California Privacy Rights Act (CPRA)

In this guide:

Key facets of the CPRA

The California Privacy Rights Act (CPRA), a pivotal addition to the state’s data privacy landscape, builds upon the foundation laid by its predecessor: the California Consumer Privacy Act (CCPA). Active as of January 1, 2023, the CPRA brings forth a heightened level of data protection, significantly expanding the rights of California consumers and imposing more robust obligations on businesses that handle personal information.

At its core, the CPRA introduces a host of changes aimed at enhancing individual privacy rights and tightening data governance practices. The act not only refines and clarifies certain provisions found in the CCPA but also introduces novel concepts that reflect the evolving landscape of data privacy and cybersecurity. Importantly, the extraterritorial scope of the legislation is preserved to keep any business processing California consumers’ data in check even if they’re located outside of the state.

One of the central components of the CPRA is the establishment of a new category of sensitive personal information (SPI). This classification includes data such as Social Security numbers, government identification numbers, financial account information, precise geolocation data, racial or ethnic origin, religious beliefs, union membership, and health-related information. The CPRA affords consumers the right to exercise greater control over the collection and use of this SPI, reflecting an awareness of the potential risks associated with its mishandling.

The CPRA expands upon California’s prior data privacy legislation and grants two additional enumerated rights for state consumers:

  • The right to correct inaccurate personal information that a business has about them.
  • The right to limit the use and disclosure of sensitive personal information collected about them.

The enumerated rights already granted by the CCPA include:

  • The right to know about the personal information a business collects about them and how it is used and shared.
  • The right to delete personal information collected from them (with some exceptions).
  • The right to opt-out of the sale or sharing of their personal information.
  • The right to non-discrimination for exercising CCPA rights.

Critically, the CPRA establishes the California Privacy Protection Agency (CPPA) as an independent regulatory body to uphold these rights and enforce violations by an organization. Fines of up to $7,500 per intentional violation and $2,500 per non-intentional violation can be levied against an organization for each violation, which adds up quick when you consider some businesses are collecting and processing the data of millions of individuals each day.

In addition, this legislation ushers in a new era of data protection for children. The CPRA introduces enhanced protections for minors, requiring affirmative consent for the sale of personal information of consumers under the age of 16. For consumers under the age of 13, parental consent is mandatory. These provisions align with growing concerns and international policy around the vulnerability of young individuals in an increasingly digital world.

Source: The California Attorney General’s Website

Ensuring compliance

The CPRA extends its scope for businesses by introducing the term “business purpose,” which creates new minimum contracting terms applicable any time a business sells personal information to a third party, shares it for behavioral advertising purposes or otherwise discloses it to a service provider or contractor. A greater number of businesses are now subjected to these legal requirements as well. Be sure you know if, and to what extent, these regulations apply to you now that they’re active in 2023.

For businesses, an increased emphasis has been placed on providing consumers with the purposes for which their data is being collected and the ability to limit its usage for certain activities, placing a renewed emphasis on informed consent and the principle of data minimization under the CPRA.

Moreover, the CPRA introduces the concept of “contractual limitations,” enabling businesses to contractually bind their service providers to specific data protection requirements. This measure recognizes the intricate web of data sharing that exists in the modern digital ecosystem and emphasizes the importance of holding service providers accountable for maintaining high standards of data security with vendors and partners alike.

Businesses meeting any of the following criteria are regulated by the CPRA today:

  • Annual gross revenue of $25 million or more.
  • Buy, sell, or share the personal information of 100,000 or more consumers or households annually.
  • Derive 50% or more of their annual revenue from sharing consumers’ personal information, which means this criterion is particularly relevant for Data Brokers (called out specifically in the CPRA) and businesses that monetize personal information through sharing with third parties.
  • Process SPI of consumers on a significant scale.
  • Process the personal information of minors (individuals under the age of 16) for the purpose of targeted advertising or profiling.
  • Service providers and contractors are indirectly effected, as they are not directly subject to the CPRA’s obligations but are required to comply with contractual limitations imposed by partner businesses to ensure data protection measures.

By embracing enhanced data protection measures, fostering transparency, and upholding consumer rights, businesses can achieve compliance while building trust and demonstrating their commitment to safeguarding personal information in an increasingly digital world. Privacy Bee can help you get there.

Enhanced External Data Privacy with Privacy Bee

In today’s digital landscape, shielding your personal and business information is paramount. The CPRA further empowers California consumers to take control of their personal data in a more efficient and effective way, so Privacy Bee can step in on your behalf to streamline the time-consuming, manual process of opting out from every site where your data lives today.

With your permission, Privacy Bee can actively curb the dissemination of your personal information—and if you’re a business owner, your employees and customers—across the vast expanse of the internet, including the elusive dark web. This proactive approach significantly reduces the potential attack surface that cybercriminals can exploit, fortifying your External Data Privacy on multiple fronts.

Data Brokers and People Search Sites have emerged as key players in this billion-dollar industry of data processors and sellers, profiting from your sensitive information as they pass it on to unknown and uncontrollable entities. The ramifications of having your private data exposed on the web are far-reaching, posing severe threats in the hands of malicious hackers. A single data breach can lead to the theft of your identity, unraveling a series of events that can compromise not only your personal security, but potentially that of your family members or your entire workplace.

Privacy Bee is your proactive effort to fight back against these threats. By locating all the corners of the web where your data resides and swiftly removing it, Privacy Bee closes the data security gap. This preemptive action mitigates the risk of identity theft risk and, for businesses, a data breach. Privacy Bee’s commitment is rooted in the belief that privacy is a fundamental human right that transcends political debates and negotiations. Our role is to diligently monitor user data for security breaches while holding businesses accountable by compelling them to erase your stored data and opt out of further data collection.

Privacy Bee’s protective umbrella extends over a wide range of potential threats, including:

  • Spam emails
  • Telemarketing calls
  • Cyberstalking
  • Swatting
  • Doxxing
  • Blackmail
  • Identity theft
  • Data breaches

Whether you’re an individual taking proactive measures to safeguard yourself and your loved ones, or a business committed to securing both employees and customers, Privacy Bee empowers you to take charge of your private data. In an era where data privacy is essential, Privacy Bee stands as your steadfast partner in the ongoing battle to preserve your personal and organizational integrity.

Trusted by thousands of companies.

Instant access to the world's leading business privacy platform. Dive into your account: