California Privacy Rights Act (CPRA) vs CCPA: Critical Implementation Differences for Multi-State Operations
The California Privacy Rights Act significantly expands CCPA requirements with new data categories, expanded consumer rights, and mandatory Data Protection Impact Assessments. Organisations operating across multiple states must understand these changes alongside emerging state privacy laws to avoid a compliance patchwork that creates operational inefficiencies and legal risks.
Understanding CPRA's Expanded Scope
The California Privacy Rights Act, which became fully effective January 1, 2023, represents the most significant expansion of US state privacy law since CCPA's 2020 implementation. While building on CCPA's foundation, CPRA introduces fundamental changes that require distinct compliance approaches, particularly for organisations operating across multiple states.
CPRA's revenue threshold remains $25 million annually, but the personal information processing thresholds have become more complex. The law now covers businesses processing personal information of 100,000+ consumers (up from 50,000) or deriving 50% of revenue from selling personal information. However, the new "sensitive personal information" category creates additional obligations regardless of these thresholds.
New Sensitive Personal Information Category
CPRA's most significant operational change is the introduction of "sensitive personal information" (SPI) with enhanced consumer rights and business obligations. SPI includes:
- Biometric and genetic data: Fingerprints, faceprints, voiceprints, DNA analysis
- Precise geolocation: Location data accurate within 1,850 feet
- Identity documents: Social security numbers, driver's license numbers, passport numbers
- Account credentials: Usernames, passwords, security questions
- Health and sex life data: Medical information, sexual orientation, intimate relationships
- Protected characteristic data: Race, religion, sexual orientation, union membership
Consumers gain the right to limit use and disclosure of SPI, requiring businesses to implement granular consent mechanisms beyond simple opt-out procedures. This creates significant technical challenges for companies processing mixed data types within single systems.
Enhanced Consumer Rights Implementation
CPRA expands consumer rights beyond CCPA's basic framework, requiring new technical and operational capabilities:
Right to Correction
Consumers can now demand correction of inaccurate personal information, not just deletion. Businesses must implement correction workflows that propagate changes to third parties who received the data. This requires detailed data lineage tracking and automated update mechanisms.
Right to Limit Use of Sensitive Personal Information
A new right allowing consumers to restrict SPI processing beyond core business functions. Companies must implement preference management systems that distinguish between necessary processing (fraud prevention, security) and optional uses (marketing, analytics).