The article is written by Tejaswini Kaushal, a student at Dr. Ram Manohar Lohiya National Law University, Lucknow. This article seeks to elucidate the objectives, rights, and obligations of individuals and corporations under the California Privacy Rights Act, 2020.

It has been published by Rachit Garg.


The California Privacy Rights Act (CPRA) is the latest revision of California law that tightens privacy laws and safeguards the privacy of customers. The California Privacy Rights Act was proposed with the aim of making the privacy laws in the state of California even more powerful. In the November 2020 election, Californians approved the California Privacy Rights Act ballot proposition, updating and enhancing the current California Consumer Privacy Act (CCPA). 

The proposition expands the rules established under the California Consumer Privacy Act. The new California state privacy legislation updates the California Consumer Privacy Act’s current provisions, establishes new consumer rights, adds new requirements for companies that gather personal data from California residents, and establishes the California Privacy Protection Agency as a new enforcement authority. Together with the California Department of Justice, the agency will be responsible for monitoring and enforcing consumer privacy laws. This change in law will require both businesses and individuals to comply with new norms and standards set by the newly proposed act. The initiative also mandates that businesses acquire consent from customers under the age of 16, and consent from a parent or legal guardian for customers under the age of 13, before collecting personal data. In light of such changes taking place in the privacy laws of California, it is essential for business entities and individuals to update their modus operandi on processing personal data to suit the standards set by the California Privacy Rights Act, 2020. This article provides a comprehensive overview of the changes in the rights and obligations of consumers and organisations in view of the change in the Californian privacy rights law.

Rights granted under CCPA, 2018

The General Data Protection Regulation (GDPR), introduced by the European Union, which garnered a lot of attention with its profusion of privacy-related rules and the possibility of significant fines for offenders, had a significant impact on the data protection and privacy arena in 2018. The California Consumer Privacy Act of 2018 was the most important of the many other new privacy laws enacted during that year.

The California Consumer Privacy Act is a state law created to strengthen Californians’ rights to privacy and consumer protection. The Act became operative on January 1, 2020. It is the predecessor of the California Privacy Rights Act, 2020. California consumers have the following rights under the CCPA:

  • Access to their personal data.
  • Understand the types of personal data being gathered.
  • Choose not to have it shared or sold.
  • Request its removal or, if it is inaccurate, request its correction.
  • Exercise their rights without worrying about punishment or prejudice.

The California Consumer Privacy Act has, over time, lost its sheen and relevance, requiring a more stringent and updated Act to come into force instead. The CCPA will, therefore, be expanded and redefined as part of the California Privacy Rights Act in order to protect California citizens’ rights. It will not only improve safety measures but also tighten the California Consumer Privacy Act. Although the objectives and purview of the two laws are comparable, the California Privacy Rights Act was designed to improve the California Consumer Privacy Act’s lax and ill-defined consumer protection requirements, lax enforcement, and patchy monitoring. Customers have more options to opt out, and enterprises must handle data privacy intentionally.

The California Privacy Rights Act, therefore, builds upon the rights granted under the CCPA to increase the scope of privacy rights. The CPRA restricts how corporations can collect, use, store, and disseminate personal data while also granting California residents and customers particular rights. Presently, the CPRA is widely recognised as the most comprehensive rule of its sort in the nation, and in some ways, it resembles the revolutionary General Data Protection Regulation (GDPR), 2018.

Overview of the CPRA

California voters overwhelmingly adopted the California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, when it was placed on the general election ballot on November 3, 2020. The California Consumer Privacy Act (CCPA) of 2018, which laid the groundwork for consumer privacy rules, is built upon this proposition, which broadens the state of California’s consumer privacy statute. The California Privacy Rights Act establishes a thorough data protection framework that is comparable to data protection regulations in many other regions of the globe, such as the General Data Protection Regulation of the European Union, marking a significant divergence from past U.S. legislation pertaining to HR individuals’ data.

The majority of employers conducting business in California will be subject to much stricter privacy and information security requirements under the California Privacy Rights Act, 2020. The private data of California residents who are employees, independent contractors, business people, job applicants, and board members, as well as the dependents of employees who receive benefits from their employer, will be subject to this novel, coherent, and comprehensive legal framework. By enshrining more provisions in California state law, the proposition expands consumers’ rights to limit the use of “sensitive personal information,” which includes precise geolocation, ethnicity, race, religion, private conversations, genetic data, sexual orientation, and medical details, as well as to prevent businesses from disclosing their personal information to third parties and to rectify inaccurate personal information.

The Act establishes the California Privacy Protection Agency as a special agency charged with carrying out and enforcing state privacy laws, looking into infractions, and punishing offenders. The Act also eliminates the predetermined window of time during which businesses can correct violations without incurring penalties; forbids companies from keeping personal data on customers for longer than is necessary; increases threefold the maximum fines for breaches involving kids below the age of 16 (up to $7,500), and allows for civil penalties for the theft of account login information.

On January 1, 2023, a considerable expansion of employers’ data responsibilities will take effect, necessitating significant modifications to the current private data handling policies, processes, and practices of the HR individuals. Even while the compliance date might seem far off, the majority of covered firms will probably require a good deal of this time to deal with the CPRA’s expanded obligations. The CPRA also stipulates a 12-month lookback timeframe for HR personnel who want to use their new rights to inquire about how the business manages their personal information. In order to be able to react to employees’ demands for CPRA rights, companies must start preparing their human resources data as of January 1, 2022. It is also provided that the legislature would be unable to repeal the legislation, and any changes they do make must be congruous with and promote the motives and objectives of the Act. 

Subjects of the CPRA

No matter where they are based, any company that conducts business in California and gathers customers’ personal information is subject to the California Privacy Rights Act. These companies must fulfil at least one of the following conditions for the CPRA to be applicable to them, as laid down under Section 1798.140(d)(1) of the Act:

  1. Exceeded gross revenue of $25 million in the preceding calendar year, as of January 1 of the present calendar year; or
  2. Obtains 50% or more of its yearly revenue from the sale or sharing of consumer data; or
  3. Purchases, sells, or shares the personal information of 0.1 million or more consumers or households annually.

If any of the aforementioned criteria is satisfied, then the company will be considered a “business” under the California Privacy Rights Act.

Objectives of the CPRA

The purpose of the Act is to provide Californians with the right to:

  1. Know who is gathering their personal information as well as that of their children, how it is being used, and to whom it is accessible.
  2. Have their privacy interests protected, even if they are workers, business persons or independent contractors.
  3. Limit the usage of their sensitive personal information and exercise control over how it is used.
  4. Have access to and control over their personal data, including the ability to move, update, and delete it.
  5. Exercise their privacy rights using readily available self-serve methods.
  6. Exercise their right to privacy without suffering consequences.
  7. Profit from the usage of their personal data by corporations.
  8. Hold companies responsible if they don’t adopt appropriate information security measures.

Rights and obligations under the California Privacy Rights Act

Rights and obligations laid down by CPRA

Purpose limitation and data minimization 

Companies are only allowed to acquire, use, retain, and disclose personal information that is “reasonably required” and “proportionate” to fulfil the purpose for which it was collected.

New requirements for sensitive personal information 

Companies that acquire “sensitive personal information” are now obligated to reveal how they do so, as well as provide customers with the option to limit how it is used and disclosed. Geolocation data, account login information, biometric data, genetic and medical data, the social security number or numbers from government-issued identification cards, as well as details about race, ethnicity, religion, or sexual orientation are all examples of “sensitive personal information,” but they are not the only ones.

New right to correction 

Businesses must give customers the option to update erroneous personal information. This is known as the “New Right to Correction.”

Broader timeframe for the right to access data 

Unless doing so would be impractical or require an excessive amount of work, businesses must offer information to customers beyond the CCPA-mandated 12-month window prior to the request.

Changes to the criteria for deletion 

Companies must instruct contractors and service providers to remove private information from their records when they receive credible consumer requests to do so. Businesses must also request the deletion of personal data from third parties with whom they have shared or sold such information unless doing so would be impractical or require excessive effort.

New “sharing” requirements 

Companies that “share” customer information must warn customers of this policy and offer an opt-out mechanism. The term “sharing” refers to the act of giving personal data about a customer to a third party for cross-context behavioural advertising.

New disclosure requirements

Companies now have to publish the parameters that will be used to establish how long they will keep each type of gathered personal information. The additional consumer rights granted by the CPRA, such as the right to rectification, the right to object to sharing, and the right to restrict the use and disclosure of confidential personal information, must also be disclosed by businesses.

Placement of downstream contractual restrictions 

Before selling, distributing, or disclosing personal information to service providers, contractors, or other parties, businesses must impose particular contractual duties on them.

New security requirements and widened scope of data breach liability 

Businesses must have reasonable security methods and processes that are relevant to the form of the personal data they gather and keep. This is due to new security requirements and wider liability for data breaches. The CPRA further broadens the scope of the private right of action to include data theft using a customer’s email address along with a password or security question and answer that would allow access to the customer’s account.

Business-to-Business (B2B) and employee personal information 

The CPRA extends consumer rights and safeguards to B2B and employee personal information, which has been mainly excluded from the CCPA.

Extra requirements to be developed in rulemaking 

Following the publication of the CPRA regulations, businesses will be subject to additional obligations. Primary rulemaking power will reside with the recently established California Privacy Protection Agency, and final CPRA rules will be implemented by July 1, 2022. 22 distinct topics are anticipated to be covered by regulations, such as the application of artificial decision-facilitation tools, risk evaluations, and recordkeeping.

Newly introduced rights

Right to challenge and rectify inaccurate information 

People who use their right to access information may ask businesses to update any information that is inaccurately given. If the company gets a verifiable consumer request, it is then obligated to make commercially reasonable attempts to rectify such information, barring some of the exceptions laid down by the Act.

Right to have personal information collected with minimum data and for limited purposes

Businesses must use, retain, and share customer information only as much as is reasonably required and reasonable to fulfil the reasons for which it was gathered.

Right to request and receive notice from companies planning to use an individual’s sensitive private data as well as restrict them from doing so 

Anyone can request that businesses stop collecting, selling, or disclosing sensitive personal information. Businesses are required to provide consumers with a particular notice if they intend to collect or use any sensitive personal information. Information of this kind includes: a social security number, licence number, state ID number, passport number or any other number of a government-authorised card; login information of financial accounts, debit cards, or credit cards together with the access code, password, or other credentials; precise geolocation; origin in terms of race or ethnicity, religion or philosophy, or union membership; email, text, and postal communication content; DNA information for the purpose of identifying someone; biometric data; and information gathered and processed on a person’s sexual orientation or medical history.

Expanded rights 

Right to information access 

The California Privacy Rights Act extends the CCPA’s right to request access to personal information a company has collected about a person in the previous 12 months (Section 1798.130(B)) to all information collected, regardless of when it was collected, unless doing so is impossible or would require an unreasonable amount of work.

Right to refuse information sharing with third parties 

As per Section 1798.115 of the California Privacy Rights Act, people have the option to refuse both the sale and sharing of their personal information with third parties. The CCPA raised this issue since sharing is not expressly included in the definition of sale.

Legal right to sue companies that reveal usernames and passwords  

When a company exposes a customer’s personal information due to a data breach brought on by a failure to take adequate security precautions, the CCPA provides customers with the power to sue the company directly. This is broadened by the California Privacy Rights Act to encompass data breaches if the exposed personal information includes a login and password.

Creation of a new agency under CPRA

The California Privacy Protection Agency, a new specialised privacy agency, is established by this new statute under Section 1798.199.10 to manage enforcement. A five-person board that includes the Governor, the Attorney General, the Senate Rules Committee, and the Speaker of the Assembly will be in charge of running it. The Governor also has the power to choose the chair and one other member. The individuals chosen for these positions must be knowledgeable about consumer rights, technology, and privacy, subject to certain restrictions that will help ensure that the members will remain unbiased and free from external influence.

Board members are only permitted to hold office for a maximum of eight years in a row and are subject to termination at any moment by the person who appointed them. Additionally, they are prohibited from working for any person or company that is presently under investigation or was the target of enforcement action within the five years before the board member’s appointment and for two years after leaving the agency.

This organisation, which will be run by an executive director chosen by the board, will get a portion of its funding from enforcement actions, with any administrative penalties levied or settlement money going straight to the Consumer Privacy Fund. Additionally, it will get $10,000,000 yearly, an amount that gets revised on an annual basis by the General Fund.

Timeline for CPRA compliance 

  1. 1 January 2021: California Privacy Rights Act (CPRA) is established as the law and the California Privacy Protection Agency (CPPA) is established. It had been provided that a new agency was to be funded and set up within 90 days of the act’s effective date i.e. five days after the Secretary of State officially files the election results.
  2. 1 July 2021: The process for formulating and adopting CPRA regulations began.
  3. 1 January 2022: Personal data collection became liable under the CPRA’s one-year lookback time frame.
  4. 1 July 2022: The deadline for adoption of the final CPRA regulations by the CPPA.
  5. 1 January 2023: The California Attorney General’s office will continue to enforce the CCPA until January 2023. People will not be able to file lawsuits for the disclosure of usernames and passwords until January 1, 2023, although they will still be able to do so during this time if firms reveal their customers’ personal information in a data breach.
  6. 1 July 2023: The enforcement of the CPRA begins under the CPPA.

Enforcement and penalties under the California Privacy Rights Act

The California Privacy Protection Agency is a new state agency that receives all regulation and enforcement power under the California Privacy Rights Act from the California attorney general. The agency started using its rulemaking jurisdiction as early as July 1, 2021, which was six months after giving notice to the California attorney general that rulemaking would begin. The final regulations, consisting of 22 distinct types of rules and many subparts, were to be implemented by July 1, 2022.

The CPRA increases fines for offences involving kids under the age of 16 and strengthens enforcement by eliminating the CCPA’s current mandated 30-day window for enterprises. Additionally, the legislation broadens the categories of data breaches that are covered by the data breach private right of action to incorporate data breaches involving a username, email address, and a password or security question and answer that would allow access to a digital account.

Beginning on July 1, 2023, and only with regard to infractions that take place on or after that date, the CPRA may be put into effect. Businesses must maintain flexibility in order to adapt their compliance practices in light of continuing regulatory action.

Privacy rights for information of minors

Penalties for data breaches involving children

For infractions concerning the personal information of children and minors, the California Privacy Rights Act imposes harsher administrative and civil sanctions under Section 1798.155. While the California Privacy Protection Agency or the Attorney General may pursue fines of up to $2,500 for each infraction or $7,500 for each deliberate infraction of the Act, they may also seek fines of up to $7,500 for any infraction of the Act involving a consumer under the age of 16. The amount of statutory penalties that a consumer may demand in a civil action involving a breach of a minor’s privacy rights under the Act has not increased in line with this.

New obligations regarding educational information for students

The California Privacy Rights Act makes it clear that a business is not required to comply with a customer’s request to erase a student’s grades, test results, or educational scores that the firm maintains on behalf of an educational institution. Additionally, a company is not compelled to give customers access to standardised educational exams if doing so could compromise their validity and dependability. This explanation helps to allay some of the worries expressed about how students could abuse their access to exam materials to alter their grades or acquire an unfair edge over their peers. However, the CCPA and CPRA do not apply to the degree that such scores, academic results, or evaluations are regarded as a part of a student’s academic record under the Family Educational Rights and Privacy Act (FERPA).

Benefits of CPRA Compliance

By eliminating gaps in targeted advertising regulation, bolstering enforcement, and preventing the legislature from weakening the legislation, the CPRA might help consumers in the short run. Its long-term effects on privacy, however, are less certain. The ballot measure adds new difficulties and ambiguities that businesses may potentially take advantage of. Even worse, there’s a chance that the CPRA may put a cap on reform and thwart fresh initiatives to create a stronger privacy paradigm. Additionally, it passes up chances to significantly enhance the California Consumer Privacy Act and guarantee privacy by default for everyone, not just those who can pay for it.

  1. Closing the gaps in targeted advertising 

Since the CCPA’s definition of “sale” and the service provider exemption have been exploited to get around the opt-out, the ballot initiative would benefit consumers by providing them more control over the data exchanged to offer tailored advertising. Another issue is the service provider exemption in the current CCPA, which has been construed by some to mean that hundreds of unidentified organisations may be regarded as “service providers” by a publisher for delivering targeted advertisements. With enhanced controls on information sharing, including information provided for cross-context targeted advertising, the CPRA helps to solve this. Cross-context targeted advertising is no longer covered by the service provider exemption since it is made clear that it is not a legitimate business objective.

  2. More stringent enforcement

Companies often disregard rules that aren’t effectively enforced, so the CPRA may really help if enforcement were to be significantly strengthened. The CCPA’s enforcement measures are considered too lax, and the Office of the Attorney General of California has said that it only has the funds necessary to pursue a small number of privacy complaints annually. The “right to cure” phrase in the Attorney General’s enforcement section would be removed by the CPRA, which would solve one of the greatest issues with the current CCPA. This clause is a free pass that would weaken the Attorney General’s already limited enforcement powers. The right to cure is particularly incorrect under privacy law because it is unclear how the corporation might correct the infringement once data has been disclosed inappropriately. The CCPA would also be implemented and enforced by a new body that would be solely responsible for doing so, which might give the proposal some power and authority.

  3. Motion to avoid tabling weakened amendments

If voters accept the CPRA, the industry shouldn’t be able to further undermine the CCPA. Legislative changes to the CPRA must be compatible with and serve the initiative’s goals, which include better protecting consumers’ rights, especially the constitutional right to privacy. This may have a really favourable effect. The CPRA might act as a crucial barrier against attempts to weaken safeguards, allowing privacy activists and users to spend more of their limited resources on ensuring that the CCPA is implemented correctly.

Criticism of CPRA

Ambiguity in drafting 

The ballot measure adds certain unfavourable provisions to the new privacy law as well. For instance, the initiative’s unclear wording makes it more challenging to assess the CPRA and its potential effects. The possibility exists that the industry, which has the resources to develop and defend anti-privacy interpretations of the CCPA, might use the initiative in ways that harm consumers, as they have done with the CCPA, because of the vague and conflicting language in it. 

Excessive onus on customers 

The CCPA places too much onus on users to search for and assert their privacy rights. It, therefore, leaves a large bulk of compliance with the provisions of this Act to the prudence of Californian citizens.

Ambiguous universal opt-out

For consumers to exercise their right to stop the sale or sharing of their personal information, the ballot proposal establishes a perplexing procedure. One of CR’s main immediate goals is to establish a worldwide opt-out that businesses must abide by so that customers can take a single, easy action to safeguard their privacy. This would save customers from having to contact every firm individually to halt the sale of their information. Customers who want to properly preserve their privacy must shoulder a tremendous burden to opt out given that there are a huge number of brokers listed on the California Attorney General’s data broker register alone, not to mention the hundreds of additional businesses with whom consumers have dealt. Even worse, some businesses are making it difficult for customers to opt-out by requiring them to download additional apps or go through other hurdles.

In contrast to the CCPA regulations, the ballot proposal may thereby limit consumer options and make it even more challenging for them to opt-out. Consumers shouldn’t have to actively choose not to have their information sold to data brokers. This process should happen automatically. Opt-out systems should, at the very least, be straightforward and accessible to all users, and the ballot initiative’s wording is, at best, confusing.

Potential cap on privacy-enhancing reforms 

Although the initiative sets a ceiling on weakening amendments, it contains ambiguous language that could be used to invalidate laws that would materially strengthen the CCPA. For instance, as was already mentioned, the proposal states that the legislature may only pass laws that are consistent with the initiative’s stated purposes. However, not all of the initiative’s goals are obviously in favour of privacy, and some of them may be construed as being intended to enforce a certain (and poor) kind of privacy protection.

Difference between CCPA, CPRA and GDPR

When it was approved in 2018, the CCPA law marked a turning point for the privacy and protection of data. It was the first substantial piece of legislation that gave Californian customers the right to privacy that they deserved in the twenty-first century. However, looking back, it is obvious that there is potential for growth, particularly following the CPRA’s approval less than a year later. The CPRA may be viewed as a more complete version of the CCPA, which is the best way to define it. It enhances the CCPA’s provisions in a few crucial areas. Both these laws have a common derivative, which is the General Data Protection Regulation (GDPR). The GDPR, issued by the European Union (EU), is the most extensive law ever made addressing consumer data privacy. It was inevitable that the GDPR and the CCPA/CPRA would be compared in all subsequent laws on the issue in Europe and internationally. 

S. No.Basis for differentiationGeneral Data Protection Regulation (GDPR)California Consumer Privacy Act (CCPA)California Privacy Rights Act (CPRA) 
1.Right of CustomersThe necessity for opt-in vs. opt-out permission, which means that businesses must comply with the GDPR in order to process any kind of customer data by obtaining consent and then only the data subjects must opt-in to the processing, is arguably the largest distinction between GDPR and CCPA/CPRA. Contrarily, under the CCPA/CPRA, companies may process customer personal data for any reason they want, unless the consumer exercises a right to prevent the sale or sharing of such data with third parties.All Californians are entitled, under the CCPA, to the right to equal services and prices without discrimination, the right to be informed about data collection and rights, the right to have compiled information disclosed, the right to have compiled information deleted, and the right to opt-out of third-party data sales.All Californians have the right to restrict how a company uses and discloses their sensitive information under the CPRA, and how they retain the authority to instruct the company to utilise such information when it is absolutely essential. Other than that, all companies are required to include a prominent banner on the front page of their websites, along with a suitable link to a page that would enable customers to limit the usage of their personal data on their websites.
2.ScopeThe organisations covered by the GDPR include both for-profit and charity organisations, as well as governmental authorities, that handle the personal data of individuals inside the EU. The GDPR covers almost all forms of personal data and is not restricted in including data such as medical information, clinical trial information, financial information, or personal confidential details, and is far more comprehensive than CCPA requirements in obligating companies to notify customers when their data is being collected, sold, or revealed.The CCPA applies solely to businesses that are for profit and also defines what counts as a business. While the GDPR mandates that this information be provided to users within one month and mandates that consumers be informed of whether the business has their data and how it was acquired,  the CCPA has a 12-month requirement and it only compels all third parties to notify users of whether they have got their information and not how they got it.The definition of what comes under “business” and “sharing” has been modified by the CPRA  for  a widened scope of application of the Act, and has also  created a brand-new kind of protected data called Sensitive Personal Information (SPI). The CPRA, unlike the CCPA, has also accepted requirements from the GDPR that pertain to data reduction, purpose limitation, the right to request that a company’s website limit how it uses its sensitive personal information, and storage restrictions. 
3.Enforcement AgencyThe Information Commissioner’s Office (ICO) has served as the key enforcement authority since the EU-wide regulations went into effect in May 2018. In spite of the United Kingdom’s choice to exit the EU, it was declared in 2019 that the ICO would continue to enforce GDPR legislation throughout the UK.The California Office of the Attorney General (OAG) is responsible for enforcing the CCPA. When an organisation is determined to be in breach of CCPA guidelines, the Attorney General’s office is in charge of imposing the proper fines and penalties.The CPRA established a brand-new agency in charge of enforcing it. The California Privacy Protection Agency (CPPA), which has complete investigative and enforcement authority, will be responsible for enforcing the CPRA.
4. Penalties

GDPR imposes fines for non-compliance and data breaches that can exceed 20 million euros or 4% of the offending company’s annual global revenue, whichever is larger. Unintentional violations of the CCPA/CPRA are punishable by administrative fines of $2,500, and intentional offences are punishable by a penalty of $7,500.

The CCPA only imposes fines once a breach takes place. There is absolutely no penalty for non-compliance. The penalty for violations of the CCPA is $2,500. For intentional violations, it is $7,500. The aggrieved party may also claim $100 – $750 in damages in civil court.

The same punishments as the CCPA specifies are laid down under the CPRA, as well as a further $7,500 penalty if a minor’s consumer privacy rights are abused. If businesses address and fix the problems within 30 days after being alerted by the Attorney General, they can escape the penalty.


The California Privacy Rights Act (CPRA), a new state-wide data privacy law, was signed into law. Due to its major expansions over the current California Consumer Privacy Act (CCPA), it further establishes California’s position as the U.S. frontier in data privacy regulation. The California Privacy Rights Act (CPRA) essentially functions as an addendum to the CCPA, strengthening resident rights, tightening business regulations on the use of private data, and creating a new regulating authority for state-wide data privacy enforcement named the California Privacy Protection Agency (CPPA), among other significant changes to the data privacy regime in the Golden State. The Act will make data gathered by companies after the threshold date subject to compliance.

While the California Privacy Rights Act merits consideration on its own terms, we regret that the ballot proposal fails to take advantage of significant changes to make the CCPA more palatable for consumers. By integrating strong data minimization language that restricts data collection, use, and disclosure to only what is necessary to deliver the service the customer has requested, a better model would respect consumer privacy by default. Stronger laws that California has already established are a superior replacement for the cumbersome opt-out procedures under the California Privacy Rights Act. Additionally, the California Privacy Rights Act might have prevented discrimination against or increased charges for customers who exercise their right to privacy.

It is clear that while the California Privacy Rights Act delivers significant short-term incremental changes, its long-term effects are unclear and may even be detrimental. Strong pro-privacy polling, however, reveals that customers are willing to have their privacy protected, if only there were effective regulations to allow them to do so. Appropriate implementation mechanisms for this act can do wonders for its sustenance and relevance in California.

Frequently Asked Questions (FAQs)

What is the California Privacy Rights Act (CPRA)?

On January 1, 2023, the California Privacy Rights Act (CPRA), the legislation governing data privacy, will come into force. It strengthens California’s current privacy rules, such as the California Consumer Privacy Act (CCPA). Businesses that gather personal information about California residents must comply with the CPRA. Its privacy regulations are comparable to the General Data Protection Regulation (GDPR) in the EU.

Is the CCPA supplanted by the CPRA?

Not quite. It would be more correct to refer to the CPRA as a modification of the CCPA. The California Privacy Rights Act (CPRA) clearly indicates that it “adds” new provisions and “amends” existing sections of the CCPA. However, it is uncertain if the Code will continue to be referred to as the CCPA or will become the CPRA beginning January 1, 2023.

Which enforcement agency is in charge of protecting the privacy rights under the CPRA?

The California Privacy Rights Act established a new agency called the California Privacy Protection Agency, which has complete executive authority and jurisdiction to execute and enforce the CCPA.

When will the California Privacy Protection Agency assume rulemaking authority?

On April 21, 2022, the Attorney General’s rulemaking power under the California Consumer Privacy Act (CCPA) officially passed to the newly established California Privacy Protection Agency, as mandated by the California Privacy Rights Act of 2020. This marked an important new chapter for the California Privacy Protection Agency.

How will the CPPA enforce the CPRA?

The establishment of a new body charged with regulating and enforcing the CCPA as revised by the CPRA is one of the most important structural changes to privacy administration that the CPRA brings. The CCPA as amended by the CPRA will be administered, implemented, and enforced by the California Privacy Protection Agency, a new administrative organisation governed by a five-person board of privacy and technology experts. The CPRA allocates $5 million for the Agency’s first year of operation and $10 million for each fiscal year after that.

Who is subject to the CPRA?

The companies that purchase, sell, or share the personal information of 100,000 or more consumers or households in a year; or exceed the gross revenue of $25 million in the preceding calendar year as of January 1 of the present calendar year; or derive not less than 50% of their annual revenue from selling or sharing consumers’ data, are “businesses” under the CPRA and have to comply with the CPRA provisions.

How will the CPRA affect businesses?

Similar to the CCPA, regulations will be used to fill in the gaps in the CPRA’s major provisions, such as those governing the right of rectification, technical specifications for opt-outs, and data usage agreements for service providers and the freshly designated “contractor” businesses. The CPRA mandates that final regulations must be adopted by July 1, 2022, so the new Agency will have its work cut out for it over the next 18 months to give time for feedback, amendment, and implementation.

How has the CPRA modified the CCPA’s application to companies handling California citizens’ personal information?

The CPRA alters the CCPA’s application by altering what is meant by a “business” which comes under the applicability domain of this Act. The definition of “business” under the CPRA determines the sorts of entities that are covered, and consequently the reach and applicability of the legislation. The two business categories listed in the CCPA are modified by the CPRA, and two further categories are added to account for new company kinds.

How does the notice of collection obligations of the CCPA get expanded by the CPRA?

According to the CCPA, a covered firm must notify customers “at or before the time of collection” of the types of personal information that will be gathered and the uses to which it will be put. The CPRA expands this requirement, calling for notification of:

  • Whether the data will be shared or sold; 
  • How long the data will be retained; and 
  • Further disclosures about the acquisition and use of “sensitive personal information”.

Do the CCPA’s employee and B2B exemptions continue to exist in the CPRA?

The CPRA extends the CCPA’s employee and B2B exemption expiry dates from January 1, 2021, to January 1, 2023.

