The California Privacy Rights Act (CPRA) expands the CCPA and raises the bar for privacy compliance. If you already follow CCPA, you are partway there, but some important changes require attention.
What Changed
CPRA introduces a new enforcement agency, expands the definition of sensitive personal information, and strengthens consumer rights.
Sensitive Personal Information
Data like precise geolocation, government IDs, and racial or ethnic origin can trigger additional obligations and opt-out requirements.
Data Minimization and Purpose Limits
Collect only what you need for a stated purpose. CPRA makes this a central principle rather than a best practice.
Service Providers and Contractors
CPRA distinguishes between service providers, contractors, and third parties. Your contracts must reflect the correct role and required clauses.
What to Update Now
Update your privacy policy, review vendor contracts, and validate that your opt-out mechanisms cover both selling and sharing of data.
Bottom Line
CPRA does not replace CCPA; it enhances it. Treat it as an evolution and upgrade your processes early.