What is CPRA (California Privacy Rights Act)?
A 2020 California ballot measure that significantly strengthened the CCPA by establishing a dedicated enforcement agency (the California Privacy Protection Agency), adding rights to correct and limit data use, and introducing the concept of 'sensitive personal information'.
Also known as: California Privacy Rights Act, Proposition 24, CCPA 2.0
CPRA is often called "CCPA 2.0" — it took California's already strong privacy law and made it significantly stronger, creating the first dedicated privacy enforcement agency in the United States.
What CPRA Added Beyond CCPA
New Rights
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information (SSN, precise geolocation, race, health data, sexual orientation)
- Right to opt out of automated decision-making technology
Sensitive Personal Information (New Category)
CPRA created a new protected category including:
- Social Security numbers, driver's licenses, passports
- Financial account details
- Precise geolocation
- Race, ethnicity, religion
- Genetic data
- Biometric data
- Health information
- Sexual orientation
- Union membership
California Privacy Protection Agency (CPPA)
- First dedicated privacy agency in any US state
- Exclusively focused on privacy enforcement (not shared with the Attorney General)
- $10 million annual budget
- Can conduct investigations, issue regulations, and levy fines
- $7,500 per intentional violation (no cap on total fines)
Data Minimization
- Companies may only collect data that is reasonably necessary and proportionate to the disclosed purpose
- Cannot retain data longer than necessary
- Storage limitation principle (similar to GDPR)
Who Must Comply
CPRA applies to for-profit businesses that:
- Have annual revenue over $25 million, OR
- Buy/sell data of 100,000+ consumers/households, OR
- Derive 50%+ of revenue from selling/sharing personal information
Enforcement
- CPPA handles administrative enforcement
- California Attorney General retains authority for civil actions
- No private right of action for most violations (only for data breaches)
- Fines: $2,500 per negligent violation, $7,500 per intentional violation
Compared to GDPR
| Feature | CPRA | GDPR |
|---|---|---|
| Scope | California residents | EU residents |
| Consent model | Opt-out | Opt-in |
| Private right of action | Limited (breaches only) | Yes |
| Enforcement agency | CPPA | National DPAs |
| Maximum fine | $7,500/violation | 4% of global revenue |
Related Terms
CCPA
The California Consumer Privacy Act grants California residents rights over their personal information, including the right to know what data is collected, delete it, opt out of its sale, and not be discriminated against for exercising these rights.
Data Minimization
A privacy principle that organizations should collect only the minimum amount of personal data necessary for a specific purpose, and retain it only as long as needed. This reduces privacy risks by limiting exposure in case of breaches or misuse.
GDPR
The General Data Protection Regulation is a comprehensive data protection law in the European Union that gives individuals control over their personal data. It establishes strict requirements for how organizations collect, process, store, and transfer personal information.
Right to Be Forgotten
A legal right, primarily under GDPR Article 17, that allows individuals to request the deletion of their personal data from organizations and search engine results when it's no longer necessary or was processed without proper consent.
State Privacy Laws
US state-level data privacy legislation that fills the gap left by the absence of a comprehensive federal privacy law — with California, Virginia, Colorado, Connecticut, and others creating a patchwork of consumer privacy protections.