CCPA vs CPRA: Key differences for businesses to know

The CCPA and CPRA give consumers control over their personal information and impose obligations on businesses. This guide explains differences between the two laws, ways the CPRA amends or replaces the CCPA, new consumer rights under the CPRA, and businesses’ compliance requirements.
Published by Usercentrics
Dec 3, 2024

The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are consumer privacy laws that aim to safeguard California residents’ personal information. Businesses that operate in California must understand these regulations to protect consumer privacy, maintain trust, and avoid potential litigation and penalties.

In this guide, we look at the California privacy laws, the changes introduced by the CPRA, and how businesses can achieve compliance.

What are the CCPA and CPRA?

The California Consumer Privacy Act (CCPA) passed in 2018 and has been in effect since January 1, 2020. It’s the first comprehensive consumer privacy law passed in the US. It grants California’s nearly 40 million residents greater control over their personal information and imposes obligations on businesses that handle this information.

The California Privacy Rights Act (CPRA), approved by ballot on November 3, 2020, does not entirely replace the CCPA. Instead, the CPRA strengthens and expands the CCPA with enhanced protections for the state’s residents, known as “consumers” under the laws, and new obligations for businesses. The CPRA went into effect on January 1, 2023, but legal challenges delayed enforcement until February 2024.

The CPRA brings the California privacy law closer to the European Union’s General Data Protection Regulation (GDPR) in some ways. Together, the two California privacy laws are often referred to as “the CCPA, as amended by the CPRA” or simply the “CCPA/CPRA.”

Understanding the CCPA

The CCPA set a new standard for consumer data privacy in the US, empowering California residents with control over their personal information and requiring businesses to comply with strict data handling practices.

Who must comply with the CCPA?

For-profit businesses operating in California must comply with the CCPA if they:

  • collect or process the personal information of California residents

and

  • meet at least one of the following thresholds:
    • have annual gross revenues exceeding USD 25 million
    • handle personal information of 50,000 or more consumers, households, or devices
    • earn more than 50 percent of their annual revenue from selling consumers’ personal information

Importantly, the law has extraterritorial jurisdiction, meaning it applies to businesses outside California if they meet these criteria. Under the CPRA there have been changes to these criteria, outlined below.

Who does the CCPA protect?

The CCPA protects individuals who meet the following legal definition of a California resident:

  • those who are in the state for purposes other than a temporary or transitory reason
  • those who are domiciled in California while temporarily outside the state, such as for vacation or work

Individuals who meet this legal definition remain protected even when they are temporarily outside the state. However, individuals who are only temporarily in California, e.g. for vacation, are not protected under the law.

The definition of who qualifies as a California resident may shift as courts interpret the CCPA in response to legal challenges and privacy lawsuits.

What does the CCPA protect?

The CCPA safeguards the personal information of California residents, which is defined under the law as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

This broad definition covers a wide range of information, including a consumer’s real name, telephone number, email address, alias, IP address, browsing history, and search history.

Key consumer rights under the CCPA

The CCPA gives California consumers significant control over their personal information by introducing specific rights:

  • Right to know: Consumers can request details about the personal information a business has collected about them in the previous 12 months.
  • Right to delete: Consumers can request the deletion of their personal information that has been collected by a business, with some exceptions.
  • Right to opt out: Consumers can opt out of the sale of their personal information to third parties.
  • Right to non-discrimination: Businesses cannot deny services, charge different prices, or offer lower-quality goods or services to consumers who exercise their CCPA rights.
  • Right to file civil proceedings: The CCPA grants consumers a private right of action in the event of a data breach. If a business fails to implement and maintain reasonable security measures, leading to the unauthorized access, theft, or disclosure of nonencrypted or nonredacted personal information, consumers can file a civil lawsuit against the business.

The CPRA updates some of these rights and adds new ones, outlined below.

Key CCPA compliance requirements for businesses

Under the CCPA, businesses must meet specific requirements to achieve compliance with consumer privacy rights.

Privacy notices

Businesses must provide clear and detailed privacy notices to consumers at or before the point of collection of their personal information. The CCPA requires businesses to inform consumers of the categories of personal information they collect and the purposes for which each category will be used. However, in many circumstances businesses are not required to obtain consumer consent before collecting personal information.

Opt-in rights for minors

Businesses collecting personal information from minors must obtain explicit consent before selling or sharing their data. For minors aged 13 to 16, opt-in consent must be obtained directly from the minor. For children under 13 years old, opt-in consent must be secured from a parent or legal guardian.

Provisions for opting out of sale

Businesses must enable consumers to opt out of the sale of their personal information through an easily accessible link titled “Do Not Sell My Personal Information” on their website. This has also been updated and expanded under the CPRA.

Enforcement of the CCPA

Before the CPRA amendment, under the CCPA, enforcement responsibilities rested solely with the California Attorney General (AG). When a business was found to be in violation of the law, the AG was required to notify the business, giving it 30 days to address and resolve the alleged violation (known as a cure period).

The maximum penalties for noncompliance under the CCPA are:

  • USD 2,500 for each unintentional violation
  • USD 7,500 for each intentional violation

Understanding the CPRA

The CPRA builds on the CCPA, introducing new and expanded rights for consumers and additional obligations for businesses. It marks a significant step forward in safeguarding California residents’ personal information.

Who must comply with the CPRA?

The CPRA updated some compliance thresholds for businesses while retaining certain aspects of the CCPA’s criteria. The annual gross revenue threshold remains at USD 25 million, while the personal information handling threshold has increased from 50,000 to 100,000 California residents. Interestingly, more recently passed state-level data privacy laws have excluded a revenue-only threshold entirely.

For-profit businesses that collect or process the personal information of California residents must meet at least one of the following conditions to be subject to the CPRA:

  • generate annual gross revenues exceeding USD 25 million in the previous calendar year
  • buy, sell, or share the personal information of 100,000 or more California residents or households
  • derive over 50 percent of their annual revenue from selling or sharing consumers’ personal information

Under the CPRA, the definition of “business” now includes for-profit entities that share consumers’ personal information, not just those that sell it. Sharing refers to any activity that involves the transfer of personal information to a third party for cross-context behavioral advertising, regardless of monetary or other valuable consideration, including transactions for the benefit of the business where there is no exchange of money.

Like the CCPA, the CPRA applies to businesses regardless of their location if they meet the listed thresholds. Businesses operating outside California but handling data belonging to its residents are still required to comply.

Establishment of the California Privacy Protection Agency (CPPA)

The CPRA created the California Privacy Protection Agency (CPPA) to enforce California’s updated privacy laws. This new body works alongside the Attorney General without replacing the AG’s authority. While the CPPA has independent enforcement powers, it is required to halt actions or investigations if requested by the AG. To prevent overlapping penalties, businesses cannot be fined by both the CPPA and the AG for the same violation.

Categorization of sensitive personal information under the CPRA

The CPRA introduced the category of “sensitive personal information,” which includes personal information that, if misused, could result in significant harm to consumers. This category includes, but is not limited to:

  • Social Security numbers, driver’s license numbers, state ID card numbers, and passport numbers
  • precise geolocation data that can identify a person’s location within a radius of 1850 feet (563 meters)
  • debit or credit card numbers when combined with passwords or credentials needed to access the account
  • information about racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, and union membership
  • genetic data
  • biometric data processed for the purpose of uniquely identifying a consumer
  • personal information concerning a consumer’s health, sex life, or sexual orientation
  • the contents of a consumer’s postal mail, email, and text messages, unless specifically directed to the business

Under the CPRA, businesses must disclose when they collect sensitive personal information and must provide consumers with the option to limit its use. Consumers can restrict the use or disclosure of sensitive personal information to purposes necessary for providing services or goods. To meet this requirement, businesses must include a clearly labeled link on their website titled “Limit The Use Of My Sensitive Personal Information.”

New consumer rights under the CPRA

The CPRA grants consumers additional rights to enhance control over their personal information.

  • Right to correct inaccurate personal information: Consumers can request corrections to any personal information a business holds about them.
  • Right to limit the use and disclosure of sensitive personal information: Consumers can restrict the use of sensitive personal information to purposes essential for delivering goods or services.
  • Right to data portability: Consumers can request their personal information in a “structured, commonly used, machine-readable format” to transfer it to another service or business.
  • Right to access information about automated decision-making or profiling: Consumers are entitled to know if automated processes or profiling are used in decisions that affect them, along with details about the likely outcomes of these processes.
  • Right to opt out of automated decision-making: Consumers can refuse the use of their personal information in automated decision-making.

Expanded consumer rights under the CPRA

The CPRA builds on some of the existing CCPA consumer rights and enhances their scope.

  • Right to know: Consumers can request access to personal information collected beyond the original 12-month limit set by the CCPA, as long as the information was collected on or after January 1, 2022.
  • Right to delete: Businesses must not only delete a consumer’s personal information upon request, they must also notify any service providers, contractors, or third parties holding the data to delete it from their records, with exceptions.
  • Right to opt out: Consumers can now opt out of both the sale and sharing of their personal information. Business websites must include a link that states “Do Not Sell or Share My Personal Information.” Additionally, consumers can opt out of their data being used for targeted advertising or profiling.
  • Private right of action: Consumers can bring civil lawsuits against a business if their email address, combined with a password or security question that could grant access to their account, is breached. This expands the private right of action introduced by the CCPA to address new types of data security risks.

[Table: Consumer rights under the CCPA and CPRA]

CPRA obligations pertaining to minors

The CPRA strengthens the protections for minors established by the CCPA, which required businesses to obtain opt-in consent from minors aged 13 to 16 or from their parent or legal guardian if the minor is under 13 before selling or sharing their personal information.

Under the CPRA, if a minor does not consent to their personal information being shared or sold, businesses must wait 12 months before requesting consent again. This provision prevents businesses from repeatedly soliciting consent after an opt-out decision.

The CPRA also increases penalties for violations involving minors. For each instance of noncompliance related to a minor’s personal information, businesses can face fines of up to USD 7,500.

Like the other US state-level data privacy laws, the CCPA operates on an opt-out model, meaning that in most cases prior consent is not required to collect consumers’ personal information. There are certain exceptions, such as collecting a minor’s personal information.

The CPRA broadens the CCPA’s consent requirements. Businesses must now obtain consent in several key areas:

  • selling or sharing personal information after a consumer has opted out
  • secondary use of sensitive personal information, including selling or sharing such data after a consumer opts out
  • processing personal information for research purposes
  • participation in financial incentive programs

The definition of consent under the CPRA is more closely aligned with that under the GDPR as “a freely given, specific, informed, and unambiguous indication of a consumer’s wishes” that signifies agreement to the processing of their personal information for a specific purpose.

Enhanced CPRA notice at collection requirements

The CPRA expands the required information businesses must include in their notice at collection to give consumers greater transparency about how their personal information is handled. The notice must now specify:

  • whether the collected personal information is sold or shared
  • categories of sensitive personal information collected
  • purposes for collecting or using sensitive personal information
  • the amount of time each category of personal information and sensitive personal information will be retained

Data minimization requirements under the CPRA

Businesses that must comply with the CPRA can collect only personal information that is “reasonably necessary and proportionate” to achieve the disclosed purposes or for another disclosed purpose that is “compatible with the context in which the personal information was collected.” Personal information cannot be processed for any purpose that is incompatible with that which has been disclosed to consumers.

The CPRA also restricts how long businesses can retain personal information. Retention periods must be limited to the time necessary to fulfill the purpose for which the information was collected, while accounting for other regulatory requirements.

These new CPRA requirements align with the data minimization and storage limitation principles under the GDPR.

Risk assessment requirements under the CPRA

Where the processing of consumers’ personal information poses a “significant risk to consumers’ privacy or security,” businesses must conduct annual cybersecurity audits and regular risk assessments. These assessments must evaluate whether the processing involves sensitive personal information and weigh the benefits of the processing against potential risks to consumer rights. Risk assessments conducted under the CPRA must be submitted to the CPPA for review. Formal rules detailing how businesses should implement these measures are still under development.

Contractual obligations under the CPRA

The CPRA requires businesses that share, sell, or disclose consumers’ personal information to contractors, service providers, or third parties to enter into official agreements with these entities. The agreement or contract must contain the following provisions.

  • Limited use: The contract must specify that personal information is sold or disclosed only for limited and specified purposes.
  • Compliance requirements: The contract must require the receiving entity to comply with the CPRA and maintain the same level of privacy protection as required by the law.
  • Notification of noncompliance: The receiving entity must notify the business if they can no longer meet their obligations under the CPRA.
  • Monitoring rights: The contract must grant the business the right to take reasonable and appropriate steps to ensure that the receiving entity uses personal information in a way that is consistent with the business’s obligations under the CPRA.
  • Remediation rights: The business must be granted the authority to take reasonable and appropriate steps to stop and address any unauthorized use of personal information, provided notice is given to the receiving entity.

Enforcement of the CPRA

The California Privacy Protection Agency (CPPA), established by the CPRA, shares enforcement authority with the Attorney General. The CPPA’s powers complement, rather than limit, the AG’s ability to enforce privacy laws.

The CCPA dictated that a business in violation of the law had a 30-day cure period to address and correct any alleged violation after being notified by the AG. The CPRA removes this automatic 30-day cure period for violations, although it can still be applied at the discretion of the authorities.

For private actions brought by consumers due to data breaches, the 30-day cure period still applies. This provision allows businesses an opportunity to resolve the issue before penalties are imposed.

[Table: Enforcement of the CCPA and CPRA]

[Chart: CCPA/CPRA comparison]

CCPA/CPRA Compliance Checklist

This checklist is designed to help your business align with CCPA/CPRA compliance requirements. We highly recommend consulting with a legal and/or privacy expert to achieve and maintain compliance.

Enable consumer opt-outs

Display clear links on your website to enable visitors to exercise their rights, labeled:

  • “Do Not Sell or Share My Personal Information” for data sales and sharing opt-outs
  • “Limit the Use of My Sensitive Personal Information” to enable consumers to control use of their sensitive data

Provide notice at collection

Display a notice at or before the point of collection, which specifies:

  • types of personal and sensitive personal information collected
  • purpose(s) for data collection
  • whether personal information will be shared or sold to third parties

Maintain and update privacy policy

Publish and annually update (or as often as changes are required) a privacy policy on your website that:

  • explains all consumer rights, including the handling of personal and sensitive information
  • discloses cookie usage within the privacy policy or through a separate cookie policy
  • explains how consumers can exercise their rights under the law

Have a system in place for Data Subject Access Requests (DSAR)

Establish two or more channels, such as a toll-free number, email, or form submission, through which consumers can easily exercise their rights and receive a timely response, and set up an identity verification system for users submitting requests.

Manage opt-out requests efficiently

Process opt-out requests within 15 days, and stop data sales or sharing immediately upon receiving a request. Notify any third parties that received the consumer’s data in the previous 90 days to halt further processing.

Obtain consent for personal information from minors

For consumers under 16, obtain opt-in consent before selling or sharing their data as follows:

  • for minors aged 13 to 16 years, obtain opt-in consent from the minor
  • for minors under 13 years old, obtain opt-in consent from their parent or legal guardian

Provide access to personal information records

On request, give consumers a report of their personal information collected over the past 12 months, free of charge.

Respond promptly to consumer requests

Acknowledge and process requests for data disclosure or deletion within 45 days of receipt, and provide confirmation of how the request will be handled.

Review financial incentives

Only offer financial incentives or differentiated services if they are reasonably related to the value the consumer’s personal information brings to the business.

Ensure non-discriminatory practices

Ensure that consumers are not penalized for exercising their rights under the California privacy laws, including the right to opt out of data collection and processing. This includes access to the website.

CCPA/CPRA compliance with Usercentrics CMP

If your business meets the CCPA/CPRA thresholds, using a consent management platform (CMP) like Usercentrics CMP can help you achieve compliance.

A CMP enables websites to offer cookie consent banners where you can display a “Do Not Sell or Share My Personal Information” link, enabling users to easily exercise their opt-out rights under the CCPA/CPRA. When a user opts out, the CMP can automatically block cookies and other tracking technologies to honor their privacy choices.

In addition to managing opt-outs, Usercentrics CMP supports transparent communication with users about data practices. Clearly inform users about the categories of data collected, why the data is collected, and any third parties that may receive it. This transparency aligns with the requirements of the CCPA/CPRA and other data privacy laws, making it easier for your business to achieve compliance and build trust with consumers.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.