CCPA vs. CPRA. New data protection rules in California (USA)

The California Consumer Privacy Act (CCPA) took effect on January 1, 2020. It established a data protection regime that prescribes new consumer rights and business obligations regarding the collection of personal information. Most businesses that collect data from Californians are probably already acquainted with this regulation and aim to comply with its rules.

However, the California Privacy Rights Act (CPRA), which amends and expands the CCPA, has been “operative” since January 1, 2023. It is essential to know that “operative” does not mean “enforced”. Enforcement of the CPRA begins on July 1, 2023 and applies to violations committed on or after that date, which gives businesses a six-month period to prepare for the new provisions. Please note that the CPRA does not replace the CCPA; it amends its provisions and adds new ones.

What’s new in the CPRA?

Applicability

First of all, some small businesses that were subject to the CCPA may be exempt under the CPRA, because the threshold of consumers whose data a business must process to be covered has been raised from 50,000 to 100,000 (and “devices” no longer count towards it).

1798.140 (B), CCPA wording: Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

1798.140 (B), CPRA wording: Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households.

Furthermore, some companies may become subject to the CPRA because of the new provision under which the CPRA applies to companies that derive 50 percent or more of their annual revenue not only from selling but also from sharing personal information.

1798.140 (C) Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

Sensitive personal information

The CPRA has some similarities with the GDPR (the EU data protection regulation). Like the GDPR, it introduces a special category of personal information, “sensitive personal information”, and grants consumers the right to restrict how businesses use and disclose such data. Under the CPRA, businesses must provide a “clear and conspicuous” link on their homepage titled “Limit the Use of My Sensitive Personal Information.”

Sensitive personal information includes the following categories of data:

  • Social Security number;
  • Driver’s license, state identification card or passport number;
  • Government-issued identification number;
  • Financial account number;
  • Health insurance or medical identification number;
  • Account password;
  • Security questions and answers;
  • Debit or credit card number and access codes;
  • Precise geolocation data;
  • Religious or philosophical beliefs;
  • Racial or ethnic origin;
  • Union membership;
  • Contents of mail, email and text messages (unless the business is the intended recipient);
  • Genetic data;
  • Biometric information processed for identification purposes;
  • Personal health information;
  • Sex life or sexual orientation information.

Notice at collection

The Notice at Collection has the same function as a privacy notice. It must give consumers all relevant information about the processing of their personal information in an accessible format, for example via a link on the website or on a printed form in the case of an offline business. The business shall include the following in its Notice at Collection (the references to sensitive personal information, to whether data is sold or shared, and to retention periods are new CPRA requirements):

  • A list of the categories of personal information collected about consumers, including sensitive personal information;
  • The purposes for which the categories of personal information, including the categories of sensitive personal information, are collected;
  • Whether each category of personal information is sold or shared;
  • The length of time the business intends to retain each category of personal information or, if that is not possible, the criteria used to determine the retention period;
  • If the business sells or shares personal information, the link to the Notice of Right to Opt-out of Sale/Sharing;
  • A link to the privacy policy.

New consumers’ rights

The CPRA provides a wide range of consumer rights, several of which are new (the right to correct, the right to opt out of sharing, the right to limit the use of sensitive personal information and the rights regarding automated decision-making), namely:

  • the right to access personal information;
  • the right to delete personal information;
  • the right to correct inaccurate information;
  • the right to know the categories and specific pieces of personal information;
  • the right to opt out of the sale or sharing of personal information;
  • the right to limit the use and disclosure of sensitive personal information;
  • the right of non-retaliation;
  • the right to access information about automated decision-making technology and to opt out of such processing.

Cross-context behavioural advertising

Cross-context behavioural advertising is defined by the CPRA as: “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”

Such processing typically involves third-party advertising platforms such as Google Ads, Twitter and Facebook. They place tracking identifiers (cookies, pixels, beacons) on a website and collect the personal information consumers leave while browsing different websites, in order to target particular ads to a particular consumer based on his or her actions.

Beyond the general rules (data protection principles, obtaining consent, responding to consumer requests, etc.), there is an obligation to provide a clear and conspicuous link on the website homepage titled “Do Not Sell or Share My Personal Information.” The CPRA also states that businesses must treat an opt-out preference signal sent by the browser as a valid request to opt out of sale or sharing, not only for that browser or device but also for “any consumer profile associated with that browser or device, including pseudonymous profiles.”
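The following is an added example, not code from the original article, showing how a server can honour such an opt-out preference signal in the way the quoted text requires: the opt-out must reach every profile linked to the browser or device, including pseudonymous (cookie-keyed) ones, and the absence of the signal on a later request must not reverse it. It assumes (the article does not say so) that the signal is the Global Privacy Control header `Sec-GPC: 1`, and that the business keeps a map from a device identifier to the profiles linked to it; the in-memory store and all identifiers below are constructed for the example.

```python
# Added example, not code from the original article. It shows how a
# server can honour a browser opt-out preference signal in the way the
# CPRA text above requires: the opt-out must cover every consumer profile
# linked to that browser or device, including pseudonymous ones.
#
# Assumptions (not stated in the article): the signal is the Global Privacy
# Control header "Sec-GPC: 1"; the business keeps a map from a device
# identifier (e.g. a first-party cookie) to the profiles linked to it. The
# store below is an in-memory stand-in for that database; all IDs are made up.
from dataclasses import dataclass, field


@dataclass
class Profile:
    profile_id: str
    pseudonymous: bool            # True for cookie-keyed profiles without an account
    opted_out_of_sale_sharing: bool = False


@dataclass
class ProfileStore:
    profiles: dict[str, Profile] = field(default_factory=dict)
    # device_id -> ids of every profile ever linked to that device
    device_links: dict[str, set[str]] = field(default_factory=dict)

    def add(self, profile: Profile) -> None:
        self.profiles[profile.profile_id] = profile

    def link(self, device_id: str, profile_id: str) -> None:
        self.device_links.setdefault(device_id, set()).add(profile_id)


def opt_out_signal_present(headers: dict[str, str]) -> bool:
    """True if the request carries a valid GPC signal.

    Header names are case-insensitive; the GPC spec defines "1" as the only
    value that expresses an opt-out, so anything else is ignored.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_opt_out(store: ProfileStore, device_id: str, headers: dict[str, str]) -> set[str]:
    """Record an opt-out of sale/sharing for every profile tied to the device.

    Returns the ids of the profiles now opted out. A request *without* the
    signal changes nothing: the absence of the header is not consent, so an
    earlier opt-out is never silently reversed.
    """
    if not opt_out_signal_present(headers):
        return set()
    affected: set[str] = set()
    for profile_id in store.device_links.get(device_id, set()):
        store.profiles[profile_id].opted_out_of_sale_sharing = True
        affected.add(profile_id)
    return affected


def may_share_for_advertising(store: ProfileStore, profile_id: str) -> bool:
    """Gate to call before handing a profile to an ad partner.

    Unknown profiles are not shared either: fail closed rather than open.
    """
    profile = store.profiles.get(profile_id)
    return profile is not None and not profile.opted_out_of_sale_sharing


def demo() -> tuple[ProfileStore, set[str]]:
    """Constructed scenario: device A carries both an account-backed profile
    and a pseudonymous cookie profile; device B belongs to someone else."""
    store = ProfileStore()
    store.add(Profile("acct-42", pseudonymous=False))
    store.add(Profile("cookie-9f1", pseudonymous=True))
    store.add(Profile("acct-77", pseudonymous=False))
    store.link("dev-A", "acct-42")
    store.link("dev-A", "cookie-9f1")
    store.link("dev-B", "acct-77")

    affected = apply_opt_out(store, "dev-A", {"Sec-GPC": "1"})
    # A later request from dev-A without the header must not undo the opt-out.
    apply_opt_out(store, "dev-A", {"User-Agent": "example"})
    return store, affected


if __name__ == "__main__":
    store, affected = demo()
    print("opted out:", sorted(affected))
    for pid in ("acct-42", "cookie-9f1", "acct-77"):
        print(pid, "shareable:", may_share_for_advertising(store, pid))
```

The two design points worth copying are that the opt-out is keyed on the device-to-profile links rather than on a single profile, so the pseudonymous cookie profile is covered as well as the logged-in account, and that the sharing gate fails closed for unknown profiles.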

The CPRA requirements for service providers in the field of online advertising are stricter than those for businesses, which may cause problems for such service providers. The point is that cross-context behavioural advertising was explicitly excluded from the list of business purposes for which businesses may contract service providers. Thus, this method of advertising serves no valid business purpose under the CPRA, and an entity that processes consumers’ personal information for that purpose is not a service provider under the CPRA but is treated as a third party. We hope this issue will be resolved soon by new regulations or clarifications, because as things stand these provisions are crippling for the AdTech business.

Data protection principles

With regard to data protection principles, the CPRA brings American data protection legislation closer to the GDPR. The following principles apply to businesses subject to the CPRA:

  • Data minimization: businesses must collect only the information they actually need to achieve the purposes disclosed to the consumer. Businesses may not collect additional information “just in case”.
  • Purpose limitation: businesses must process personal information only for the purposes they previously described to the consumer. If a business wants to process information for another purpose (for example, it collected email addresses for registration on the platform and now wants to use them for marketing), it must notify the consumer of the new purpose and processing.
  • Storage limitation: businesses must store data only for as long as is “reasonably necessary” to achieve the stated purposes. A business may not store information for an indefinite period.

Minors

If you have an application or website targeting children, you must know the new CPRA rules regarding minors. If a business has “actual knowledge” that it sells or shares the personal information of a consumer under the age of 13, it “shall establish, document, and comply with a reasonable method for determining that the person consenting to the sale or sharing of the personal information about the child is the parent or guardian of that child.” If consent is refused, the business must wait at least 12 months, or until the child turns 16, before asking for opt-in consent again.

The CPRA also requires the minor’s own opt-in consent to sale or sharing for consumers aged 13 to 15, while for children under 13 the verifiable parental consent required by the federal Children’s Online Privacy Protection Act (COPPA) applies. The CPRA regulations provide six methods for reasonably determining that the person providing consent is the child’s parent or guardian:

  • Providing a consent form to be signed by the parent or guardian under penalty of perjury and returned to the business by postal mail, facsimile or electronic scan;
  • Requiring a parent or guardian, in connection with a monetary transaction, to use a credit card, debit card or other online payment system that provides notification of each discrete transaction to the primary account holder;
  • Having a parent or guardian call a toll-free telephone number staffed by trained personnel;
  • Having a parent or guardian connect to trained personnel via video-conference;
  • Having a parent or guardian communicate in person with trained personnel; and
  • Verifying a parent or guardian’s identity by checking a form of government-issued identification against databases of such information, provided that the business deletes the parent or guardian’s identification from its records promptly after verification is complete.

California Privacy Protection Agency and fines

The CPRA creates a dedicated agency for interpreting and enforcing the data protection law: the California Privacy Protection Agency (CPPA). Tasked with taking over rule-making power from the California Attorney General, the CPPA is the first US regulatory authority focused exclusively on data privacy. It provides guidance on the CPRA and also investigates violations, conducts hearings and assigns liability to covered entities.

Violations of the CPRA can result in administrative fines or civil penalties of up to $2,500 per violation, or $7,500 per intentional violation and per violation involving the personal information of consumers under 16. Additionally, the private right of action is preserved: a business that fails to “implement and maintain reasonable security procedures and practices” and thereby suffers the “unauthorized access and exfiltration, theft, or disclosure” of a consumer’s nonencrypted and nonredacted personal information can be sued for statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. For a security team this is the provision to watch: the amount scales with the number of affected consumers, and the CPRA extends it to breaches of an email address combined with a password or security question and answer that would permit access to the account. Thus, a business that is not prepared for the new rules may face serious financial sanctions in case of a security incident or data breach.

Conclusions

Given the large number of new rules, the CPRA is clearly not a small addition to the CCPA: it is a reformative legislative act that significantly increases the responsibility of companies for the collection of consumers’ personal data. All companies processing data of Californians or registered in California should take the new rules into account and implement them in their data processing as soon as possible. If you need any help with data protection compliance in the USA, please send us an email or book a call.

2023-01-17