California Privacy Rights Act (CPRA)
Maximum Fine: $7,500 per violation
Scope: State
Regulator: CPPA
Status: Active
Overview
The California Privacy Rights Act amends and expands the CCPA, establishing new privacy rights for California residents and obligations for businesses.
Key Facts
- Effective January 1, 2023
- Enforced by the California Privacy Protection Agency
- Expands consumer privacy rights
- Creates new obligations for businesses
- Establishes dedicated privacy regulator
Key Principles
Consumer Rights
Enhanced privacy rights granted to California residents under CPRA.
Requirements
- Right to know
- Right to delete
- Right to correct
- Right to data portability
- Right to limit use of sensitive data
- Right to opt out of sharing/selling
- Rights regarding automated decision-making
Examples
- Access request procedures
- Deletion mechanisms
- Correction processes
- Data portability tools
- Opt-out systems
Transparency
Enhanced disclosure requirements for businesses.
Requirements
- Privacy notice requirements
- Processing disclosures
- Retention schedules
- Automated decision-making disclosures
- Sensitive data processing notices
Examples
- Privacy policies
- Just-in-time notices
- Cookie banners
- Data retention schedules
Data Minimization
Collection and use limitations for personal information.
Requirements
- Purpose limitation
- Storage limitation
- Collection minimization
- Use restrictions
- Sharing limitations
Examples
- Data inventories
- Retention policies
- Processing records
- Purpose documentation
Compliance Requirements
Privacy Notice Requirements
Enhanced notice requirements including new disclosure obligations.
Implementation Steps
- Update privacy notices with new rights
- Include retention periods
- Disclose automated decision-making
- Add sensitive data processing details
- Describe sharing practices
Required Documentation
- Privacy policy
- Collection notices
- Cookie policies
- Retention schedules
- Processing records
Consumer Request Handling
Enhanced procedures for handling consumer rights requests.
Implementation Steps
- Implement new rights request systems
- Update verification procedures
- Train staff on new requirements
- Document response processes
- Maintain request logs
Required Documentation
- Request procedures
- Verification methods
- Training materials
- Response templates
- Request tracking system
Sensitive Data Processing
New requirements for processing sensitive personal information.
Implementation Steps
- Identify sensitive data
- Implement purpose limitations
- Create opt-out mechanisms
- Update processing procedures
- Enhance security measures
Required Documentation
- Data inventory
- Processing procedures
- Security protocols
- Consent records
- Impact assessments
Enforcement & Penalties
California Privacy Protection Agency
New dedicated privacy regulator with enhanced enforcement powers.
Penalty Categories
Administrative Fines
Up to $7,500 per intentional violation
For each intentional violation or violation involving minors
Civil Penalties
Up to $2,500 per violation
For each unintentional violation
Private Right of Action
$100-$750 per incident
For data breaches involving certain personal information
Example Cases
Example Case 1
$400,000
2023 - Multiple violations of consumer rights requirements
Example Case 2
$250,000
2023 - Failure to implement reasonable security measures
No Cure Period
Removal of 30-day cure period for violations.
Penalty Categories
Immediate Enforcement
Varies
No mandatory cure period before enforcement
Discretionary Cure
Varies
Agency may consider good faith efforts to cure
Example Cases
Example Case 3
$150,000
2023 - Immediate enforcement without cure period
Example Case 4
$100,000
2023 - Reduced fine due to voluntary remediation