CCPA vs. CPRA: Key Differences for Businesses

published on 02 June 2026

California's privacy laws have changed significantly. The CPRA, effective January 1, 2023, builds on the CCPA by introducing stricter requirements, expanded consumer rights, and stronger enforcement mechanisms. If your business handles data from California residents, here's what you need to know:

  • Applicability: CPRA raises the threshold for businesses, now covering those handling data for 100,000 consumers/households (up from 50,000 under CCPA). It also regulates data "sharing", not just "selling."
  • Consumer Rights: CPRA adds new rights, including the ability to correct data, limit sensitive personal information (SPI) use, and opt out of automated decision-making.
  • Enforcement: The CPRA eliminates the 30-day cure period, allowing immediate penalties. Fines are higher, especially for violations involving minors.
  • Business Obligations: Companies must minimize data collection, update privacy policies, and comply with Global Privacy Control (GPC) signals.

Quick Comparison:

Feature | CCPA | CPRA
Scope | 50,000 consumers/households/devices | 100,000 consumers/households
Regulated activity | Selling data | Selling and sharing data
New consumer rights | None | Correct data, limit SPI, opt out of automated decision-making
Enforcement | 30-day cure period | Immediate penalties
Fines | $2,500 (unintentional), $7,500 (intentional) | $2,663 (unintentional), $7,988 (intentional or involving minors)

What to Do: Update your privacy policy, website links, and vendor contracts. Use AI tools for compliance tasks like data mapping and handling consumer requests. Prepare now for 2027's automated decision-making regulations.

CCPA & CPRA Explained: What Every U.S. Business Needs to Know About California’s Data Privacy Laws

CCPA: What You Need to Know

The CCPA gave California residents more control over their personal data. Before diving into how the CPRA builds on this, it’s important to understand the CCPA’s foundational requirements.

Scope and Applicability

The CCPA applies to for-profit businesses operating in California that meet at least one of these criteria:

Threshold | Requirement
Annual gross revenue | Exceeds $25 million in the prior calendar year
Data volume | Handles personal information of 50,000+ consumers, households, or devices
Revenue from data | Earns 50% or more of annual revenue from selling personal information

It’s worth noting that a business doesn’t need a physical office in California to fall under the CCPA’s jurisdiction.

Consumer Rights Under the CCPA

The CCPA granted Californians several rights over their personal data. These include the ability to:

  • Know what personal data a business has collected about them.
  • Request that their data be deleted.
  • Opt out of having their data sold to third parties.

Importantly, businesses cannot penalize consumers for exercising these rights. This means they can’t charge higher prices or provide lower-quality services as a consequence.

When consumers make access or deletion requests, businesses must comply within 45 calendar days, with an option to extend this by another 45 days if necessary. Opt-out requests, however, must be processed within 15 business days.

Business Obligations and Enforcement

The CCPA requires businesses to provide a "Notice at Collection", which clearly outlines what personal data is being collected and why. Companies must also:

  • Maintain an updated privacy policy, refreshed at least every 12 months.
  • Offer at least two ways for consumers to submit requests (e.g., a toll-free number and an online form).
  • Verify consumer identities before fulfilling access or deletion requests.

Enforcement of the CCPA is handled by the California Attorney General, who can impose civil penalties of $2,500 per unintentional violation and $7,500 per intentional violation. Additionally, consumers have a limited right to sue for data breaches, with statutory damages ranging from $100 to $750 per consumer per incident.

The CPRA builds on these foundations, adding new layers of protection and obligations, which we’ll cover next.

CPRA: What Changed and What It Means

The CPRA, rather than replacing the CCPA, builds upon it by introducing stricter rules, expanded consumer rights, and stronger enforcement measures. As Recording Law explains:

"The CPRA did not replace the CCPA. It built on it. The official statute is still titled the 'California Consumer Privacy Act of 2018,' but its provisions now include every change the CPRA introduced."

This foundation sets the stage for key updates in scope, consumer rights, and business responsibilities.

Updated Scope and Applicability

The CPRA made several adjustments to the law's scope, starting with a significant change to the data volume threshold. Businesses now fall under the law if they handle data for 100,000 consumers or households, doubling the previous threshold of 50,000. A major addition is the inclusion of "sharing" as a regulated activity, addressing a loophole that allowed businesses to exchange consumer data for cross-context behavioral advertising without technically "selling" it.

Additionally, the revenue threshold has been adjusted for inflation, reaching $26,625,000 as of January 1, 2025. Importantly, the data volume threshold now counts only consumers and households, not devices, which narrows which businesses it reaches.

New and Expanded Consumer Rights

The CPRA introduced new rights for consumers, expanding the protections provided under the CCPA. Here's a quick breakdown:

Right | What It Means
Right to Correct | Consumers can request corrections to inaccurate personal data; businesses must use "commercially reasonable efforts" to make them.
Right to Limit Sensitive PI | Consumers can limit a business's use of sensitive personal information (SPI) to only what is absolutely necessary to provide the requested service.
Right to Opt Out of Automated Decision-Making | Consumers can opt out of automated systems used for significant decisions, such as housing or employment.

The CPRA also created a new category called Sensitive Personal Information (SPI). This includes Social Security numbers, precise geolocation (within 1,850 feet), genetic data, racial or ethnic origin, and, starting in 2024, neural data. If businesses use SPI for anything beyond providing the requested service, they must display a "Limit the Use of My Sensitive Personal Information" link prominently on their homepage.

New Business Obligations and Enforcement

The CPRA introduced stricter requirements for businesses, particularly around data collection and retention. Under the law, businesses must follow data minimization rules, meaning they can only collect data that is reasonably necessary for a specific, disclosed purpose. They are also required to dispose of data once it is no longer needed.

Enforcement has also been strengthened. The California Privacy Protection Agency (CPPA), the first dedicated privacy regulator in the U.S., now shares enforcement authority with the Attorney General. The CPRA removed the 30-day cure period, allowing the CPPA to issue immediate penalties: $2,663 per unintentional violation and $7,988 per intentional violation or violations involving minors.

The CPPA has already demonstrated its authority. In 2025, it settled CPRA-related cases with American Honda Motor Co. for $632,500, Tractor Supply Company for $1.35 million, and Todd Snyder, Inc. for $345,178.

CCPA vs. CPRA: Key Differences

CCPA vs. CPRA: Side-by-Side Comparison for Businesses

With the CPRA now fully implemented, it's helpful to break down how it differs from the CCPA. These changes affect data collection practices, consumer rights, and enforcement mechanisms.

Applicability and Thresholds

One of the most noticeable updates is the threshold for applicability. The CCPA applied to businesses handling data for 50,000 consumers, households, or devices. The CPRA raises this threshold to 100,000 consumers or households, removing "devices" from the equation. This adjustment means some smaller businesses no longer fall under the law's scope.

Another major change is the regulation of data sharing. Unlike the CCPA, which focused on the sale of consumer data, the CPRA expands its reach to include data sharing, particularly for cross-context behavioral advertising. This closes a loophole that allowed businesses to exchange consumer data without restrictions.

Consumer Rights

The CPRA doesn't just refine existing consumer rights - it introduces entirely new ones. Here's a side-by-side comparison of the key rights under each law:

Right | CCPA | CPRA
Right to Know | Data from the past 12 months | Data beyond 12 months (collected on or after Jan. 1, 2022)
Right to Delete | ✓ | ✓
Right to Opt Out | Sale only | Sale and sharing (including behavioral ads)
Right to Correct | Not included | ✓
Right to Limit Sensitive PI | Not included | ✓
Automated Decision-Making | Not included | ✓ Opt-out rights (enforced starting Jan. 1, 2027)
Minor Protections (Under 16) | Standard consent rules | Explicit opt-in required before sale or sharing

These changes require businesses to update their website links. For example, the CCPA's "Do Not Sell My Personal Information" link must now read "Do Not Sell or Share My Personal Information." Additionally, if sensitive personal information is used beyond what's necessary for providing services, businesses must include a "Limit the Use of My Sensitive Personal Information" link.

Enforcement and Penalties

Under the CCPA, businesses had a 30-day window to address violations after receiving notice from the Attorney General. With the CPRA, this cure period has been removed. Now, the California Privacy Protection Agency (CPPA) can impose fines immediately upon identifying a violation.

Enforcement responsibilities are now shared between the Attorney General and the CPPA, the first U.S. agency dedicated entirely to privacy enforcement. Starting in 2025–2026, fines for unintentional violations can reach $2,663 per incident, while intentional violations - or any involving minors - can result in fines of up to $7,988 per incident.

The CPRA also expands the private right of action for data breaches. Consumers can now seek statutory damages ranging from $100 to $750 per incident for breaches involving sensitive combinations of data, such as an email address paired with a password or security question. This was not covered under the original CCPA.

How Businesses Can Meet CPRA Requirements

Changes to Make Now

The California Privacy Rights Act (CPRA) introduces new rules for how businesses handle data collection, storage, and sharing. To stay compliant, there are several updates you’ll need to make across key areas.

Start with your website. Make sure your homepage links are updated to reflect the new requirements. Replace the old "Do Not Sell My Personal Information" link with "Do Not Sell or Share My Personal Information." If your business uses sensitive personal information (SPI) for purposes beyond your core service, add a "Limit the Use of My Sensitive Personal Information" link as well. Starting January 2026, you’ll also need to provide clear confirmation - like a toggle or badge - when consumers opt out of data sharing.

Update your privacy policy. Your policy should now include specific data retention periods for each type of data collected. It must also explain the new Right to Correct and how consumers can limit the use of their SPI. Avoid vague statements like "we retain data as long as necessary" - the CPRA demands clear, detailed language.

Review vendor contracts. The CPRA introduces a new category of contractors alongside service providers. Any third-party agreement involving consumer data must include clauses that prohibit selling or sharing data and restrict sub-processing activities.

Enable Global Privacy Control (GPC) signals. The California Privacy Protection Agency (CPPA) emphasizes compliance with GPC signals. When a browser sends a "Sec-GPC: 1" header, your system should treat it as a valid opt-out request automatically.
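As an added example (not code from the original post), here is one way a server can treat the "Sec-GPC: 1" request header as a valid opt-out of sale and sharing; the PrivacyPrefs record and the function names are assumptions made for the illustration.

```python
"""Honoring the Global Privacy Control (GPC) signal server-side.

Added example, not from the original post. The GPC signal is the request
header `Sec-GPC: 1`; PrivacyPrefs and the functions below are constructed.
"""
from dataclasses import dataclass
from typing import Mapping


@dataclass
class PrivacyPrefs:
    """Constructed stand-in for a consumer's stored preference record."""
    opt_out_sale_sharing: bool = False
    source: str = "none"  # "link" (homepage opt-out link), "gpc", or "none"


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only for a well-formed GPC signal.

    HTTP header names are case-insensitive, so compare lower-cased.
    The only valid value is "1"; "0", "true", "" or a missing header
    are not opt-outs and must not change the consumer's preferences.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_gpc(headers: Mapping[str, str], prefs: PrivacyPrefs) -> PrivacyPrefs:
    """Record a GPC signal as an opt-out of sale and sharing.

    The signal only ever adds an opt-out. A later request without the
    header (another browser, or GPC switched off) is not consent to
    resume sharing, so an existing opt-out is never cleared here.
    """
    if gpc_signal_present(headers) and not prefs.opt_out_sale_sharing:
        prefs.opt_out_sale_sharing = True
        prefs.source = "gpc"
    return prefs


def may_share_for_ads(prefs: PrivacyPrefs) -> bool:
    """Gate to check before any cross-context behavioral advertising call
    (ad pixels, tag managers, audience uploads)."""
    return not prefs.opt_out_sale_sharing
```

Every pipeline that sells or shares data should call the gate, not just the homepage link handler, otherwise the GPC opt-out is recorded but not honored.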

Using AI Tools to Support Compliance

While manual updates are essential, technology can make compliance more efficient and manageable. The CPRA’s expanded requirements mean businesses need tools that save time and reduce errors, and AI is proving to be a valuable resource in this area.

Data mapping is a significant challenge, but AI tools can simplify it. These tools can scan your databases, cloud systems, and third-party integrations to locate and categorize personal information and SPI. This automated approach helps meet the CPRA’s data minimization standards.

For handling consumer requests (DSARs), AI-powered portals can streamline the process by automating tasks like verifying identities, retrieving data, and ensuring data is deleted across multiple systems. Considering that a data breach affecting 50,000 consumers could result in up to $37.5 million in statutory damages, investing in accurate automation is a smart move.

"AI can remove the human factor from certain business processes without compromising compliance. However, businesses still should introduce human validation into the loop to avoid common risks." - Corpsoft Solutions

If you’re looking for AI tools to enhance your compliance efforts, check out AI for Businesses, a resource offering curated solutions for small and mid-sized companies.

Lastly, start preparing for Automated Decision-Making Technology (ADMT) regulations. If your business uses AI for major decisions - such as hiring, lending, or healthcare - you’ll need to implement pre-use notices and provide opt-out options by January 1, 2027.

Conclusion: Staying Ahead of California's Privacy Laws

The transition from the CCPA to the CPRA has reshaped how businesses in California are required to handle personal data. Key changes include the removal of the 30-day cure period, the creation of the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, and the introduction of expanded consumer rights. A notable example of the impact of these changes came in May 2026, when General Motors agreed to a $12.75 million settlement - the largest CCPA penalty to date - after an investigation revealed the unauthorized sale of drivers' data. This case, among others, highlights the increasing scrutiny on privacy practices.

Regulators are no longer satisfied with surface-level compliance. They are focusing on discrepancies between what businesses claim in their privacy policies and what they actually do with consumer data. These gaps can lead to steep penalties and reputational harm.

"The responsibility stops with businesses that use privacy management solutions, not with the vendors." - Head of Enforcement, CPPA

To meet compliance requirements, businesses must prioritize strong data governance. This includes practices like minimizing data collection, enforcing accurate retention schedules, updating vendor agreements, and ensuring systems can handle opt-out requests effectively. AI tools can play a big role here, helping with tasks like automating data mapping, processing consumer requests, and detecting GPC (Global Privacy Control) signals. However, these tools must be configured correctly to deliver results. For businesses seeking support, AI for Businesses offers a directory of AI tools tailored for small and medium-sized enterprises.

With ADMT regulations set to begin on January 1, 2027, and risk-assessment deadlines stretching into 2028, companies that establish robust data governance now will be far better prepared for the challenges ahead.

FAQs

Does my business fall under the CPRA now?

Your business falls under the California Privacy Rights Act (CPRA) if it operates for profit in California, collects personal information from California residents, and meets at least one of these criteria:

  • Annual gross revenue surpasses $26,625,000.
  • Annually buys, sells, or shares the personal data of 100,000 or more California consumers or households.
  • Generates 50% or more of its yearly revenue from selling or sharing personal information.

These thresholds determine whether your business must comply with CPRA regulations.

What counts as “sharing” personal information under the CPRA?

Under the CPRA, “sharing” covers the act of disclosing or communicating a consumer's personal information to a third party for cross-context behavioral advertising, even when no money changes hands. This includes activities like retargeting ads or using tools such as Google Ads or Facebook Pixel. Since the definition extends beyond just “selling,” businesses are required to provide consumers with an option to opt out of this type of sharing.

To align with California privacy laws, make updates to your website's links and how you handle data signals. Replace the "Do Not Sell My Personal Information" link with "Do Not Sell or Share My Personal Information." If you process sensitive personal data beyond essential services, include a new link labeled "Limit the Use of My Sensitive Personal Information." Additionally, ensure your site recognizes and honors the Global Privacy Control (GPC) signal as a valid opt-out request.
