CCPA vs CPRA: What Changed in California Privacy Law
The CPRA (California Privacy Rights Act) was approved by California voters in 2020 and took effect on January 1, 2023. It significantly amended and expanded the original CCPA by introducing sensitive personal information as a category, adding data minimization and purpose limitation requirements, creating the CPPA enforcement agency, and expanding consumer rights including correction and opt-out of automated decision-making.
| Feature | CCPA | CPRA |
|---|---|---|
| Geographic Scope | California, United States (effective January 2020) | California, United States (effective January 2023, amending CCPA) |
| Who It Applies To | For-profit businesses meeting revenue, data volume, or data sale thresholds | Same thresholds as CCPA, but also covers sharing of personal information |
| Consent Requirements | Opt-out of sale of personal information | Opt-out of sale and sharing; right to limit use of sensitive personal information |
| Cookie & Tracking Rules | No specific cookie rules; opt-out right triggered by sale of data via tracking | Opt-out rights extended to cross-context behavioral advertising via cookies |
| Individual Rights | Know, delete, opt-out of sale, non-discrimination | Know, delete, correct, opt-out of sale/sharing, limit sensitive PI use, portability |
| Maximum Penalties | $7,500 per intentional violation, $2,500 per unintentional violation | $7,500 per intentional violation, $2,500 per unintentional; additional CPPA enforcement |
| Enforcement Body | California Attorney General | California Privacy Protection Agency (CPPA) and California Attorney General |
Key Differences
The CPRA introduced the concept of sensitive personal information, a new data category that includes Social Security numbers, precise geolocation, racial or ethnic origin, biometric data, health information, and contents of mail or text messages. Consumers gained the right to limit the use and disclosure of this sensitive information. The original CCPA did not distinguish between sensitive and non-sensitive personal information.
Data minimization and purpose limitation are new requirements under the CPRA. Businesses must now only collect personal information that is reasonably necessary and proportionate for the disclosed purposes, and must not retain it longer than necessary. The CCPA had no such requirements, allowing broader data collection practices.
The CPRA also created the California Privacy Protection Agency (CPPA), the first dedicated privacy enforcement agency in the United States. Under the CCPA, enforcement was handled solely by the California Attorney General. The CPPA has rulemaking authority and can investigate and bring enforcement actions independently. The CPRA also expanded the right to opt out to include sharing of data for cross-context behavioral advertising, not just the sale of data.
How Pryvii Helps
Pryvii checks your website for both the original CCPA requirements and the expanded CPRA obligations. It verifies opt-out links cover both sale and sharing, checks for sensitive personal information disclosures, and ensures your privacy policy reflects the updated rights and requirements under the CPRA.
Frequently Asked Questions
Do I need to update my website for CPRA if I was already CCPA compliant?
Yes. The CPRA introduced new requirements that go beyond the original CCPA. You need to update your privacy policy to reflect new rights (correction, portability), add opt-out mechanisms for data sharing, include sensitive personal information disclosures, and implement data retention schedules.
What is the difference between selling and sharing under CPRA?
Under CCPA, the opt-out right only applied to the sale of personal information for monetary consideration. CPRA expanded this to include 'sharing,' defined as making personal information available for cross-context behavioral advertising, even without monetary exchange. This captures many ad-tech and analytics practices.
When did the CPRA take effect?
The CPRA took effect on January 1, 2023, with a lookback period to January 1, 2022. The CPPA began formal enforcement on July 1, 2023. Businesses should have updated their practices before these dates, but enforcement actions can reference data practices from the lookback period.