NEW
Report & API Now Live! Data insights report and open data API endpoints live as of September 23, 2025

CPRA - California Privacy Rights Act

type
Regulation
Full Name
CPRA - California Privacy Rights Act (California Privacy Rights Act of 2020)
Official Name
California Privacy Rights Act of 2020

Description

Description
Source

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA), passed through Proposition 24 in November 2020, significantly expands and amends the California Consumer Privacy Act (CCPA) of 2018. This landmark privacy legislation establishes comprehensive data protection rights for California residents and creates the California Privacy Protection Agency (CPPA) as a dedicated privacy regulator - the first of its kind in the United States.

The regulation represents a major shift in U.S. privacy law, bringing California's privacy framework closer to the GDPR standard while introducing unique requirements for digital identity management and data protection. It strengthens consumer privacy rights, imposes stricter obligations on businesses handling personal information, and creates robust enforcement mechanisms.

Key Aspects

Regulatory Authority

  • Establishes the independent California Privacy Protection Agency (CPPA)
  • Transfers rulemaking and enforcement authority from the Attorney General to the CPPA

Scope and Jurisdiction

  • Applies to businesses that:
    • Handle California residents' personal information
    • Meet specified monetary thresholds (updated annually)
    • Operate in California or serve California residents

Core Requirements

  1. Enhanced Consumer Rights

    • Right to Delete personal information
    • Right to Correct inaccurate personal information
    • Right to Know what personal information is collected and shared
    • Right to Data Portability
    • Right to Opt-out of personal information sharing
  2. Business Obligations

    • Implementation of reasonable security measures
    • Mandatory risk assessments for high-risk processing
    • Cybersecurity audit requirements
    • Enhanced requirements for automated decision-making technology
  3. Data Broker Provisions

    • Mandatory registration requirements
    • Implementation of accessible delete mechanisms
    • Compliance with DROP (Delete Request and Opt-out Platform) system

Technical Implementation Requirements

  • Data security standards
  • Authentication protocols for identity verification
  • API specifications for data portability
  • Encryption requirements for sensitive data
  • Implementation of automated compliance systems

Compliance Mechanisms

  1. Enforcement

    • Administrative enforcement by the CPPA
    • Civil penalties for violations
    • Private right of action for data breaches
  2. Audit Requirements

    • Regular cybersecurity audits
    • Risk assessments for high-risk processing
    • Documentation of compliance measures

Timeline

  • Passed: November 2020
  • Effective: January 1, 2023
  • Enforcement: July 1, 2023
  • Ongoing updates to monetary thresholds and regulations

Privacy and Security Impact

The CPRA significantly enhances digital identity protection through:

  • Stricter requirements for identity verification
  • Enhanced security measures for personal data
  • Greater control over automated processing
  • Mandatory breach notification requirements
  • Specific protections for sensitive personal information

"The law marks a significant advancement in U.S. privacy protection, establishing a comprehensive framework for digital identity management and data protection."

Projects Following this Regulation

If you are featured in the Web of Trust Map and wish to exercise your GDPR rights, including the right to be forgotten, visit the privacy policy page