California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) is a state-wide data privacy bill approved by California voters on November 3, 2020. The CPRA significantly amends and expands the existing California Consumer Privacy Act (CCPA).

The main changes introduced by the CPRA include:

  • Establishing a new government agency for state-wide data privacy enforcement, the California Privacy Protection Agency (CPPA).
  • Creating a category of sensitive personal information (SPI), which is regulated separately and requires stronger security measures than personal information. SPI includes Social Security Number, driver’s license, financial account information and login credentials, precise geolocation data, biometric or health information, etc.
  • Changing the definition of companies that are subject to the regulation – excluding smaller businesses and including bigger ones.
  • Modifying existing rights and adding four new ones: the rights to correction, opting out of automated decision-making, knowing about automated decision-making, and limiting the use of sensitive personal information.
  • Regulating cross-context behavioral advertising from which users can opt out and ask businesses to stop sharing and selling their personal information with third parties to avoid being targeted with ads based on behavioral data.
  • Adding GDPR-like requirements of data minimization, purpose limitation, and storage limitation.
  • Making a business responsible for how third parties use, share or sell personal information that the business collected in the first place.

For more information on the CPRA, CCPA, and other laws in the US, check out our blog content:


  • PHI and PII

    PHI and PII: How they impact HIPAA compliance and your marketing strategy

    Personally identifiable information (PII) and protected health information (PHI) may seem similar. However, there are critical distinctions between the two. While PII is a catch-all term for any information that can be associated with an individual, PHI applies specifically to HIPAA-covered entities dealing with identifiable patient information. Keeping HIPAA compliant and protecting patient information requires…

  • How can healthcare organizations benefit from using a customer data platform (CDP)

    Like many industries, healthcare has been undergoing significant change and is under immense pressure. Patients expect personalized healthcare experiences, but are increasingly aware of their privacy rights and demand that their data is safe and not misused. Healthcare providers have been seeking ways to connect, scale, and leverage customer data more effectively to meet consumers’…