Policy Briefing — California Privacy Rights Act Approved
California voters approved the California Privacy Rights Act (CPRA), establishing enhanced data rights and a dedicated privacy enforcement authority with a January 2023 effective date.
Executive briefing: California voters approved Proposition 24, the California Privacy Rights Act (CPRA), on . The CPRA amends the California Consumer Privacy Act (CCPA), establishing a dedicated privacy regulator, expanding consumer rights, and imposing new obligations on businesses processing personal information of California residents. Most provisions take effect on , with enforcement starting , but covered entities must act now to remediate data governance, contract management, and operational controls.
Regulatory landscape and enforcement
The CPRA creates the California Privacy Protection Agency (CPPA), endowed with investigative and enforcement authority, rulemaking power, and audit capabilities. Until the CPPA is fully operational, the California Attorney General retains enforcement authority. The CPRA also extends the CCPA’s sunsetted employee and B2B data exemptions through 2022, providing limited relief but requiring preparation for broader coverage once exemptions expire.
Organizations must monitor CPPA rulemaking, which covers topics such as automated decision-making, cybersecurity audits, and risk assessments. Early engagement—through public comments, industry coalitions, and direct consultations—can shape practical compliance requirements. Boards should recognize that a dedicated regulator raises enforcement stakes, making proactive readiness essential.
- Establish a CPRA governance task force that tracks CPPA rulemaking, stakeholder consultations, and enforcement updates.
- Allocate budget for compliance technology, staffing, and legal support to meet the 2023 enforcement deadline.
- Update enterprise risk registers with CPRA enforcement exposure and align executive oversight accordingly.
Expanded consumer rights and transparency
The CPRA introduces new consumer rights: the right to correct inaccurate personal information, enhanced rights to opt out of sharing for cross-context behavioral advertising, and rights to limit the use of sensitive personal information (SPI). It also strengthens existing rights by requiring businesses to honor opt-out signals, respect data minimization, and present clear notices.
Implementing these rights demands robust data inventories and request-handling workflows. Sensitive personal information—such as precise geolocation, health data, and biometric identifiers—requires special treatment, including user interfaces that enable consumers to limit use and disclosure. Companies must update privacy policies, consent mechanisms, and preference centers to reflect the expanded rights.
- Classify datasets containing sensitive personal information and design access controls, retention rules, and opt-out mechanisms specific to SPI.
- Enhance data subject rights (DSR) platforms to process correction requests, opt-outs of sharing, and limit-use requests within statutory timelines.
- Implement support for universal opt-out mechanisms, such as the Global Privacy Control (GPC), across web and mobile properties.
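One way a web property can detect and honor the GPC signal named above, as an added example that is not part of the briefing: the `Sec-GPC: 1` request header, the `navigator.globalPrivacyControl` property and the `/.well-known/gpc.json` file come from the GPC specification, while the preference-record field names are assumptions for illustration.

```javascript
// Added example (not from the briefing): honoring the Global Privacy Control
// (GPC) opt-out signal. A supporting browser sends the HTTP request header
// "Sec-GPC: 1" and exposes navigator.globalPrivacyControl to page scripts.
// The helpers take plain objects so they run in Node without a real browser.

// Server side: true only when the request carries Sec-GPC with the value "1".
// Header names are case-insensitive; any other value means "signal not set".
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client side: navigator.globalPrivacyControl is a boolean where supported.
// Pass the real `navigator` in a browser; a stand-in object is used in tests.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Apply the signal to a consumer's stored preferences (field names assumed).
// A GPC signal is treated as a valid request to opt out of sale/sharing, so a
// previously stored opt-in never overrides it; the source and time are kept
// as evidence for audits and regulator inquiries.
function applyOptOutSignal(prefs, gpcPresent, now = new Date()) {
  const next = { ...prefs };
  if (gpcPresent) {
    next.optOutOfSaleOrSharing = true;
    next.optOutSource = "gpc";
    next.optOutRecordedAt = now.toISOString();
  }
  return next;
}

// Body served at /.well-known/gpc.json to advertise that the site honors GPC.
function wellKnownGpc(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample request (not real traffic) run through the decision.
const sampleRequest = { headers: { "Sec-GPC": "1", "User-Agent": "constructed-sample" } };
const decided = applyOptOutSignal(
  { optOutOfSaleOrSharing: false, marketingEmail: true },
  gpcFromHeaders(sampleRequest.headers),
  new Date("2023-01-01T00:00:00Z"),
);
console.log(JSON.stringify(decided));
// → {"optOutOfSaleOrSharing":true,"marketingEmail":true,"optOutSource":"gpc","optOutRecordedAt":"2023-01-01T00:00:00.000Z"}
```

Once `optOutOfSaleOrSharing` is set, the same record should gate any downstream hand-off to ad-tech partners for cross-context behavioral advertising.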
Contracting, service providers, and data sharing
The CPRA redefines “service provider” and introduces “contractor” and “third party” classifications, each with specific contractual obligations. Businesses must include clauses that restrict data processing to specified purposes, require compliance with CPRA provisions, and mandate assistance with consumer requests. The law also imposes downstream liability, making primary businesses responsible for ensuring partners meet privacy requirements.
Effective compliance necessitates a comprehensive contract remediation program. Inventory vendor relationships, evaluate data sharing practices, and execute amendments or addenda that incorporate CPRA language. Ensure technical enforcement through data segmentation, access controls, and monitoring that detect unauthorized use by vendors.
- Develop standardized CPRA contract templates and playbooks covering service providers, contractors, and third parties.
- Launch a vendor remediation campaign prioritizing high-risk data processors and ad-tech partners that engage in cross-context behavioral advertising.
- Implement monitoring and auditing mechanisms—data loss prevention, log reviews, certifications—to verify partner compliance.
Data minimization, retention, and security
The CPRA codifies principles of data minimization, purpose limitation, and retention, requiring businesses to limit processing to what is reasonably necessary and proportionate. It also mandates reasonable security procedures and introduces obligations to conduct regular risk assessments and cybersecurity audits for high-risk processing (subject to CPPA rulemaking).
Organizations must harmonize data governance frameworks with these requirements. Define retention schedules aligned with legal and business needs, enforce automated deletion workflows, and integrate privacy risk assessments into project lifecycles. Security teams should map controls to CPRA expectations, ensuring encryption, access management, and incident response plans meet regulatory standards.
- Update data classification and retention policies to document legal bases, retention periods, and deletion triggers for each dataset.
- Integrate privacy impact assessments (PIAs) and cybersecurity risk assessments into product development and change management processes.
- Implement security controls such as encryption at rest/in transit, least-privilege access, and continuous monitoring to evidence “reasonable security.”
Automated decision-making and profiling
The CPRA authorizes the CPPA to issue regulations on automated decision-making technology, including profiling. While specific rules are pending, businesses should prepare for obligations to provide meaningful information about logic, evaluate fairness, and allow opt-outs in certain contexts. This aligns California law with global trends seen in the EU’s GDPR and forthcoming AI regulations.
Organizations leveraging machine learning for marketing, fraud detection, or employment decisions must inventory automated processing activities, assess risks, and document safeguards. Anticipate requirements for impact assessments, transparency notices, and human oversight mechanisms.
- Catalog automated decision-making systems, detailing purpose, data sources, model types, and human oversight arrangements.
- Develop AI governance frameworks that include bias testing, explainability documentation, and escalation protocols.
- Prepare to honor opt-out or appeal mechanisms if CPPA regulations require providing alternatives to automated decisions.
Program management and change enablement
Implementing the CPRA demands coordinated program management. Establish cross-functional workstreams spanning legal, privacy, security, marketing, engineering, and procurement. Define milestones for policy updates, system changes, training, and vendor remediation. Track progress with dashboards that surface key metrics: percentage of contracts updated, DSR response times, SPI classification coverage, and opt-out signal adoption.
Change management is crucial. Provide training tailored to business functions—marketing teams need guidance on cross-context advertising restrictions, while engineering teams require instruction on implementing opt-out signals. Communicate timelines and expectations to executives and front-line staff to maintain momentum.
- Stand up a CPRA program office with clear sponsorship, budget, and reporting cadence to executive leadership.
- Develop role-based training modules and maintain completion records to demonstrate compliance readiness.
- Establish feedback loops that capture operational issues encountered during implementation and feed them into continuous improvement plans.
Alignment with global privacy frameworks
Many organizations operate in multiple jurisdictions with overlapping privacy requirements. Harmonizing CPRA compliance with GDPR, LGPD, PDPA, and other frameworks reduces complexity. Identify common control sets—data inventories, consent management, data subject request workflows—and tailor them to meet California-specific nuances.
Consider leveraging privacy management platforms that centralize consent, preference, and request handling. Evaluate opportunities to standardize privacy notices and contractual clauses, while allowing for state-specific disclosures where necessary.
- Map CPRA obligations to existing global privacy controls, highlighting gaps that require California-specific enhancements.
- Implement centralized tooling for consent and request management, enabling consistent experiences across jurisdictions.
- Coordinate with global privacy teams to align messaging, avoid conflicting policies, and share best practices.
Next steps and monitoring
With enforcement looming, organizations must maintain disciplined execution. Monitor CPPA rulemaking, Attorney General guidance, and enforcement actions to adjust compliance plans. Document decisions, risk assessments, and remediation evidence to demonstrate accountability during audits or investigations.
Regularly revisit program maturity: assess whether policies remain current, systems honor rights requests, and third parties adhere to contractual obligations. Schedule annual or semi-annual readiness reviews leading up to the enforcement date, ensuring the organization can withstand regulatory scrutiny.
- Implement a CPRA monitoring calendar that tracks regulatory updates, industry consortium guidance, and enforcement precedents.
- Conduct readiness assessments at least twice before July 2023, capturing remediation tasks and executive approvals.
- Maintain detailed documentation—policies, training records, system diagrams—to evidence compliance if regulators initiate inquiries.
Follow-up: CPRA provisions took effect on 1 January 2023, the California appellate court cleared regulation enforcement in February 2024, and the CPPA’s draft automated decision-making and risk assessment rules are in public consultation.
Sources
- Proposition 24 (California Privacy Rights Act of 2020) — California Secretary of State; Official statewide statement on Proposition 24 outlining the CPRA's amendments to the CCPA and creation of the CPPA.
- Proposition 24: California Privacy Rights Act — California Department of Justice; California Department of Justice overview of CPRA provisions, effective dates, and agency authority.