Adapting to the CPRA: Best Practices for Compliance
- June 12, 2023
The California Consumer Privacy Act (CCPA) provides consumers with greater control and transparency
over the personal information and data that businesses collect. In November of 2020, Proposition 24,
the California Privacy Rights Act (CPRA), was passed to provide additional privacy protections for
What is the CPRA?
The California Privacy Rights Act (CPRA) amends and expands the existing California Consumer Privacy
Act (CCPA). CPRA builds on the existing provisions of the CCPA by creating new consumer rights,
imposing additional obligations on businesses that collect personal information, defining different types
of “personal information”, and creating a new enforcement agency called the California Privacy
Protection Agency. The CCPA and CPRA set the standard for the way many businesses will approach
privacy and data security.
When will enforcement of the CPRA begin?
Enforcement of the CPRA regulations has been delayed until March 29, 2024. This is the result of a
California Chamber of Commerce lawsuit that held that enforcement should be delayed until one year
following the issuance of the existing regulations. The CPPA regulations were supposed to be enforced
July 1, 2022, and the CPRA to be enforced a year later (July 1, 2023). The CPPA regulations were not
issued until March 29, 2023, thus delaying the enforcement date of the CPRA to March 29, 2024.
What types of data or information are covered by the CPRA?
The CPRA and CCPA protect the personal information of California consumers. This can include
information such as names, addresses, social security numbers, commercial information, biometric
information, internet activity, education and employment information, and audio and visual files.
Additionally, the CPRA protects sensitive personal information that requires greater protection. This
includes personal data such as passport details, driver’s license details, race and ethnic information, and
Which Organizations Does the CPRA Apply To?
For-profit organizations that do business in the State of California must meet one or more of the
following criteria to be subject to the CPRA:
- As of January 1st of the preceding year, have $25 million in annual gross revenues.
- Sell, buy, or share at least 100,000 California households’ or consumers’ personal information.
- Derive 50% or more of its annual revenue from sharing or selling personal information.
While these thresholds exempt some small businesses from CPRA regulations, this law will likely apply to
organizations that produce a majority of their revenues from sharing personal information.
Joint ventures, partnerships, and commonly controlled entities will also be subject to the CPRA. Joint
ventures and partnerships where each business has at least a 40% interest will be considered a single
separate business, and thus CPRA regulations will apply. Commonly controlled entities include entities
that control a covered business, entities that have access to personal information of the business’s
consumers, and entities that share common branding with the covered business. Even if a business
doesn’t meet any of these thresholds, it can still comply with the CPRA.