Skip to content

Explanation of California Privacy Rights and Enforcement Act (CPRA)

On November 3, 2020, Californians voted the California Privacy Rights and Enforcement Act (also known as CPRA, CCPA 2.0, or Prop24) into law. The CPRA makes a variety of amendments to the requirements in the California Consumer Privacy Act (CCPA).
Although provisions in the CPRA will not go into effect until January 1, 2023, many organizations will need to understand and prepare for these requirements ahead of time to stay ahead of the curve.

Here are some of the main changes between CCPA and CPRA.

Sensitive Personal Information
The CPRA has defined a new type of personal information called Sensitive Personal Information, which includes things such as driver’s license, social security and passport numbers, consumer account logins, precise geolocation, the content of the email, genetic information, sexual orientation, and more. 


Under the CPRA, consumers will have the right to direct a business to limit the use of sensitive personal information to what is needed to perform services or provide goods. To fulfill this right, businesses will need to create a “Limit the Use of My Sensitive Personal Information” link, much like the “Do Not Sell My Personal Information” link already required under the CCPA. 


“Do Not Sell” Expands to “Do Not Share” 

The law will give consumers the right to opt-out of the “sharing” of their data, making it harder for advertisers to target consumers based on data shared about them. The new act will allow for consumers under 16 years old to opt-in to the sale and sharing of data, with consumers under 13 requiring parental consent to opt-in

CPRA also specifically calls out cross-contextual behavioral advertising. Consumers will be able to opt-out from receiving ads third-party data and online behaviors. Publishers will be required to display a “Do Not Sell or Share My Personal Information” link on their homepage to allow consumers to opt-out from receiving targeted ads based on third-party data and online behaviors.

Previously, the CCPA allowed “service providers” to process people’s personal information collected by another company without the sharing of that data being considered a sale under the law. The CPRA now explicitly calls out “cross-context behavior advertising”. As a result, ad tech vendor publisher may no longer use service provider processing as a valid exemption. Downstream vendors will be obligated to comply with those data subject requests.

Updated Consumer Rights
The CPRA provides consumers with a variety of new consumer rights. In addition to the right to opt-out of sharing personal information, and the original “Do Not Sell” link has been adjusted to “Do Not Sell or Share” to reflect this new right. 


Additionally, consumers will have the right to correct inaccurate personal information. Businesses must take reasonable steps to do so after verifying the consumer’s identity. In order to be fully compliant businesses should implement internal processes to rectify inaccurate personal information.
The existing right to access has also been amended. Specifically, in the CCPA, businesses were only required to provide information from the twelve months preceding the access request. In the CPRA, however, the twelve-month limit has been removed. If the information is held maintained for more than twelve months, a business may have to provide more information than it did under the CCPA. 


There are other differences between the two laws. CPRA fixes some of the gaps from CCPA and brings it closer to GDPR, with one difference. While GDPR treats privacy like an inviolable user right, CCPA and CPRA take the needs of the business in consideration.

 For more information about Techniti’s other solutions for data protection and privacy, click here.