California Privacy Right Act


As there is growing concern about data privacy and protection, consumers are provided various rights with respect to the use of their personal data. Countries around the world are introducing laws, amending, and providing rules and regulations as there are emerging concerns over the data privacy of individuals.  

The laws and regulations state various obligations for organizations to use the data of the consumers ethically and most safely possible by complying with those laws and regulations. 

Consumers in California are provided with more such rights by the introduction of the California Privacy Right Act. 


In November 2020, the voters approved Proposition of 24, the California Privacy Rights Act of 2020. The California Privacy Rights Act (CPRA) is a privacy law in California, that became fully effective on January 1, 2023. The CPRA is the amended version of the CCPA. The enforcement will begin on July 1, 2023. In the US, this is considered the most comprehensive state data privacy legislation. 

The CPRA focuses on the rights of the residents of California that strengthen the existing California Privacy rights. They also introduced new rights and agencies that will be responsible to take up the rulemaking responsibility.   

The introduction of CPRA further expands the obligation of the organization to comply with the new rights and regulations.  

So, the data-driven organization must be aware of the new regulations and rules of the residents of California to comply with the laws.

California Privacy Rights Act


The CCPA expanded as California Consumer Privacy Act (CCPA), 2018. The CCPA law provides consumer rights and control over the personal data of Californian individuals. It mainly deals with two aspects that are consumer rights and business regulations. The CCPA is the main privacy legislation when it comes to California.  

Various rights are offered to the residents of California with respect to Privacy. The following are the rights that are offered to consumers by CCPA:   

  • RIGHT TO KNOW – about the usage, sharing, and purpose of collecting personal information of the consumers for the business.  
  • RIGHT TO DELETE – the personal data that are collected with some exceptions.  
  • RIGHT TO OPT OUT – or refuse the sale or sharing of personal data.   
  • RIGHT TO NON-DISCRIMINATION – for exercising the rights of CCPA by the consumers.  

The CCPA provides the rights to the consumers of California and the businesses that operate in California. It applies to business that has annual gross revenues above $25 million US dollars, which manage and deals with the personal information of 50,000 or more consumers that earn more than half of their annual revenue from selling the consumer’s data.   

The businesses that are subject to CCPA have several responsibilities, which include responding to the requests of the customer to exercise their rights and giving the customers certain notices to explain their privacy practices. The application of CCPA extends to businesses including data brokers.  

The CCPA also has regulations called the California Consumer Privacy Act Regulations where through the privacy notices businesses are required to inform about their privacy practices.   

It also contains guidance to handle consumer requests, verifying the identity of the consumers who makes the requests, and how to apply the law in the case of minors. In executing this, these regulations make it easier for consumers to exercise their rights in CCPA.   

The CCPA regulations govern compliance with the California Consumer Privacy Act.   

The CPRA amends the CCPA, it is not considered separate but the improved version of the CCPA. The CPRA contains some changes and improvements for the strong protection of consumer rights for the residents of California.


The CPRA adds new rights for Californian consumers. The following are the two new rights that are added. 

  • RIGHT TO CORRECT: the inaccurate personal information. 
  • RIGHT TO LIMIT: the disclosure and use of sensitive personal information.  

CPRA has also introduced a new classification of Personal Information (PI), referred to Sensitive Personal Information (SPI). It has also introduced additional use, disclosure, and opt-out requirements relating to sensitive personal information. 


The CPRA makes a business responsible for how third parties use, share or sell personal information that the business collected in the first place  

 It adds provisions similar to the European Union’s General Data Protection Regulation (GDPR) and adopts the principles of GDPR guided by the concept of lawfulness, fairness, and transparency that relates to  

  •  DATA MINIMIZATION: Limiting the collection of personal data that are only necessary and relevant to the nature of business. 
  • STORAGE LIMITATION: Retaining and storing personal data for a reasonable amount of time. 
  • PURPOSE LIMITATION: Collecting personal data, for explicit, specific, and legitimate disclosed purposes.   


The CPRA establishes the California Privacy Protection Agency (CPPA) to implement and enforce the California Consumer Privacy Act. On October 21, 2012, the CCPA provided notice to the Attorney General that it was prepared to assume rulemaking responsibilities. After six months of this notice, the rule-making authority transfers from the Attorney General to the CPPA.   

 So, the CPPA enforces the CPRA and CCPA. The CPPA is also responsible for initiating public campaigns to increase awareness and understand privacy rights. It has the responsibility to initiate public campaigns to increase awareness and understand the privacy rights provided.   

The rights of California residents are protected by the CPPA and it has four main functions including education, rulemaking, enforcement, and certification.  

On the whole, The CPPA acts as a lead enforcer and supervisor of the CCPA and CPRA, data privacy regime.  



The CPRA changes the definition of a business to exclude smaller businesses and includes bigger businesses that generate a large income from collecting, sharing, and/or selling the Personal Information (PI) of California residents.   

The CPRA creates a new category Sensitive Personal Information (SPI) that is regulated separately and is stronger than Personal Information (PI).   


The CPRA broadens the range of information that consumers can request from businesses, that includes the categories of personal information, categories of collection sources, third-party access, and the specific information collected.  


Considering the CCPA, the violation of minors under the age of 16 and personal information is fined $2500 per violation it is the same for the violation of the personal information of adults. But considering CPRA, the fine is increased and per violation, it is fined $7500.   


 If you’re an organization that uses a large amount of data for business, so complying with CPRA is advisable to get rid of the fine, since CPRA enforcement will begin from July 1, 2023. So comply with the laws and increase your customer trust! 

Checkout Other Whitepapers

In an age defined by technological leaps, the convergence of Generative AI and Data Privacy emerges as a pivotal crossroads.As Generative AI …

This paper is an in-depth analysis of the newly introduced Digital Personal Data Protection Act 2023. The Act is a simple and …

The European Commission introduced a proposal in April 2021 to regulate artificial intelligence (AI) in a 108-page document, aiming to establish a …

As defined by the EU Council, the NIS 2 directive “will set the baseline for cybersecurity risk management measures and reporting obligations …