CCPA vs CPRA: Understanding the Amendments
The California Privacy Rights Act (CPRA), passed by voters in November 2020, significantly strengthened the original California Consumer Privacy Act (CCPA). Understanding these amendments is essential for businesses navigating California's privacy requirements.
Key Takeaways
| Point | Summary |
|---|---|
| Relationship | CPRA amended CCPA; it did not create a separate law |
| Effective date | CPRA amendments took effect January 1, 2023 |
| Enforcement agency | CPRA created the California Privacy Protection Agency (CPPA) |
| Major additions | Sensitive personal information, right to correct, new thresholds |
| Current name | "CCPA" or "CCPA, as amended" refers to the combined law |
Quick Answer: CPRA amended and strengthened CCPA, adding new consumer rights (correction, limiting sensitive data use), creating a dedicated enforcement agency (CPPA), introducing sensitive personal information as a category, and raising the data volume threshold from 50,000 to 100,000 consumers.
What is the Relationship Between CCPA and CPRA?
The CPRA is not a separate law. It is a ballot initiative (Proposition 24) that amended the existing CCPA. When discussing California's privacy law today, references to "CCPA" typically mean the original law as modified by CPRA. For an overview, see "What is CCPA".
| Aspect | Original CCPA | CCPA as Amended by CPRA |
|---|---|---|
| Effective Date | January 1, 2020 | January 1, 2023 |
| Enforcement | California Attorney General only | AG + California Privacy Protection Agency |
| Consumer Rights | 4 core rights | 6+ core rights |
| Data Categories | Personal information | Personal information + sensitive personal information |
| Data Volume Threshold | 50,000 consumers | 100,000 consumers |
Timeline of California Privacy Law
| Date | Event |
|---|---|
| June 2018 | CCPA signed into law |
| January 1, 2020 | CCPA becomes effective |
| July 1, 2020 | CCPA enforcement begins |
| November 2020 | California voters approve CPRA (Proposition 24) |
| January 1, 2023 | CPRA amendments take effect |
| July 1, 2023 | CPPA begins enforcement of CPRA provisions |
| January 1, 2024 | Additional amendments (AB 947: immigration status as SPI) |
| January 1, 2025 | Updated penalty and threshold amounts |
| January 1, 2026 | New regulations on ADMT, risk assessments, cybersecurity audits |
New Consumer Rights Under CPRA
Right to Correct
The CPRA added the right for consumers to request correction of inaccurate personal information.
| Aspect | Details |
|---|---|
| What it covers | Inaccurate personal information held by the business |
| Business obligation | Use commercially reasonable efforts to correct |
| Response deadline | 45 days (extendable to 90 days) |
| Documentation | Instruct service providers and contractors to correct |
Right to Limit Use of Sensitive Personal Information
| Aspect | Details |
|---|---|
| What it covers | Sensitive personal information categories |
| Consumer action | Request to limit use to specific purposes |
| Business obligation | Limit use or obtain explicit consent for other purposes |
| Required link | "Limit the Use of My Sensitive Personal Information" or combined link |
Enhanced Opt-Out Rights
For detailed implementation requirements, see opt-out requirements.
| Original CCPA | CPRA Enhancement |
|---|---|
| Opt-out of "sale" | Opt-out of "sale" AND "sharing" |
| Monetary consideration only | Includes sharing for cross-context behavioral advertising |
| "Do Not Sell" link | "Do Not Sell or Share" link required |
Sensitive Personal Information: A New Category
The CPRA created "sensitive personal information" (SPI) as a distinct subset of personal information with additional protections.
| SPI Category | Examples |
|---|---|
| Government IDs | SSN, driver's license, passport |
| Financial access credentials | Account numbers with passwords |
| Precise geolocation | GPS-level location data |
| Race/ethnicity/religion | Protected characteristics |
| Union membership | Labor organization affiliation |
| Mail/email/text contents | Private communications |
| Genetic data | DNA, genetic testing results |
| Biometric data | Fingerprints, face recognition |
| Health information | Medical records, conditions |
| Sex life/orientation | Sexual orientation, intimate details |
| Immigration status | Citizenship status (added 2024) |
Consumer rights for SPI:
- Right to know what SPI is collected
- Right to limit use to specific, enumerated purposes
- Right to deletion of SPI
Changes to Business Thresholds
| Threshold | Original CCPA | CPRA Amendment |
|---|---|---|
| Revenue | $25 million | $26.625 million (inflation-adjusted 2025) |
| Data volume | 50,000 consumers | 100,000 consumers |
| Data revenue | 50% from selling | 50% from selling OR sharing |
The increase in the data volume threshold from 50,000 to 100,000 consumers removed some smaller businesses from scope, while the addition of "sharing" expanded the data revenue threshold.
California Privacy Protection Agency (CPPA)
The CPRA established a new, dedicated enforcement agency with specific powers.
| Aspect | Details |
|---|---|
| Name | California Privacy Protection Agency |
| Created by | CPRA |
| Powers | Rulemaking, enforcement, administrative actions |
| Board | Five-member board appointed by Governor and Legislature |
| Budget | Initially $5M (first year), then $10M/year; current budget substantially higher |
| Relationship to AG | Shares enforcement authority with Attorney General |
CPPA responsibilities:
- Adopting regulations implementing CCPA
- Investigating potential violations
- Bringing administrative enforcement actions
- Imposing administrative fines
- Providing guidance and resources to businesses
Data Processing Contracts
The CPRA added specific contract requirements for businesses working with service providers, contractors, and third parties.
| Contract Party | CPRA Requirements |
|---|---|
| Service Provider | Written contract specifying purpose, prohibiting retention/use beyond purpose, requiring CCPA compliance |
| Contractor | Same as service provider, plus certification of understanding |
| Third Party | Sale/sharing agreement with disclosure obligations |
Employee Data Exemption Expiration
| Aspect | Original CCPA | After CPRA |
|---|---|---|
| Employee data | Temporary exemption | Full CCPA rights apply (as of Jan 1, 2023) |
| Job applicant data | Temporary exemption | Full CCPA rights apply |
| B2B contact data | Temporary exemption | Full CCPA rights apply |
As of January 1, 2023, employees, job applicants, and B2B contacts have full CCPA rights regarding their personal information.
New Requirements Under CPRA
Data Minimization
| Principle | Details |
|---|---|
| Collection | Reasonably necessary and proportionate to purposes |
| Retention | Not longer than reasonably necessary |
| Disclosure | Must specify retention periods or criteria |
Purpose Limitation
| Principle | Details |
|---|---|
| Use limitation | Cannot use data for purposes incompatible with disclosed purposes |
| Notice requirement | Must disclose purposes at or before collection |
| Secondary use | Requires consumer consent or additional notice |
Storage Limitation
| Requirement | Details |
|---|---|
| Retention periods | Must establish and disclose |
| Disclosure format | Category-by-category or criteria for determination |
| Deletion | After period expires, unless retention required by law |
Upcoming CPRA Regulations (2026)
The CPPA has adopted regulations effective January 1, 2026, covering:
| Area | Requirements |
|---|---|
| Automated Decision-Making Technology (ADMT) | Consumer access, opt-out rights, risk assessments |
| Cybersecurity Audits | Mandatory for certain businesses |
| Risk Assessments | Required for high-risk processing activities |
Key Differences Summary
| Feature | Original CCPA | After CPRA |
|---|---|---|
| Consumer rights | 4 core rights | 6+ core rights |
| Sensitive data | Not distinguished | Separate category with added protections |
| "Sharing" | Not covered | Covered (cross-context behavioral advertising) |
| Data minimization | Not explicit | Explicit requirements |
| Enforcement agency | AG only | AG + CPPA |
| Employee data | Exempted | Fully covered |
| Threshold (data volume) | 50,000 | 100,000 |
| Contract requirements | Basic | Detailed specifications |
Common Questions
Do I need to update my compliance program for CPRA?
Yes. If you were CCPA-compliant before January 1, 2023, you needed to update your program for the CPRA requirements, including sensitive personal information handling, the right to correct, updated notices, and revised opt-out mechanisms.
Does the CPPA replace the Attorney General for enforcement?
No. Both the CPPA and Attorney General can enforce CCPA. The CPPA handles administrative enforcement and rulemaking, while the AG can still bring civil actions.
Are there new penalties under CPRA?
The penalty structure remains similar, but amounts have been inflation-adjusted. Violations involving minors' data carry higher penalties ($7,988 per violation as of 2025).
How Bastion Helps
Navigating the CPRA amendments and ensuring your compliance program addresses all current requirements can be complex.
| Challenge | How We Help |
|---|---|
| Gap assessment | Identify differences between your current program and CPRA requirements |
| SPI compliance | Implement sensitive personal information handling and consumer rights |
| Updated notices | Revise privacy notices for CPRA disclosures |
| Right to correct | Build processes for handling correction requests |
| Contract updates | Revise service provider and contractor agreements |
