
CPRA (California Privacy Rights Act): An expansion to CCPA

April 22, 2021

It has not been a decade, or even half of one: just 15 months ago, the Californian Government began enforcing a data protection regulation named the CCPA (California Consumer Privacy Act). As a pleasant surprise (perhaps a dismal one for organizations!), another act was announced recently: the CPRA (California Privacy Rights Act).

Data privacy peers see the new regulation as an extension of the CCPA, or, if you like, CCPA 2.0. The CPRA will come into force on 1st January 2023, so businesses have enough time (almost two years) to fine-tune their processes and people. This time, privacy-minded Californian citizens voted in the general election and passed ‘Proposition 24’ with 9,384,625 (56.23%) votes in favor of the CPRA. The same group also played a vital role in the CCPA by gathering 629,000 signatures demanding an act for consumer data privacy in the country’s most populous state.

Now to the main topic: what is new in the CPRA, and how will it make Californians’ privacy foolproof?

Small or mid-size businesses with 100,000 or fewer consumers or households are exempt; the same threshold was 50,000 under the CCPA.

The CPRA introduces a new category, ‘Sensitive Personal Information’, which includes the Social Security Number (SSN), driver’s license, credit or debit card number with login credentials, religious or philosophical beliefs, union membership, race or ethnicity, mail, email, and text message communications, genetic or biometric data, health information, sex life or sexual orientation information, and precise geolocation. Consumers now have new rights to limit the usage and purpose of their sensitive PI (Personal Information) held by businesses. To comply with this sensitive PI clause, businesses have to revise their privacy policy disclosures and develop an opt-in/opt-out mechanism for sensitive PI.

The CCPA (California Consumer Privacy Act) is enforced by the California Office of Attorney General (OAG); there is no dedicated regulatory agency for its implementation, as the GDPR has. The CPRA (California Privacy Rights Act), however, creates an agency named the California Privacy Protection Agency (CPPA) with investigative, enforcement, and rule-making powers. Additionally, businesses have to conduct privacy risk assessments and cybersecurity audits for high-risk activities, and audit reports must be submitted to the authority on a ‘regular basis.’ The dedicated agency will strengthen the enforcement of the CPRA, experts say.

The CPRA triples the non-compliance penalty ($7500 per compromised record) where minors (under 16) are concerned, so companies holding the personal information of kids have to be more alert.

Under the CCPA, businesses benefit from a 30-day cure period (after being notified of the alleged violation by the regulator), but it has been removed in the new regulation, the CPRA.

Right to Correction: Consumers may request correction of the Personal Information (PI) held by businesses if they find it inaccurate or old.

Right to Opt Out of Automated Decision-making Technology: Consumers have the right to opt out of the use of automated decision-making technology on their data held by an organization. This right may impact behavioral advertising and some other activities derived from personal preferences.

Additionally, CPRA adopts certain GDPR principles like Data Minimization, Purpose Limitation, and Storage limitation.

CPRA Compliance Readiness Plan for enterprises

  • Enterprise Data Mapping

    Enterprise data is spread across various business applications such as ERP, HRMS, collaboration software, email, and messaging platforms. In this remote working era especially, the data is also spread across various geolocations. First and foremost, identify the sources where data is produced, stored, and shared, and understand the interconnections between them. The data mapping exercise will give complete visibility (on paper!) of the data. It can be a combined exercise of the compliance/legal team and the IT team, and cooperation from various other teams is essential.

  • Optimize Business Processes – Operational Governance

    By optimizing business processes, organizations enhance efficiency and reduce the volume of data generated. The cost of storing and managing sensitive business information is surging, so this activity also lowers the infrastructure expenditure to a certain extent.

  • Employee Training

    According to CPRA, the fine-tuning of people, processes, and technology results in a compliance-ready organization. Enterprises can hire process designers to define and optimize business processes and also invest in modern technology solutions. However, this won’t make much difference without a defined employee training program because, in the end, the employees are the ones who follow processes and use technologies. If every single employee understands the importance of data and how sensitive it is in this digital world, you will build a zero-tolerance information management ecosystem.

  • Revise Data Privacy Policy and its Enforcement

    To comply with the latest regulation, CPRA, enterprises need to revise their data privacy policy and convey the revised policy to new and existing customers without delay. Enterprises should engage a legal expert to draft the new data privacy policy and a technical expert to implement it.

  • Put a robust Information Governance program into practice

    Information Governance expert Joe Bartolo observed the behaviors of organizations as proactive, reactive, and inactive in terms of handling information [read his insightful article in the Spring Issue of ILTA’s Peer-to-Peer magazine]. Most organizations are reactive in behavior because they wait for litigation or data privacy obligations before looking into the data they hold. Now is the time to be proactive in governing information. A robust Information Governance program should be in place that ensures data archival, data retention, automated purging of irrelevant or outdated data, and PII analytics & identification. Several other aspects, such as data subject access rights (DSAR), an enterprise-wide granular permission mechanism, and redaction techniques, should be considered while putting the IG program into practice. A specialized GRC (Governance, Risk, and Compliance) solution like ‘Knovos GRC’ helps to implement a robust Information Governance program across the organization.

Wrap Up

Once again, the absence of a federal data protection law has become a topic of debate with the recently announced state-wide regulations. Besides California, some other states like Virginia and Oklahoma have also passed regulations. New York is on its way to passing the NYDATA (New York Data Accountability and Transparency Act) for the state’s citizens.

