In 2021, Black Kite reported leaks of personal information (PI) from 1.5 billion users originating from third-party breaches. This raises an important question: What data privacy laws are in place to prevent these types of data breaches and help consumers keep their private information from the eyes of malicious attackers?

This is where the CPRA regulations, also known as the California Privacy Rights Act, and the CCPA (California Consumer Privacy Act) come into play. These regulations were established to address the growing concerns around data privacy and provide stronger protections for individuals. What are these regulations, how does the CPRA build upon the foundation of the CCPA and what additional safeguards does it introduce to enhance data privacy in California?

What are the CPRA Regulations and Why are They Important?

In order to understand the CPRA, you first need to understand the CCPA, the initial California privacy regulation. The CCPA, enacted in 2018, aimed to empower California consumers by granting them rights over personal information collected from them, making it the pioneering legislation in the United States focused on consumer privacy. The CPRA enhances and expands the current regulations from the CCPA to include additional data privacy laws for California citizens. The CPRA draft regulations, also known as Proposition 24, were voted on by California citizens in 2020 to deliver additional data privacy protection that the CCPA (California Consumer Privacy Act) already enforces for California citizens. Both the CCPA and the CPRA give customers the right to know, opt in or out and delete personal information collected by an organization. The CPRA, however, extends consumer rights to include the right to correct any information that was inaccurate and limit the use of sensitive personal information for purposes that might harm a consumer as well as targeted or cross-context behavioral advertising.

The final regulations of the CPRA went into effect in April 2023.

How Does the CPRA Define Sensitive Personal Information?

The CPRA expands the protection of consumer’s personal information already provided in the CCPA to include sensitive personal information.

Sensitive personal information is defined as information that reveals a consumer’s:

  • Identification. This includes social security or other government ID, drivers’ licenses and passport numbers.
  • Finances. This includes debit or credit card numbers, account login, or passwords, codes or credentials that allow access to an account.
  • Geolocation. The exact location of a consumer.
  • Race, religion and union membership. Racial or ethnic origin, religious or philosophical beliefs and/or union affiliation.
  • Communications. The content of a consumer’s email, text message or mail.
  • Health and genetic information. Personal information related to a consumer’s health or genetic data.
  • Biometric information. Information that allows you to identify a particular consumer.
  • Sexual orientation. This includes information related to a consumer’s sexual identity or preference.

What Does the CPRA Amend in the CCPA?

The CPRA regulations extend the existing regulations of the CCPA to raise the standard for how businesses approach data security.

The new regulations:

  • Include penalties for violating data rights of minors. The penalty is $2500 for each unintentional violation and $7500 for an intentional violation of the CCPA. It is $7500 per violation of the CPRA whether intentional or unintentional if it involves children under the age of 16.
  • Expand the scope for personal information. While the CCPA applies to organizations that collect the personal data of more than 50,000 customers, the CPRA applies to organizations that collect the personal data of more than 100,000 consumers. The CCPA also applies to businesses that generate 50% of their revenue by selling consumer information while the CPRA applies to businesses that generate 50% of their revenue from selling or conducting targeted advertising (which it refers to as cross-context behavioral advertising) with consumer’s personal information.
  • Extend consumer rights to information. The CPRA gives consumers the right to correct inaccurate personal information and limit how this data is used to prevent harm to consumers. Businesses must also limit the retention of data and delete it after its use.
  • Recognize opt-out preference signals. Consumers can request to opt out of the sale or sharing of personal information and limit the use of sensitive personal information. This includes opt out rights related to targeted advertising.
  • Allow consumer requests and obtain consent. Companies that wish to comply with the CPRA must provide methods for consumers who are California residents to make consumer requests. Companies must reply to these consumer requests within ten days. Consumer consent must be straightforward and avoid any manipulation to the consumer as this may not constitute consumer consent.

How Does the California Privacy Protection Agency Enforce the Regulations?

The CPRA transfers authority from the California attorney general to the California Privacy Protection Agency (CPPA), a new agency that gives full administrative power to enforce the CCPA. The CPPA approved the final rulemaking package to implement the CPRA on March 29, 2023.

How Panorays Will Help

As the amended and updated CPRA regulations near full implementation, it is crucial to ensure that not only your organization is CPRA-compliant, but that your third-parties are too. Panorays’ automated security management platform makes it easy for you to verify specific security parameters amongst your third-parties including those pertaining to CPRA. Furthermore, any discrepancies will be easily and quickly solved with real-time collaboration with your third-parties right inside the app.

Want to learn more? Open a free account today and see for yourself how Panorays can help strengthen the cybersecurity posture of your third parties.


What is CPRA?

The CPRA, or the California Privacy Rights Act, is administrative law that extends the consumer’s right to protect personal information provided in the CCPA (California Consumers Privacy Act) to include sensitive personal information. It also includes the right of consumers to limit and correct the use of their data for the purposes of targeted or behavioral advertising. These proposed regulations, aimed at protecting the data privacy of consumers not covered in the CPPA, are sometimes referred to as the CPPA 2.0.

What’s the difference between the CPRA and the CCPA?

The CPRA extends the data privacy of consumers currently enforced by the CCPA to include:
1) The data rights of minors. Violating the CCPA now carries a $7500 penalty per violation, whether unintentional or intentional, if the consumer is under 16.
2) A greater scope of personal information. This now includes companies with personal information of over 100,000 consumers and those that generate 50% of their revenue from selling or conducting targeted advertising with this personal information.
3) The demand that businesses recognize opt-out preference signals. Targeted advertising is just one example of a type of opt-out consumers must now be able to request. Businesses must make opt out requests easy to identify on their business website or browser. 
4) An extension of consumer rights to information. This includes a consumer’s right to correct and/or limit the use of their personal information. Businesses must also limit the retention of and delete personal information after its use.
5) The requirement that consumers be able to make consumer requests and grant consent. Businesses must make these requests simple to understand and use data without manipulating consumers.

When does the California Privacy Rights Act (CPRA) go into effect?

The proposed CPRA regulations were voted on in November of 2020 as an extension of the California Consumer Privacy Act passed in 2018. The CPRA started to go into effect in January 2023 and will fully be in effect by July 2023. The CPRA is fully enforced by the California Privacy Protection Agency (CPPA), which transferred authority from the state attorney general to the agency, giving it full administrative power.