California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) is a state-wide data privacy bill approved by California voters on November 3, 2020. The CPRA significantly amends and expands the existing California Consumer Privacy Act (CCPA).

The main changes introduced by the CPRA include:

  • Establishing a new government agency for state-wide data privacy enforcement, the California Privacy Protection Agency (CPPA).
  • Creating a category of sensitive personal information (SPI), which is regulated separately and requires stronger security measures than personal information. SPI includes Social Security Number, driver’s license, financial account information and login credentials, precise geolocation data, biometric or health information, etc.
  • Changing the definition of companies that are subject to the regulation – excluding smaller businesses and including bigger ones.
  • Modifying existing rights and adding four new ones: the rights to correction, opting out of automated decision-making, knowing about automated decision-making, and limiting the use of sensitive personal information.
  • Regulating cross-context behavioral advertising from which users can opt out and ask businesses to stop sharing and selling their personal information with third parties to avoid being targeted with ads based on behavioral data.
  • Adding GDPR-like requirements of data minimization, purpose limitation, and storage limitation.
  • Making a business responsible for how third parties use, share or sell personal information that the business collected in the first place.

For more information on the CPRA, CCPA, and other laws in the US, check out our blog content: