California Privacy Rights Act

Passed in 2020, the California Privacy Rights Act (CPRA) amended California’s first major privacy law, the California Consumer Privacy Act (CCPA). In broad strokes, the CPRA expanded consumer rights, added more regulation around commercial data processing, and refined the CCPA’s overall scope.

There are several notable differences between CCPA and CRPA, but one of the most significant is the increased data processing threshold.

Increased data processing thresholds

Doubling the CCPA’s data processing threshold, the CPRA applies to businesses processing data for 100,000 or more consumers. The result is that many small or mid-sized businesses could end up exempt; however, there are other threshold criteria to consider.

A business may fall under the CPRA’s scope because it:

  • Has a gross annual revenue over $25 million OR
  • Is processing data for over 100,000 California residents OR
  • Receives 50% or more of it’s annual revenue from sharing or selling data from California residents

Unlike many other state privacy laws, the CPRA applies when only one of these criteria are met.

Learn more about the CPRA