California passed the CCPA in 2018. Voters approved the CPRA in 2020, and it took full effect in January 2023. Here is what changed, what stayed the same, and what it means if your business serves California residents.
The short version: The CCPA gave California consumers basic rights over their personal data. The CPRA expanded those rights, created a new enforcement agency, added stricter rules for sensitive data, and introduced data minimization requirements. If you were CCPA-compliant before January 2023, you are not automatically CPRA-compliant.
What the CPRA Added
A new enforcement agency
The CPRA created the California Privacy Protection Agency (CPPA) — the first dedicated privacy enforcement agency in the US. Before the CPRA, the California Attorney General handled all enforcement. The CPPA now has independent authority to investigate, audit, and fine businesses. This significantly increases enforcement capacity and the real-world risk of non-compliance.
New consumer rights
The CPRA added two rights that did not exist under the original CCPA:
- Right to Correct — Consumers can request correction of inaccurate personal information you hold about them. You must make reasonable efforts to correct it.
- Right to Limit Use of Sensitive Personal Information — Consumers can direct you to limit your use of their sensitive data to only what is necessary to provide your service.
Sensitive personal information — a new category
The CPRA created a distinct category called "sensitive personal information" (SPI) with heightened protections. This includes:
- Social Security, driver's license, and passport numbers
- Financial account credentials
- Precise geolocation data
- Racial or ethnic origin, religious beliefs, union membership
- Contents of personal communications
- Genetic data, biometric data processed for identification
- Health information, sexual orientation or sex life
If you collect any of these categories, you have additional disclosure obligations and must honor requests to limit their use.
Data minimization and purpose limitation
The CPRA introduced explicit data minimization requirements. You may only collect personal information that is "reasonably necessary and proportionate" to the purposes you disclosed. You cannot use data for purposes that are "incompatible" with why you collected it. This means your data practices must be documented and defensible — not just in your privacy policy, but in your actual operations.
Expanded contract requirements
Contracts with third parties, service providers, and contractors must now include specific provisions about data use limitations, deletion rights, and consumers' ability to exercise rights. If your vendor contracts predate 2023, they likely need to be updated.
What Did Not Change
The basic consumer rights framework from the original CCPA remains in place: the right to know, the right to delete, the right to opt out of the sale of personal information, and the right to non-discrimination for exercising rights. The CPRA built on top of these — it did not replace them.
The business thresholds also remain largely similar. The law applies to for-profit businesses that do business in California and meet at least one of the following: annual gross revenues over $25 million; buying, selling, or sharing the personal information of 100,000 or more consumers or households; or deriving 50% or more of annual revenues from selling or sharing personal information.
What This Means for Your Business
If you serve California residents and your business meets any of the CCPA thresholds, you need to assess your current practices against the CPRA's expanded requirements. Specific areas to review:
- Do you collect any sensitive personal information? If so, have you updated your privacy notice and added a "Limit the Use of My Sensitive Personal Information" link?
- Are your vendor contracts updated to include CPRA-required provisions?
- Do you have a process for handling Right to Correct requests?
- Can you demonstrate that your data collection is limited to what is reasonably necessary?
Not sure if CCPA/CPRA applies to you?
Book a free consultation. We will tell you exactly where you stand in 30 minutes.