CPRA (California Privacy Rights Act)

The California Privacy Rights Act (CPRA) expands and strengthens the California Consumer Privacy Act (CCPA), enhancing consumer rights, defining sensitive data, and establishing California’s dedicated privacy regulator.


What is the CPRA? 

The California Privacy Rights Act (CPRA) is a 2020 amendment to the CCPA that enhances consumer data protections and establishes the California Privacy Protection Agency (CPPA) to enforce state privacy law. The CPRA introduces new rights, including correction of personal information, data minimization, and limits on the use of sensitive personal data. It also increases transparency obligations for businesses and extends compliance requirements to service providers and contractors. The CPRA took effect on January 1, 2023, marking a significant evolution of U.S. privacy regulation.

 

Why the CPRA matters 

The CPRA modernizes U.S. privacy regulation by introducing concepts similar to the EU’s General Data Protection Regulation (GDPR), such as data minimization and purpose limitation. It requires organizations to strengthen their data governance programs, update privacy policies, and maintain auditable records of consumer rights requests.
 
The law applies to businesses that process personal information about California residents and meet certain thresholds, such as revenue or volume of data processing. Compliance with the CPRA not only reduces enforcement risk but also supports consumer trust by demonstrating transparency and accountability. 
 
Organizations operating across states increasingly use CPRA compliance as a foundation for broader U.S. privacy strategies, enabling scalability and alignment with upcoming state laws like the Colorado Privacy Act and Virginia Consumer Data Protection Act.

 

How the CPRA is used in practice 

  • Updating privacy notices to include new consumer rights and data use disclosures
  • Implementing processes to limit and manage sensitive personal data 
  • Responding to correction and opt-out requests under the “Do Not Sell or Share” requirement 
  • Enhancing vendor management programs to ensure compliance across service providers 
  • Maintaining records of consumer rights requests for reporting and audit readiness 
  • Integrating CPRA requirements into enterprise-wide privacy management frameworks

 

How OneTrust helps with the CPRA 

OneTrust enables organizations to meet CPRA obligations by centralizing consent and preference management, automating consumer rights workflows, and tracking sensitive data across systems. The platform’s configurable workflows support data correction, deletion, and opt-out requests while maintaining full audit trails for compliance readiness. 

 

FAQs about the CPRA 

 

The CPRA amends and expands the CCPA, adding new consumer rights and creating the California Privacy Protection Agency (CPPA) for dedicated enforcement. It also establishes stricter rules for sensitive personal information and cross-context behavioral advertising.

 Businesses operating in California or targeting California residents must comply if they meet revenue thresholds, process data on 100,000 or more consumers, or derive at least 50% of revenue from selling or sharing personal information.

