What is the CPRA (California Privacy Rights Act)?

The California Privacy Rights Act is a voter-approved law that amends the CCPA. It creates a state privacy regulator, adds rights to correct and to limit the use of sensitive personal information, expands opt-outs to selling and sharing, and tightens contracts, notices, and retention rules.
What is the California Privacy Rights Act (CPRA)?
The California Privacy Rights Act (often shortened to CPRA) amended the California Consumer Privacy Act. The amendments took effect January 1, 2023 and created the California Privacy Protection Agency to write regulations and enforce the law across California businesses.
CPRA vs. CCPA: what changed
- New and expanded rights. Right to correct, and a right to limit the use and disclosure of sensitive personal information. Consumers can also opt out of both selling and sharing for cross-context behavioral advertising.
- Who is in scope. Thresholds now capture businesses that buy, sell, or share the data of 100,000+ residents or households, those with revenue above the statutory amount, or those deriving 50% or more of revenue from selling or sharing personal information.
- New regulator. The California Privacy Protection Agency issues regulations, conducts enforcement, and may levy penalties.
- Retention and minimization. Keep data only as long as reasonably necessary for stated purposes, and disclose retention periods in the notice at collection and privacy policy.
- Contracts and service providers. Updated terms for service providers, contractors, and third parties, plus restrictions on secondary use.
Who must comply with CPRA California
CPRA compliance generally applies to for-profit businesses doing business in California that meet one or more thresholds, such as gross annual revenue above the statutory amount, processing data of 100,000+ residents or households, or deriving 50% or more of annual revenue from selling or sharing personal information.
Key consumer rights and business duties
CPRA regulations and timeline
Topic | Date | Reference |
---|---|---|
Initial CCPA regulations updated by CPPA | March 2023 | CCPA regulations package |
Appeals court allows immediate enforcement of final CPRA regulations | February 2024 | California Court of Appeal decision |
CPPA Board finalizes rules on ADMT, risk assessments, and cybersecurity audits | July 2025 | Board vote; OAL review pending before effective dates |
Planned compliance date for new ADMT, audits, and risk assessments package | January 1, 2027 | Law firm summaries of CPPA rule text |
Practical CPRA compliance checklist
- Map data flows. Catalog personal and sensitive personal information, sources, uses, recipients, retention, and sharing for advertising.
- Refresh notices. Update the notice at collection and privacy policy with categories, purposes, retention, “sell or share” status, and links to opt out and to limit the use of sensitive personal information (SPI).
- Honor rights. Implement intake and verification for access, delete, correct, opt-out, and limit-SPI requests, including agent flows.
- Tune cookies and ads. Respect opt-out preference signals and limit cross-context advertising unless consented as allowed.
- Update contracts. Add required terms for service providers, contractors, and third parties, including flow-down of requests.
- Prep for audits and assessments. Build templates for cybersecurity audits and risk assessments covering high-risk processing and automated decision use cases, mindful of 2027 timelines.
- Train teams. Legal, marketing, product, data, and support should know request timelines and escalation paths.
About “CPRA public records” to avoid confusion
In California, CPRA can also mean the California Public Records Act, a transparency law that gives the public access to government records. It is unrelated to the privacy rights act above. If you are researching public record access, search for “California Public Records Act” or “Gov. Code 7920 et seq.”
Sources
- California Privacy Protection Agency – FAQs and thresholds: https://cppa.ca.gov/faq.html
- California Privacy Protection Agency – Law & Regulations and 2023 regulations PDF: https://cppa.ca.gov/regulations/ and https://cppa.ca.gov/regulations/pdf/cppa_regs.pdf
- California Court of Appeal allows immediate enforcement of CPRA regulations (summary): https://www.wiley.law/alert-California-Appeals-Court-Allows-Immediate-Enforcement-of-CPRA-Regulations
- CPPA Board finalizes ADMT, risk assessment, and cybersecurity audit rules; compliance timelines: https://iapp.org/news/a/cppa-board-finalizes-long-awaited-admt-risk-assessment-rules and https://www.hunton.com/privacy-and-information-security-law/cppa-finalizes-ccpa-regulations-on-automated-decision-making-technology-risk-assessments-and-cybersecurity-audits
- California Public Records Act overview and code reference: https://law.justia.com/codes/california/code-gov/title-1/division-10/part-1/chapter-1/article-1/section-7920-000/
About the Author
Aykut Cakir, Senior Partner and Chief Executive Officer, has a demonstrated history in negotiations, business planning, and business development. He has served as a Finance Director for gases & energy, pharmaceuticals, retail, FMCG, and automotive industries. He has collaborated closely with client leadership to co-create a customized operating model tailored to the unique needs of each project segment in the region. Aykut conducted workshops focused on developing effective communication strategies to ensure team alignment with new operating models and organizational changes.