Data Strategy · 5 min read · Credibility 71/100

California Privacy Rights Act takes effect

CPRA went effective January 1, 2023, strengthening California privacy law. New consumer rights, the California Privacy Protection Agency, and stricter business obligations. The gold standard for US state privacy law.


At a glance

The California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA) took effect on January 1, 2023, significantly expanding consumer privacy rights and imposing new obligations on businesses that handle California residents' personal information. The law created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body and introduced new requirements for data minimization, purpose limitation, and the handling of sensitive personal information.

Key New Consumer Rights

CPRA expands the rights available to California consumers:

  • Right to correct: Consumers can request that businesses correct inaccurate personal information they hold.
  • Right to limit use of sensitive information: Consumers can direct businesses to limit use and disclosure of sensitive personal information to purposes necessary for providing requested goods or services.
  • Enhanced right to delete: Deletion requests now extend to service providers and contractors, requiring businesses to pass requests through the data processing chain.
  • Right to opt out of automated decision-making: Consumers can opt out of decisions made solely through automated processing, including profiling, in certain contexts.
  • Expanded opt-out rights: Opt-out rights now cover cross-context behavioral advertising, not just traditional sales of personal information.

Sensitive Personal Information

CPRA creates a new category of "sensitive personal information" with heightened protections:

  • Covered data types: Social Security numbers, driver's license numbers, financial account information, precise geolocation, racial or ethnic origin, religious beliefs, health information, sex life or sexual orientation, biometric data, and genetic data.
  • Use limitations: Businesses must limit use of sensitive data to purposes reasonably necessary and expected for providing requested services unless consumers explicitly consent to broader use.
  • Notice requirements: Privacy policies must separately disclose categories of sensitive information collected and purposes for which it is used.
  • Opt-out mechanism: Businesses must provide a clear "Limit the Use of My Sensitive Personal Information" link.

Business Compliance Obligations

CPRA imposes significant new obligations on covered businesses:

  • Data minimization: Businesses must limit collection of personal information to what is reasonably necessary and proportionate for the purposes disclosed.
  • Purpose limitation: Businesses cannot use personal information for purposes incompatible with disclosed purposes without additional consumer consent.
  • Storage limitation: Retention of personal information must be limited to what is reasonably necessary for disclosed purposes, with retention periods disclosed in privacy policies.
  • Contractor requirements: New category of "contractor" with specific contractual obligations beyond existing service provider requirements.
  • Risk assessments: Businesses conducting high-risk processing must conduct cybersecurity audits and risk assessments.

California Privacy Protection Agency

CPRA established a new dedicated enforcement agency:

  • Agency structure: The CPPA is governed by a five-member board with rulemaking, interpretive, and enforcement authority.
  • Enforcement powers: The CPPA can investigate violations, issue subpoenas, conduct hearings, and impose administrative fines up to $7,500 per intentional violation.
  • Rulemaking authority: The agency has broad authority to issue regulations implementing CPRA requirements.
  • Transfer from AG: Primary enforcement authority transferred from the California Attorney General to the CPPA.

Regulatory Development

The CPPA has been developing implementing regulations:

  • Initial regulations: First set of regulations finalized addressing consumer rights, business obligations, and enforcement procedures.
  • Ongoing rulemaking: Additional regulations expected addressing cybersecurity audits, risk assessments, and automated decision-making.
  • Industry guidance: CPPA providing guidance on compliance questions through FAQs and opinion letters.
  • Enforcement priorities: Agency has signaled focus on consumer-facing compliance including notice and opt-out mechanisms.

Service Provider and Contractor Contracts

CPRA requires updated contracts with data processors:

  • Contractual requirements: Contracts must specify purposes for processing, prohibit unauthorized use or disclosure, and require deletion upon request.
  • Contractor category: New "contractor" classification for entities receiving personal information under written contracts meeting specific requirements.
  • Due diligence: Businesses must conduct due diligence on service providers and contractors and take reasonable steps to ensure contract compliance.
  • Audit rights: Contracts should include rights to audit service provider and contractor compliance.

Privacy Notice Updates

Businesses must update privacy notices to address CPRA requirements:

  • Disclose categories of sensitive personal information collected and purposes for collection
  • Specify retention periods for each category of personal information
  • Describe consumer rights including new correction and sensitive data limitation rights
  • Provide required opt-out links for sale/sharing and sensitive data use limitation
  • Disclose whether personal information is used for automated decision-making

Cross-Context Behavioral Advertising

CPRA specifically addresses tracking and advertising practices:

  • Sharing definition: "Sharing" for cross-context behavioral advertising is separately defined from "selling" personal information.
  • Opt-out requirement: Businesses must honor opt-out requests for both selling and sharing personal information.
  • Global Privacy Control: Businesses must treat Global Privacy Control signals as valid opt-out requests.
  • Advertising implications: Many common digital advertising practices now require opt-out mechanisms.

Compliance Priorities

If you are affected, focus on the following compliance activities:

  • Update privacy notices to include CPRA-required disclosures
  • Implement consumer request intake processes for new rights
  • Review and update service provider and contractor contracts
  • Establish sensitive personal information handling procedures
  • Implement data retention schedules and deletion procedures
  • Deploy Global Privacy Control recognition mechanisms
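The Global Privacy Control requirement above (treat the browser's GPC signal as a valid opt-out of sale and sharing) and the last compliance priority (deploy a recognition mechanism) can both be illustrated by a small server-side handler. The following is an added example, not code from the original briefing or from the CPPA or GPC projects. It assumes that the browser conveys the signal as the request header `Sec-GPC: 1`, as the GPC draft specification does, and that the business keeps a per-consumer opt-out record; `OptOutStore` here is a hypothetical in-memory stand-in for that consent database.

```python
"""Honouring Global Privacy Control (GPC) opt-out signals on the server side.

Added example for this briefing; not an official CPPA or GPC implementation.
Assumptions: the browser sends `Sec-GPC: 1` (GPC draft spec), and `OptOutStore`
is a hypothetical stand-in for the business's real consent database.
"""
from dataclasses import dataclass, field
import json


def gpc_opt_out_requested(headers):
    """Return True only for the exact signal the GPC draft defines (`Sec-GPC: 1`).

    Header names are matched case-insensitively (HTTP header names are), but the
    value is not: the draft says any value other than "1" is to be treated as
    no signal at all, so "0", "true" or an empty value must not opt anyone out.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass
class OptOutStore:
    """Hypothetical consent store: consumer id -> set of opted-out purposes."""
    records: dict = field(default_factory=dict)

    def record_opt_out(self, user_id, purposes):
        self.records.setdefault(user_id, set()).update(purposes)

    def is_opted_out(self, user_id, purpose):
        return purpose in self.records.get(user_id, set())


# The purposes a GPC signal covers under CPRA: "sale" of personal information
# and "sharing" for cross-context behavioral advertising.
GPC_PURPOSES = ("sale", "sharing")


def apply_gpc(headers, user_id, store):
    """Persist the opt-out implied by a GPC signal for a known consumer and
    report which purposes may still be served on this request.

    The opt-out is sticky: once recorded it applies to later requests from the
    same consumer even if that request carries no Sec-GPC header.
    Returns {"gpc": bool, "allowed": {purpose: bool}}.
    """
    signalled = gpc_opt_out_requested(headers)
    if signalled:
        store.record_opt_out(user_id, GPC_PURPOSES)
    allowed = {p: not store.is_opted_out(user_id, p) for p in GPC_PURPOSES}
    return {"gpc": signalled, "allowed": allowed}


def gpc_well_known(last_update_iso):
    """Body for /.well-known/gpc.json, the resource the GPC draft uses so that a
    site can declare it honours the signal. `last_update_iso` is an ISO date."""
    return json.dumps({"gpc": True, "lastUpdate": last_update_iso})


if __name__ == "__main__":
    store = OptOutStore()
    # Constructed request headers, not captured traffic.
    first = {"Host": "example.test", "Sec-GPC": "1"}
    print(apply_gpc(first, "consumer-42", store))
    later = {"Host": "example.test"}          # no signal, but the opt-out persists
    print(apply_gpc(later, "consumer-42", store))
    print(gpc_well_known("2023-01-01"))
```

The `allowed` map is what an ad-loading or data-sharing code path should consult before firing a third-party pixel or pushing the record to an advertising partner; the strict `== "1"` comparison is deliberate, since treating a malformed value as an opt-out would over-apply, while treating it as consent would under-apply the signal.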

Wrapping up

The California Privacy Rights Act represents the most significant expansion of U.S. consumer privacy rights since the CCPA's original enactment. Businesses subject to CPRA must implement full compliance programs addressing the new rights, expanded obligations, and dedicated enforcement by the California Privacy Protection Agency. The law's influence extends nationally, as organizations often apply California standards across their operations to simplify compliance.
