California Privacy Rights Act (CPRA) vs CCPA: Critical Implementation Differences for Multi-State Operations

Understanding CPRA's Expanded Scope

The California Privacy Rights Act, which became fully effective January 1, 2023, represents the most significant expansion of US state privacy law since CCPA's 2020 implementation. While building on CCPA's foundation, CPRA introduces fundamental changes that require distinct compliance approaches, particularly for organisations operating across multiple states.

CPRA's revenue threshold remains $25 million annually, but the personal information processing thresholds have increased complexity. The law now covers businesses processing personal information of 100,000+ consumers (up from 50,000) or deriving 50% of revenue from selling personal information. However, the new "sensitive personal information" category creates additional obligations regardless of these thresholds.

New Sensitive Personal Information Category

CPRA's most significant operational change is the introduction of "sensitive personal information" (SPI) with enhanced consumer rights and business obligations. SPI includes:

• Biometric and genetic data: Fingerprints, faceprints, voiceprints, DNA analysis
• Precise geolocation: Location data accurate within 1,850 feet
• Identity documents: Social security numbers, driver's license numbers, passport numbers
• Account credentials: Usernames, passwords, security questions
• Health and sex life data: Medical information, sexual orientation, intimate relationships
• Protected characteristic data: Race, religion, sexual orientation, union membership

Consumers gain the right to limit use and disclosure of SPI, requiring businesses to implement granular consent mechanisms beyond simple opt-out procedures. This creates significant technical challenges for companies processing mixed data types within single systems.

Enhanced Consumer Rights Implementation

CPRA expands consumer rights beyond CCPA's basic framework, requiring new technical and operational capabilities:

Right to Correction Consumers can now demand correction of inaccurate personal information, not just deletion. Businesses must implement correction workflows that propagate changes to third parties who received the data. This requires detailed data lineage tracking and automated update mechanisms.

Right to Limit Use of Sensitive Personal Information A new right allowing consumers to restrict SPI processing beyond core business functions. Companies must implement preference management systems that distinguish between necessary processing (fraud prevention, security) and optional uses (marketing, analytics).