What does the California Privacy Rights Act (CPRA) Mean?

by | Jan 21, 2021

With the passing of the California Privacy Rights Act in November 2020 came a range of new obligations for businesses operating in the State. They must now move swiftly to make sure that every member of staff is conscious of their obligations in order to avoid large-scale financial penalties being imposed on their company.

In order to assist you in coming to terms with the new rules, we have put together a short article detailing the main things that you need to be aware of moving forward. To read more about the introduction of the new data privacy legislation you can read the news story from last November here.

1. Sensitive Personal Information Obligations
The CPRA states that consumers have the power to request that a business not share sensitive personal information. Further to this, there is now a range of rules in relation to ‘sensitive personal information’. This is defined as specific identification numbers including:

  • Social Security details
  • Account credentials
  • Identity card or passport numbers
  • Communications content in emails and text messages (if a business is not the recipient of the communication)
  • Driver’s license data
  • Credit card information
  • Geolocation information
  • Data elements that fall in line with the European Union’s GDPR provisions including religious and philosophical beliefs; union membership details; health, genetic, and biometric data; and details linked to sexual habits or sexual orientation.

2. The Creation of the California Privacy Protection Agency (CPPA)
This body has been established in order to police data privacy in the jurisdiction. It will be comprised of a five-person board. Members of this board will be appointed by the California State Assembly, Senate, and Attorney General. The remaining two members of the board will be nominated by the Governor of California. Among its duties, it will be responsible for conducting investigations, and subsequent hearings, into breaches of the CPRA. Additionally, it will apply necessary penalties arising from these breaches and assist companies in their attempts to become CCPA compliant.

3. Additional CPRA Data Breach Requirements
It is considered that a breach of the CPRA has taken place when unauthorized access is granted to non-encrypted/non-redacted information, password details or log-in information. In this event the CPRA will permit those impacted to seek compensation via the judiciary.

4. Data Collected for Advertising Controlled by Consumers 
The vast majority of companies now rely on cross-context behavioral advertising to profile specific consumers for advertising purposes. There is a legal right, in the CPRA, for consumers to opt out of this gathering of personal data. Due to this, businesses must also change the way that they allow consumers to opt out of this activity.

5. Data & Consumer Rights
In relation to the data that businesses choose to use, the CPRA now empowers consumers with a number of rights. These include:

  • The right of correction, which allows individuals to seek the amendment of inaccurate personal information held by a business
  • The extension of the right to deletion to ensure businesses complete deletion requests and maintain a confidential record of deletion requests for future reference
  • Along with the right to a copy of the data a business has collected about them during the year before the request was submitted, consumers can now seek a copy of data collected in relation to them before this time if the business still has it available

There is a lot to take into account in order to avoid a breach of the new rules. It is most important that all staff members are aware of the obligations under the CPRA in order to avoid a breach occurring due to a lack of knowledge of the obligations that your company must meet.



Patrick Kennedy
