or more consumers, households, or devices
- earn more than 50 percent of their annual revenue from the sale of consumers’ personal information
The CPRA amended the thresholds for compliance. While the revenue thresholds remain unchanged, the threshold for the number of consumers whose personal information is handled has increased from 50,000 consumers to 100,000 consumers.
Businesses subject to the CPRA are for-profit entities that:
- have annual gross revenues exceeding USD 25 million in the preceding calendar year
- buy, sell, or share personal information of 100,000 or more California residents or households
- earn more than 50 percent of their annual revenue from selling or sharing consumers’ personal information
The CPRA also expanded the definition of business to include those that share consumers’ personal information in addition to selling it.
The CCPA/CPRA has extraterritorial jurisdiction, meaning it applies to any business that meets these requirements, even if the business is located outside California.
CCPA vs CPRA: data sharing
The CPRA imposed obligations on businesses that share consumers’ personal information with third parties.
The regulation defines sharing as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.”
Businesses that share personal information of 100,000 consumers must comply with the CCPA/CPRA.
The CPRA also granted new rights to consumers with regards to the sharing of their personal information. Consumers have the right to opt out of data sharing, and businesses must provide a clear and conspicuous link labeled “Do Not Sell Or Share My Personal Information” to enable this opt out.
CCPA vs CPRA: personal information and sensitive personal information
Personal information under the CCPA and CPRA “is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This includes a range of information, such as consumer’s real name, email address, alias, IP address, browsing or history, search history.
The CPRA expands on this by introducing “sensitive personal information,” which can cause greater harm to a consumer if misused, and to which the law grants additional protection. Sensitive personal information includes, among other things, details like:
- Social Security number, driver’s license, state ID card, passport number
- debit card or credit card number in combination with any required password or credentials that provide access to the account
- precise geolocation data that can accurately identify a person within a radius of 1850 feet (563 meters)
- racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership
- genetic data
- contents of a consumer’s postal mail, email, and text messages, except those specifically communicated to the business
The CPRA requires businesses to disclose when they collect sensitive personal information. Consumers have the right to limit the use or disclosure of their sensitive personal information to the purposes necessary for providing services or goods disclosed.
To facilitate this, businesses must provide a clear and conspicuous link titled “Limit The Use Of My Sensitive Personal Information” on their websites.
Do you know what personal information you collect from website visitors?
Scan your website and get a free audit of cookies in use.
CCPA vs CPRA: contractors
Businesses sometimes share personal information with third parties for different purposes, including data processing, for example ecommerce fulfillment or advertising. Under the CCPA, a “service provider” is a third party that processes personal information on behalf of a business.
The CPRA introduces the term “contractors,” defined as a third party that receives personal information for a business purpose and pursuant to a written contract.
A contractor cannot sell or share personal information, or retain, use or disclose it for any purpose other than the business purpose specified in the contract. Businesses must enter into data processing agreements with contractors.
CCPA vs CPRA: consumer rights
The CCPA gave consumers control over their personal information with the following rights:
- Right to know what personal information is being collected about them in the preceding 12 months
- Right to delete personal information collected from them
- Right to opt out of the sale of their personal information
- Right to nondiscrimination for exercising their CCPA rights
The CPRA expanded on some of these existing CCPA consumer rights.
- Right to know: California residents can now request access to personal information collected beyond the original 12-month limit in the CCPA, provided it was collected on or after January 1, 2022
- Right to delete: businesses must delete consumers’ personal information and notify any service providers, contractors, or third parties who have this information to delete it from their records (with exceptions)
- Right to opt out: consumers have the right to opt out of the sale and sharing of their personal information, as well as its use for targeted advertising or profiling
The CPRA also empowers consumers with new rights that were not included in the CCPA. These include:
- Right to correct inaccurate personal information
- Right to limit use and disclosure of sensitive personal information
- Right to data portability
- Right to access information about automated decision-making or profiling, and the likely outcomes of the same
- Right to opt out of the use of their personal information for automated decision-making
CCPA vs CPRA: opt-in rights for minors
Under the CCPA, businesses must obtain opt-in consent from minors between 13 years and 16 years of age, and from a parent or legal guardian for minors under 13 years, before collecting their personal information.
The CPRA expands on this, stating that if a minor opts out of the sale or sharing of their personal information, businesses must wait 12 months before requesting consent again.
Additionally, the CPRA increases penalties for violations involving minors, raising the maximum fine to USD 7,500 per incident.
CCPA vs CPRA: consent
The CPRA expands the consent requirements established by the CCPA, aligning more closely with the principles of the European Union’s General Data Protection Regulation (GDPR). Key areas where consent is now required include:
- selling or sharing personal information after a user has opted out
- selling or sharing personal information of minors
- secondary use, selling, or sharing sensitive personal information after a user opts out
- research purposes
- opting into financial incentive programs
The CPRA’s definition of consent is also closely aligned with the GDPR’s definition. Consent under the CPRA means “means any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer…signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose.”
The following actions do not constitute consent under the CPRA:
- acceptance of a general or broad terms of use document that contains descriptions of personal information processing along with other, unrelated information
- hovering over, muting, pausing, or closing a given piece of content
- agreement obtained through use of dark patterns
Consent can be given by the consumer themselves, a minor’s legal guardian, a person with power of attorney, or a person acting as a conservator for the consumer.
What you need to know about the CCPA and the GDPR
Unsure if your business needs to follow the CCPA, the GDPR, or both? Get clarity on your compliance requirements with this detailed comparison.
CCPA vs CPRA: data minimization
The CPRA introduces the principle of data minimization, similar to the GDPR, requiring businesses to only collect personal information that is ”reasonably necessary and proportionate” for the disclosed purpose. Any additional processing must remain consistent with the context in which the personal information was initially gathered.
It also restricts how long businesses can retain this information, limiting it to the time necessary to fulfill the purpose for which it was collected, with consideration for other regulatory requirements for retention, e.g. financial records purposes. This aligns with the GDPR’s storage limitation principle, where personal data should not be kept for longer than is necessary to achieve the specified purpose.
CCPA vs CPRA: notice at collection
Under the CCPA, businesses must inform consumers at or before the point of collection about:
- Categories of personal information to be collected
- Purposes for which the categories of personal information shall be used
The CPRA added new requirements for information that businesses must include in this notice at collection:
- Whether the personal information collected is sold or shared
- Categories of sensitive personal information collected
- Purposes for which sensitive information is collected or used
- Whether they are sold or shared, if applicable
- How long the business plans to retain each category of personal information (including sensitive personal information, if applicable)
Tailor your privacy policy for the CCPA/CPRA
The CCPA/CPRA requires businesses to publish a detailed privacy policy in addition to the notice at collection. Create a customized privacy policy that aligns with the CCPA/CPRA regulations in just a few steps.
CCPA vs CPRA: risk assessment
The CPRA introduces a requirement for businesses to conduct annual cybersecurity audits and regular risk assessments where processing of consumers’ personal information presents “significant risk to consumers’ privacy or security.”
Risk assessments must identify whether the processing involves sensitive personal information and must weigh the benefits against potential risks to consumer rights. Any risk assessment conducted must be submitted to the California Privacy Protection Agency .
These are significant additions to the California privacy law, but formal rules regarding their implementation are still under development.
CCPA vs CPRA: enforcement
Enforcement of the CCPA was solely the responsibility of the Attorney General. The CPRA introduced an additional enforcement body, the California Privacy Protection Agency (CPPA), which operates alongside the Attorney General without replacing its authority.
The CPPA cannot limit the Attorney General’s power and must halt any actions or investigations at the Attorney General’s request.
Additionally, businesses cannot be penalized by both the CPPA and the Attorney General for the same violation, ensuring no double penalties for the same offense.
CCPA vs CPRA: 30-day cure period
Under the CCPA, businesses in violation of the law were given a 30-day period to address and fix the alleged violation after notification from the Attorney General. The CPRA removed this automatic 30-day cure period for violations, though it can still be applied at authorities’ discretion.
However, the 30-day cure period still applies when a consumer brings a private action against a business for a data breach, allowing the business time to resolve the issue before facing penalties.
CCPA vs CPRA: private right of action
The CCPA granted consumers a private right of action to file civil proceedings against a business in case of a data breach. A consumer may bring such an action if their nonencrypted or nonredacted personal information is stolen, disclosed, or subject to unauthorized access because of the business’s failure to implement and maintain reasonable security measures.
The CPRA expanded this right. Consumers may now also bring a civil suit if their email address combined with a password or security question (which could grant access to their account) is breached. Interestingly, to date California is the only US state to provide this right in its privacy laws.
How to be CCPA/CPRA compliant
Here is a checklist for your business and its website to help you meet the CCPA/CPRA’s compliance requirements. To ensure compliance, we strongly recommend seeking qualified legal counsel.
- Feature “Do Not Sell Or Share My Personal Information” and “Limit The Use Of My Sensitive Personal Information” links on your website to enable consumer opt-outs.
- Provide a notice at or before the point of collection detailing the categories of personal information (including sensitive personal information), the purposes for which it’s collected, and whether it will be shared or sold.
- Publish a privacy policy updated at least annually that includes all required information, including your usage of cookies either within the privacy policy or as a separate cookie policy.
- Establish at least two methods for consumers to exercise their rights, such as a toll-free phone number, email address, or web form.
- Respond to opt-out requests within 15 days, halt further sale or sharing of the data, and notify all third parties who received the personal information in the previous 90 days.
- Obtain opt-in consent from minors aged 13 to 16, and from parents or legal guardians for minors under 13, before selling or sharing their personal information.
- Provide consumers with records of the personal information collected in the past 12 months if requested, free of charge.
- Respond within 45 days to verifiable consumer requests for disclosure or deletion, providing information on how the request will be processed.
- Offer financial incentives (such as different prices or services) only if they are reasonably related to the value the consumer’s personal information brings to the business.
- Ensure non-discrimination against consumers who exercise their rights under the law, including the right to opt out of data collection and processing.
CCPA/CPRA compliance with Cookiebot CMP
Tracking cookies, particularly third-party cookies from plugins, can collect personal information and sensitive personal information from website visitors.
Cookiebot CMP automatically scans websites to detect cookies and tracking technologies in use, and can block them if users opt out, enabling compliance with CCPA/CPRA.
Cookiebot CMP also enables you to display a “Do Not Sell Or Share My Personal Information” link on the cookie banner to meet the CCPA/CPRA requirement and facilitate California residents’ right to opt out of the sale or sharing of their personal information.
Experience it for yourself — try Cookiebot CMP free for 14 days. No credit card required.
The California Consumer Privacy Act (CCPA) is the first comprehensive privacy law in California, enacted in 2020, that provides California residents with rights regarding their personal information. The California Privacy Rights Act (CPRA), effective January 1, 2023, amends and expands the CCPA by introducing new rights, establishing the California Privacy Protection Agency (CPPA) for enforcement, and increasing compliance obligations for businesses. While the CPRA enhances consumer protections, it does not replace the CCPA but builds upon it.
No, the CPRA does not replace the CCPA, though the CPRA does replace some conditions of the CCPA. The CRPA strengthens and expands the CCPA, introducing new rights for consumers and additional obligations for businesses. It also establishes the CPPA for enforcement. The two laws are often referred to collectively as “the CCPA, as amended by the CPRA.”
The CCPA applies to for-profit businesses operating in California that meet specific thresholds, including having annual gross revenues exceeding USD 25 million, processing personal information of 100,000 or more consumers, or earning more than 50 percent of their revenue from selling or sharing personal information.
The CPRA introduces several new consumer rights, including:
- Right to correct inaccurate personal information
- Right to limit the use and disclosure of sensitive personal information
- Right to data portability
- Right to access information about automated decision-making and profiling
- Right to opt out of the use of personal information for automated decision-making
The CPPA is established as a new enforcement body alongside the Attorney General for overseeing compliance with privacy laws in California. It has the authority to investigate violations and impose penalties, but it cannot limit the Attorney General’s powers or penalize businesses for the same violation as the Attorney General.
