California Privacy Rights Act (CPRA)

  • Maximum Fine: $7,500 per violation
  • Scope: State
  • Regulator: CPPA
  • Status: Active

Overview

The California Privacy Rights Act amends and expands the CCPA, establishing new privacy rights for California residents and obligations for businesses.

Key Facts

  • Effective January 1, 2023
  • Enforced by the California Privacy Protection Agency
  • Expands consumer privacy rights
  • Creates new obligations for businesses
  • Establishes dedicated privacy regulator

Key Principles

Consumer Rights

Enhanced privacy rights granted to California residents under CPRA.

Requirements

  • Right to know
  • Right to delete
  • Right to correct
  • Right to data portability
  • Right to limit use of sensitive data
  • Right to opt-out of sharing/selling
  • Rights regarding automated decision-making

Examples

  • Access request procedures
  • Deletion mechanisms
  • Correction processes
  • Data portability tools
  • Opt-out systems

Transparency

Enhanced disclosure requirements for businesses.

Requirements

  • Privacy notice requirements
  • Processing disclosures
  • Retention schedules
  • Automated decision-making disclosures
  • Sensitive data processing notices

Examples

  • Privacy policies
  • Just-in-time notices
  • Cookie banners
  • Data retention schedules

Data Minimization

Collection and use limitations for personal information.

Requirements

  • Purpose limitation
  • Storage limitation
  • Collection minimization
  • Use restrictions
  • Sharing limitations

Examples

  • Data inventories
  • Retention policies
  • Processing records
  • Purpose documentation

Compliance Requirements

Privacy Notice Requirements

Enhanced notice requirements including new disclosure obligations.

Implementation Steps

  • Update privacy notices with new rights
  • Include retention periods
  • Disclose automated decision-making
  • Add sensitive data processing details
  • Describe sharing practices

Required Documentation

  • Privacy policy
  • Collection notices
  • Cookie policies
  • Retention schedules
  • Processing records

Consumer Request Handling

Enhanced procedures for handling consumer rights requests.

Implementation Steps

  • Implement new rights request systems
  • Update verification procedures
  • Train staff on new requirements
  • Document response processes
  • Maintain request logs

Required Documentation

  • Request procedures
  • Verification methods
  • Training materials
  • Response templates
  • Request tracking system

Sensitive Data Processing

New requirements for processing sensitive personal information.

Implementation Steps

  • Identify sensitive data
  • Implement purpose limitations
  • Create opt-out mechanisms
  • Update processing procedures
  • Enhance security measures

Required Documentation

  • Data inventory
  • Processing procedures
  • Security protocols
  • Consent records
  • Impact assessments

Enforcement & Penalties

California Privacy Protection Agency

New dedicated privacy regulator with enhanced enforcement powers.

Penalty Categories

  • Administrative Fines: Up to $7,500 per intentional violation. For each intentional violation or violation involving minors.
  • Civil Penalties: Up to $2,500 per violation. For each unintentional violation.
  • Private Right of Action: $100-$750 per incident. For data breaches involving certain personal information.

Example Cases

  • Example Case 1: $400,000 (2023). Multiple violations of consumer rights requirements.
  • Example Case 2: $250,000 (2023). Failure to implement reasonable security measures.

No Cure Period

Removal of 30-day cure period for violations.

Penalty Categories

  • Immediate Enforcement: Varies. No mandatory cure period before enforcement.
  • Discretionary Cure: Varies. Agency may consider good faith efforts to cure.

Example Cases

  • Example Case 3: $150,000 (2023). Immediate enforcement without cure period.
  • Example Case 4: $100,000 (2023). Reduced fine due to voluntary remediation.