California Privacy Rights Act (CPRA) vs CCPA: Critical Implementation Differences for Multi-State Operations
The California Privacy Rights Act significantly expands CCPA requirements with a new sensitive personal information category, expanded consumer rights, and risk assessments for high-risk processing (California's analogue of the DPIA, set by CPPA regulation). Organisations operating across multiple states must understand these changes alongside emerging state privacy laws to avoid a compliance patchwork that creates operational inefficiencies and legal risks.
Understanding CPRA's Expanded Scope
The California Privacy Rights Act, which became fully effective January 1, 2023, represents the most significant expansion of US state privacy law since CCPA's 2020 implementation. While building on CCPA's foundation, CPRA introduces fundamental changes that require distinct compliance approaches, particularly for organisations operating across multiple states.
CPRA keeps CCPA's $25 million gross annual revenue threshold but changes the other two. A business is covered if it (a) had more than $25 million in gross revenue in the preceding calendar year, (b) annually buys, sells, or shares the personal information of 100,000 or more consumers or households (up from 50,000 under CCPA, which also counted devices), or (c) derives 50% or more of its annual revenue from selling or sharing personal information. The new "sensitive personal information" category does not pull entities below these thresholds into scope; it adds obligations for businesses that already meet them.
New Sensitive Personal Information Category
CPRA's most significant operational change is the introduction of "sensitive personal information" (SPI) with enhanced consumer rights and business obligations. SPI includes:
- Biometric and genetic data: Genetic data, and biometric information (fingerprints, faceprints, voiceprints) processed to uniquely identify a consumer
- Precise geolocation: Location data that places a consumer within a circle of radius 1,850 feet or less
- Identity documents: Social security numbers, driver's license and state ID numbers, passport numbers
- Account credentials: Account log-in, financial account, or payment card numbers combined with the password, access code, or credentials needed to access the account
- Communications content: Contents of mail, email, and text messages, unless the business is the intended recipient
- Health and sex life data: Personal information collected and analysed concerning a consumer's health, sex life, or sexual orientation
- Protected characteristic data: Racial or ethnic origin, religious or philosophical beliefs, union membership
Consumers gain the right to limit the use and disclosure of SPI, exercised through a "Limit the Use of My Sensitive Personal Information" link (which may be combined with the "Do Not Sell or Share My Personal Information" link). This is an opt-out style right rather than a consent requirement, but honouring it means recording the limitation and enforcing it by purpose wherever SPI is processed, which is difficult when SPI and ordinary personal information sit in the same systems. One carve-out narrows the scope: SPI collected or processed without the purpose of inferring characteristics about a consumer is treated as ordinary personal information.
Enhanced Consumer Rights Implementation
CPRA expands consumer rights beyond CCPA's basic framework, requiring new technical and operational capabilities:
Right to Correction Consumers can demand correction of inaccurate personal information, not just deletion, and businesses must use commercially reasonable efforts to correct it. The CPPA regulations also require the business to instruct its service providers and contractors that hold the data to make the same correction, so correction workflows need data lineage tracking and a mechanism to push updates downstream.
Right to Limit Use of Sensitive Personal Information A new right allowing consumers to restrict SPI use and disclosure to what is necessary to perform the services or provide the goods an average consumer would reasonably expect, plus a short list of purposes enumerated in the CPPA regulations (for example, ensuring security and integrity, short-term transient use, and performing services on the business's behalf). Companies must implement preference management systems that record the limitation and distinguish, per purpose, between exempt processing and optional uses such as marketing and analytics.
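One way to implement that per-purpose distinction, as an added example that is not code from the original article or from any vendor product: a small policy enforcement point that tags every data access with a purpose, strips SPI fields for non-exempt purposes once the consumer has exercised the right to limit, and blocks cross-context behavioural advertising entirely after an opt-out of sale or sharing. The field classification, purpose names, and preference store are assumptions made for the example; the exempt purposes are a subset of those the CPPA regulations enumerate, not the full list.

```python
"""Added example (not from the original article): a purpose-based enforcement
point for CPRA's right to limit use of sensitive personal information (SPI).
Field classification, purpose names and the preference store are assumptions
made for illustration; the exempt purposes are a subset of those the CPPA
regulations enumerate, not the full statutory list."""
from dataclasses import dataclass
from enum import Enum


class Purpose(Enum):
    SERVICE_DELIVERY = "service_delivery"      # goods/services the consumer asked for
    SECURITY = "security"                      # security incidents, fraud, abuse
    LEGAL_OBLIGATION = "legal_obligation"
    MARKETING = "marketing"
    ANALYTICS = "analytics"
    CROSS_CONTEXT_ADVERTISING = "cross_context_advertising"   # "sharing" under CPRA


# Purposes that may continue after a consumer limits SPI use (assumed subset).
LIMIT_EXEMPT_PURPOSES = {Purpose.SERVICE_DELIVERY, Purpose.SECURITY, Purpose.LEGAL_OBLIGATION}

# Constructed data-map excerpt: record fields classified as SPI.
SPI_FIELDS = {"ssn", "precise_geolocation", "health_condition",
              "biometric_template", "account_password"}


@dataclass
class ConsumerPrefs:
    consumer_id: str
    limit_spi: bool = False              # exercised "Limit the Use of My SPI"
    opt_out_sale_share: bool = False     # exercised "Do Not Sell or Share"


@dataclass
class Decision:
    allowed: dict      # fields the caller may process for this purpose
    suppressed: dict   # fields withheld, kept for the audit trail
    reason: str


def enforce(record: dict, purpose: Purpose, prefs: ConsumerPrefs) -> Decision:
    """Return the subset of `record` usable for `purpose` under `prefs`.

    Order matters: an opt-out of sale/sharing blocks the whole record for
    cross-context advertising, regardless of whether any field is SPI; the
    right to limit then strips SPI fields for every non-exempt purpose.
    """
    if purpose is Purpose.CROSS_CONTEXT_ADVERTISING and prefs.opt_out_sale_share:
        return Decision({}, dict(record), "consumer opted out of sale/sharing")
    if prefs.limit_spi and purpose not in LIMIT_EXEMPT_PURPOSES:
        allowed = {k: v for k, v in record.items() if k not in SPI_FIELDS}
        suppressed = {k: v for k, v in record.items() if k in SPI_FIELDS}
        return Decision(allowed, suppressed,
                        f"SPI withheld: '{purpose.value}' is not an exempt purpose")
    return Decision(dict(record), {}, "no limitation applies")


def classify(record: dict) -> set:
    """Names of SPI fields present in a record (useful for data-mapping checks)."""
    return {k for k in record if k in SPI_FIELDS}


if __name__ == "__main__":
    # Constructed sample record, not real data.
    sample = {"email": "user@example.com", "ssn": "000-00-0000",
              "precise_geolocation": (37.7749, -122.4194), "plan": "premium"}
    prefs = ConsumerPrefs("c-1", limit_spi=True, opt_out_sale_share=True)
    for p in (Purpose.SECURITY, Purpose.MARKETING, Purpose.CROSS_CONTEXT_ADVERTISING):
        d = enforce(sample, p, prefs)
        print(f"{p.value:26} allowed={sorted(d.allowed)} reason={d.reason}")
```

The design point is that the purpose is a mandatory argument at the data-access boundary rather than something inferred later from logs; without that, a "limit" preference cannot be enforced at all, and the suppressed fields returned in the `Decision` give the audit trail an enforcement review would ask for.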
Expanded Right to Know CPRA requires the notice at collection to state, for each category of personal information, how long the business intends to retain it or, if that is not possible, the criteria used to determine the period; a general retention statement is not enough. Privacy notices must also state the purposes for collecting each category and the categories of third parties with which it is shared.
Data Protection Impact Assessment Requirements
CPRA does not itself spell out a DPIA obligation. Cal. Civ. Code §1798.185(a)(15) instead directs the California Privacy Protection Agency (CPPA) to adopt regulations requiring businesses whose processing presents significant risk to consumers' privacy or security to submit regular risk assessments (California's term for a DPIA) and to perform annual cybersecurity audits. Those regulations were finalized in 2025 with phased compliance deadlines, so the practical trigger list comes from them rather than from the statute. Processing treated as presenting significant risk includes:
- Selling or sharing personal information (sharing covers cross-context behavioural advertising)
- Processing sensitive personal information
- Using automated decision-making technology to make significant decisions about consumers
- Processing personal information to train automated decision-making technology for such uses
A risk assessment must be completed before the processing begins and updated when the processing materially changes, and it must weigh the benefits of the processing against the risks to consumers and document the safeguards applied. Businesses submit attestations and abridged assessments to the CPPA, which may request the full assessment; there is no obligation to publish the results.
Multi-State Compliance Strategy
Organisations operating in multiple states face increasing complexity as Virginia's Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), and the Connecticut Data Privacy Act (CTDPA, enacted as SB 6) create similar but distinct requirements. Key strategic considerations include:
Harmonized Privacy Framework Implement the most restrictive requirement for each obligation across all states to avoid maintaining separate compliance programs. This typically means adopting CPRA's expanded consumer rights and SPI protections nationwide, while checking where another state is stricter: Virginia, Colorado, and Connecticut require opt-in consent before processing sensitive data, whereas California provides an opt-out style right to limit.
Centralized Data Subject Request Processing Develop unified request intake and processing systems that accommodate varying state law requirements. CPRA's 45-day response timeline (extendable to 90 days) sets the baseline, but other states may have different requirements.
Vendor Management Standardization Ensure third-party agreements include provisions for all applicable state laws rather than negotiating separate terms for each jurisdiction. This includes data processing addenda covering CPRA's contractor requirements and other states' similar provisions.
Enforcement and Penalties Landscape
The CPPA's administrative enforcement authority became operative on July 1, 2023, although a Sacramento Superior Court ruling delayed enforcement of the regulations until March 2024 before being reversed on appeal. Penalties are up to $2,500 per violation and $7,500 per intentional violation or violation involving consumers under 16, and CPRA removed CCPA's 30-day cure period. The private right of action remains limited to data breaches (extended to breaches of an email address together with a password or security question), while public enforcement is now shared between the Attorney General and the CPPA.
Early enforcement actions focus on:
- Privacy notice accuracy: Ensuring disclosures match actual data practices
- Consumer request processing: Verifying response times and completeness
- Third-party data sharing: Confirming contractual protections and disclosure accuracy
- SPI handling procedures: Reviewing consent mechanisms and use limitations
Practical Implementation Roadmap
Successful CPRA compliance requires systematic implementation across legal, technical, and operational domains:
- Data mapping updates to identify SPI within existing systems and databases
- Privacy notice revisions with detailed retention periods and SPI processing disclosures
- Consumer portal enhancements supporting correction requests and SPI use limitation
- Vendor agreement amendments incorporating CPRA contractor requirements and audit rights
- Staff training programs covering SPI identification, consumer request handling, and DPIA processes
- Automated monitoring systems for consent preference enforcement and data retention compliance
The key to sustainable compliance is building flexible systems that accommodate future state law changes rather than implementing point solutions for individual jurisdictions.