September 7, 2022



From CCPA to CPRA: A Summary

  • The CPRA was established by the California Privacy Protection Agency
  • There are changes in the criteria for which business are regulated since California Consumer Privacy Act (CCPA)
  • There are new consumer rights
  • There is a category of sensitive personal information with stronger obligations and rights
  • "Do not sell my data" will be "Do not sell or share my data"
  • There is an extension of the requirements of consent


On 3 November 2020, California citizens voted and directly approved the enactment of the Proposition 24 or officially the California Privacy Rights Act of 2020 (CPRA), which amends and expands the existing California Consumer Privacy Act (CCPA) that became effective on 1 January 2020. In a nutshell, being GDPR-inspired, the CPRA creates new consumers rights, modifies existing ones, introduce a new category of sensitive personal information, alters the scope of application and establishes a dedicated privacy protection authority. The CPRA will become effective on 1 January 2023, applying though to personal information already collected by businesses on or after 1 January 2022.


The CPRA changes the criteria for which business are regulated. In particular, the CPRA doubles the threshold number of consumers or households (no reference to devices anymore) from 50,000 to 100,000, resulting thus to the exclusion of small and medium businesses. Furthermore, it expands the applicability of the privacy laws to businesses that generate their revenue not just from selling but also from sharing personal information.

Moreover, the exemption envisaged in the CCPA that its obligations upon the businesses would not apply to employment and business-to-business data until 31 December 2021, is now extended for an additional year, until 31 December 2022, and they will fully expire on 1 January 2023.

Consumer rights

The CRPA establishes new consumer privacy rights and expands the existing ones as follows:

Right to correction (new)

The CPRA adds a new consumer right to request businesses to use commercially reasonable efforts in order to correct inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.

Right to limit the use and disclosure of sensitive personal information (new)

The CPRA adds a new consumer right to direct a business that collect sensitive personal information to limit its use and disclosure of such information for purposes other than those that are commercially necessary or as otherwise authorized by the CPRA. This new category of personal information, the sensitive personal information, includes government-issued identifiers (social security, driver’s licence etc), finance information, precise geolocation, race or ethnic origin, religious or philosophical beliefs, union membership, sex life or sexual orientation, contents of private communications, genetic data, biometric data, and specified health information. The CPRA grants the consumers the rights to restrict businesses’ use and disclosure of these information for advertising and marketing purposes.  

Right to opt-out of automated decision-making (new)

The CPRA gives consumers the right to opt out of the use of automate decision making technology, including profiling.

Right to access information about automated decision-making (new)

The CPRA gives consumers the right to request access to and information about how automated decision technologies work and what their likely outcomes are.

Right to deletion

The CPRA modifies the deletion right by requiring service providers, contractors and third parties to cooperate with the business to delete personal information from their records pursuant to a consumer request. 

Right to know

The CPRA expands the right to know to include personal information collected beyond beyond the current 12-month look-back period, if collected after 1 January 2022.

Right to opt out of sharing (in addition to selling)

The CPRA expands the right to opt out by requiring businesses to provide consumers with the ability to opt out of not only the selling but also sharing personal information for the purposes of cross-contextual behavioral advertising.

Rights of minors

The CPRA provides that the opt-in requirement for businesses when dealing with minors is extended to include the sharing of personal information for behavioral advertising purposes. The opt-in rights for minors and consumers in general have been strengthened, requiring businesses to wait for at least 12 months before requesting an opt-in after consent was declined, respectively after an opt-out.

Right to data portability

The CPRA empowers the consumers to request to have their personal information transmitted to another entities.

Businesses’ responsibilities

The CPRA imposes additional obligations on businesses that essentially correspond to the GDPR principles of transparency, data minimisation, purpose limitation, storage limitation and data security. In particular:

The CPRA requires businesses to only collect, use, retain and share consumers’ personal information for specific, explicit, and legitimate disclosed purposes and only to the extent that it is relevant and limited to what is necessary in relation to the purposes for which it is being collected, used, and shared.

Information obligations of businesses expand to inform consumers not only of the categories of personal information collected (including now also the categories of sensitive personal information collected) but also for what purposes; if that information is sold or shared; and the length of time the businesses intend to keep each category of information. 

Furthermore, the CPRA requires business to notify, at the time of collection, consumers of the retention periods of each category of personal information collected. Businesses are further prohibited from retaining PI for longer than is “reasonably necessary”for each disclosed and specifies purpose.

Finally, the CPRA requires businesses to implement reasonable security procedures and practices and to perform mandatory risk assessments and cybersecurity audits for high-risk activities. 


Consent Requirements

The CPRA also expands the current consent requirements envisaged in the CCPA to include:

·      Consent needed for the selling or sharing personal information after a user has already opted out

·      Consent needed when selling or sharing the personal information of minors

·      Consent needed for secondary use, selling or sharing of sensitive personal information after a user has opted out

·      Consent needed for research exemptions

·      Consent needed to opt-in to financial incentive

Enforcement and Liability

Similar to the concept of the Data Protection Authorities established in each member state of the European Union under the GDPR, the CPRA provides for the establishment of a dedicated privacy enforcement authority, the California Privacy Protection Agency. The Agency will replace the California Office of Attorney General and it will be vested with full enforcement, investigative and rule making powers regarding the implementation of the Californian consumer privacy laws.

The CPRA removes the 30-day time period in which businesses can currently correct alleged violations before the commence of administrative enforcement and the imposition of penalties by the AttorneyGeneral.

Furthermore, the CPRA triples the maximum penalties up to $7,500 for violations concerning minors under the age of 16 and authorises civil penalties for theft of specified consumer login information.

While the fines in comparison to the GDPR’s possible monetary sanctions seem rather low, we must take into account that the CCPR/CPRA sanctions are for each count of violation (per affected consumer).

Conclusion / preparation

In view of the CPRA, businesses should perform a data mapping exercise in order to determine whether they collect sensitive personal information and review their data retention policies.

Businesses should also update their privacy statements with the new required information and implement mechanisms for allowing consumers to exercise their rights to correction and opt-out. In this regard, businesses shall update their “Do not sell my personal information” mechanism to include a second “Limit the use of my sensitive personal information” or bundle both of them under one single link. Finally, Businesses should update their “Do not sell my personal information” to read as “Do not sell or share my personal information”.

European companies that do business in California fall under the scope of Art, but should be familiar with the requirements, which are similar to those of the GDPR, therefore in some cases only minor adjustments may be needed in order to be compliant with the Californian rules. However, companies should be vigilant and review the new requirements of the CPRA and adjust their processes accordingly as early as possible, so as to be prepared when the new law takes effect and to avoid possible sanctions or claims for damages.


DISCLAIMER: The contents of this website are intended to convey general information only and not to provide legal advice or opinions. The information presented on this website may not reflect the most current legal developments. An attorney should be contacted for advice on specific legal issues. The implementation of a data protection law compliant Consent Management Platform (CMP) is ultimately at the discretion of the respective data protection officer (DPO) or legal department.