← Back to all briefings
Data Strategy 5 min read Published Updated Credibility 40/100

Data Strategy Briefing — California Privacy Rights Act Effective Date

The California Privacy Rights Act took effect on 1 January 2023, expanding consumer rights, creating the California Privacy Protection Agency, and tightening data minimization rules that organizations must embed into U.S. data governance programs.

Zeph Tech Research Lead

Research lead, Zeph Tech

Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

The California Privacy Rights Act (CPRA) entered into effect on 1 January 2023, amending the CCPA by expanding consumer rights, restricting sensitive data processing, and establishing the California Privacy Protection Agency (CPPA). Although enforcement is staged, organizations must operationalize minimization, purpose limitation, and contracting updates to avoid penalties and private actions.

What changed

  • New rights include correction of inaccurate data and restrictions on sensitive personal information processing.
  • Businesses must provide updated notices, honor opt-out signals for cross-context behavioral advertising, and execute revised contracts with service providers and contractors.
  • The CPPA gained authority to issue regulations and enforce obligations alongside the Attorney General.

Why it matters

  • Data inventories must identify sensitive personal information and map sharing/selling activities to support opt-out and limitation rights.
  • Contracts and vendor assessments need updates to reflect CPRA definitions of service provider, contractor, and third party, including audit and remediation terms.
  • Global programs should align CPRA controls with GDPR and other U.S. state laws to reduce fragmentation and litigation exposure.

Action checklist

  • Refresh privacy notices, consent banners, and preference centers to capture CPRA-sensitive data choices and global privacy control signals.
  • Update data processing agreements and vendor assessments to incorporate CPRA-specific obligations and audit mechanisms.
  • Enhance data minimization practices by defining purpose limitations and retention schedules for each data category, documenting enforcement.
Horizontal bar chart of credibility scores per cited source.
Credibility scores for every source cited in this briefing. Source data (JSON)

Related briefings

Curated signals from the same pillar or overlapping topics.

Continue in the Data Strategy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • Privacy
  • US
  • Consumer Rights
  • Data Governance
  • Compliance
Back to curated briefings