The Complete Guide to CPRA Compliance

Table of contents

• What is CPRA?
• Who does the CPRA apply to?
• CPRA enforcement
• CPRA definitions
• Consumer rights under the CCPA
• CPRA vs CCPA
• CPRA fines
• CPRA compliance checklist

What is the CCPA?

Passed in 2018, the California Consumer Privacy Act (CCPA) established consumer data rights in California and placed new requirements on businesses processing personal data from California residents. 

Two years later, in 2020, California passed Proposition 24. More commonly known as the California Privacy Rights Act (CPRA), this bill amended the CCPA—adding and expanding consumer rights, increasing the data processing threshold, and establishing the California Privacy Protection Agency. 

The CCPA is already in effect—with the CPRA going into effect on January 1, 2023.

Understanding the CCPA/CPRA's scope and requirements is critical for organizations who operate in or market goods and services to Californians. 

Keep reading to learn more about CCPA requirements, consumer rights provided by the CCPA, how this law is enforced, and key CCPA amendments made by the CPRA. At the end, there's a checklist to help your organization get started with CCPA compliance.

Return to top

Who does CCPA/CPRA apply to?

The first question to ask when figuring out if the CCPA/CPRA applies is: Does our organization conduct business in California (CA) or process personal data from CA residents?

If the answer is an unequivocal 'No,' then CCPA/CPRA doesn't apply and you're off the hook. However, if the answer is 'Yes'—you'll want to keep reading.

The CCPA/CPRA applies to organizations that conduct business or market/sell goods in California. In addition, an orgnaization must: 

• Process data for 50,000 or more CA residents (until January 1, 2023 when that threshold increases to 100,000) OR
• Have a gross annual revenue of over $25 million OR
• Derive over 50% of annual revenue from sharing or selling personal data from California residents

To be clear, the data processing requirment means that if your commerce website has visitors from California, no matter your company's location, the CCPA applies for that group. 

It’s also worth noting that the CCPA covers subsidiaries, so businesses can’t “offshore” consumer data in order to bypass California’s privacy requirements. 

CPRA enforcement

California’s privacy laws are relatively new, so enforcement is still actively evolving. While the CCPA came into full force in July 2020, the CPRA didn't become enforceable until 2023. 

CPRA enforcement date

Though CPRA took effect on January 1, 2023, CPRA enforcement doesn't start in earnest until July 1, 2023. According to rules laid out by the California Privacy Protection Agency (CPPA):

"civil and administrative enforcement of the provisions of law added or amended by this Act shall not commence until July 1, 2023, and shall only apply to violations occurring on or after that date." [1]

Who enforces CPRA

Under the CCPA, the California Attorney General had exclusive rights to CCPA enforcement. However, with the creation of the California Privacy Protection Agency (CPPA), the water has become a bit murky. 

According to the CPRA text, the CPPA will have the “full administrative, power, and jurisdiction to implement and enforce” CPRA. That said, the California Attorney General may still take enforcement action.

Though it’s not yet clear exactly how the arrangement will work in practice, this is what we know so far: 

• Both the CPPA and the CA Attorney General may enforce California’s privacy laws.
• The Attorney General has precedence, in that they may ask the CPPA to hold off on an investigation until their office has either completed the same inquiry or decided not to pursue the matter further. (1798.199.90 (c))
• If the CPPA has already issued a decision about an investigation or violation, the Attorney General’s office may not pursue a double jeopardy civil suit. (1798.199.90 (d))

CPRA enforcement actions to date

At the time of this writing, though non-compliance notices have been filed, only one CCPA fine has been levied. On Aug 24, 2022, Sephora agreeed to a $1.2M settlement with the CA Attorney General following allegations that the cosmetics brand was:

• Selling data to third parties
• Not disclosing these sales in their privacy notice, and
• Not honoring consumer requests to opt-out of the sale of data, including not honoring the Global Privacy Control browser signal

In January 2023, the Attorney General's office annnounced another investigative sweep, specifically calling out a focus on businesses who are failing to honor privacy requests made via authorized agents. 

Time will tell whether the CPPA or Attorney General ends up levying futher fines, but as the July 2023 CPRA enforcement date draws closer it will definitely be an interesting space to watch. 

CPRA definitions

The CPRA applies specific definitions to common words, so we’ve compiled some of the most important below. 

Consumer

A consumer is any individual in California for non-temporary and non-transitory reasons, including California residents traveling outside the state who plan to return.

Business

The CPRA, like most privacy laws, defines business in a very specific way. Businesses must be for-profit entities, selling goods or services in California, and meeting one or more of the following criteria:

• Gross annual revenue of at least $25 million
• Buys, sells, or shares the personal data of at least 100,000 consumers 
• Makes at least half of its revenue from selling data

Opt-Out

A business must inform consumers that they use and sell personal data, and provide an easily accessible link that will allow consumers to opt-out.

Personal Information

Personal information is anything that might identify an individual or household. The CPRA defines personal information as: 

“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Personal information can include:

• Name
• Home address
• IP address
• Account name
• Email address
• Social security number
• Driver's license number
• Passport number
• Purhcase history
• Biometric data
• Browsing or search history
• Location data
• Employment data
• Inferences made from any of the data above

Keep in mind that personal information does not include information that's been “de-identified.” De-identified information has been stripped of identifying aspects so that businesses can use it safely. To count as de-identified information, the data cannot be re-identified later and businesses must have prevention procedures in place.

Sensitive personal information

Sensitive personal information (SPI) is a new data designation added by the CPRA—one that build on the concept of personal information, which was originally laid out by the CCPA.

Under CPRA, SPI is any personal information that somehow reveals:

• Driver’s license, social security, or passport numbers
• Log-in information for financial accounts
• Credit and debit card numbers
• Geolocation data
• Data on a consumer’s religion, ethnicity, or race
• A consumer's mail, email, or texts
• Biometric and genetic data
• Data about a consumer's sexual orientation or health

Processing

Processing refers to the collection, possession, or handling of consumer data, both manual and automated. Collecting data through a form and tracking cookies are two common forms of data processing.

Third-Party

Third parties are any external organization that collects, stores, or processes data on behalf of another business.

Return to top

Consumer rights provided by the CPRA

California tends to lead the way in consumer rights, and the CCPA is no exception—creating a broad spectrum of new data rights and protections.

Right to delete 

Businesses must delete a consumer's data upon request, as long as the consumer's identity can be verified. In addition, the business must direct any vendors and other service providers to do the same.

Right to correct 

Consumer have the right to ask a business to correct inaccuracies in the personal data they currently hold. If the business receives a consumer request for correction, they are required to exert "reasonable" effort to correct that data.

Right to access 

Consumers have the right to request access to any personal data a business has collected.

Right to know what personal data is being collected, sold, or shared

Customers have the right to know what data and categories of data a business is collecting on them. They also have the right to know how that data is being collected and how it’s being used by both the business and any third parties.

If a business sells or shares personal information, consumers may request to know what categories of data are being collected, the categories of personal data being sold or shared with a third party, and the categories of data a business has disclosed.

Right to opt-out of sale or sharing

At any time, a consumer has the right to tell a business that sells their personal information not to do so.

Right to limit use and disclosure of sensitive personal information

Consumers may instruct a business to limit the use of their sensitive personal information to activities that are strictly "necessary to perform the services or provide the goods" that they requested. 

Businesses must honor a consumer's request to limit the use or disclosure of their personal information, unless the consumer provides consent at a later date.

Right to equal service and price

Consumers must be able to exercise their data rights without facing penalties from the business. Meaning, regardless of a consumer’s opt-out status, the business may not deny service, charge a higher price, or suggest that price or quality of service is dependent on opt-out status. 

However, businesses may offer a bonus or other incentive in exchange for a consumer’s personal information.

Return to top

CPRA vs CCPA

While the CCPA was California's first landmark privacy law, businesses must also consider the California Privacy Rights Act (CPRA). Passed in 2020, the CPRA amended the CCPA—expanding consumer rights, adding the sensitive personal information data designation, removing the 30 day cure period, and more.

Review the CPRA full text to see all the changes, check out our CPRA vs CCPA blog post, or keep reading below to explore the main highlights.

Expanded privacy rights for consumers

The CPRA has the same intent as the CCPA, protecting consumer data privacy in California, but goes even further. Under the CPRA, consumers were given four net new data rights: 

• Right to correction
• Right to limit sensitve personal information
• Right to access information about automated decision making
• Right to opt-out of automated decision making

The CRPA also expanded the right to know, opt-out, and delete, which already existed under the CCPA.

• Biometrics
• Health records
• Sex life details
• Sexual orientation

New category of protected data

The CPRA extends legal protection to any “sensitive personal information” (SPI). A broader category than the CCPA's personal data designation, all of the following are considered SPI: 

• Social Security numbers
• Driver’s license numbers
• State ID card numbers
• Passport numbers
• Account logins and passwords
• Precise geolocation
• Racial and ethnic origins
• Religious and philosophical beliefs
• Union membership status
• Contents of mail, email, and text not sent to the business
• Genetic data
• Biometrics
• Health records
• Sex life details
• Sexual orientation

Increased data processing threshold

Before CPRA, a business processing data for 50,000 or more consumers fell under the CCPA's scope. The CPRA doubled this number—increasing the threshold to 100,000 consumers.

This means that, under the CPRA, many smaller CA businesses may end up being exempt. However, there are other scope criteria so make sure those are considered.

Elimination of the automatic 30 day cure period

Under the CCPA, businesses automatically had 30 days to address or "cure" a violation after receiving notice. The CPRA made the cure period discretionary, meaning it will only be provided on a case-by-case basis by the California Privacy Protection Agency.

Establishment of the California Privacy Protection Agency

The CPRA created the California Privacy Protection Agency (CPPA), which is tasked with creating and enforcing California's growing set of privacy and data protection laws. 

Learn more about the differences between the CPRA and CCPA.

Return to top

CCPA fines

CCPA violators can be fined up to $2,500 for unintentional incidents and up to $7,500 for intentional refusal to comply. These fines can be applied per person or household without limit—while a single fine may seem rather small, at scale they're quite significant. 

Tech giants and large enterprise process data in massive quantities, so a per person infraction can add up to millions or even hundreds of millions of dollars. 

Take the 2017 Equifax breach, which involved the data of 15 million CA residents. If the breach occurred under the CCPA, it would have resulted in $1.5 billion in fines.

To date, Sephora's $1.2M settlement is the only CPRA fine on record, but that could easily change once CPRA enforcement begins in July 2023.

Return to top

CPRA compliance checklist

At the start, getting CPRA compliant may feel like a daunting task, but using the CPRA compliance checklist below will give you a good idea of what's necessary and where to start. 

At it's core, complying with CPRA means respecting consumer rights by promptly responding to data requests, honoring requests for opt-out, and securing all personal and/or senstive data held by your company. But, of course, it's easier said than done. 

CPRA compliance requires in-depth knowledge of your data and data systems. You'll also need tools and processes, sometimes called privacy infrastructure, that can scale with new data, legislations, and consumer requests.

Aside from your own compliance, it's also critical you ensure compliance among any third-party data processors with whom you have a contract. If they're processing your customer's personal data, you're on the hook.

1. Identify and map sensitve data across all systems

Understanding what data you collect and hold, as well as how it's being used is a critical part of CPRA (or any privacy law) compliance.

This process, often called data mapping, will help your organization fulfill consumer requests for access or deletion, identify risky data processing, and track down affected data in the event of a breach. 

Though data mapping isn't required by the CPRA it's key to fulfilling many of the obligations the CPRA places on businesses.

2. Use an automated privacy tool for responding to consumer data requests

Responding to consumer requests for data access, correction, or deletion sounds relatively simple, at first. But fulfilling privacy requests means first knowing where to find the relevant data (part of why an up-to-date data map is so important), and then collating, packaging, and transmitting the data you find. 

Without the right privacy infrastructure, this process quickly starts to eat at your team's time. More than that, manual request fulfillment opens opportunity for human error and security vulnerabilities. 

Even if you don't take the path of an automated privacy software, it's best to define the data request fulfillment process before requests start pouring in—smoothing inefficiencies where possible and automating what you can. 

3. Implement an identity verification system

One key part of data request fulfillment, one that deserves it's own call-out, is identity verification.

Imagine responding to a data request i.e. sending an enormous data file containing a consumer's personal information (which can include credit card info, a social security number, or even sensitive health data)—only to realize after the fact the data was sent to the wrong person. 

Whether a simple accident or the result of a scam, this scenario is a big risk for any privacy program. Implementing an identify verification system like two-factor authentication is critical to ensuring request validity and personal data security (which, if you remember, is an explicit CPRA requirement). 

Organizations are both allowed and expected to verify a consumer's identify before fulfilling a request, so setting up a system to support this process is key. 

Though an automated identity verification system isn't required, it can ease the burden on both your organization and the consumer—and is baked in to many privacy request fulfillment platforms. 

4. Update your privacy policy

Transparency around data processing is an important part of CPRA compliance, so it's important to refresh your organization's privacy policy on, at minimum, an annual basis.

A compliant privacy policy will provide up-to-date information about how your organization collects, stores, shares, and uses consumer data, including:

• A description of consumer rights under the CPRA
• The commercial and business reasons for collecting information
• Types of personal information sold or disclosed in the last 12 months
• Types of third parties with whom personal information is shared
• A link that allows the customer to opt out of information sale
• A description of any financial incentives for providing data, such as a discount
• Two or more designated measures for submitting information requests
• Details on how to exercise consumer rights, including the verification process

Privacy policies must be easy to find, read, and understand. So do your best to drop the legalese wherever possible—opting instead for clear, even conversational, language.

5. Add a "Do not sell my information" link on your homepage

The CPRA requires that companies allow consumers to opt-out of the sale of their personal data. This means companies under the CPRA must provide a clear and conspicuous "Do not sell or share my personal information" link on their homepage. Most companies choose to put this link in the footer menu. 

We should note too that, under the CPRA, the law was expanded to include data sharing—meaning that if consumer data changes hands for the purpose of targeted advertising, even if no money is exchanged, the consumer must be given the option to say no.

In practical terms, this means that once the CPRA goes into affect on Jan 1, 2023, these links must be updated to reflect opt-out of data sharing. 

6. Obtain consent from minors age 13 to 16

The majority of CCPA requirements follow an opt-out consent regime, meaning organizations can process data without consent but must provide an option to opt-out at any point. However, the rules for minors age 13 to 16 are different. 

Minors under the CPRA are protected by an opt-in consent regime, meaning organizations must obatin consent before selling or sharing personal information. Minors between 13 and 16 may opt-in on their own behalf, while for minors under 13 opt-in must come from a parent or legal guardian. 

Minors that opt-in must also have the option to opt-out if they change their mind after the fact.

7. Audit and address security vulnerabilities

Although it’s already a best practice, the need for proactive cybersecurity has never been higher. The CPRA requires annual cybersecurity audits and risk assessments, though specific guidelines are still being determined. 

Despite this, guidance across all the privacy laws is fairly consistent—companies must make a concerted effort to protect and secure personal data within their possession. In the event of a breach, if there are clear security vulnerabilities that should've been addressed, a company will likely be seen in violation of their CPRA responsbilities.

The CPRA also allows a private right of action (meaning a consumer can press charges on their own behalf) for security breaches involving specific types of sensitive personal information.

No other US state privacy law allows a private right of action under any circumstance, so that alone should reflect the CPRA's serious stance on information security. 

Return to top