CCPA vs CPRA: How California's Privacy Law Evolved and What Changed
CCPA vs CPRA: How California's Privacy Law Evolved and What Changed
TL;DR — Quick Answer
1 min readThe CPRA significantly strengthened the CCPA by adding data minimization requirements, sensitive data protections, expanded opt-out rights, and a dedicated enforcement agency.
The California Privacy Rights Act (CPRA) of 2020 significantly amended the original California Consumer Privacy Act (CCPA) of 2018. Born from a ballot initiative demonstrating strong public support for privacy protections, the CPRA introduced several important changes.
Key Changes Introduced by the CPRA
Data minimization: Personal information can only be processed and retained when reasonably necessary and proportionate for its collection purpose, or for a compatible purpose the consumer has been informed about. This single principle effectively covers what the GDPR addresses through two separate principles (data minimization and purpose limitation).
Sensitive information protections: The CPRA introduced a legal definition of sensitive information covering precise geolocation, religious beliefs, ethnic origin, communication contents, genetic and biometric data, health information, and sexual orientation. Consumers gained the right to limit use of this data to what is strictly necessary.
Expanded opt-out rights: The original CCPA allowed consumers to opt out of data "sales." The CPRA expanded this to cover both selling and sharing, explicitly clarifying that sharing data for cross-context behavioral advertising falls within scope. This settled a debate about whether analytics cookie usage constituted a sale.
Right to correction: The CCPA originally included rights to know and delete but oddly omitted the right to correct personal information. The CPRA filled this gap with a 45-day compliance window (extendable by another 45 days).
Global Privacy Control compliance: Businesses must honor GPC signals from browsers, streamlining the opt-out process for consumers.
Establishment of a dedicated enforcement agency: The California Privacy Protection Agency (CPPA) was created to enforce the law alongside the Attorney General. The agency can adopt regulations to flesh out the CCPA's provisions.
Enforcement Timeline
The CPRA took effect January 1, 2023, though a court decision delayed enforcement of CPPA regulations until March 2024.
Was this article helpful?
Let us know what you think!
Before you go...
Related Articles
Your Privacy Rights Under the CCPA: A Consumer's Guide
A comprehensive guide to the six key consumer rights under the California Consumer Privacy Act, including how the CCPA compares to the GDPR.
California's Delete Act: A One-Stop Shop for Erasing Your Data from Brokers
How California's Delete Act creates a centralized system for consumers to request deletion of personal data from all registered data brokers in a single request.
The Case for Banning Targeted Advertising
Targeted advertising requires mass surveillance and its costs to privacy, democracy, and society increasingly outweigh the benefits. Here's why banning it makes sense.