CPRA stands for the California Privacy Rights Act, a California privacy law that amended and expanded the CCPA. The CPRA introduced new consumer rights, created the California Privacy Protection Agency (CPPA), added protections for sensitive personal information, and expanded obligations related to data retention, sharing, and risk assessments.
CPRA
What is the CPRA?
The California Privacy Rights Act (CPRA) is a California ballot initiative passed in 2020 that amended the California Consumer Privacy Act (CCPA).
The CPRA became fully operative in January 2023 and significantly expanded California privacy law.
CPRA meaning and definition
CPRA definition:
A California privacy law that enhances consumer rights, establishes additional data protection obligations for businesses, and creates a dedicated enforcement authority.
The CPRA is not a separate replacement law. It modifies and expands the existing CCPA framework. Today, businesses often refer to the law as:
CCPA (as amended by CPRA).
What did the CPRA change?
The CPRA introduced several major updates to California privacy law.
New consumer rights
The CPRA added:
- The right to correct inaccurate personal information
- The right to limit the use and disclosure of sensitive personal information
These rights build on the CCPA’s original access, deletion, and opt-out rights.
Sensitive personal information (SPI)
The CPRA created a new category called Sensitive Personal Information (SPI), which includes:
- Precise geolocation
- Financial account information
- Government-issued identifiers
- Biometric data
- Certain health and genetic data
Businesses must provide a mechanism allowing consumers to limit certain uses of sensitive personal information.
For a deeper breakdown, see our guide to sensitive personal information under CPRA.
Expanded definition of sharing
The CPRA clarified that sharing personal information for cross-context behavioral advertising qualifies for opt-out rights, even if no money is exchanged.
This expanded the scope of advertising and analytics practices that may trigger consumer opt-out requirements.
Creation of the California Privacy Protection Agency (CPPA)
The CPRA established the California Privacy Protection Agency (CPPA) as a dedicated privacy regulator responsible for enforcement and rulemaking.
Under the original CCPA, enforcement authority primarily rested with the California Attorney General.
Data minimization and retention rules
The CPRA introduced clearer expectations around:
- Data minimization
- Purpose limitation
- Defined retention periods
- Risk assessments for high-risk processing
These requirements strengthened documentation and governance expectations for businesses.
Who does the CPRA apply to?
The CPRA applies to the same general categories of businesses covered under the CCPA, including those that:
- Do business in California
- Collect personal information from California residents
- Meet revenue or data-processing thresholds
To determine applicability, review our detailed guide on CCPA applicability thresholds and business qualification rules.
CPRA and automated decision-making (ADMT)
The CPRA introduced regulatory focus on Automated Decision-Making Technology (ADMT), including profiling and algorithmic decision systems.
Upcoming regulatory developments include:
- Transparency requirements
- Pre-use notices
- Potential opt-out rights
- Risk assessment obligations
CPRA vs CCPA: quick comparison
The CCPA introduced foundational consumer privacy rights in 2020.
The CPRA expanded those rights and added stronger enforcement mechanisms in 2023.
Key additions under CPRA include:
- Correction rights
- Sensitive personal information protections
- Expanded sharing definition
- Dedicated enforcement agency
- Risk assessment requirements
The CPRA amended the CCPA. It did not replace it.
Enforcement and penalties under CPRA
The CPPA now has independent enforcement authority.
Penalties may apply per violation, and regulatory focus includes:
- Selling and sharing disclosures
- Dark pattern enforcement
- Inadequate opt-out mechanisms
- Failure to document privacy processes
Businesses should maintain clear internal workflows for handling consumer rights and privacy disclosures.
Related terms
Frequently asked questions about CPRA
CPRA stands for California Privacy Rights Act. It is a California privacy law that amended and expanded the California Consumer Privacy Act (CCPA).
The CPRA is a California ballot initiative passed in 2020 that enhanced the CCPA by adding new consumer rights, strengthening data protection requirements, and creating a dedicated enforcement agency.
The CPRA became fully operative on January 1, 2023. It applies to personal information collected on or after January 1, 2022.
The CCPA introduced foundational consumer rights such as access and deletion. The CPRA expanded those rights by adding correction rights, sensitive personal information protections, and establishing the California Privacy Protection Agency (CPPA).
Sensitive personal information includes precise geolocation, financial account data, government-issued identifiers, biometric information, and certain health or genetic data. Consumers may request to limit certain uses of this data.
The CPRA applies to for-profit businesses that do business in California, collect personal information from California residents, and meet specific revenue or data processing thresholds.
The CPRA added the right to correct inaccurate personal information and the right to limit the use and disclosure of sensitive personal information.
ADMT refers to systems that use algorithms or profiling to make decisions about consumers. The CPRA introduced regulatory focus on transparency, opt-out rights, and risk assessments related to automated decision systems.
No. The CPRA amended and expanded the CCPA. The law is now commonly referred to as CCPA as amended by CPRA.