How the CPRA Law Overhauls and Updates the CCPA

cpra law
Print Friendly, PDF & Email

As readers know, on November 3, 2020, California State voters passed Proposition 24, better known as the California Privacy Rights Act (“CPRA”). The CPRA significantly changes California’s privacy landscape, which was still developing after the recent enactment of the California Consumer Privacy Act of 2018 (“CCPA”). While the CPRA’s history mirrors that of the CCPA, the CPRA law should be seen as a significant expansion of the privacy rights set out under the CCPA.

What is the History of the CPRA Law?

The CPRA Law Creates a Stricter Compliance Regime

The CCPA was originally envisioned as an initiative to be added to the 2018 ballot in California. Fearing that such an initiative would result in unclear obligations, various industries opposed the ballot initiative, and ultimately compromised with privacy advocacy groups to pass the CCPA into law. Although the CCPA has since seen several amendments, privacy rights proponents were disappointed by what they perceived to be weak consumer protections found in the now effective version of the CCPA. To address these issues, privacy rights advocates introduced, lobbied for, and recently passed the CPRA law through a ballot initiative.

How Does the CPRA Law Differ From the CCPA?

The CPRA law creates numerous new obligations for businesses regarding the collection, use, sale, and sharing of personal information. For example, the CPRA law creates a new regulated category of data, referred to as “sensitive personal information,” which includes, inter alia, biometric data, precise geolocation, and government identifiers, such as Social Security Numbers and drivers’ license numbers. Consumers will be able to prescribe how businesses use their sensitive personal information, including prohibiting the disclosure of sensitive personal information to third parties under certain circumstances.

The CPRA law also affords consumers the right to request that a business correct any inaccurate personal information held by that business. In addition, the CPRA law allows consumers to access a company’s information regarding automated decision-making technology, which may include a business’s efforts to profile a consumer’s habits, interests, or economic activity. Critically, the CPRA law allows consumers to opt out of a business’s automated decision-making technology altogether.

The CPRA law also creates a new enforcement authority, which will be known as the California Privacy Protection Agency (“CPPA”). The CPPA will have investigative, enforcement, and rulemaking powers relating to the CPRA. With the creation of the CPPA as a new, dedicated agency, many observers anticipate an increase in enforcement. This is particularly significant because the CPRA removes the thirty (30) day cure period that currently exists under the CCPA. This means that businesses will no longer have the opportunity to avoid liability by rectifying alleged violations after being formally notified by the State’s Attorney General.

Less than two years after the CCPA completely overhauled consumer privacy rights in California and, by extension, the United States, the CPRA law has again introduced massive compliance challenges for many businesses that hold the personal information of California consumers. Indeed, this blog merely scratches the surface of relevant changes. Please note that the CPRA law will become operative on January 1, 2023 and apply to consumer information collected on or after January 1, 2022. Accordingly, businesses need to work quickly to ensure they are ready by 2022. 

If you need assistance preparing for the CPRA law, please e-mail us at, or call us at (212) 246-0900 for regulatory compliance assistance.

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.

Attorney Advertising

Photo by camilo jimenez on Unsplash

Similar Blog Posts:

The New CCPA has Passed into Law. Now When Does it Take Effect?

CCPA 2.0 on California’s November Ballot

How Does the CPRA Compare to the GDPR? Ask a CPRA Lawyer

David O. Klein

David O. Klein

David Klein is one of the most recognized attorneys in the telemarketing, technology, Internet marketing, sweepstakes and telecommunications fields. Skilled at counseling clients on a broad range of technology-related matters, David Klein has substantial experience in negotiating and drafting complex licensing, marketing and Internet agreements.

Schedule a Call
In The Know

Trending Topics

New York Sweepstakes Law blog- Klein Moynihan Turco

New York Sweepstakes Law: Are You Compliant?

Print Friendly, PDF & Email

In general, a lottery exists when entrants pay for the chance to win a prize. States alone reserve the right to administer lotteries. Businesses can eliminate one element of what would otherwise be an illegal lottery, in order to transform it into a legal promotional game. If the requirement to

TCPA surveys

An Ad or not an Ad: NY Weighs in on TCPA Surveys

Print Friendly, PDF & Email

Another day, another court decision that refines constitutes a Telephone Consumer Protection Act (“TCPA”) unsolicited fax advertisement. A Manhattan-based federal court recently issued a decision that removes faxed invitations to participate in a survey from the TCPA definition of advertisement. In drawing this distinction for TCPA surveys, the Court held

NY sports gambling law- Klein Moynihan Turco

Agreement Reached to Enact NY Sports Gambling Law

Print Friendly, PDF & Email

This week, Governor Andrew Cuomo and the New York State Legislature agreed to a budget deal that will bring mobile sports betting to the State through a unique NY sports gambling law.  Upon the Governor’s signature, NY sports gambling is primed to become the nation’s largest market. However, New York

UK and US Social Media Influencer Laws

UK and US Social Media Influencer Laws

Print Friendly, PDF & Email

In September of 2020, the United Kingdom’s (“UK”) Committee of Advertising Practice (“CAP”) reviewed the Instagram accounts of 122 UK-based social media influencers to determine whether content was being properly flagged as advertising in accordance with applicable social media influencer laws. This past March, the UK Advertising Standards Authority (“ASA”)

Share on facebook
Share on google
Share on twitter
Share on linkedin