What Businesses Need to Know About the New California Privacy Rights Act (CPRA)

October 13, 2021

On November 3, 2020, California voters passed Proposition 24, better known as the California Privacy Rights Act (CPRA). The new act goes into effect on January 1, 2023, giving businesses two years to prepare for compliance.

Yes, California already has a data privacy act, the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. However, CCPA was rushed through the state’s legislative body, and, as the organization Californians for Consumer Privacy explained, there are two serious concerns surrounding CCPA: “First, some of the world’s largest companies have actively and explicitly prioritized weakening the law. Second, technological tools have evolved in ways that exploit a consumer’s data with potentially dangerous consequences.”

Enter CPRA, which is designed to address CCPA’s weaknesses. CCPA won’t totally disappear, but instead will be incorporated into CPRA.

Who is in scope of the CPRA?

CPRA will impact any business that meets the following criteria:

  • At least 50 percent of annual revenue comes from sharing or selling the personal data of California consumers. What is new here is the addition of sharing information, so this expansion will include tech companies that were exempt under CCPA.
  • Gross annual revenue of $25 million. This remains the same as CCPA’s requirement.
  • Buys, shares, or sells the personal information of more than 100,000 California consumers. CCPA’s minimum threshold is 50,000 consumers. This change is expected to exempt many small businesses now required to meet CCPA compliance.

What are the key changes added to CPRA?

  • The creation of the Privacy Protection Agency. “CPRA would establish the first agency of its kind in the United States. The Agency will be governed by a five-member board, including the Chair, and will have full administrative power, authority and jurisdiction to implement and enforce the CCPA, instead of the California Attorney General,” the National Law Review explained. This means there will be a standalone enforcing body for the CCPA/CPRA, the first of its kind in the United States. It is hoped that a dedicated agency for privacy protection will bring more oversight of compliance failures and do more to protect consumer personal information.
  • A new category that covers sensitive personal information. Sensitive PI under CPRA includes identifiable numbers like driver’s licenses, passports, and Social Security numbers; account login and passwords; geographic location; genetic information; and contents of mail, email, or text messages.
  • Additional rights, such as the right to opt out or access information in automated decision making; the right to correction of inaccurate personal information; and the right to restrict sensitive personal information.
  • Increased rights for the personal information of children under age 16.

How to get started with CPRA

  • Businesses will need to continue following all CCPA requirements until January 1, 2023.
  • To prepare for the new privacy and rights changes, businesses that will meet the new CPRA threshold criteria should conduct an audit of the data currently held and shared or sold, whether by the company or to the company.
  • As part of this audit, companies should classify anything that falls under CPRA’s definition of sensitive personal information, along with any data belonging to minors under 16 years of age, so it can be more easily discovered to meet consumer requests.
  • Begin working with third-party vendors to make sure all agreements will meet CPRA requirements.

If you need help classifying sensitive personal information, vendor compliance, or implementing the new CPRA privacy rights, reach out to our team and see how we can help.



Peter Barbosa