CPRA: A look at the state of California’s data privacy law

A look at California’s new and more robust data privacy legislation, the California Privacy Rights Act (CPRA).


It’s a little difficult to look at the overall state of data privacy across the US, mainly because there is no universal privacy legislation at a federal level. Instead, regulations surrounding data privacy are an assortment of state laws catering to various sectors, with different definitions of data breaches. Some advancements have been made in states like Colorado and Virginia, which both passed consumer privacy legislation in 2021. But the front-runner for privacy protection is the state of California.

California passed the California Consumer Privacy Act (CCPA) back in 2018, and is introducing another, more robust piece of data privacy legislation: the California Privacy Rights Act (CPRA). The law comes into effect on 1st January 2023, with “right to know” requests applicable from January 1, 2022.

The law is set to drive more changes for businesses, which have already adjusted the way they collect and use consumer data under the CCPA. It means more operational and administrative costs.

California Privacy Rights Act (CPRA) vs CCPA

The CCPA was introduced with the intention of improving consumer protections, following in the footsteps of GDPR. A major focus of the CCPA was that it applied to ‘controllers’ (institutions or organisations) doing business in the state, to the extent that those businesses process data of Californian residents. It provided four main pillars of privacy rights for consumers: the right to know, the right to delete, the right to opt out, and the right to non-discrimination for exercising CCPA rights. Ultimately, the CCPA was a framework for businesses operating in California regarding their privacy practices.

The aim of the CPRA is to bolster existing privacy law, grant greater control to Californian consumers, and address the use of ‘sensitive information’. Starting from 2023, ‘consumers’ will be defined as a broader group, applying to Californian employees and people involved in a company’s trade and business contacts. The additional privacy rights being included are the right to correct inaccurate information, the right to data minimisation and purpose limitation, and the right to receive notice of personal information use with the choice to opt out.