Key aspects of the California Consumer Privacy Act (CCPA) for legal professionals
Highlights
- CPRA extended California's privacy law, adding sensitive personal information protections and consumer rights.
- Businesses must comply with expanded obligations including data correction, portability, and automated decision-making transparency.
- California Privacy Protection Agency enforces the law through investigations and collaboration with regulators.
Voters approved the California Privacy Rights Act (CPRA) in November 2020. The CPRA extended and strengthened the California Consumer Privacy Act of 2018 (CCPA), a groundbreaking law that had taken effect less than a year before. The privacy law is still generally referred to as the CCPA because the CPRA didn’t create a new law or replace the CCPA. The CPRA amendments took effect in March 2023.
Weighing in at 34 pages, the CPRA changes are extensive. They include additional rights for consumers and new obligations for businesses. A notable CPRA change is the creation of the California Privacy Protection Agency (CPPA) that’s responsible for implementing and enforcing the law.
What does the California Privacy Rights Act protect?
The CCPA protects the privacy rights of California consumers, granting them various rights to their personal information that businesses collect. These include the right to:
- Know about personal information that businesses collect from them
- Know how that information is used and shared
- Delete the information (with some exceptions)
- Opt out of the sale and sharing of the information
- Exercise their CCPA rights without facing discrimination
The CPRA added a new category, sensitive personal information, to the 11 categories of personal information the CCPA already covered. Sensitive personal information includes:
- Social Security numbers
- Driver’s license, state ID, or passport numbers
- Account log-in information
- Precise geolocation
- Racial or ethnic origin
- Union membership
- Religious beliefs
- Genetic data
- Contents of mail, email, or text messages if the business is not the intended recipient
- Biometric information used to identify an individual
- Information collected and analyzed about a consumer’s health, sex life, or sexual orientation
The CPRA did not extend the already broad definition of California consumers, which includes:
- California residents, except those who are in the state temporarily
- People domiciled in California, but temporarily out of the state
- Business customer or vendor contacts
Who must comply with the California Privacy Rights Act?
For-profit entities doing business in California that collect consumers’ personal information, determine the purpose and means of processing it, and meet certain thresholds must comply with the CCPA, with some exceptions. The CPRA changed the thresholds that determine whether a business is subject to the CCPA, including the method for calculating gross revenue and how many consumers a business must reach.
Consumer rights under the California Privacy Rights Act
In addition to the rights originally granted under the CCPA, new consumer rights under the CPRA include the right to:
- Correct inaccurate personal information that a business holds about them
- Access information about, or opt out of, automated decision-making
- Opt out of the sharing of their personal information
- Request data portability
- Limit the use and disclosure of their sensitive personal information
Business obligations under the California Privacy Rights Act
Business obligations under the CCPA include:
- Protecting personal information with reasonable security practices
- Making all required public notice disclosures
- Providing a notice of the right to opt out
- Establishing procedures to respond to consumers’ privacy rights requests
- Reviewing personal information practices to prevent discrimination
- Complying with requirements for record-keeping and training employees in privacy practices
- Reviewing third-party data sharing and service provider contracts for privacy rights alignment
The California Privacy Rights Act added new business obligations to those already existing in the CCPA, including informing consumers of:
- Whether their information is sold or shared
- The purpose for collecting sensitive personal information
- How long the business intends to retain the information or how that will be determined
Covered businesses also have new obligations to ensure their personal information collection, use, sharing, and retention are reasonably necessary and proportionate. Additional rules also cover what they must do when selling or sharing personal information with a third party.
CPRA enforcement
The California Privacy Rights Act established the California Privacy Protection Agency (CPPA), which conducts investigations and stops the unlawful use of consumers’ personal information.
The CPPA collaborates with national and international regulators and works closely with attorneys general in other states and the California Department of Justice. It conducts periodic investigative sweeps of high-risk industries, businesses, and practices.
CPRA private right of action
The CCPA permits a private right of action in some circumstances for data breaches of certain types of personal information. The definition of “personal information” is narrower in the data breach liability section than in the rest of the CCPA.
The CPRA added another item to the definition of personal information for private right of action cases: an email address combined with a password or security question used to access an online account. The CPRA also clarified that reasonable practices after a breach do not cure the breach.
Recent updates
On Jan. 1, 2024, Assembly Bill 947 went into effect, extending the definition of sensitive personal information to include a consumer’s citizenship or immigration status.
On Jan. 1, 2025, a series of bills further amending the CCPA and CPRA went into effect, including:
- AB1008, which specified that personal information can exist in physical, digital, and abstract digital forms
- SB1223, which added neural data as a type of sensitive personal information
- AB801, which provided additional protection for student data, and AB1971, which applies to standardized testing
In November 2025, the CPPA created a Data Broker Enforcement Strike Force to investigate violations in the data broker industry.
On Jan. 1, 2026, the state launched the Delete, Request, and Opt-Out Platform (DROP). This consumer-facing website gives Californians the ability to tell data brokers to delete and not sell their personal information.
Looking ahead
In January 2027, the California Opt Me Out Act will go into effect, enabling consumers to easily tell websites not to sell or share their personal information. The law will require companies that operate web browsers in California to provide opt-out preference signals (OOPS) that let consumers protect their information across the internet rather than one site at a time.