
California Privacy Rights Act (CPRA) Overview

The California Privacy Rights Act (CPRA) is a privacy law passed in November 2020 by California voters. The law amends and expands upon the California Consumer Privacy Act (CCPA) enacted in January 2020.

The CPRA was created to increase privacy protections and offer Californians more control over their personal information. It contains several new clauses not found in the CCPA, such as expanded consumer rights and the establishment of the California Privacy Protection Agency (CPPA), a new enforcement body.

People who need to comply with CPRA

Not everyone needs to comply with the law. The CPRA differs from the original CCPA in that it is much more liberal.

Businesses with 50,000 or more consumers were required to comply with the CCPA. That number is doubled in the CPRA. Only enterprises with more than 100,000 consumers are subject to CPRA.

If your business has more than 100,000 clients and at least 50% of your yearly revenue comes from selling or distributing consumer personal information (PI), the CPRA will apply to you. This is another change from the CCPA. Only the sale of customers’ personal information was covered by the CCPA. The CPRA expands this to include “sharing,” which refers to sharing that information with outside parties.

Recent regulations introduced by CPRA

The recent regulations establish that the following data will now be regulated in California.

The CPRA covers several kinds of sensitive personal information:

  • Government identifiers; Social Security numbers and driver’s licenses are two examples

  • Credit or debit card numbers together with login credentials, for example

  • Precise geolocation

  • Race, ethnicity, philosophical or religious convictions, or union membership

  • Content of nonpublic communications; examples include letters, emails, and texts

  • Biometric, genetic, or medical information

  • Information on sexual orientation or sex life

Key provisions of the CPRA

  • The introduction of new consumer rights, including the right to amend inaccurate personal data, the right to restrict the use of sensitive personal data, and the right to refuse the use of personal data for marketing and other purposes.

  • A requirement that companies enter into agreements with service providers that provide specific privacy measures.

  • Stronger regulations for data breach notification, including the need to occasionally notify the CPPA.

  • A broadened definition of “personal information” that encompasses new categories of data, including precise geolocation data and specific kinds of biometric data.

The Pros of CPRA

1. Providing independent enforcement

CPRA establishes a permanent privacy-law enforcement branch of the California government, which, while perhaps still insufficient in scope, offers current law the policies it has so far lacked and may grow in the future under increased political pressure.

2. Aligning CCPA with EU GDPR

CPRA offers several safeguards that enable businesses already abiding by EU standards to expand those safeguards to Californians quickly.

3. Regulating sharing of personal data

Despite the complexity of the subject, this is a significant regulatory advancement. Despite numerous flaws, changing how many companies handle customer data might be sufficient.

4. Allowing greater control over personal data

The law allows people to “correct” false information about themselves being circulated online.

5. Provides a strong foundation for further amendments

No one considers the CPRA a perfect solution, but it touches on many crucial issues and offers a framework for future modifications to build upon.

Penalties for not following CPRA

1. Civil Penalties

Businesses can face civil penalties of up to $7,500 per violation for intentional violations of the CPRA. In addition, there is a maximum fine of $2,500 per violation for unintentional violations.

2. Private Right of Action

The CPRA allows individuals to bring a private right of action against businesses for certain data breaches. If a company fails to protect the personal information of California residents and a breach occurs, individuals can sue the business for damages.

3. Suspension or Revocation of Business License


4. Reputational Damage



The California Privacy Rights Act (CPRA) is a comprehensive privacy law that enhances the rights of California residents over their personal information. It imposes new obligations on businesses, including requirements for data minimization, purpose limitation, and transparency.

Failure to comply with the CPRA can result in significant penalties, including civil penalties, private right of action, suspension or revocation of business license, and reputational damage. Businesses, therefore, need to understand their obligations under the CPRA and take appropriate measures to ensure compliance with the law.
