The California Privacy Rights Act (CPRA) is one of the most comprehensive consumer protection measures in the United States — and it’s active as of January 1. This new legislation, which replaces the CCPA, is focused on consumers’ right to control their own information. If you do business in California, it’s essential that you get your company ready for the new requirements and criteria of CPRA so you don’t find yourself facing big fines down the road.

Currently, California is the only state with such a comprehensive law, but experts predict that other states will look to CPRA as a model for their own privacy measures. So while at the moment, only companies who do business in California need to worry about CPRA, it’s smart for all businesses to look ahead to make sure their privacy stances will hold up when faced with rigorous regulations. 

The CPRA is in force as of January 1

CPRA took full effect on January 1, with tightened enforcement from the California Attorney General. The CPRA amends and expands the already active California Consumer Privacy Act (CCPA), which was voted in as a ballot measure in 2018 and has been in effect since 2020. These are widely considered the most comprehensive consumer privacy laws to date, and they are having a significant impact on the landscape of data security and privacy. 

CCPA just went into effect within the last couple of years, and already changes to the law are taking place with the passage of CPRA – including amendments as well as additions to existing provisions. For California businesses, this is a lot of change to keep up with. And the reality is the pace at which information regulation is changing isn’t going to slow down, it’s actually speeding up, in California and around the world. Having the right compliance operation and certification platform in place will make this constant game of catch-up more manageable and ensure that you stay on top of the changing laws.

What are the differences between the CCPA and the CPRA?

The best way to understand the differences between these two measures is to look at the original provisions and clearly identify what has been added or changed. The original CCPA compliance measure lays out six rights to all California consumers. These include:

• The right to know what personal information is collected by businesses, including who provided the information, the reason it was retrieved, and if that information was part of a transaction.
• The right to delete any personal information that has been collected directly from the consumer.
• The right to opt out of any sale of the consumer’s personal information.
• The right to opt in to the sale of personal information of consumers under the age of 16.
• The right to non-discriminatory treatment for exercising consumer rights.
• The right to initiate a private cause of action when data breaches occur.

When the CPRA went into effect in January, a few additional rights were added to the original list. These include:

• The right to correct any personal information that is inaccurate.
• The right to improved transparency about a business’s use and retention of information
• The right to limit use or disclosure of any sensitive personal information (SPI).
• New rights related to the use of automated decision-making technology.

The CPRA also goes on to define more clearly what is meant by sensitive personal information (SPI). SPI refers to the type of information that, if accessed by the wrong people, could result in identity theft or personal damage. This includes information such as social security numbers, passport information, credit card numbers, passwords, geolocation, and even the contents of email and text messages. Now, with the CPRA, consumers have the explicit right to limit the disclosure of this type of information, so businesses need to be aware of how they are using SPI. 

Adding on to the above additions to the CCPA’s list of rights, some changes have also been made. Most notably, the thresholds for defining when a business is held liable to these privacy regulations have shifted with implementation of the CPRA. Now, only businesses that meet the following criteria will be required to adhere to the rules of the CPRA:

• Annual gross revenue of $25 million in the preceding calendar year
• Buying, selling, or sharing personal information of 100,000 or more consumers (This number had doubled from the CCPA’s threshold of 50,000, and the term sharing has been added to the criterion.)
• 50% or more of annual revenue derived from selling or sharing the personal information of consumers

The implication of these amendments is that most larger businesses that were already subject to CCPA will remain that way. But, smaller businesses that now fall outside of these parameters will not be liable to CPRA. Businesses in the small-medium size range should take a careful look at these thresholds to determine what their status will be with the CPRA so they know what to expect for their security compliance in the coming year. 

What does CPRA mean for your company?

For any company doing business in California, understanding the changing compliance measures mandated in the CCPA and now the CPRA is key. And that’s not always easy. The last few years are evidence that these regulations are constantly evolving and can be difficult to keep up with. And with the tightened enforcement that comes with the CPRA, fines for violations are looming for businesses that don’t stay on top of the latest changes. 

So how can you stay up-to-date with the shifting security regulation landscape, avoid fines, and maintain the integrity of your customers’ data privacy? The key is to adopt a strong, but flexible posture when it comes to your overall security. Being able to think ahead and adjust privacy measures quickly will ensure that you meet compliance now and that you can adapt to new changes that will inevitably come in the future. 

How can I make sure I'm compliant? 

Ready to achieve compliance with the new measures of the CPRA?

If you're already a Strike Graph customer and are compliant with or working toward CCPA compliance, good news! Our flexible platform uses the work you've already done for the CCPA to boost you toward CPRA compliance. No need to do the same work twice — just keep adjusting to the new requirements. 

If you’re at the beginning of your compliance journey, starting with Strike Graph means you'll be CPRA compliant in no time, and you'll be set for the next, inevitable shift in regulations.

Strike Graph is ready to help you achieve CPRA compliance and build the flexibility you’ll need to keep up with these changes — and the changes that have yet to come.