The California Privacy Rights Act (CPRA), also known as Proposition 24, is an extension and amendment of the California Consumer Privacy Act (CCPA). It was approved by California voters in November 2020 and became effective on January 1, 2023. The CPRA builds on the foundation of the CCPA by expanding consumer rights, increasing obligations for businesses, and establishing a dedicated enforcement agency — the California Privacy Protection Agency (CPPA).
What is CPRA?
The CPRA strengthens California’s privacy laws by enhancing consumer protections and clarifying the rules businesses must follow when handling personal data. It is not a separate law from the CCPA but rather amends and expands it, effectively becoming “CCPA 2.0.”
Key improvements introduced by the CPRA include:
- New rights such as the right to correct inaccurate personal data,
- Introduction of the concept of sensitive personal information,
- Stricter rules around data sharing, not just selling,
- Data retention limitations and purpose limitation requirements,
- Creation of the California Privacy Protection Agency for enforcement.
What’s the difference between CPRA and CCPA?
While the CCPA was already one of the most robust privacy laws in the U.S., the CPRA takes it further. Here's how the CPRA differs:
Category | CCPA | CPRA |
---|---|---|
Consumer rights | Right to know, delete, opt out of sale | Adds right to correct and right to limit use of sensitive info |
Scope of personal data | General personal information | Introduces "sensitive personal information" category |
Data sharing | Focused on "sale" of data | Covers "sharing" of data for cross-context behavioral advertising |
Enforcement | California Attorney General | California Privacy Protection Agency (new authority) |
Data retention policies | Not explicitly required | Requires clear data retention limits |
Risk assessments & audits | Not mandatory | Required for high-risk data processing |
Who does the CPRA apply to?
The CPRA applies to for-profit businesses that collect personal information from California residents and meet at least one of the following criteria:
- Have annual gross revenues over $25 million,
- Buy, sell, or share personal information of 100,000 or more consumers or households (up from 50,000 under CCPA),
- Derive 50% or more of their revenue from selling or sharing personal information.
The law has extraterritorial reach, meaning businesses outside California — and even outside the U.S. — are subject to the CPRA if they meet the above thresholds and deal with California residents.
What are consumer rights under CPRA?
Under the CPRA, California residents now have:
- Right to know what personal data is collected and how it is used,
- Right to delete personal data,
- Right to opt out of the sale or sharing of personal information,
- Right to correct inaccurate personal information,
- Right to limit the use and disclosure of sensitive personal information,
- Right to access collected data,
- Right to non-discrimination for exercising their privacy rights.
Sensitive personal information includes data such as Social Security numbers, precise geolocation, biometric data, religious beliefs, and more.
What are the penalties for non-compliance with the CPRA?
The CPRA increases the stakes for non-compliance:
- Fines of up to $2,500 per violation, or $7,500 per intentional violation or per violation involving minors under 16.
- Unlike the CCPA, there is no grace period for fixing violations after being notified.
- The newly formed California Privacy Protection Agency (CPPA) has full authority to audit businesses and enforce the law.
Does the CPRA replace the CCPA?
No. The CPRA amends and builds upon the CCPA rather than replacing it. The CCPA remains the foundation, but the CPRA significantly expands its scope, rights, and enforcement mechanisms. Together, they form one of the most comprehensive state-level privacy laws in the U.S.
How does Consentise help with CPRA compliance?
Consentise makes CPRA compliance easier by:
- Displaying clear consent banners and "Do Not Sell or Share My Personal Information" links as required.
- Offering granular user control over the use and sharing of sensitive personal data.
- Logging consent preferences and providing auditable records.
- Helping businesses respect user requests to correct or limit use of their data.
- Ensuring that data retention policies and purposes are communicated transparently.
With Consentise, your organization is empowered to navigate California’s evolving privacy landscape while maintaining trust with your users.