{"id":1072,"date":"2020-11-25T13:21:00","date_gmt":"2020-11-25T13:21:00","guid":{"rendered":"https:\/\/www.cookiebot.com\/en\/?p=1072"},"modified":"2026-03-30T17:58:12","modified_gmt":"2026-03-30T15:58:12","slug":"cpra","status":"publish","type":"post","link":"https:\/\/www.cookiebot.com\/en\/cpra\/","title":{"rendered":"California Privacy Rights Act (CPRA)"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-california-privacy-rights-act-cpra-quick-summary\"><strong>California Privacy Rights Act (CPRA),<\/strong> quick summary<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-california-privacy-rights-act-cpra-what-when-and-consequences-for-your-website\">California Privacy Rights Act (CPRA) \u2013 what, when and consequences for your website?<\/h3>\n\n\n\n<p>The <strong>California Privacy Rights Act (CPRA)<\/strong>&nbsp;is a state-wide data privacy bill passed into law on November 3, 2020.<\/p>\n\n\n\n<p>The CPRA underscores California\u2019s position as the US frontier in data privacy legislation, as it <strong>significantly expands<\/strong>&nbsp;upon the existing <a href=\"\/en\/ccpa\/\">California Consumer Privacy Act (CCPA)<\/a>&nbsp;that took effect on January 1, 2020.<\/p>\n\n\n\n<p><strong>In short, the California Privacy Rights Act (CPRA) works as an addendum to the CCPA<\/strong>&nbsp;\u2013 strengthening rights of California residents, tightening business regulations on the use of personal information (PI), and establishing a new government agency for state-wide data privacy enforcement called the California Privacy Protection Agency (CPPA), among key changes to the Golden State\u2019s data privacy regime.<\/p>\n\n\n\n<p>The California Privacy Rights Act (CPRA) became fully effective on<strong>&nbsp;January 1, 2023<\/strong>. Enforcement is scheduled to begin on <strong>July 1, 2023<\/strong>&nbsp;\u2013 with a so-called lookback period to <strong>January 1, 2022<\/strong>, meaning data collected from that date on is liable for compliance.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2020\/11\/cb_blog_900x450_California-Privacy-Rights-Act-quick-summary.svg\" alt=\"\" class=\"wp-image-16999\" \/><figcaption class=\"wp-element-caption\">California Privacy Rights Act (CPRA) breaks dawn on a new and updated data privacy regime on the West Coast.<\/figcaption><\/figure>\n\n\n\n<p><strong>California Privacy Rights Act (CPRA) quick breakdown<\/strong>&nbsp;\u2013<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>CPRA<\/strong>&nbsp;establishes the <strong>California Privacy Protection Agency (CPPA)<\/strong>&nbsp;as lead enforcer and supervisor of the CPRA\/CCPA data privacy regime.<\/li>\n\n\n\n<li><strong>CPRA<\/strong>&nbsp;changes the <strong>definition of business<\/strong>&nbsp;to exclude smaller businesses and include bigger businesses that generate a large income from collection, sharing and\/or selling of Californians\u2019 personal information (PI).<\/li>\n\n\n\n<li><strong>CPRA<\/strong>&nbsp;empowers California residents with <strong>four brand-new rights<\/strong>&nbsp;and <strong>five modified rights<\/strong>.<\/li>\n\n\n\n<li><strong>CPRA<\/strong>&nbsp;creates the new category <strong>sensitive personal information (SPI)<\/strong>&nbsp;that is regulated separately and stronger than personal information (PI).<\/li>\n\n\n\n<li><strong>CPRA<\/strong>&nbsp;changes the opt-out right to specifically regulate <strong>cross-contextual behavioral advertising<\/strong>&nbsp;and its use of personal information.<\/li>\n\n\n\n<li><strong>CPRA<\/strong>&nbsp;makes a business<strong>&nbsp;responsible for how third parties use<\/strong>, share or sell personal information that the business collected in the first place.<\/li>\n\n\n\n<li><strong>CPRA<\/strong>&nbsp;adds <strong>GDPR-like provisions<\/strong>&nbsp;to the CCPA.<\/li>\n\n\n\n<li><strong>CPRA<\/strong>&nbsp;expands the requirement for <strong>consent<\/strong>&nbsp;to cover more scenarios.<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/oag.ca.gov\/system\/files\/initiatives\/pdfs\/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">The California Privacy Rights Act (CPRA) law text (PDF)<\/a><\/p>\n\n\n\n<p><strong>Timeline for California Privacy Rights Act (CPRA) \u2013<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>January 1, 2021<\/strong>&nbsp;- California Privacy Rights Act (CPRA) goes into law and the California Privacy Protection Agency (CPPA) is established.<\/li>\n\n\n\n<li><strong>July 1, 2021<\/strong>&nbsp;\u2013 process for formulating and adopting CPRA regulations begins.<\/li>\n\n\n\n<li><strong>January 1, 2022<\/strong>&nbsp;\u2013 PI collection becomes liable under the CPRA\u2019s one-year lookback period.<\/li>\n\n\n\n<li><strong>July 1, 2022<\/strong>&nbsp;\u2013 deadline for final CPRA regulations to be adopted by the CPPA.<\/li>\n\n\n\n<li><strong>January 1, 2023<\/strong>&nbsp;\u2013 CPRA enters into full force.<\/li>\n\n\n\n<li><strong>July 1, 2023<\/strong>&nbsp;\u2013 Enforcement of the CPRA begins under the CPPA.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ccpa-vs-cpra-why-two-data-privacy-acts\">CCPA vs CPRA \u2013 why two data privacy acts?<\/h3>\n\n\n\n<p>You might be wondering how the <strong>California Privacy Rights Act (CPRA)<\/strong>&nbsp;works with the existing<a href=\"\/en\/ccpa\/\">&nbsp;California Consumer Privacy Act (CCPA)<\/a>?<\/p>\n\n\n\n<p>A simple answer is that California has <strong>one, overarching legal data privacy regime<\/strong>&nbsp;that was established by the CCPA on January 1, 2020, and to which the CPRA is an overlay more than a new law in itself.<\/p>\n\n\n\n<p>Where <strong>the CCPA<\/strong> was a whole new foundation being paved across California\u2019s digital infrastructures, <strong>the CPRA<\/strong> is a renovation of this foundation \u2013 cleaning up potholes of ambiguities, adding additional regulations for traffic, and constructing new safeguards for end-users traveling along.<\/p>\n\n\n\n<p>In this way, California doesn\u2019t really have two separate data privacy laws, but <strong>one data privacy regime consisting of the CCPA\/CPRA setup<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large is-style-default\"><img decoding=\"async\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2020\/11\/cb_blog_900x450_CCPA-vs-CPRA-\u2013-why-two-data-privacy-acts.svg\" alt=\"\" class=\"wp-image-17000\" \/><figcaption class=\"wp-element-caption\">Amending the CCPA law text, the California Privacy Rights Act (CPRA) is literally a rewrite.<\/figcaption><\/figure>\n\n\n\n<p>That\u2019s because the CPRA is written in such a way that it only refers to the existing CCPA foundation \u2013 sometimes expanding existing provisions, sometimes adding entirely new ones, but always referring back to the original CCPA law text itself.<\/p>\n\n\n\n<p>Being the frontier of US data privacy law, the CCPA paved a road which the CPRA is now reinforcing.<\/p>\n\n\n\n<p><a href=\"\/en\/ccpa\/\">Learn more about the California Consumer Privacy Act (CCPA)<\/a><\/p>\n\n\n\n<p><a href=\"\/en\/ccpa\/\">Learn more about CCPA compliance with Cookiebot CMP<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-compliance-with-cookiebot-cmp\">Compliance with Cookiebot CMP<\/h2>\n\n\n\n<p>Cookiebot CMP&nbsp;is the world\u2019s leading consent management platform (CMP), offering <a href=\"\/en\/ccpa\/\">compliance with the California Consumer Privacy Act (CCPA)<\/a>&nbsp;today.<\/p>\n\n\n\n<p>Our solution will continue to offer full compliance with the new and updated data privacy regime.<\/p>\n\n\n\n<p>In fact, our CMP offers plug-and-play compliance with all major data privacy laws \u2013 from the EU\u2019s GDPR\/ePR to California\u2019s CCPA\/CPRA, Brazil\u2019s LGPD and South Africa\u2019s POPIA.<\/p>\n\n\n\n<p>Our solution is built around a powerful website scanner that detects all cookies, trackers and third-party trojan horses on your domain \u2013 giving you full transparency and control over your website\u2019s collection and sharing of personal information.<\/p>\n\n\n\n<p>The <a href=\"\/\">Cookiebot CMP<\/a>&nbsp;geotargeting feature automatically determines the location of your users, allowing your website to accurately present each end-user with the correct compliance solution specific to the data privacy regime \u2013 GDPR\/ePR if users are from EU, CCPA\/CPRA is users are from California.<\/p>\n\n\n\n<p><a href=\"\/en\/google-consent-mode\/\">Try Cookiebot CMP with Google Consent Mode<\/a>&nbsp;for full compliance without breaking your website\u2019s analytics.<\/p>\n\n\n\n<p><a href=\"\/\">Scan your website for free to see if you have users from California<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/admin.cookiebot.com\/signup\">Try Cookiebot CMP free for 14 days<\/a> \u2013 or forever if you have a small website<\/p>\n\n\n\n<p><a href=\"\/en\/ccpa\/\">Learn more about CCPA compliance with Cookiebot CMP<\/a><\/p>\n\n\n\n<p><a href=\"\/en\/gdpr-cookies\/\">Learn more about GDPR compliance with Cookiebot CMP<\/a><\/p>\n\n\n\n<p><a href=\"\/en\/google-consent-mode\/\">Get started with Google Consent Mode and Cookiebot CMP<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-california-privacy-rights-act-cpra-in-detail\">California Privacy Rights Act (CPRA), in detail<\/h2>\n\n\n\n<p>Let\u2019s break down the<strong>&nbsp;California Privacy Rights Act (CPRA)<\/strong>&nbsp;into even smaller pieces to understand exactly how it changes, expands and renews the state-wide CCPA-established data privacy regime that has been in place and in effect since January 1, 2020.<\/p>\n\n\n\n<p>As mentioned, the California Privacy Rights Act (CPRA) is <strong>an addendum<\/strong>&nbsp;to the California Consumer Privacy Act (CCPA), and so functions as a series of significant amendments to the existing CCPA law text.<\/p>\n\n\n\n<p>The <strong>major changes<\/strong>&nbsp;that the CPRA makes to the CCPA consist of \u2013<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Changing the CCPA\u2019s definitions of PI<\/li>\n\n\n\n<li>Creating a new category called sensitive personal information (SPI)<\/li>\n\n\n\n<li>Changing the scope of the CCPA<\/li>\n\n\n\n<li>Changing the CCPA rights for California residents and adding new rights<\/li>\n\n\n\n<li>Changing regulatory area of focus towards behavioral advertisement<\/li>\n\n\n\n<li>Establishing a new government enforcement agency<\/li>\n\n\n\n<li>Adding GDPR-like features to the CCPA<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2020\/11\/cb_blog_900x450_California-Privacy-Rights-Act-CPRA-in-detai.svg\" alt=\"\" class=\"wp-image-16998\" \/><figcaption class=\"wp-element-caption\">Solidifying data privacy in California, the CPRA is resistant to most legal attempts at loosening its strength.<\/figcaption><\/figure>\n\n\n\n<p>In addition, the <strong>California Privacy Rights Act (CPRA)<\/strong>&nbsp;also secures data privacy law in California in a different way than the CCPA did, since the CPRA includes provisions requiring <strong>any amendments to the law to be consistent with its purpose and intent<\/strong>, making it almost legally impossible to be watered down.<\/p>\n\n\n\n<p>This is perhaps one of the most significant changes, since it makes the law practically waterproof from any attempts to dilute its privacy protections or water down business regulations from industry pressure or special interests.<\/p>\n\n\n\n<p>The passing of a federal data privacy law or a future ballot initiative barred California's updated data privacy regime (CCPA\/CPRA) seem to be here to stay for a while.<\/p>\n\n\n\n<p>Let\u2019s break down the new CPRA changes!<\/p>\n\n\n<div class=\"cta-block cta-block--size-s cta-block--only-buttons cb-ctx--blue\">\n        <div class=\"cta-block__glass\">\n        <div class=\"cta-block__inner\">\n            <div class=\"cta-block__left-column\">\n                                                    <h2 class=\"cta-block__title no-default-margin like-h4\">\n                        Privacy protection in California and across the U.S.                    <\/h2>\n                                                    <div class=\"cta-block__description like-text-md\">\n                        <p>Manage evolving U.S. privacy laws right out of the box. Start for free with Cookiebot \u2014 no code or lawyers needed.<\/p>\n                    <\/div>\n                                                                                                                                                        <\/div>\n                            <div class=\"cta-block__right-column\">\n                                                                <div class=\"cta-block__buttons\">\n                                                    <div class=\"cta-block__buttons__button-wp\">\n                                <a id=\"04ccde2c-9abb-476d-9501-c4ddd163f5b3\" class=\"cb-button cb-button-size-l cb-button-contained  no-default-link-decoration cb-button-icon-right cta-block__buttons__button\" href=\"https:\/\/admin.cookiebot.com\/signup\" target=\"_blank\">\n<span>Start free<\/span><\/a>\n                                                            <\/div>\n                                                                        <\/div>\n                                                        <\/div>\n                    <\/div>\n    <\/div>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-cpra-creates-sensitive-personal-information-spi\">CPRA creates sensitive personal information (SPI)<\/h3>\n\n\n\n<p>In California, the CPRA creates a <strong>new category<\/strong>&nbsp;of personal information \u2013 the so-called <strong>sensitive personal information (SPI)<\/strong>.<\/p>\n\n\n\n<p>Sensitive personal information (SPI) includes \u2013<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Data on race and ethnicity<\/li>\n\n\n\n<li>Religious beliefs, political and philosophical convictions<\/li>\n\n\n\n<li>Data on sex life or sexual orientation<\/li>\n\n\n\n<li>Genetic and biometric data<\/li>\n\n\n\n<li>Health data<\/li>\n\n\n\n<li>Geolocation<\/li>\n\n\n\n<li>Social security number and driver\u2019s license<\/li>\n\n\n\n<li>Financial information<\/li>\n<\/ul>\n\n\n\n<p><strong>Sensitive personal information (SPI)<\/strong>&nbsp;is regulated separately from normal personal information with users having expanded rights over how their SPI is used, including the right to have collected SPI disclosed, to opt-out of SPI use, and subsequent consent to use SPI if users already opted out.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-cpra-requires-new-links-on-your-website\">CPRA requires new links on your website<\/h3>\n\n\n\n<p>The California Privacy Rights Act (CPRA) rewrites the requirements for how your website enables consumers to opt out of having their PI sold or shared and adds a requirement for how your website enables users to exercise their right to <strong>limit the use of their SPI<\/strong>.<\/p>\n\n\n\n<p>The CPRA amends the CCPA\u2019s Do Not Sell-button, so that your website will have to provide a link titled <strong>\u201cDo Not Sell Or Share My Personal Information\u201d<\/strong>&nbsp;\u2013 adding or sharing, as the CPRA does in many other places.<\/p>\n\n\n\n<p>The CPRA also creates a new, similar requirement for your website to provide a link titled<strong>&nbsp;\u201cLimit The Use Of My Sensitive Personal Information\u201d<\/strong>&nbsp;that enables California residents to limit the use and disclosure of their SPI.<\/p>\n\n\n\n<p>In addition, the CPRA encourages businesses to make <strong>\u201ca single, clearly-labeled link\u201d<\/strong>&nbsp;that easily allows a consumer to simultaneously opt-out of sale or sharing of PI and limit the use or disclosure of the consumer\u2019s SPI.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-cpra-gives-new-scope-to-ccpa\">CPRA gives new scope to CCPA<\/h3>\n\n\n\n<p>The California Privacy Rights Act (CPRA) changes who is liable under the CCPA.<\/p>\n\n\n\n<p>The CPRA amends the CCPA\u2019s definition of business to be a website, company or organization that (<strong>changes in bold<\/strong>) \u2013<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>as of January 1 has an annual gross revenue exceeding $25 million<\/li>\n\n\n\n<li>buys, sells or shares the personal information of <strong>more than 100,000 consumers or households per year<\/strong><\/li>\n\n\n\n<li>derives 50% or more of its annual revenues from selling <strong>or sharing<\/strong> consumers\u2019 personal information<\/li>\n<\/ul>\n\n\n\n<p>These changes are likely to<strong>&nbsp;tilt compliance from smaller companies to larger ones<\/strong>, whose businesses are more heavily reliant on the collection and sharing of personal information, both in <strong>scope<\/strong>&nbsp;(from 50,000 to 100,00) and in <strong>method<\/strong>&nbsp;(from only covering selling to include sharing).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-cpra-creates-and-expands-ccpa-rights\">CPRA creates and expands CCPA rights<\/h3>\n\n\n\n<p>The California Privacy Rights Act (CPRA) creates four new rights and modifies five existing rights for California residents.<\/p>\n\n\n\n<p>The <strong>four new CPRA rights<\/strong>&nbsp;are \u2013<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Right to correction<\/strong>, meaning that users can request to have their PI and SPI corrected if they find them to be inaccurate.<\/li>\n\n\n\n<li><strong>Right to opt-out of automated decision making<\/strong>, meaning that California residents can say no to their PI and SPI being used to make automated inferences, e.g. in profiling for targeted, behavioral advertisement online.<\/li>\n\n\n\n<li><strong>Right to know about automated decision making<\/strong>, meaning that California residents can request access to and knowledge about how automated decision technologies work and what their probable outcomes are.<\/li>\n\n\n\n<li><strong>Right to limit use of sensitive personal information<\/strong>, meaning that California residents can make businesses restrict their use of this separate category of personal information, particularly around third-party sharing.<\/li>\n<\/ul>\n\n\n\n<p>The <strong>five modified CPRA rights<\/strong>&nbsp;are \u2013<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Right to delete<\/strong>, where California residents can request deletion of PI and business now have to notify third parties to delete this as well.<\/li>\n\n\n\n<li><strong>Right to know<\/strong>, where California residents can now request access to PI collected beyond the original 12-month limit in the CCPA.<\/li>\n\n\n\n<li><strong>Right to opt-out<\/strong>, where California residents can now opt out of businesses sharing and selling their PI specifically for behavioral advertisement, and not only of the sale of PI, as in the CCPA.<\/li>\n\n\n\n<li><strong>Rights of minors<\/strong>, where the opt-in requirement for businesses when dealing with minors is extended to include the sharing of PI for behavioral advertising.<\/li>\n\n\n\n<li><strong>Right to data portability<\/strong>, where California residents can request to have their PI transported to other businesses or organizations.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-cpra-regulates-behavioral-advertising\">CPRA regulates behavioral advertising<\/h3>\n\n\n\n<p>The California Privacy Rights Act (CPRA) amends the CCPA to specifically <strong>regulate behavioral advertising<\/strong>&nbsp;that uses personal information to target California residents with marketing based on profiling.<\/p>\n\n\n\n<p>Where the CCPA defined the right to opt out as restricting the use, selling and sharing of personal information <strong>for advertising purposes<\/strong>&nbsp;in exchange for money, the CPRA creates two separate types of advertising \u2013 <strong>cross-context behavioral advertising and non-personalized advertising<\/strong>.<\/p>\n\n\n\n<p>The former is regulated by the<strong>&nbsp;right to opt-out<\/strong>, whereas the latter isn\u2019t.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2020\/11\/cb_blog_900x450_CPRA-regulates-behavioral-advertising.svg\" alt=\"\" class=\"wp-image-17002\" \/><figcaption class=\"wp-element-caption\">Behavioral advertisement is a billion-dollar industry, now being regulated tighter in California.<\/figcaption><\/figure>\n\n\n\n<p>Having the right to opt out of behavioral advertising means that California residents can ask businesses to <strong>stop sharing and selling their personal information<\/strong>&nbsp;with third parties to avoid being targeted with advertisement that is based on behavioral data, from their search, browser and purchase history, online preferences, device settings, geolocation to how they scroll and click on a website.<\/p>\n\n\n\n<p><strong>Non-personalized advertisement<\/strong>, on the other hand, is defined by the CPRA as a business purpose, and therefore exempt from any requirements for opting out.<\/p>\n\n\n\n<p>Rather than the CCPA opt-out right for personal information in general that California residents enjoy today, the CPRA now specifies its regulations to concern only PI used for behavioral advertisement.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-cpra-creates-the-california-privacy-protection-agency-cppa\">CPRA creates the California Privacy Protection Agency (CPPA)<\/h3>\n\n\n\n<p>As a first in the US, California will have<strong>&nbsp;a data protection authority<\/strong>&nbsp;comparable to the GDPR-mandated national DPA\u2019s that supervise and enforce the EU\u2019s data privacy laws.<\/p>\n\n\n\n<p>The <strong>California Privacy Protection Agency (CPPA)<\/strong>&nbsp;will become the leading enforcer and supervisor of the CCPA\/CPRA with authority to investigate and fine violations.<\/p>\n\n\n\n<p>By establishing the California Privacy Protection Agency (CPPA), the CPRA moves the enforcement responsibilities currently resting with the <a href=\"https:\/\/oag.ca.gov\/\" target=\"_blank\" rel=\"noreferrer noopener\">Office of the Attorney General<\/a>&nbsp;to the new government agency, which will <strong>start enforcement from July 1, 2023<\/strong>.<\/p>\n\n\n\n<p>The California Privacy Protection Agency (CPPA) has <strong>full enforcement authority<\/strong>&nbsp;over the CCPA\/CPRA regime, as well as <strong>authority to investigate<\/strong>&nbsp;potential breaches and violations, and to <strong>draft enforcement regulations<\/strong>.<\/p>\n\n\n\n<p>In addition, the CPRA&nbsp;<strong>cancels the grace period<\/strong>&nbsp;of 30 days that businesses have after being notified of an alleged breach or violation, and raises the maximum on fines for violations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-cpra-introduces-gpdr-like-requirements\">CPRA introduces GPDR-like requirements<\/h3>\n\n\n\n<p>In another first for California, the CPRA introduces <strong>three additional requirements<\/strong>&nbsp;for business that are closely modeled after the EU\u2019s GDPR regime:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>data minimization<\/strong><\/li>\n\n\n\n<li><strong>purpose limitation<\/strong><\/li>\n\n\n\n<li><strong>storage limitation<\/strong><\/li>\n<\/ul>\n\n\n\n<p>Under the CPRA-amended data privacy regime in California, a website or business can <strong>only collect<\/strong>, <strong>use<\/strong>&nbsp;and <strong>share<\/strong>&nbsp;Californians\u2019 personal information if it\u2019s in accordance with what is <strong>reasonably necessary<\/strong>&nbsp;and <strong>proportionate<\/strong>&nbsp;to the collection purpose (<strong>data minimization<\/strong>).<\/p>\n\n\n\n<p>In other words, you\u2019re not allowed to collect, share or sell more data than what is strictly necessary for your stated purpose of collection.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2020\/11\/cb_blog_900x450_CPRA-introduces-GPDR-like-requirements.svg\" alt=\"\" class=\"wp-image-17001\" \/><figcaption class=\"wp-element-caption\">Bringing California closer to the GDPR\u2019s data privacy standards could yield a future adequacy decision from the EU.<\/figcaption><\/figure>\n\n\n\n<p>Likewise, a website or a business is not allowed to collect, use, share or sell Californians\u2019 PI for <strong>a new purpose without first stating so<\/strong>, just like you\u2019re not allowed to collect or share data without any stated purpose at all (<strong>purpose limitation<\/strong>).<\/p>\n\n\n\n<p>The CPRA also amends the CCPA so that a website or business will be required to notify (at the point of collection) California residents <strong>about the retention time of each collected category of personal information<\/strong>, meaning that users have a right to know for how long their data will be stored after collection (<strong>storage limitation<\/strong>).<\/p>\n\n\n\n<p>The California Privacy Rights Act (CPRA) also<strong>&nbsp;expands the CCPA\u2019s current consent requirements<\/strong>, perhaps the most GDPR-like feature of California\u2019s data privacy law, to include \u2013<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Consent needed for the selling or sharing personal information after a user has already opted out<\/li>\n\n\n\n<li>Consent needed when selling or sharing the personal information of minors<\/li>\n\n\n\n<li>Consent needed for secondary use, selling or sharing of sensitive personal information after a user has opted out<\/li>\n\n\n\n<li>Consent needed for research exemptions<\/li>\n\n\n\n<li>Consent needed to opt-in to financial incentive<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-summary-california-privacy-rights-act-cpra\">Summary: California Privacy Rights Act (CPRA)<\/h2>\n\n\n\n<p>With the passing into law of the <strong>California Privacy Rights Act (CPRA)<\/strong>, California\u2019s data privacy regime has been significantly updated \u2013 only a year after the <a href=\"\/en\/ccpa\/\">California Consumer Privacy Act (CCPA)&nbsp;<\/a>went into force.<\/p>\n\n\n\n<p>The <strong>California Privacy Rights Act (CPRA)<\/strong>&nbsp;is a clear signal that the Golden State is moving full speed ahead on the US frontier of data privacy.<\/p>\n\n\n\n<p>Now that the CPRA is in full effect (since January 1, 2023) websites, businesses and organizations, who have users from California should prepare for compliance.<\/p>\n\n\n\n<p>Cookiebot CMP&nbsp;already offers full CCPA compliance for your website's cookies and trackers - alongside compliance with other major data privacy laws like the <a href=\"\/en\/gdpr\/\">EU\u2019s GDPR<\/a>, <a href=\"\/en\/lgpd\/\">Brazil\u2019s LGPD<\/a>&nbsp;and <a href=\"\/en\/popia\/\">South Africa\u2019s POPIA<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>California Privacy Rights Act (CPRA), quick summary California Privacy Rights Act (CPRA) \u2013 what, when and consequences for your website? The California Privacy Rights Act (CPRA)&nbsp;is a state-wide data privacy bill passed into law on November 3, 2020. The CPRA underscores California\u2019s position as the US frontier in data privacy legislation, as it significantly expands&nbsp;upon [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":17003,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":true,"inline_featured_image":false,"editor_notices":[],"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1072","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"acf":[],"thumbnail_status":false,"thumbnail_url":"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2020\/11\/CPRA_hero_900x450_1200x630_ffffff.png","_links":{"self":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts\/1072","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/comments?post=1072"}],"version-history":[{"count":0,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/posts\/1072\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/media\/17003"}],"wp:attachment":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/media?parent=1072"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/categories?post=1072"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/tags?post=1072"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}