California Privacy Rights Act: CPRA Compliance
What is the CPRA?
The California Privacy Rights Act (CPRA) amends and expands the prior California Consumer Privacy Act (CCPA), creating additional data privacy rights for consumers and data processing responsibilities for companies.
The CPRA came into effect January 1, 2023. Enforcement began in February 2024, managed by the California Privacy Protection Agency (CPPA).
Visit the common CPRA questions and answers
COMPLIANCE
How to comply with the California data privacy law
The CCPA regulated the sale of California residents’ personal data. The CPRA added sharing of data to those rules, along with consumers’ right to opt out of the use of their data for targeted advertising or profiling. Consent to process data that is sensitive or belongs to minors must be obtained in advance.
RISKS
What are the consequences of CPRA noncompliance?
Organizations must ensure that they and third-party processors have robust security policies and processes to protect personal data and processing. More sensitive data and higher processing volumes require more robust security measures for staff, contractors, and systems.
The California Privacy Protection Agency can pursue civil penalties up to $2,663 per unintentional violation or up to $7,988 per intentional violation or violation involving minors. Individuals can sue companies for violations related to data breach events affecting them and seek statutory damages between $107 and $799 per incident.
your questions answered
Contact our expert team
We’re happy to answer questions about data privacy, compliant marketing operations, and the CPRA. Usercentrics’ Consent Management Platform helps you build trust and avoid penalties. Learn more today.
- Interested in how privacy compliance benefits user experience and your marketing strategies?
- Not sure if your business is privacy-compliant in California?
- Need clarity on what your company’s compliance responsibilities are?
- Looking to partner with us?
Learn more
Frequently asked questions
What are consumer rights under the CPRA?
In addition to the rights granted to California residents under the CCPA, with the CPRA consumers were granted these additional rights:
- Right to correct: any incomplete or inaccurate personal information that a business holds about them be corrected
- Right to limit: consumers have the right to limit the use or disclosure of their sensitive personal information
- Right to opt out: consumers have the right to opt out of the sale, sharing, or use of their personal information for profiling or targeted advertising
What are the penalties for CPRA noncompliance?
The California Privacy Protection Agency was created with the CPRA, and they or the Attorney General can levy civil penalties up to USD 2,663 per unintentional violation, or up to USD 7,988 per intentional violation or for violations involving minors (as of 2025). Individuals can use a private right of action to sue companies for violations related to data breach events affecting them and their personal information, and can seek statutory damages between USD 107 and USD 799 per incident.
What is CPRA compliance software?
CPRA compliance software enables companies to comply with the requirements of the CCPA and CPRA, like providing consumers with information about data processing and exercising their rights, obtain consent for the use of children’s information, and enabling consumers to opt out of the sale or sharing of their personal information, or its use for targeted advertising or profiling, or limit the use of their sensitive personal information.
Can a consent management platform enable CPRA compliance?
A consent management platform (CMP) is a type of CPRA compliance software that can enable data privacy compliance for websites and apps. A CMP consent banner presents users with information about the cookies and other tracking technologies in use that collect personal information, and enable granular user consent choices. It also securely stores and documents consent information over time.