The California Privacy Rights Act of 2020

At a strategic level, the California Privacy Rights Act (CPRA) is more than a regulatory update; it marks a shift in how organizations are expected to manage personal data. 

CPRA requires organizations to go beyond policies and demonstrate how personal data is managed, accessed, and protected across systems. It demands clear data traceability, integrated controls, and the ability to respond quickly to consumers’ requests and regulatory inquiries. 

For many businesses, this exposes gaps between written policies and actual practices. The challenge lies in proving compliance in real time, not just during audits, but as part of daily operations. Forward-looking organizations view the California Privacy Rights Act as an opportunity to modernize their data infrastructure, streamline governance, and reduce long-term risk.

In this article, we explore what practical compliance looks like and how business leaders are using it to drive more resilient, transparent operations. 

Understanding the California Privacy Rights Act

The California Privacy Rights Act of 2020, also known as Proposition 24, was passed in November 2020. It significantly expanded and strengthened the original California Consumer Privacy Act (CCPA), reshaping the state's data privacy landscape.

More than a set of amendments, the CPRA redefines how organizations must manage and protect personal data, placing greater emphasis on transparency, accountability, and data governance. The law was championed by privacy advocate Alastair Mactaggart and Californians for Consumer Privacy to create durable, enforceable privacy protections that are less susceptible to dilution over time. 

Having gone into effect on January 1, 2023, the CPRA covers a wide scope, including the handling of sensitive personal information, consumer rights to data correction and restriction, and oversight of automated decision-making. For businesses, it signals a shift from policy-driven compliance to operational readiness and demonstrable control.

Core Components of CPRA Data Privacy Protection

The CPRA doesn’t just expand privacy laws; it reshapes how businesses must classify, manage, and protect sensitive consumer data across the board. 

Defining Sensitive Information Under the California Privacy Rights Act 

One major change in the California Privacy Rights Act is its definition and classification of sensitive personal information. It provides special protection for data that poses higher privacy risks to consumers. 

Sensitive personal information under the CPRA includes several critical categories that require special handling. Biometric data comprises facial recognition patterns, fingerprints, retinal scans, voice recordings, and other unique physical identifiers. Financial information covers bank account numbers, credit card details, insurance policy numbers, and related monetary data.

This law also protects the content of private communications, including emails, text messages, and other non-public correspondence. Geographic location data, genetic information, and details about sex life or sexual orientation receive enhanced protections under these provisions. 

Government-issued IDs, such as Social Security numbers, driver’s licenses, and passports, are considered sensitive and must be handled with care. The CPRA also protects data that reveals consumer traits, job details, race, ethnicity, religion, or union membership. 

Enhanced Consumer Rights and Protections 

The California Privacy Rights Act significantly expands consumer rights beyond those provided by the California Consumer Privacy Act (CCPA). These enhanced protections give individuals greater control over their personal information and how businesses use it. 

Consumers now have the right to correct inaccurate personal information maintained by businesses. This correction right ensures that organizations cannot rely on outdated or incorrect data when making decisions that affect consumers. The process requires businesses to establish systems for receiving, verifying, and implementing correction requests within reasonable timeframes. 

Another key update is the right to limit how businesses use and share personal data. Consumers can now restrict its use to only what’s needed to deliver the services they expect. This prevents companies from using the data for unrelated purposes without clear permission.

The CPRA also strengthens data portability rights. It requires businesses to provide consumer data in a structured, machine-readable format so it can be easily transferred to other platforms.

The CPRA also gives consumers new rights around automated decision-making. They can ask for details on how the automated decisions are made, especially if the outcome affects them. Consumers can also opt out of having their data used in automated systems, including profiling that may influence how they are treated. 

Enforcement Through the California Privacy Protection Agency 

The California Privacy Protection Agency (CPPA) represents a significant shift in how privacy law violations are addressed. Unlike in the past, when the Attorney General managed enforcement, the CPPA is now fully dedicated to privacy issues. 

The agency has full authority to investigate, enforce rules, and create new regulations. It can act independently or respond to complaints from consumers, competitors, or advocacy groups, ensuring that violations are identified and addressed from multiple sources. 

The CPPA follows a five-year limit for taking action on violations, but this can be extended if a business hides the issue through fraud. Unlike the CCPA’s automatic 30-day fix period, the CPPA now decides whether a business gets time to correct a violation. 

Any fines the agency collects help fund its enforcement work and cover costs for the courts and the Attorney General. This self-funded model enables the agency to expand its efforts as privacy regulations evolve.

Business Compliance Requirements Under CPRA

Meeting CPRA’s obligations isn’t just about checking boxes. It’s about building smart, scalable systems that can adapt to future data expectations. 

Understanding Covered Entities and Their Obligations 

The California Privacy Rights Act broadens the scope of covered entities, adding “contractors” alongside businesses, service providers, and third parties. If your organization operates for profit in California, you’re subject to CPRA if you meet at least one threshold: over $25 million in annual revenue, processing data of 100,000+ consumers per year, or deriving 50% or more of revenue from selling personal information. 

Understanding your data-sharing relationships is critical. Service providers operate under strict contractual terms and may only use data for specified purposes, adhering to appropriate security controls. Contractors, a new CPRA category, must certify compliance, cannot commingle data across clients, and must disclose any subcontractors. In contrast, third parties are less regulated under CPRA but must honor original data-use terms and inform consumers of any changes. Clear identification of these roles is essential to maintain compliance and minimize risk. 

GDPR-Inspired Principles in CPRA Data Privacy 

The CPRA brings in several key ideas from the European Union’s General Data Protection Regulation (GDPR), which were missing in the original CCPA. These additions reflect global best practices for handling personal data. 

One of them is data minimization, which means you should collect only the information that’s directly needed for a specific purpose. Gathering extra data “just in case you might need it later” is no longer acceptable. 

Purpose limitation ensures that personal data is used only for the reason it was collected. If you want to use it for something else later, you must get consent or meet other legal requirements. 

The CPRA’s storage limitation requires you to be transparent about how long you keep consumer data. If you can’t give an exact timeframe, you must explain the factors that influence your retention decisions, like whether the user still has an active account. 

Industry-Specific Considerations for CPRA Compliance 

Different industries face unique challenges when implementing the requirements of the California Privacy Rights Act. Understanding these sector-specific considerations helps organizations develop more effective compliance strategies. 

  1. Life sciences organizations, such as those in healthcare and pharmaceuticals, handle sensitive data, including health records, research findings, and clinical trial details. Under CPRA, they must protect this data while also supporting innovation, especially when developing treatments or conducting trials.
  2. Technology companies face unique pressure due to their use of automated systems and behavioral advertising. The CPRA’s expanded rules on “sharing” now apply to common practices, such as data-driven personalization and ad targeting.
  3. Financial services firms must align CPRA rules with existing financial privacy laws. Since the CPRA includes financial data as sensitive information, extra steps are needed to protect banking and insurance-related data.
  4. Retail and e-commerce businesses must efficiently manage consumer privacy requests. With new rights under CPRA, businesses need better systems for handling requests and communicating clearly with customers, without disrupting their daily operations.

Comparing CCPA and CPRA In Detail

Understanding how the CPRA builds upon the CCPA demonstrates the significant progress made in privacy laws. Both the scope and the way rules are enforced have grown stronger. 

Key Differences Between the Two Frameworks 

Understanding what the CPRA is in comparison to the original CCPA helps businesses grasp how much the privacy landscape has grown in reach and enforcement.

While the CCPA set down the foundation for consumer data rights, the CPRA builds upon it with stricter requirements, broader definitions, and a more aggressive enforcement approach. 

The differences between CCPA and CPRA go beyond terminology; they signal a maturing legal framework that demands stronger accountability from businesses that handle personal data. 

  • Broader scope: The CPRA raises the compliance threshold to 100,000 consumers and includes companies that share personal data, not just those that sell it.
  • Stronger enforcement: Unlike the CCPA, which relied on the Attorney General, the CPRA establishes a dedicated enforcement agency, the California Privacy Protection Agency.
  • Tighter timelines: The automatic 30-day grace period under the CCPA is removed. Under the CPRA, cure periods are granted at the agency’s discretion, with stricter penalties for violations involving minors.
Enhanced Data Subject Rights and Business Obligations 

The evolution from the CCPA to the CPRA reflects California’s deeper commitment to protecting consumer privacy in today’s data-driven world. While the original CCPA gave consumers five core rights, the CPRA modifies and expands them to meet new digital realities. 

From improving how data is shared and deleted to adding new rights regarding data correction and automation, the CPRA transforms what was once basic compliance into a more comprehensive and actionable framework for privacy. 

  • Stronger portability and deletion rights: Data must now be shared in usable, machine-readable formats. Deletion rights also extend to third parties, not just the original data holder. 
  • Broadened opt-out protections: The right to opt out now covers data sharing for cross-context behavioral ads, not just data sales. 
  • New consumer rights: The CPRA adds rights to correct inaccurate data, limit its use, and opt out of automated decision-making, offering more control than ever. 

These expanded protections are more than legal updates; they’re signals that your consumers expect transparency and control. 

Conclusion

Checking off compliance boxes won’t make your business stand out. But when you treat privacy as a long-term strategy, it becomes a real customer service advantage. Strong programs do more than meet rules; they build trust, improve your reputation, and make your operations more efficient. 

It begins by placing privacy at the core of your work. Bring your legal, tech, and business teams together. Make privacy part of your daily processes, not just a reaction to risks. Platforms like Egnyte can help by offering secure data governance tools that support data control and compliance without hindering your workflow.

At the end of the day, when you lead with privacy, people notice. Customers trust companies that protect their data and respect their choices. By going beyond the basics, you’re not just following the law; you’re building loyalty, setting higher standards, and future-proofing your business. 

Frequently Asked Questions

What makes the California Privacy Rights Act different from other privacy laws? 

The CPRA gives consumers stronger rights, enforces them through a dedicated privacy agency, and offers deeper protection for sensitive data than most other state laws. The State of California’s focus on data privacy has also proven to be a model for other U.S. states’ data privacy regulations.  

Do small businesses need to worry about CPRA compliance requirements? 

Not all businesses are required to comply. You fall under the CPRA if you earn over $25 million a year, handle data of 100,000 or more consumers, or make at least 50% of your revenue from selling personal information. 

How does sensitive personal information get special protection under CPRA? 

Sensitive personal information under the CPRA comes with extra safeguards. You must give clear notice to the consumers whose data is protected by the law, offer opt-out options, limit how long you keep the data, and apply stronger security than usual.

Can consumers really correct wrong information that companies have about them? 

Yes, the CPRA allows consumers to request corrections to inaccurate personal data. Businesses must have clear processes in place to verify and fix that information quickly. 

What happens if my company violates CPRA requirements accidentally? 

The California Privacy Protection Agency can choose to give businesses time to fix violations, but unlike the original CCPA, there’s no automatic 30-day grace period.

Last Updated: 17th November 2025