Securiti announces a $75M Series C Funding Round


CPRA vs. CCPA: What Has Changed and How Can Businesses Prepare?

By Privacy Research Team
Published on October 26, 2022

What is the CPRA?

The California Privacy Rights Act (CPRA) is a privacy law that was passed in the November 2020 ballot, as 56% of California voters favored it. The law amends and strengthens consumer data privacy rights established initially by the CCPA in 2018.

The CPRA also imposes additional consumer privacy protection obligations on organizations. The new law will take effect from January 1, 2023, and enforcement will start six months later (July 1, 2023).

What is the CCPA?

The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, and came into effect on January 1, 2020. Often compared to GDPR, the CCPA protects consumers from mismanagement of their personal data and gives the consumer control over what data is collected, processed, shared, or sold. The CCPA was passed by the California legislature under pressure from rights groups who wished to pass it in the form of a ballot measure.

Does CPRA Replace the CCPA?

The CPRA amends and expands the CCPA, creating new requirements, consumer privacy rights, and enforcement mechanisms for applicable organizations. Once the CPRA comes into effect on January 1, 2023, it will effectively replace the CCPA. Till then, CCPA requirements will continue to apply to covered businesses.

Get California Privacy Rights Act (CPRA) Readiness Assessment

Securiti’s CPRA assessment evaluates your readiness for CPRA and reviews how compliant your current practices are. This assessment highlights any deficiencies in your practices & aid in your CPRA compliance efforts.

For more information about the California Privacy Rights Act (CPRA) and how to kickstart your CPRA compliance program, see our CPRA Compliance Checklist here and download our white paper on 7 Essential Tips to Prepare for the CPRA.

What is new in the CPRA?

Amended Definition of Covered Organizations

The California Privacy Rights Act (CPRA) is applicable to companies that purchase, sell or exchange personal data of more than 100,000 households or customers in California. The previous limit under the CCPA was 50,000. This means that some small businesses that might have been subject to the CCPA will be exempt under the CPRA.

Also, the CPRA applies to organizations that derive at least 50% of their revenue from selling or sharing a consumer’s Personal Information. Under the CCPA, this provision only included businesses that “sell” consumers’ Personal Information (PI).

New Sensitive Personal Information Category

The CPRA introduces the Sensitive Personal Information (SPI) category, which is subject to more stringent disclosure and purpose limitation requirements. Specifically, the law says security measures should be appropriate to the data type - thus, SPI would need extra protection.

Finally, the CPRA gives consumers the right to ask organizations to limit the use of their SPI.

SPI includes highly sensitive data such as:

  • Social Security Number;
  • Driver’s license;
  • State identification card;
  • Passport Number;
  • Financial account information and log-in credentials;
  • Debit Card or Credit Card number along with access codes;
  • Precise geolocation data;
  • Religious or philosophical beliefs;
  • Ethnic origin;
  • Contents of communication;
  • Genetic data;
  • Biometric information for the purposes of identification;
  • Health information;
  • Information about sex or sexual orientation.

Violations Involving Children's Personal Information

The CPRA prohibits selling the personal information of a person under the age of 16 without their consent, similarly to the CCPA. However, under the CPRA, violations involving children’s personal information are liable similarly to intentional violations, i.e., fines of $7500 per violation. This amendment has provided extra protection to children’s personal information in the CPRA.

New Consumer Privacy Rights

The CPRA grants consumers additional rights regarding their personal data.

Right to Restrict Use of Sensitive Personal Information

Data subjects may request to limit the use and disclosure of their sensitive PI for specific secondary purposes, including disclosure to third parties.

Right to Correction

Data subjects can request the correction of any of their PI held by the organization if inaccurate.

Right to Access Information About Automated Decision Making

Data subjects have the right to request information about automated decision-making processes based on their personal information. Data subjects may also request a description of the likely outcomes that will result from these processes.

Right to Opt-Out of Automated Decision-Making Technology

Data subjects may also request to opt-out of the use of automated decision-making technology, which can include “individual profiling.”

Expanded Consumer Privacy Rights

The CPRA has also expanded or modified the organization’s obligations in fulfilling consumer rights requests granted by the CCPA.

Right to Delete

Consumers can now request businesses to instruct third-party vendors, service providers, or contractors to delete the personal information that might have been sold/shared to them by the business.

Right to Access

Businesses must provide all PI data specified in the CCPA along with the categories of PI it has shared with third parties as well as the third parties it has shared the PI with.

Right to Opt-Out

Data subjects now have the right to opt-out of both the sale and sharing of their PI with third parties, including for the purposes of cross-context behavioral advertising.

Right to Data Portability

Data subjects have the right to ask organizations to transmit specific pieces of PI to another entity. However, this transmission should be technically feasible for the organization.

Expanded Notification Requirements

Data Retention information at Notification at Point of Collection

Businesses will need to notify customers, employees, job applicants, and other workers at or before the point of data collection, similarly to the CCPA. However, businesses must also include details about the retention periods for the collected personal data now.

Businesses are only allowed to retain PI as long as it is ‘reasonably necessary’ for the business/commercial purpose the PI has been collected for.

SPI Collection Notifications

The CPRA mandates organizations to also notify consumers about the categories of SPI being collected, the collection purpose, and the length of time the SPI will remain stored in their databases before or at the point of collection of the SPI.

Opt-in Rights for Minors

Another addition is that businesses must notify minors if they intend to sell or share their personal data. It is also important to note that after a consumer under 16 years of age has declined to provide consent to the business to sell or share their personal information, a business must either wait for another 12 months or wait until the consumer turns 16 before requesting their opt-in consent again.

Changes to Privacy Notices

The CPRA also has additional requirements for Privacy Notices. Starting from January 2023, organizations will be required to modify their privacy notices to include three additional categories of disclosure such as:

  • Disclose whether they share personal information about consumers along with details (the categories of PI shared and with whom).
  • Make disclosures related to their collection, processing, and disclosure of “sensitive personal information.”
  • Disclose the length of time they intend to retain each category of personal information or if that is not feasible, the criteria they will use to determine that retention period.

Creation of California Privacy Protection Agency (CPPA)

Unlike the CCPA, the CPRA creates an exclusive agency for the interpretation and enforcement of the law - the California Privacy Protection Agency (CPPA). Tasked with taking over rule-making power from the California Attorney General, the CPPA shall be the first US-based regulatory authority exclusively focused on data privacy issues.

It shall not only provide guidance on the enforcement of the CPRA but shall also have powers to investigate violations, conduct hearings and assign liability to covered entities for violations.

Cyber Security Audit and periodic Risk Assessment Requirements

Cyber Security audit requirement

The CPRA mandates that organizations that hold personal information that might “present a significant risk to its consumers’ privacy or security” perform an annual cybersecurity audit and submit it to the CPPA.

This audit must be independent and thorough according to the law. To determine the risk of PI processing operations, organizations need to consider the following factors:

  1. The size and complexity of data processing activities of the organization.
  2. The nature and scope of data processing activities.

Risk Assessment Requirement

The CPRA will also require organizations to conduct regular risk assessments to evaluate their processing activities. All assessments must weigh the privacy risks created by the processing activity against the benefits that are provided. One of the factors that can be used to evaluate a processing activity is the use of consumers’ sensitive personal data. This assessment then needs to be submitted to the CPPA.

Organizations need to start identifying higher risk processing activities now and build a robust risk assessment framework to meet this requirement. This process will allow the organization to conduct timely risk assessments and identify problem areas quickly.

Expanded Private Right of Action

Under the CCPA, consumers can bring a civil suit against a business for actual damages or $100 to $750 in statutory damages (whichever is higher) for failing to take reasonable and appropriate security measures to protect their unencrypted or unredacted personal information from being subject to a breach - under the CPRA the categories of PI for which they can sue has been increased to include, email addresses in combination with a password or security question and answer that would permit access to the account. Since most data breaches involve this category of PI, this is a significant change that could increase liabilities for businesses subject to a breach.

Incorporation of GDPR Principles

Data minimization

Organizations must limit their collection of PI to what is reasonably necessary for its disclosed intended purposes.

Purpose Limitation

Organizations that decide to use PI differently than previously disclosed must notify all data subjects before proceeding.

Storage Limitation

The CPRA mandates that organizations not retain PI for longer than “reasonably necessary” for each disclosed purpose. In addition, organizations must also inform their retention periods for each category of PI data at the time of collection. However, if that is not possible, the organization must at least provide the criteria used to determine the retention period.

Frequently Asked Questions (FAQs)

Here are some commonly asked questions you may have related to CPRA vs. CCPA:

The CCPA is enforced within the state of California by the Office of the Attorney General (OAG). The OAG is responsible for sending notifications to any organizations found in breach or non-compliance with the CCPA and levying fines and other possible punitive measures in case of severe breaches.

The GDPR’s enforcement is unique since all 27 EU member states have their own individual data protection agencies responsible for enforcing both the main GDPR and the local adaptation of the GDPR within their respective countries. These agencies also collaborate with one another for more effective enforcement of the GDPR across the EU.

That’s a somewhat complicated question. For starters, ever since the GDPR came into effect, an increasing number of countries have adopted similar data protection regulations. This has meant that for many organizations, ensuring adequate privacy measures are in place is now a question of legal obligation rather than sound business practice. 

Similarly, users are much more educated about their rights, so organizations have an added responsibility to ensure transparency in how they collect users’ data.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.


G2vEase Of Doing Business With G2 Highest User Adoption Adoption G2 Leader Enterprise Leader G2 leader G2 Momentum Leader G2 Users Most Likely To Recommend RSAC Leader Forrester Badge Snowflake Partner Badge IAPP Innovation award 2020 Gartner Cool Vendor Award Sinet Innovator Award