Guides · March 28, 2026 · 10 min read

CCPA vs CPRA: What Changed and What It Means for Your Business


CCPA and CPRA: Two Names, One Evolving Law

If you have been researching California privacy compliance, you have likely seen both "CCPA" and "CPRA" used, sometimes interchangeably. Here is the relationship: the California Consumer Privacy Act (CCPA) was the original law, effective January 1, 2020. The California Privacy Rights Act (CPRA) was a ballot initiative (Proposition 24) approved by voters in November 2020, which substantially amended and expanded the CCPA. The CPRA changes took effect January 1, 2023.

Today, the law is technically still the CCPA as amended by the CPRA. Most practitioners refer to it as "CCPA/CPRA" or simply "CPRA" when discussing the current version.

Key Differences Between CCPA and CPRA

1. New Consumer Rights

The CPRA added several rights that did not exist under the original CCPA:

  • Right to correct inaccurate personal information
  • Right to limit use of sensitive personal information — a new category covering Social Security numbers, financial accounts, precise geolocation, race, health data, and more
  • Right to opt out of automated decision-making technology (ADMT) for decisions with legal or similarly significant effects

2. Sensitive Personal Information

The original CCPA did not distinguish between regular and sensitive personal information. The CPRA created the "sensitive personal information" category with heightened protections. Consumers can now direct businesses to limit the use and disclosure of sensitive data to what is necessary to provide the requested service.

3. Dedicated Enforcement Agency

The CPRA created the California Privacy Protection Agency (CPPA), the first dedicated privacy enforcement agency in the United States. Under the original CCPA, only the Attorney General could enforce the law. The CPPA now has independent rulemaking and enforcement authority, and has already imposed fines exceeding $4 million in 2026 alone.

4. Stricter Business Obligations

The CPRA introduced several new business requirements:

  • Data minimization — businesses must limit collection to what is reasonably necessary and proportionate
  • Purpose limitation — personal information cannot be used for purposes incompatible with the original collection purpose
  • Storage limitation — businesses must disclose retention periods and not keep data longer than reasonably necessary
  • Cybersecurity audits — required for businesses whose processing presents significant risk
  • Risk assessments — required for processing activities that present significant risk to consumer privacy

5. Changed Applicability Thresholds

The CPRA modified one key threshold: the original CCPA applied to businesses that buy, receive, or sell the personal information of 50,000 or more consumers, households, or devices. The CPRA raised this to 100,000 consumers or households (removing "devices" from the count). The revenue threshold ($25 million) and data-sale revenue threshold (50%) remained the same.

6. Expanded "Sharing" Concept

The original CCPA focused on the "sale" of personal information. The CPRA added the concept of "sharing" for cross-context behavioral advertising. Even if no money changes hands, making personal information available to a third party for targeted advertising now triggers consumer opt-out rights.

7. Service Provider and Contractor Distinctions

The CPRA created a new "contractor" category alongside "service provider." Both must enter written agreements with businesses, but the requirements differ. Contractors face additional restrictions on combining personal information from multiple sources.

What This Means for Compliance

If you were compliant with the original CCPA but have not updated your practices since the CPRA took effect, you likely have gaps. The most common areas where businesses fall behind:

  1. No mechanism to handle sensitive personal information limitation requests
  2. Missing "Limit the Use of My Sensitive Personal Information" link on website
  3. Not honoring Global Privacy Control (GPC) signals as valid opt-out requests
  4. Privacy policy missing CPRA-required disclosures (retention periods, sensitive data categories)
  5. No data minimization or purpose limitation review process

Use our privacy law calculator to check whether California's law applies to your business, and review the California compliance checklist for a step-by-step guide to full CCPA/CPRA compliance.

Last updated: March 28, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.