CCPA expansion introducing new consumer rights, the California Privacy Protection Agency, sensitive data restrictions, and data minimization principles effective January 2023.
The California Privacy Rights Act (CPRA), passed as Proposition 24 in November 2020 and fully effective January 2023, significantly amends and expands the CCPA. CPRA introduces new consumer rights, creates the California Privacy Protection Agency (CPPA) as a dedicated enforcement body, and establishes stricter obligations for businesses processing sensitive personal information.
CPRA introduces several key expansions beyond CCPA. The right to correct inaccurate personal information requires businesses to implement correction mechanisms. The right to limit use of sensitive personal information (SSN, financial data, precise geolocation, race, health, sexual orientation) allows consumers to restrict processing to purposes necessary for providing requested goods or services. Data minimization principles require collection limited to what is reasonably necessary and proportionate. Purpose limitation mandates that businesses not use personal information for purposes materially different from those disclosed at collection without additional notice. Storage limitation requires retention only as long as reasonably necessary. CPRA expands opt-out rights to cover "sharing" for cross-context behavioral advertising, not just "selling." The CPPA conducts rulemaking, enforcement, and audits as a fully funded independent agency. Automated decision-making provisions grant consumers the right to access information about profiling decisions and to opt out of them.
CPRA moves California privacy law significantly closer to GDPR in its scope and rigor. The creation of the CPPA as a dedicated enforcement agency dramatically increases enforcement capacity compared to relying solely on the Attorney General. CPRA's sensitive personal information category and associated restrictions mirror GDPR's special categories, requiring organizations to implement granular data handling controls. The CPPA's ongoing rulemaking on automated decision-making, cybersecurity audits, and risk assessments will continue expanding obligations through 2025 and beyond.
CDA maps CPRA compliance to the Data Protection and Sovereignty domain within C-BUILD and C-HARDEN campaigns. Our missions address sensitive personal information classification, purpose limitation controls, data minimization audits, and CPPA audit preparation to help organizations meet California's evolving privacy requirements.
Written by CDA Editorial