
Policy Briefing — California Privacy Rights Act Approved

Detailed implementation playbook for the California Privacy Rights Act, covering new rights, contracting duties, governance models, automated decision-making, and program management through 2023 enforcement.


Executive briefing: California voters approved Proposition 24, the California Privacy Rights Act (CPRA), on November 3, 2020. The CPRA amends the California Consumer Privacy Act (CCPA), establishing a dedicated privacy regulator, expanding consumer rights, and imposing new obligations on businesses that process personal information of California residents. Most provisions take effect on January 1, 2023, with enforcement starting July 1, 2023, but covered entities must act now to remediate data governance, contract management, and operational controls.

CPRA changes at a glance

The CPRA layers significant obligations onto the CCPA: it creates the California Privacy Protection Agency (CPPA) with rulemaking and enforcement power; defines sensitive personal information and lets consumers limit its use; adds rights to correct inaccurate information and to opt out of sharing for cross-context behavioral advertising; expands the opt-out of sale to cover sharing for cross-context behavioral advertising; codifies data minimization, purpose limitation, and retention disclosure duties; tightens contracting requirements for service providers, contractors, and third parties; and sets a January 1, 2022 look-back period for access requests, so that such requests need only cover personal information collected on or after that date.

  • New governance expectations: The CPPA can issue regulations covering risk assessments, cybersecurity audits, and automated decision-making disclosures, signaling a shift toward demonstrable compliance.
  • Consumer-facing changes: Updated notices at collection must list data categories, purposes, retention periods, and whether information is sold, shared, or used for automated decision-making.
  • Contractual rigor: Agreements must include purpose limitations, delete/return requirements, audit rights, and downstream compliance obligations for subcontractors, with clear prohibitions on secondary use.

Enforcement timeline

Voters approved Proposition 24 on November 3, 2020. Substantive provisions took effect on January 1, 2023, with a January 1, 2022 look-back window for access requests. The California Attorney General and the CPPA began enforcing on July 1, 2023, after the CPPA's initial regulations became effective on March 29, 2023. A June 2023 trial court ruling delayed enforcement of those regulations until March 29, 2024 (the statute itself remained enforceable), but in February 2024 the California Court of Appeal reversed that ruling, making the regulations immediately enforceable. Additional rulemakings on automated decision-making technology and risk assessments remain in draft form, so organizations should monitor the CPPA's board calendars and public comment periods.

Compliance steps for 2023-2024

  • Inventory and classification: Update data maps to capture sensitive personal information, cross-context behavioral advertising flows, and any sharing that triggers the opt-out right.
  • Notice and consent: Refresh privacy notices with specific purposes and retention periods; add “Do Not Sell or Share” links and “Limit the Use of My Sensitive Personal Information” mechanisms where applicable.
  • Contract refresh: Amend vendor, advertiser, analytics, and data-sharing agreements to incorporate CPRA-required clauses, audit rights, and downstream obligations.
  • Rights operations: Enhance intake, verification, and fulfillment for access, deletion, correction, and opt-out requests, including honoring preference signals such as the Global Privacy Control.
  • Retention and security: Define retention schedules aligned to documented purposes, enforce deletion/archiving workflows, and review security safeguards that support the duty to implement reasonable security.
  • Governance and readiness: Prepare for potential risk assessments, algorithmic transparency, and cybersecurity audits by documenting data flows, legal bases, and technical/organizational controls.

Regulatory landscape and enforcement

The CPRA creates the California Privacy Protection Agency (CPPA), endowed with investigative and administrative enforcement authority, rulemaking power, and audit capabilities. The California Attorney General retains civil enforcement authority alongside the CPPA. The CPRA also extends the CCPA’s employee and business-to-business exemptions, which had been due to sunset, through December 31, 2022; from January 1, 2023 that data is fully in scope, so the relief is limited and preparation for broader coverage is required.

Organizations must monitor CPPA rulemaking, which covers topics such as automated decision-making, cybersecurity audits, and risk assessments. Early engagement—through public comments, industry coalitions, and direct consultations—can shape practical compliance requirements. Boards should recognize that a dedicated regulator raises enforcement stakes, making proactive readiness essential.

  • Establish a CPRA governance task force that tracks CPPA rulemaking, stakeholder consultations, and enforcement updates.
  • Allocate budget for compliance technology, staffing, and legal support to meet the 2023 enforcement deadline.
  • Update enterprise risk registers with CPRA enforcement exposure and align executive oversight accordingly.

Expanded consumer rights and transparency

The CPRA introduces new consumer rights: the right to correct inaccurate personal information, enhanced rights to opt out of sharing for cross-context behavioral advertising, and rights to limit the use of sensitive personal information (SPI). It also strengthens existing rights by requiring businesses to honor opt-out signals, respect data minimization, and present clear notices.

Implementing these rights demands robust data inventories and request-handling workflows. Sensitive personal information—such as precise geolocation, health data, and biometric identifiers—requires special treatment, including user interfaces that enable consumers to limit use and disclosure. Companies must update privacy policies, consent mechanisms, and preference centers to reflect the expanded rights.

  • Classify datasets containing sensitive personal information and design access controls, retention rules, and opt-out mechanisms specific to SPI.
  • Enhance data subject rights (DSR) platforms to process correction requests, opt-outs of sale or sharing, and requests to limit use of SPI within statutory timelines: 45 days for access, deletion, and correction (extendable once by a further 45 days), and 15 business days to act on opt-out and limit-use requests under the CPPA regulations.
  • Implement support for universal opt-out mechanisms, such as the Global Privacy Control (GPC), across web and mobile properties.
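The opt-out signal handling called for under Rights operations above and in the GPC bullet here has a concrete mechanism behind it: a GPC-enabled browser sends the request header Sec-GPC: 1, and the CPPA regulations treat that signal as a valid request to opt out of sale and sharing. The following Python is an added example written for this briefing, not code from the page's sources or from any vendor; the ConsentRecord schema and the function names are hypothetical. It shows the three things an engineering team has to get right: parse the header case-insensitively and accept only the defined value, let the signal override a stored opt-in rather than the other way round, and publish the /.well-known/gpc.json resource that tells user agents the site honours GPC.

```python
"""Honouring the Global Privacy Control (GPC) opt-out signal server-side.

Added example for this briefing; ConsentRecord and the function names are
hypothetical, not a vendor or regulator API.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date
from typing import Mapping, Optional


@dataclass
class ConsentRecord:
    """Hypothetical stored preference for a known (logged-in) consumer."""
    consumer_id: str
    sale_sharing_opted_out: bool = False
    history: list[str] = field(default_factory=list)


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True when the request carries a valid GPC signal.

    The GPC specification defines the request header `Sec-GPC` with the
    single value `1`. HTTP header names are case-insensitive, so the lookup
    normalises the name; any value other than `1` is treated as no signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_opt_out_preference(headers: Mapping[str, str],
                             record: Optional[ConsentRecord]) -> dict[str, bool]:
    """Decide whether this request must be treated as opted out of sale/sharing.

    Returns flags the calling code can use to suppress ad-tech tags and to
    notify the consumer of a conflict. A GPC signal wins over a stored opt-in
    (the CPPA regulations require honouring the signal); a stored opt-out is
    honoured even when the current browser sends no signal.
    """
    gpc = gpc_signal_present(headers)
    stored_opt_out = record is not None and record.sale_sharing_opted_out
    conflict = False
    if gpc and record is not None and not record.sale_sharing_opted_out:
        # Signal conflicts with a previously recorded opt-in: the signal
        # controls, and the profile is updated so the choice persists.
        conflict = True
        record.sale_sharing_opted_out = True
        record.history.append("opted out of sale/sharing via GPC signal")
    return {
        "gpc": gpc,
        "opted_out": gpc or stored_opt_out,
        "conflict_with_stored_opt_in": conflict,
    }


def well_known_gpc(last_update: str) -> str:
    """Body for GET /.well-known/gpc.json announcing that GPC is honoured.

    `last_update` is an ISO date (YYYY-MM-DD); it is validated before use.
    """
    date.fromisoformat(last_update)  # raises ValueError on a malformed date
    return json.dumps({"gpc": True, "lastUpdate": last_update})


if __name__ == "__main__":
    # Constructed sample requests: one from a GPC-enabled browser, one without.
    profile = ConsentRecord(consumer_id="c-1001")
    print(apply_opt_out_preference({"Host": "example.test", "Sec-GPC": "1"}, profile))
    print(apply_opt_out_preference({"Host": "example.test"}, profile))
    print(well_known_gpc("2024-02-01"))
```

Because the header name carries the Sec- prefix, page scripts cannot set it, so the value can only come from the client software itself; client-side code reads navigator.globalPrivacyControl instead. Run the check before any sale or sharing call (ad-tech tags, pixels) fires, and, when the consumer is known, write the opt-out to their profile as the example does, since the regulations require the signal to be applied to the consumer's account as well as the browser.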

Contracting, service providers, and data sharing

The CPRA redefines “service provider” and introduces “contractor” and “third party” classifications, each with specific contractual obligations. Businesses must include clauses that restrict data processing to specified purposes, require compliance with CPRA provisions, and mandate assistance with consumer requests. A business that discloses personal information under a compliant contract is not liable for the recipient's later violation unless, at the time of disclosure, it knew or had reason to believe the recipient intended to violate the law, so the contract terms and the diligence behind them are what bound the business's exposure.

Effective compliance necessitates a comprehensive contract remediation program. Inventory vendor relationships, evaluate data sharing practices, and execute amendments or addenda that incorporate CPRA language. Ensure technical enforcement through data segmentation, access controls, and monitoring that detect unauthorized use by vendors.

  • Develop standardized CPRA contract templates and playbooks covering service providers, contractors, and third parties.
  • Launch a vendor remediation campaign prioritizing high-risk data processors and ad-tech partners that engage in cross-context behavioral advertising.
  • Implement monitoring and auditing mechanisms—data loss prevention, log reviews, certifications—to verify partner compliance.

Data minimization, retention, and security

The CPRA codifies principles of data minimization, purpose limitation, and retention, requiring businesses to limit processing to what is reasonably necessary and proportionate. It also mandates reasonable security procedures and introduces obligations to conduct regular risk assessments and cybersecurity audits for high-risk processing (subject to CPPA rulemaking).

Organizations must harmonize data governance frameworks with these requirements. Define retention schedules aligned with legal and business needs, enforce automated deletion workflows, and integrate privacy risk assessments into project lifecycles. Security teams should map controls to CPRA expectations, ensuring encryption, access management, and incident response plans meet regulatory standards.

  • Update data classification and retention policies to document legal bases, retention periods, and deletion triggers for each dataset.
  • Integrate privacy impact assessments (PIAs) and cybersecurity risk assessments into product development and change management processes.
  • Implement security controls such as encryption at rest/in transit, least-privilege access, and continuous monitoring to evidence “reasonable security.”

Automated decision-making and profiling

The CPRA authorizes the CPPA to issue regulations on automated decision-making technology, including profiling. While specific rules are pending, businesses should prepare for obligations to provide meaningful information about logic, evaluate fairness, and allow opt-outs in certain contexts. This aligns California law with global trends seen in the EU’s GDPR and forthcoming AI regulations.

Organizations leveraging machine learning for marketing, fraud detection, or employment decisions must inventory automated processing activities, assess risks, and document safeguards. Anticipate requirements for impact assessments, transparency notices, and human oversight mechanisms.

  • Catalog automated decision-making systems, detailing purpose, data sources, model types, and human oversight arrangements.
  • Develop AI governance frameworks that include bias testing, explainability documentation, and escalation protocols.
  • Prepare to honor opt-out or appeal mechanisms if CPPA regulations require providing alternatives to automated decisions.

Program management and change enablement

Implementing the CPRA demands coordinated program management. Establish cross-functional workstreams spanning legal, privacy, security, marketing, engineering, and procurement. Define milestones for policy updates, system changes, training, and vendor remediation. Track progress with dashboards that surface key metrics: percentage of contracts updated, DSR response times, SPI classification coverage, and opt-out signal adoption.

Change management is crucial. Provide training tailored to business functions—marketing teams need guidance on cross-context advertising restrictions, while engineering teams require instruction on implementing opt-out signals. Communicate timelines and expectations to executives and front-line staff to maintain momentum.

  • Stand up a CPRA program office with clear sponsorship, budget, and reporting cadence to executive leadership.
  • Develop role-based training modules and maintain completion records to demonstrate compliance readiness.
  • Establish feedback loops that capture operational issues encountered during implementation and feed them into continuous improvement plans.

Alignment with global privacy frameworks

Many organizations operate in multiple jurisdictions with overlapping privacy requirements. Harmonizing CPRA compliance with GDPR, LGPD, PDPA, and other frameworks reduces complexity. Identify common control sets—data inventories, consent management, data subject request workflows—and tailor them to meet California-specific nuances.

Consider leveraging privacy management platforms that centralize consent, preference, and request handling. Evaluate opportunities to standardize privacy notices and contractual clauses, while allowing for state-specific disclosures where necessary.

  • Map CPRA obligations to existing global privacy controls, highlighting gaps that require California-specific enhancements.
  • Implement centralized tooling for consent and request management, enabling consistent experiences across jurisdictions.
  • Coordinate with global privacy teams to align messaging, avoid conflicting policies, and share best practices.

Next steps and monitoring

With enforcement looming, organizations must maintain disciplined execution. Monitor CPPA rulemaking, Attorney General guidance, and enforcement actions to adjust compliance plans. Document decisions, risk assessments, and remediation evidence to demonstrate accountability during audits or investigations.

Regularly revisit program maturity: assess whether policies remain current, systems honor rights requests, and third parties adhere to contractual obligations. Schedule annual or semi-annual readiness reviews leading up to the enforcement date, ensuring the organization can withstand regulatory scrutiny.

  • Implement a CPRA monitoring calendar that tracks regulatory updates, industry consortium guidance, and enforcement precedents.
  • Conduct readiness assessments at least twice before July 2023, capturing remediation tasks and executive approvals.
  • Maintain detailed documentation—policies, training records, system diagrams—to evidence compliance if regulators initiate inquiries.

Follow-up: CPRA provisions took effect on 1 January 2023, the California appellate court cleared regulation enforcement in February 2024, and the CPPA’s draft automated decision-making and risk assessment rules are in public consultation.
