Iubenda logo
Start generating


Table of Contents

CCPA vs CPRA: Key Differences You Need to Know

The CPRA is a privacy law in California that took effect at the start of 2023. How does it relate to the CCPA, which came into effect in 2020? Understand the key differences between CCPA vs CPRA and what they may mean for your data privacy practices.

In 2018, California became the first state to pass comprehensive data privacy legislation with the California Consumer Privacy Act (CCPA). However, just two years later, the state passed the California Privacy Rights Act (CPRA), which significantly amends and expands upon the CCPA.


CCPA vs CPRA, What’s the Difference?

The CPRA builds on the protections provided by the CCPA, but it introduces new requirements for businesses. Here are a few key differences:

  • The CPRA has a broader scope than the CCPA.
  • The CPRA adds new categories of sensitive personal information, such as health data and precise geolocation.
  • The CPRA enhances consumer rights, adding the right to correct inaccurate information and the right to limit the use and disclosure of sensitive personal information.
  • The CPRA imposes additional requirements on businesses, such as the obligation to conduct regular risk assessments and to submit annual privacy audits to the California Privacy Protection Agency (CPPA).

Let’s now dive into each point to get a better understanding of CCPA vs CPRA.

CCPA stands for California Consumer Privacy Act. It is a data privacy law that came into effect on January 1, 2020, in the state of California, United States. CCPA compliance is designed to enhance privacy rights and consumer protection for California residents. The CCPA grants various rights to California residents and regulates the actions of businesses that collect or sell personal information.

The CCPA was reviewed, and this prompted an amendment to the CCPA, which has come to be known as the California Privacy Rights Act (CPRA).

The California Privacy Rights Act (CPRA), which became effective in January 2023, expands on a few key elements of the existing California Consumer Privacy Act (CCPA) by further protecting consumers’ privacy. The CPRA supplements – but does not replace nor repeal – the existing framework provided by the CCPA.

No. The CPRA amends the CCPA, bringing in new requirements and rights, for example. It does not create a separate, new law. As a result, the California Privacy Protection Agency typically refers to the law as “CCPA” or “CCPA, as amended.” The CPRA amendments to the CCPA are in effect as of January 1, 2023. But, in easy terms, any part left unchanged from the CCPA still applies to businesses and consumers.

CCPA vs CPRA Scope

To put it shortly, the scope of the CPRA is broader than the CCPA. 

The CCPA regulations only applies to businesses that meet certain criteria, such as those with annual gross revenue of over $25 million. While the CPRA (CCPA amendments) applies to businesses of all sizes that process personal data of California residents and meet certain thresholds.

Not sure if the CPRA applies to you?

👉 Do this free 1-min quiz to find out

Sensitive Personal Information

The CPRA introduced a different category of protected data to the mix: sensitive personal information (SPI). This idea is quite similar to Article 9 of the General Data Protection Regulation (GDPR), which asks for a higher level of data protection for the sensitivity of personal information. New categories of sensitive personal information include:

  • health data; and 
  • precise geolocation data, which require additional protections.

👀 See here for everything you need to know about Sensitive personal information under the CPRA.

CCPA vs CPRA: Consumer Rights

The CCPA amendments, the CPRA, enhances consumer rights. 

While the CCPA regulations grants consumers the right to know what personal information businesses collect and the right to request deletion of that information, the CPRA adds new rights:

  1. the right to correct inaccurate information; and
  2. the right to limit the use and disclosure of sensitive personal information;
  3. the right to opt-out of automated decision-making technology;
  4. access to information on automated decision-making.

Some other rights such as the right to know, the right to delete or the right to data transfer have been expanded/updated.

👀 See here the full list of Consumer rights.

Creation of the California Privacy Protection Agency

Another major change is the creation of a new enforcement agency, the California Privacy Protection Agency (CPPA), which will have more resources and power to enforce the privacy laws

The CCPA regulation was enforced by the state attorney general’s office, while the CPRA gives the CPPA sole authority to enforce the law and impose fines for violations.

Businesses’ Obligations

In terms of businesses’ obligations, the CPRA imposes additional requirements on businesses, such as:

  1. the obligation to conduct regular risk assessments; and
  2. submit annual privacy audits to the California Privacy Protection Agency (CPPA). 

The CPRA also establishes a new category of “contractors” who work with businesses and must comply with certain privacy requirements.

The CCPA amendments, The CPRA Compliance

CCPA vs CPRA: Navigating the changing data privacy landscape in California can be daunting, but understanding the differences between the CCPA and the CPRA is crucial for protecting your personal data. 

Businesses and consumers alike should have already familiarized themselves with the new legislation and have taken the necessary steps to comply with its requirements.

Do you need to comply with the CCPA amendments?

We make it easy for you, click below to

Comply with the CPRA