CCPA vs CPRA: Key differences every business needs to know [Updated 2026]

March 2, 2026 · 8 min read

CCPA vs CPRA: At a glance

  • The California Privacy Rights Act (CPRA) significantly amended the California Consumer Privacy Act (CCPA)—expanding consumer rights, tightening business obligations, and creating an entirely new enforcement agency.
  • For any business operating in California, understanding the difference between CCPA and CPRA isn't just a compliance exercise. It's a business imperative.
  • The CPRA's modified regulations are finalized and the California Privacy Protection Agency is actively enforcing them. With new US state privacy laws coming online in 2026, including comprehensive laws in Indiana, Kentucky, and Rhode Island, the stakes for getting your privacy program right have never been higher.
  • This guide breaks down the key differences between CCPA and CPRA, what changed, and what your business needs to do about it.

CCPA vs CPRA: Quick comparison

| | CCPA | CPRA |
| Effective date | January 1, 2020 | January 1, 2023 |
| Enforcement | California AG | California Privacy Protection Agency (CPPA) |
| Applicability threshold | 50,000 consumers | 100,000 consumers |
| Data sharing | Not regulated | Regulated |
| 30 day cure period | Automatic | Discretionary |
| Private right of action | Limited | Expanded |

What is the CCPA?

The California Consumer Privacy Act (CCPA), effective January 1, 2020, was the first comprehensive state-level consumer privacy law in the United States. It gave California residents new rights over their personal data—including the right to know what data businesses collect, the right to delete it, and the right to opt out of its sale.

What is the CPRA?

The California Privacy Rights Act (CPRA), which took effect January 1, 2023, amended and significantly strengthened the CCPA. It introduced new consumer rights, expanded existing ones, added a new category of "sensitive personal information," regulated data sharing (not just data sale), and created the California Privacy Protection Agency as a dedicated enforcement body.

CPRA vs CCPA: 9 key differences

1. New consumer rights

The CPRA amended the CCPA to add four new consumer rights.

  • Right to correction: Consumers have the right to correct inaccuracies in their own personal data held by an organization.
  • Right to limit sensitive personal information: If a business collects a consumer’s sensitive personal data, the consumer can request that the business limit that data’s use to what’s “necessary to perform the services or provide the goods reasonably expected by an average consumer.”
  • Right to access and opt out of automated decision-making: Businesses must respond to consumer requests for information about the logic behind automated decision-making and the likely outcome of those processes.
  • Right to opt out of automated decision-making: Consumers can request information about the logic behind automated decisions affecting them—including profiling related to work performance, finances, health, location, or behavior—and opt out of such processes.
  • Right to data portability: Consumers can ask a business to transmit their personal data to another business.

2. Expanded rights

The CPRA also broadened three rights that existed under the CCPA:

Right to know

Under the CCPA, consumers may request information about the personally identifiable information (PII), as well as the categories of PII a business collects and sells. The CPRA expands this right to include the data a business shares.

It also expands the timeframe for which a consumer can request that information. A consumer may request information beyond the standard window of the prior 12 months, with two caveats:

  • The data was collected on or after January 1, 2022
  • Fulfilling the request is possible and doesn’t require “disproportionate” effort.

Businesses are not obligated to keep data for a set period of time, so although a consumer may make such a request, the data may not be available.

Right to opt out

Under the CCPA, consumers could only opt out of data sale. The CPRA lets consumers opt out of both sale and data sharing—a critical distinction given how many businesses route data through ad-tech partners without a direct monetary exchange.

Right to delete

Though the CPRA maintained the same basic ‘Right to delete’ framework, it added guidance about moving these requests downstream.

Under the CPRA, after receiving a consumer data deletion request, businesses must pass the request to any third parties with whom the consumer’s data was shared or to whom it was sold, instructing them to delete the data as well.

The CPRA does offer a few exceptions to this rule, including if the consumer’s data is necessary for completing a requested transaction, part of a security incident, or part of a server log necessary for debugging an error.

Opt-in rights for minors

The CCPA already required businesses to get opt-in consent from any minor under 16. Expanding this requirement, the CPRA states that if a minor refuses the sale or sharing of their personal data, the business must wait 12 months to request consent again.

3. Sensitive personal information

Under the CPRA, sensitive personal information (SPI) includes:

  • Identifying information like social security and driver’s license numbers
  • Credit and debit card numbers
  • Log-in credentials for financial accounts
  • Precise geolocation data
  • Information about a consumer’s race, ethnicity, and religious beliefs
  • Content from a consumer’s emails, mail, and texts
  • Uniquely identifying biometric data, including genetic data
  • Information about a consumer’s health, sex life, or sexual orientation

In contrast, the CCPA only defined requirements around “personal information,” which was defined as:

“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Put simply, personal information could identify you or your household. And sensitive personal information builds on that definition by including the data types listed above.

4. Data "sharing" now regulated

While the CCPA largely only governs data sale, the CPRA places new requirements on data sharing. Data sharing is defined as:

“sharing, renting, releasing, disclosing, disseminating, making available, [or] transferring [...] a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration”

In other words, if you allow an external party access to consumer information for the purpose of cross-context behavioral advertising, in any form, it’s considered data sharing, even if no money was exchanged.

Data sharing is regulated under the CPRA, which gives consumers the right to opt out of, know about, and request deletion of any personal data that’s been shared with a third party.

This new level of scrutiny stems from the fact that, to circumvent data sale regulations under the CCPA, many businesses were exchanging data without a direct monetary transaction.

5. California Privacy Protection Agency established

The CPRA created an entirely new enforcement body: the California Privacy Protection Agency (CPPA). Prior to the CPRA, enforcement of the CCPA was handled by the California Attorney General's office as part of a broader portfolio of responsibilities.

The CPPA (known as CalPrivacy) is a dedicated agency, empowered to:

  • Conduct CPRA compliance audits
  • Investigate and evaluate potential violations
  • Levy fines and issue enforcement actions
  • Develop and implement new privacy regulations

The CPPA has been active. Its 2025 rulemaking finalized regulations on automated decision-making technology (ADMT), cybersecurity audits, and risk assessments—all of which took effect January 1, 2026.

6. Discretionary 30 day cure period

Businesses will no longer have an automatic 30 day cure period, which previously allowed a window where organizations could attempt to address violations. The CPRA made this cure period discretionary, meaning it can be granted by the CPPA on a case-by-case basis.

The CPRA also clarifies that implementing “reasonable security” after a breach does not count towards a meaningful cure.

In other words, if a company fails to provide enough security for sensitive data and then experiences a breach, it will still be held accountable even if it implements additional security measures after the fact.

7. Expanded private right of action

The CCPA offered consumers a private right of action in cases when an organization failed to protect their unencrypted or unredacted data. The CPRA expanded this scope to include a user’s email address, password, or security question, stating:

“Any consumer whose nonencrypted and nonredacted personal information […] is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices [may] institute a civil action”

In light of steadily increasing cyberattacks and high-profile security breaches, organizations should be especially mindful of this scope expansion. A breach that results in exposure of these credentials could lead to significant, consumer-initiated legal action.

Notably, the CCPA and CPRA are the only US state privacy laws that afford the private right of action; Colorado, Virginia, and Utah don’t provide this right under any circumstance.

8. Higher data processing thresholds

Under the California Privacy Rights Act, businesses must process the personal data of at least 100,000 consumers, doubling the CCPA’s 50,000 threshold.

Impact: Many small and medium-sized businesses may end up exempt.

To be clear, the data processing threshold is not the only way an entity can trigger the CPRA. The CPRA also applies to any business that:

  • Has a gross annual revenue exceeding $25 million
  • Buys, sells, or shares personal data for 100,000 or more California residents
  • Derives 50% or more of annual revenue from selling or sharing California residents’ personal data

If a business meets any of these criteria, the CPRA applies.

9. Contract requirements for third-parties

The CPRA requires comprehensive contracts between businesses and any third parties with whom data is being shared or sold. More than that, these contracts must:

  • Specify the purpose for which the data is being sold or shared
  • Place the third party under the same CPRA obligations as the business, meaning the third party must comply with CPRA privacy protection requirements
  • Give the business enough power to enforce their CPRA obligations throughout the third-party’s data processing activities
  • Require notice if the third party feels unable to meet their obligations as defined by the contract
  • Enable the business to effectively address inappropriate use of consumer data

These new requirements are intended to ensure better data governance and security throughout any third-party processing, so it’s important that businesses consider these contracts carefully.

How Transcend can help

Managing CCPA and CPRA compliance, especially across dozens of internal systems and third-party vendors, requires more than spreadsheets and manual workflows.

Transcend is an all-in-one platform for modern privacy and data governance, purpose-built to automate the work that CCPA and CPRA require:

By Morgan Sullivan

Senior Marketing Manager II, Strategic Accounts
