It’s time we clear up any confusion about how the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) interact and affect business obligations and consumer rights.
Before we start, it’s important to note that the CPRA is now entirely in effect and amends portions of the CCPA — any aspect of the CCPA unaffected by the CPRA revisions still apply.
Some key changes the CPRA brings to the CCPA include:
- New legal thresholds
- Introduction to the concept of sharing personal information
- Addition of the category of sensitive personal information
- New consumer rights
- Changes to business requirements
In this article, we leave no stone unturned and explain all the ways the CPRA changed the CCPA and outline what that means for businesses and data privacy compliance.
Quick Summary of the CCPA vs. CPRA
Here’s a quick summary of how the CPRA amendments changed and affected the original version of the CCPA:
- The CPRA increases the legal threshold that applies to businesses that buy, sell, or share personal information to 100,000 consumers or households (previously 50,000 under the original CCPA)
- A new category of personal information, sensitive personal information, is introduced by the CPRA, which is subject to stricter guidelines
- Consumers get new and expanded rights from the CPRA, like opt-out rights, more robust access to personal data, and the right to limit the sharing of sensitive personal information
- The CPRA introduces new legal obligations surrounding the sharing of personal information, which means exchanging data for purposes other than monetary gain
While the list above represents the key changes the CPRA introduced to the CCPA, it only represents the tip of the iceberg.
In the following sections, we give a far more comprehensive breakdown of how the CPRA amends the CCPA.
The CCPA and CPRA Explained
The CPRA came into force on January 1, 2023, amending parts of the CCPA, which has been in effect since January 1, 2020, and any portions of the CCPA unaffected by the CPRA revisions still apply.
These are technically not two different laws but are one law, the CCPA, with a set of revisions introduced by the CPRA. For this reason, many California government entities and independent agencies refer to both laws as just the CCPA or the CCPA as amended.
But for the sake of clarity, throughout this article, we’ll clearly state if we’re referring to the original version of the CCPA or the new version reflecting the CPRA amendments.
In the following sections, we cover the privacy guidelines outlined by the original CCPA, then explain how the CPRA changed those requirements when it took effect.
CCPA
On January 1, 2020, the California Consumer Protection Act (CCPA) became one of the first data privacy laws in the US. It introduced some of the strictest data privacy requirements and consumer protections in the US.
This law outlined standards for data collection, consequences for businesses that don’t adequately protect their user data, and new rights that Californians can exercise over their personal information.
CCPA Legal Threshold
While the CPRA changed the legal thresholds for the CCPA, initially, it applied to any for-profit business that collected data from California residents and met any one of the following conditions:
- Generated $25 million in gross annual revenue
- Annually bought, received, sold, or shared the personal information of 50,000 or more consumers or households
- Derived 50% or more of its gross annual revenue from selling consumer personal information
Consumer Rights Under the CCPA
The CCPA also granted California consumers the following rights:
- To know what information is being collected about them
- To know if their personal information is sold or shared and with what third parties
- To opt out of the sale of personal information
- To opt into the sale of personal information if between ages 13 and 16
- To access and delete their personal information
- To equal service and price, even if they choose to exercise their privacy rights
To honor these rights, businesses under the CCPA must provide any consumer who makes a “verifiable request” to access their data with a log of the collected information.
A “verifiable request” means it was made by:
- A consumer
- A consumer on behalf of a minor
- A person legally allowed to act on behalf of a consumer addressing records verifiably collected from or about the individual
Businesses must provide consumers with details about the last 12 months of data collection, including the sharing, using, and selling of personal information, within 45 days of the request.
CCPA Requirements for Businesses
The CCPA outlined the following requirements for businesses, many of which are still in place or were expanded by the CPRA amendments:
- Inform consumers that personal data is collected
- Provide consumers with a way to opt out of data collection using visible privacy settings
- Respond to consumer requests in a timely manner
- Double-verify identities of consumers who want to check or delete their personal information
- Inform consumers about how much money you earn from data and what it’s worth
- Maintain records for at least two years
To satisfy these requirements, you should post a California-compliant privacy policy and cookie policy explaining what personal data you collect, which is still applicable under the CPRA.
You can honor consumers’ requests to access and delete their information using a Data Subject Access Request (DSAR) form, which you can link to on your website.
According to Section 1798.120(a) of the law, you must also put a visible “Do Not Sell My Personal Information” link on the homepage of your site that allows users to opt out of the sale of their data.
However, the CPRA amended these guidelines by introducing the concept of sharing personal data, which we cover in greater detail later in the article.
Penalties Under the CCPA
If you’re found in non-compliance under the CCPA, the penalties include:
- $2,500 per each violation
- $7,500 per each intentional violation
Originally, businesses got a 30-day cure period, meaning they had 30 days to respond in writing that they had cured all violations and make a statement that the violations would no longer occur. However, this grace period doesn’t apply under the CPRA.
The California Attorney General’s Office enforced these penalties, but under the CPRA, the power of enforcement shifts to a new group called the California Privacy Protection Agency or CPPA.
Consumers also have the right to sue businesses over the loss of their privacy resulting from a data breach, so it’s possible to incur extra penalties from private lawsuits.
With the addition of the CPRA amendments, the reasons for pursuing private legal action against a company have expanded even further, placing even more responsibilities on businesses to protect user data.
CPRA
On January 1, 2023, the statutory requirements of the California Privacy Rights Act (CPRA) came into force and amended portions of the CCPA.
However, the date the enforcement rules became applicable changed multiple times:
- Initially, the rules were scheduled to take effect on January 1, 2023 with a look back to January 1, 2022.
- But, the CPPA was late establishing enforcement rules, so California courts extended the enforcement date to March 29, 2024.
- The CPPA appealed this decision, and on February 9, 2024, it was announced that California’s Third District Court of Appeal sided with the CPPA.
- Today, all CPRA amendments are officially in effect with a look back to July 1, 2023.
This law introduces new data categories, updates the legal thresholds, provides more rights to consumers, and expands upon business obligations previously outlined by the CCPA.
CPRA Legal Threshold
The CPRA introduced a new legal threshold that now applies to the CCPA, so your business falls under the jurisdiction of both laws if you do business in California and meet any one of the following:
- Earned $25 million in gross annual revenue as of January 1 from the previous calendar year
- Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households
- Derived 50% or more of your gross annual revenue from the selling or sharing of personal information
The concept of sharing data is newly introduced by the CPRA and refers to all of the following:
- Renting personal data
- Disclosing personal data
- Disseminating persona data
- Making personal data available
- Transferring personal data
- Communicating details about personal data orally or in writing
- Communicating details about personal data electronically or by other means
As we mentioned previously, because of the extraterritorial scope of these laws, your business does not need to be located in California to fall under its legal jurisdiction.
Consumer Rights Under the CPRA
The CPRA also expanded some consumer rights set by the CCPA and introduced a few new ones.
Under this law, consumers now have the right to:
- Opt out of the selling or sharing of their personal information using a “Do Not Sell or Share My Personal Information” link or by honoring consumers’ browser opt-out consent preferences
- Limit the use and disclosure of their sensitive personal information
- Correct and delete inaccurate personal information after submitting a verified consumer request
- Request to access data collected about them beyond the 12-month look-back period — unless doing so is impossible or requires a disproportionate effort
- Opt-out of automated decision-making and profiling
Sensitive personal information is a new category of personal data defined by the CPRA and includes any of the following details:
- Driver’s license numbers
- Social Security Numbers (SSN)
- State ID numbers
- Union membership
- Passport numbers
- User credentials such as usernames and passwords
- Biometric data and genetics
- Ethnic or racial origins
- Precise geolocations
- Religious or philosophical beliefs
- Information about a consumer’s sexual orientation, sex life, or health
- Contents of a consumer’s text, mail, and email
Businesses now must put a “Limit the Use of My Sensitive Personal Information” link on their website that’s easy for users to find so they can follow through on this new privacy right. However, the law gives you the option to honor browser opt-out preference settings set by the consumer in place of the link.
The CPRA also amended the right to private action, expanding the guidelines set initially by the CCPA. Consumers can now sue businesses if:
- Email addresses in combination with a password or other security questions are breached, permitting access into an account
- Nonencrypted and non-redacted personal information is compromised due to a business’s failure to implement and maintain reasonable security measures
These revisions also expanded rights for consumers who are minors, and businesses must now:
- Obtain explicit opt-in consent before sharing or selling the personal information of a consumer under the age of 16
- Establish a way for a minor or their parent/guardian to specify that the consumer is between 13 and 16 or is under 13
CPRA Requirements for Businesses
There are also new and expanded business obligations set by the CPRA, including security requirements and contractual obligations.
Businesses must actively implement “reasonable security procedures and practices” to protect personal information.
If a company is expected to create a significant privacy risk, you must perform annual cybersecurity checks and submit your results to the California Privacy Protection Agency (CPPA), a new agency established to implement the two data privacy laws.
As for the new contractual obligations, if you share, sell, or disclose personal information to contractors, third parties, or service providers, you must create a contract outlining all of the following:
- Specify the purposes for why that information is disclosed, sold, and shared with the other entity
- Make it necessary for the other party to also comply with the CPRA and provide the same level of privacy protection as required by the law
- The other party must be required to notify you if they can no longer meet their CPRA obligations
- You must inform the other party that you have the right to take appropriate and reasonable steps to stop any unauthorized use of the personal information
There are also new storage limitations and data minimization guidelines set by the CPRA, often compared to the guidelines from the European Union’s (EU) data privacy law, the General Data Protection Regulation (GDPR).
It states that you can only:
- Collect personal information when it’s required or reasonably necessary
- Store and retain personal information for as long as necessary for the purpose it was collected
The CPRA also limits businesses from using certain defenses if a data breach occurs and private action is taken against them. Namely, it now specifies that implementing reasonable security measures after a breach no longer qualifies as a proper defense.
Penalties Under the CPRA
Penalties have been updated under the CPRA and include:
- $2,500 per non-intentional violation
- $7,500 per intentional violation or for offenses involving the personal information of minors under age 16
But the 30-day grace period to correct violations no longer applies. Instead, the CPPA decides how much time each business has to correct its mistakes and will consider the following factors:
- Whether the business meant to violate the CPRA
- Whether the business made efforts to cure the alleged violation
Plus, as we mentioned previously, consumers can now pursue private action against a business for the following two reasons:
- Nonencrypted and non-redacted personal information is compromised
- Email addresses in combination with a password or other details permitting access into an account are breached
Did the CPRA Replace the CCPA?
No, the CPRA did not replace the CCPA, rather, it amends portions of the CCPA, and any part left unchanged still applies to businesses and consumers.
For this reason, places like the CPPA, the agency responsible for enforcing the CPRA, refer to the laws as the CCPA, the CCPA as amended, or the CCPA regulations.
What Changes Did the CPRA Bring?
The CPRA brought several changes to the CCPA, most notably, it expanded upon user rights, introduced new concepts, and provided additional obligations for businesses.
Some of the key changes introduced by the CPRA include:
- New legal thresholds — Some companies that met the CCPA criteria of buying, selling, or sharing data from 50,000 consumers may no longer fall under these laws if they do not meet the updated 100,000 consumer requirement
- New category of data — The new law acknowledges the category of sensitive personal information which must be highly protected, and consumers can request to limit or opt out of the selling, sharing, or processing of this vulnerable information
- New and expanded consumer rights — The CPRA expands upon some consumer rights outlined by the CCPA and grants them the new right to correct their information, limit the use of sensitive data, access information about automated decision-making, and opt out of automated decision-making technology
- New concepts — This law introduced the concept of sharing personal information, which refers to when businesses and third parties exchange data but not necessarily for monetary purposes
- New incorporation of GDPR principles — Like the GDPR, the CPRA adopts similar principles for data minimization, purpose limitations, and storage limitations.
- New private rights to pursue legal action — Consumers can now pursue private legal action against companies that expose their login credentials as part of a data breach
- New creation of a privacy enforcement agency — The California Privacy Protection Agency (CPPA) was created to enforce the new data privacy laws, a responsibility that previously fell on the California Attorney General’s Office
The Differences Between the CPRA vs. CCPA
There are some nuanced differences between the original version of the CCPA and the current regulations in place now that the CPRA has officially come into force, so we’ve created some CCPA vs. CPRA charts for you comparing and contrasting the following details:
- Definitions
- Legal thresholds
- Consumer rights
- Business obligations
- Penalties for non-compliance
You can learn even more about each topic in the following sections.
CPRA vs. CCPA: Definitions
One significant way the CPRA impacted the CCPA is by changing, updating, and introducing new legal terms and definitions, which can be found in section 1798.40 of the law.
In the chart below, you can compare some new and expanded legal definitions introduced by the CPRA to the original definitions outlined by the CCPA.
| Term | CPRA | CCPA |
| Sensitive Personal Information | Highly vulnerable personal information that is subject to increased compliance requirements and includes:
|
The original version of the CCPA did not have a sensitive personal information category |
| Sharing | The disclosure of personal information to third parties for the context of behavioral advertising and includes sharing for free, monetary gain, or any other value | The original version of the CCPA did not reference the sharing of personal information |
| Contractor | An individual who an organization has made a consumer’s personal information available to for business purposes established by a written contract | The original version of the CCPA did not define contractor |
| Publicly Available Information | Any information lawfully made available from federal, state, or local government record
Any information a business reasonably believes has been made lawfully available to the general public from widely distributed media or by the consumer And any information given by a person that the consumer has disclosed the information with, as long as the consumer hasn’t limited the information to a specific group or people |
The original version of the CCPA defined publicly available information only as anything lawfully made available from federal, state, or local government records |
| Link to Original Legal Text | 1798.40 with CPRA amendments | 1798.40 from original CCPA text |
* Any other legal terms unaffected by the CPRA amendments are interpreted the same as when the CCPA initially defined them.
CPRA vs. CCPA: Legal Thresholds
Due to the revisions introduced by the CPRA, the legal thresholds have changed from what they originally were under the CCPA, impacting what businesses fall under the jurisdiction of these laws.
Look at the chart below to compare the new requirements set by the CPRA and the legal thresholds as originally outlined by the CCPA, found in Section 1798.140 of the laws.
| CPRA | CCPA |
Any for-profit entity that conducts business in California and meets any one of the following provisions:
|
Any for-profit entity that conducts business in California, collects data from California residents, and meets any one of the following conditions:
|
| 1798.140 with CPRA amendments | 1798.140 from original CCPA text |
Remember that currently, the legal thresholds outlined by the CPRA are the only requirements in place. If you meet those conditions, your business must abide by both the CCPA and the CPRA data privacy guidelines.
CPRA vs. CCPA: Consumer Rights
Some of the data privacy rights initially granted to consumers by the CCPA have been expanded by the CPRA amendments, plus a few new freedoms were introduced.
The chart below highlights the differences between the new and extended rights resulting from the CPRA and the initial consumer rights from the CCPA, which can be found in Sections 1798.100 through 1798.125 of the laws.
| CPRA | CCPA |
| Consumers have the right to know what personal information is being collected about them, how it’s used, and if it’s sold to or shared with any third parties | Consumers had the same right to know what personal information is being collected about them, how it’s used, and if it’s sold to or shared with any third parties under the original version of the CCPA |
| Consumers have the right to request to access data collected about them beyond the 12-month look-back period, and businesses can only deny the request if doing so is impossible or requires a disproportionate effort | Consumers only had the right to request to access their personal information for the past 12 months under the original version of the CCPA |
| Consumers have the right to opt out of the selling or sharing of their personal information | Consumers only had the right to opt out of the sale of their personal information under the original version of the CCPA |
| Consumers have the right to non-discrimination in services and can opt-out of automated decision-making and profiling in an employment context | Consumers only had the right to non-discrimination in services and price under the original version of the CCPA |
| Consumers have the right to rectification and can request to access, amend, correct, or delete their personal data | Consumers only had the right to request to access or delete their information, which did not have to be honored, but businesses did need to respond in a timely fashion under the original version of the CCPA |
| Consumers have the right to limit the use and disclosure of their sensitive personal information | Consumers previously did not have this right, and there was no category of sensitive personal information under the original version of the CCPA |
| 1798.100 with CPRA amendments | 1798.100 from original CCPA text |
* Any other consumer rights mentioned in the CCPA unaffected by the amendments outlined by the CPRA remain in place and still apply.
CPRA vs. CCPA: Business Obligations
Due to the CPRA amendments, businesses under the jurisdiction of these laws have new requirements they must follow to legally collect, store, process, and use personal information.
Because these are not technically two separate laws with completely different guidelines, the chart below looks different than the others. It outlines the primary business obligations officially in place now that the CPRA is in force and provides suggestions for how to comply with the requirements.
| Business Obligations Under the CPRA & CCPA | How to Comply |
| Inform consumers that personal information is collected, how, why, and who it’s shared with or sold to |
|
| Honor consumer rights and facilitate requests by providing consumers with a way to opt out of data collection using visible privacy settings, including the right to limit the use of their sensitive personal information |
|
| Create a contract following specific guidelines if you share, sell, or disclose personal information to contractors, third parties, or service providers | Contracts must outline all of the following:
|
| Implement reasonable security procedures and practices to protect personal information |
|
| Fulfill the new disclosure and retention obligations |
|
| Provide a notice of consumer rights |
|
We’ve said it a few times, but as a reminder, any other guidelines, requirements, or stipulations outlined by the CCPA unaffected by the CPRA amendments remain in effect.
So if you fall under the jurisdiction of these laws, you must also follow all legal standards.
CPRA vs. CCPA: Penalties for Non-compliance
There are consequences to not following the data privacy guidelines set by the CPRA and CCPA, and the CPRA amendments changed what businesses can be held accountable for in a court of law.
The chart below compares the new CPRA penalties for non-compliance with the original repercussions outlined by the CCPA, which appears in Section 1798.150 of the laws.
| CPRA | CCPA |
|
|
Consumers can sue a business in a privacy lawsuit if:
Consumers may recover damages between $100 to $750 per incident, or actual damages, whichever is greater. |
Consumers can sue a business in a private lawsuit if:
|
| 1798.150 with CPRA amendments | 1798.150 from original CCPA text |
Ultimately, the CPRA amendments put more responsibility on businesses to keep personal user information — and their login credentials — safe from exposure, leaks, and data breaches.
Who Must Comply With the CPRA and CCPA?
As of January 1, 2023, your business must comply with both the CCPA and the CPRA if you do business in California and meet any one of the following conditions:
- Earned $25 million in gross annual revenue as of January 1 from the previous calendar year
- Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households
- Derived 50% or more of your gross annual revenue from the selling or sharing of personal information
All CPPA enforcement rules are now officially enforceable with a look back to July 2023.
How To Ensure Your Business Properly Complies With Both Laws
To ensure your business properly complies with both the CPRA and the CCPA, you’ll want to implement all of the following:
- Post a CCPA-compliant privacy policy on your website
- Also post a well-written cookie policy on your website outlining how those trackers collect, store, and use personal information
- Put a “Do Not Sell or Share My Personal Information” link in the footer of your website
- Also put a “Limit the Use of My Personal Information” link in the footer of your website
- Or, instead of links, honor the opt-out preference settings consumers place on their browsers
- Implement reasonable security safeguards to protect personal consumer data from breaches or hacks
- Facilitate user requests by posting a Data Subject Access Request or DSAR form on your website
- Provide a notice of consumer rights by adding a clause to your compliant privacy policy
- Only retain personal consumer data for as long as reasonably necessary
- Only disclose personal consumer data with third parties as necessary and create compliant contracts each time
It may look like a long checklist, but compliance doesn’t have to be complicated, especially with the right help. Learn how to simplify your data privacy compliance in the next section.
How Termly Can Help
Complying with the CCPA and the CPRA amendments may seem intimidating at first, but we can help take those burdens off of your plate by providing you with templates and policy generators that already abide by the CCPA and the CPRA changes, including our:
- Privacy Policy Generator
- Privacy Policy Template
- Cookie Policy Generator
- Cookie Policy Template
- Cookie Consent Manager
- DSAR Forms
You can download and customize any of our free policy templates, which already feature the phrasing and clauses required by the CPRA and the CCPA.
Or, if you’re short on time or require more assistance, our generators walk you through the entire process of building a policy by having you answer simple questions about your business, as shown in the screenshot below.
As you can see, our tools refer to the law with the CPRA amendments as simply the CCPA, reflecting how other government entities and agencies talk about the regulations. But the CPRA changes are all reflected within the policy builder.
There’s even helpful tips and answers to common questions directly on each page, as shown in the screenshot below. Plus, you gain access to our support team if you get stuck or need assistance.
We pride ourselves on always being up to date, which is why our legal team and data privacy experts worked with our product engineers to update our tools to follow all guidelines and requirements set by the two California laws, as well as the:
- General Data Protection Regulation (GDPR)
- Virginia Consumer Data Protection Act (CDPA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- California Online Privacy Protection Act (CalOPPA)
- The UK GDPR
Just think of us as your privacy compliance partner who’s always ready to help with any of your data privacy needs.
CPRA vs. CCPA FAQs
Still a little confused about these California privacy laws? Check out the most frequently asked questions we get about the CPRA and CCPA for even more clarification.
When did the CPRA go into effect?
The statutory requirements of the CPRA went into effect on January 1, 2023. The CPPA enforcement rules entered into effect on July 1, 2023.
Does the CPRA replace the CCPA?
The CPRA does not replace the CCPA, instead it amends parts of the CCPA. Any aspect of the CCPA unaffected by the CPRA changes remains the same and still applies to businesses.
For this reason, some government agencies and other entities, including the CPPA, refer to both laws as the CCPA, the CCPA as amended, or the CCPA regulations.
Do I need to comply with both the CCPA and CPRA?
Yes, you need to comply with both the CCPA and CPRA if you run a for-profit business that does business in California and meets one or more of the following criteria:
- Earned $25 million in annual gross revenue as of January 1 of the previous calendar year
- Sells, buys, or shares the personal information of 100,000 California consumers or households
- Derives 50% or more annual revenue from selling or sharing personal information
Who enforces the CCPA and CPRA?
A new board called the California Privacy Protection Agency (CPPA) was created to enforce the CCPA with the CPRA amendments. Previously, the California Attorney General’s Office was responsible for enforcement.
Summary
With the CPRA formally in force, the scope of the CCPA has expanded, granting consumers more rights and increasing the requirements businesses must follow to legally collect, process, and use personal information.
Some of the primary differences between the CPRA and the CCPA include:
- An increase in the legal threshold, the CCPA, and the CPRA now apply to businesses that buy, sell, or share personal information from 100,000 consumers or households
- The introduction of a new category of personal information, sensitive personal information, which is subject to stricter guidelines
- New and expanded user rights, like the right to limit the sharing of sensitive personal information and more robust access to their personal data
- Legal obligations surrounding the sharing of personal information which applies beyond exchanging data for monetary gain
To comply with the CPRA amendments to the CCPA, update your privacy policy, provide relevant links for users to act on their privacy rights, and implement proper security protocols to keep consumer personal information safe.
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author
