The California Privacy Rights Act (CPRA)

Elizabeth Crooks, Consultant, Privacy, Coalfire

What is the CPRA?

The California Privacy Rights Act (CPRA) was passed by California voters in November 2020. Adding another entry to the alphabet soup that is privacy regulation, the CPRA (known as Proposition 24 when it was on the ballot) expands on the state’s landmark consumer privacy law, the California Consumer Privacy Act (CCPA). The CCPA formally came into effect on January 1, 2020, and the final text of its implementing regulations has been released by the California attorney general’s office. The CPRA both expands the protections put in place by the CCPA and makes it harder for businesses to sell or share personal information.

What is new in CPRA?

  • The CPRA creates (and funds to the tune of $10 million a year) a California Privacy Protection Agency that will be in charge of enforcing California privacy laws. This agency takes over the enforcement and rulemaking responsibility that currently rests with the California attorney general’s office. The establishment and funding of the new agency will likely take place very soon.
  • The fines for violations of the privacy protections around the data of children (those under the age of 16) have been tripled.
  • The CPRA establishes a new category of “sensitive personal information” that is similar to the special categories in the European Union’s General Data Protection Regulation (GDPR), including race, medical data, precise geolocation, information about sexual orientation or sex life, biometrics, etc. Consumers will have the ability to tell businesses to limit their use of sensitive personal information to what is necessary to provide the requested service. There are also additional notification obligations around the categories of sensitive personal information collected.
  • The Act expands the right to opt out from the sale of data to the sale or sharing of data. The “Do Not Sell My Personal Information” link becomes “Do Not Sell or Share My Personal Information.”
    • Businesses will likely be required to respect a “global opt-out mechanism,” a browser-level signal that might look a lot like the recently proposed Global Privacy Control (GPC). GPC is essentially an updated Do Not Track: the browser carries the consumer’s opt-out preference in an HTTP request header, and the business is expected to treat it as an opt-out request without requiring a separate click on each site.
  • CPRA removes cross-context behavioral advertising (“targeted ads”) from the list of approved “business purposes” for which personal information can be passed to service providers.
  • It adds new requirements for data minimization and purpose limitation.
  • It places limits on data retention.
  • It calls for annual audits and risk assessments for “high-risk processing.”
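The global opt-out mechanism described above is the one item in this list with an obvious implementation question: how does a web back end actually honor the signal? The following is an added example, not code from the original post or from Coalfire. It assumes the Global Privacy Control draft convention, in which a browser with the signal enabled sends the request header `Sec-GPC: 1`; the request shapes, the stored preference flag and the `ConsentDecision` record are constructed here for illustration.

```python
"""Honoring a browser-level global opt-out signal server-side.

Added example, not part of the original post. Assumes the Global Privacy
Control (GPC) draft convention: a browser with the signal enabled sends
the request header `Sec-GPC: 1`. The request dictionaries, the stored
preference flag and the ConsentDecision record are constructed for
illustration and are not a specific vendor's API.
"""
from dataclasses import dataclass
from typing import Mapping


@dataclass(frozen=True)
class ConsentDecision:
    sale_or_sharing_allowed: bool
    reason: str


def gpc_opt_out_requested(headers: Mapping[str, str]) -> bool:
    """Return True only when the request carries a valid GPC signal.

    The draft defines exactly one meaningful value, "1". HTTP header
    names are case-insensitive, so normalize before lookup. Anything
    else (header absent, "0", junk) is "no signal", which is NOT the
    same as consent; it simply means this request did not opt out.
    """
    normalized = {name.lower(): value for name, value in headers.items()}
    return normalized.get("sec-gpc", "").strip() == "1"


def decide_sale_or_sharing(headers: Mapping[str, str],
                           opt_out_on_file: bool) -> ConsentDecision:
    """Combine the per-request signal with an opt-out already on file.

    Either source is sufficient to block selling or sharing. A global
    signal must not be overridden by the absence of a stored preference,
    and a stored opt-out must survive a browser that sends no signal
    (a different device, or a browser without GPC support).
    """
    if opt_out_on_file:
        return ConsentDecision(False, "opt-out already on file for this consumer")
    if gpc_opt_out_requested(headers):
        return ConsentDecision(False, "Sec-GPC: 1 received on this request")
    return ConsentDecision(True, "no opt-out signal or record")


def update_opt_out_record(headers: Mapping[str, str],
                          opt_out_on_file: bool) -> bool:
    """Persist a received GPC signal for a known consumer.

    The signal is sticky in one direction only: receiving it turns the
    stored opt-out on, but its absence on a later request never turns
    the stored opt-out back off. Reversing an opt-out is a deliberate,
    separate consumer action, not a side effect of a missing header.
    """
    return opt_out_on_file or gpc_opt_out_requested(headers)


# Constructed sample requests (not captured traffic).
REQUEST_WITH_GPC = {"Host": "shop.example", "sec-gpc": "1"}
REQUEST_WITHOUT_GPC = {"Host": "shop.example", "Accept": "text/html"}
REQUEST_WITH_BAD_GPC = {"Host": "shop.example", "Sec-GPC": "yes"}

if __name__ == "__main__":
    for label, req in (("with GPC", REQUEST_WITH_GPC),
                       ("without GPC", REQUEST_WITHOUT_GPC),
                       ("malformed GPC", REQUEST_WITH_BAD_GPC)):
        decision = decide_sale_or_sharing(req, opt_out_on_file=False)
        print(f"{label:14} -> allowed={decision.sale_or_sharing_allowed} ({decision.reason})")
```

The header check is deliberately strict: only the literal value `1` counts, because treating an unexpected value as an opt-out would let any client-side bug silently flip consent state, while treating it as consent would do the opposite. Note also that the stored preference and the per-request signal are combined with a logical OR, so a consumer who opted out once is not re-enrolled by simply switching to a browser that does not send the header.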

When does the CPRA take effect?

The CPRA becomes operative on January 1, 2023, and applies to personal information collected on or after January 1, 2022. So there is still some time before organizations have to be fully up to speed, but the groundwork should begin now. For organizations that have already spent time getting ready for the CCPA, that time has not been wasted. Becoming compliant with the CPRA will be a matter of adding some sophistication and a few more layers to privacy programs that are already in place.

The regulations spelling out exactly how the CPRA will be implemented will be released and iterated on (similar to the CCPA process) during 2021-2022. The new Privacy Protection Agency assumes rulemaking authority on the later of July 1, 2021, or six months after the agency provides notice to the California attorney general that it is prepared to begin rulemaking. The final regulations must be adopted by July 1, 2022.

What about federal privacy legislation?

The CPRA passing in California once again raises the specter of national privacy legislation, an issue that has been quietly simmering for some time. We’ve seen drafts proposed from both sides of the aisle; two of the most recent are Sen. Wicker’s SAFE DATA Act proposed in September 2020 and Sen. Gillibrand’s Data Protection Act put forth in February 2020. The two biggest sticking points seem to be: 1) whether to include a private right of action (meaning that individuals could sue companies for violations), and 2) whether a federal law would preempt state laws like California’s. It remains to be seen how much of an appetite the next Congress will have for tackling this thorny issue.

In the meantime, states are continuing to tackle privacy regulation without waiting for action at the federal level. In addition to California’s CPRA, the Washington Privacy Act is likely to be reintroduced in Washington state’s next legislative session. Stay tuned; the Coalfire Privacy Team will continue to provide updates as we get them.
