CPRA: The Follow-Up to the CCPA

What is the CPRA?

The California Privacy Rights Act (CPRA), approved by ballot in California on November 3, 2020, expands and replaces parts of the California Consumer Privacy Act (CCPA).


Most of the substantive law goes into effect January 1, 2023, although the expanded “right to know” begins for personal information collected on or after January 1, 2022.

I am a small to medium sized business owner. Do I need to care about the CCPA/CPRA?

The CCPA/CPRA applies to businesses that meet one of the following criteria:

  1. A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that 1) collects consumers' personal information 2) does business in the State of California, and 3) satisfies one or more of the following thresholds:

  2. annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year

  3. Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households

  4. Derives 50 percent or more of its annual revenues from selling, or sharing consumers' personal information.

  5. Any entity that controls or is controlled by such business, and that shares common branding with the business and with whom the business shares consumers' personal information.

  6. A joint venture or partnership composed of businesses in which each business has at least a 40 percent interest.

I am already compliant with the CCPA. What has changed with the passing of CPRA?

The CPRA expands and, when in conflict, replaces the scope of CCPA. Some key changes are as follows:

  1. Defines “sensitive personal information” separately and requires separate disclosure, opt-out/opt-in requirements, and purpose limitation .

  2. Modifies the right to know, delete, opt-out of third-party sales and sharing, and nondiscrimination from the CCPA.

  3. Adds the right to limit use and disclosure of sensitive personal information, rectification, access about automated decision-making, opt-out of automated decision-making, restrict sensitive personal information, and audit obligations to the business.

  4. Adopts the General Data Protection Regulation (GDPR) principles of data minimization, purpose limitation, consent, and storage limitation (this is unlikely to result in any changes for businesses that are already GDPR-compliant).

Does the CCPA/CPRA apply to me if I am not in California? How do I comply?

CCPA/CPRA requires compliances from businesses that meet the above listed criteria. If you are a business that collects California consumer information and the criteria look similar to your business activities, it is best to discuss this with an attorney experienced in this area of law. Emerald Law can provide you with legal assistance to ensure you are compliant with the latest data privacy regulations. We know data privacy regulations can be overwhelming, and we have extensive knowledge helping businesses who are just starting out on their journey.


For more information on how we can help you with your data privacy requirements, contact us today.