Mandatly Knowledge Base
What is CPRA?
The California Privacy Rights Act (CPRA) is a groundbreaking data privacy law that enhances and amends the original California Consumer Privacy Act (CCPA). Passed in 2020 and fully enforced as of July 1, 2023, CPRA strengthens consumer privacy rights, introduces new protections for sensitive personal information, and creates a dedicated enforcement agency.
Key Enhancements Under CPRA:
With the CPRA, California residents receive stronger protections and more control over their data. Here’s what the updated law brings:
- Right to Correct Inaccurate Data: Consumers can request corrections to inaccurate personal information held by businesses.
- Expanded CPRA Opt-Out Rights: Users have the right to opt out of the sharing of personal information for targeted advertising purposes.
- Sensitive Personal Information Protections: CPRA introduces new obligations for handling sensitive data such as Social Security numbers, financial information, health data, biometric identifiers, and precise geolocation.
- Stricter Data Retention Policies: Businesses must disclose data retention periods and avoid storing data longer than necessary.
- California Privacy Protection Agency (CPPA): This new agency now oversees CPRA compliance and replaces the Attorney General as the primary enforcer.
The CPRA applies to for-profit businesses operating in California that meet any of the following thresholds:
- Has annual revenue exceeding $25 million
- Processes personal data of 100,000 or more California consumers or households annually
- Derives 50% or more of annual revenue from selling or sharing personal information
These criteria ensure the CPRA covers major players that collect large volumes of data or profit from data sales.
CCPA vs. CPRA: What’s the Difference?
CPRA modifies and expands the CCPA by adding new consumer rights, stricter compliance rules, and a dedicated enforcement agency.
| Feature | CCPA | CPRA (Expanded Law) |
|---|---|---|
| Right to Correct Data | ❌ Not included | ✅ Available under CPRA |
| Sensitive Data Protections | ❌ Basic protections | ✅ Stricter rules for sensitive data |
| Opt Out of Targeted Ads | ❌ Not explicitly covered | ✅ Covered with enhanced CPRA opt-out rights |
| Enforcement Agency | ❌ Attorney General | ✅ California Privacy Protection Agency (CPPA) |
| Data Retention Limits | ❌ Not required | ✅ Mandatory disclosure of retention periods |
The California Privacy Rights Act builds on CCPA to offer more robust privacy protection and stronger enforcement mechanisms.
CPRA Compliance Checklist for Businesses
To ensure compliance with the CPRA, businesses should:
- Update Privacy Policies: Clearly describe data collection purposes, consumer rights, and data retention timelines.
- Implement Opt-Out Mechanisms: Include a clear “Do Not Sell or Share My Personal Information” link for users.
- Honor Consumer Rights: Establish procedures to respond to consumer requests to access, delete, or correct their personal information.
- Conduct Risk Assessments: Evaluate data processing activities and implement necessary security measures.
- Review Contracts with Third Parties: Ensure agreements with service providers and contractors include CPRA-compliant terms.
- Maintain Compliance Records: Track data subject access requests (DSARs), disclosures, and data processing activities to stay audit-ready.
CPRA Timeline:
- November 3, 2020: CPRA approved by California voters.
- January 1, 2023: CPRA provisions became effective.
- July 1, 2023: Enforcement of CPRA commenced.