CCPA vs CPRA: California Privacy Laws Explained
A comprehensive guide to understanding California Consumer Privacy Act compliance, CPRA requirements, and the key differences between these landmark privacy regulations in 2025
Executive Summary
Bottom Line: The CPRA amended the CCPA rather than replacing it, creating stronger privacy protections that took effect January 1, 2023. Businesses must now comply with expanded consumer rights, stricter enforcement, and new obligations around sensitive personal information.
- CPRA is not a separate law – it amended the existing CCPA with enhanced protections
- Revenue threshold increased to $26,625,000 for 2025 (adjusted annually for inflation)
- Consumer data threshold doubled from 50,000 to 100,000 consumers or households
- Four new consumer rights including correction, limitation of sensitive data use, and opt-out of sharing
- New enforcement agency – California Privacy Protection Agency (CPPA) with expanded authority
- Administrative fines of up to $2,663 per violation, rising to $7,988 for intentional violations or violations involving minors, as of 2025
California continues to lead the United States in consumer privacy protection, establishing the nation’s most comprehensive data privacy framework. According to the California Privacy Protection Agency, the CPRA amended the CCPA rather than creating a separate law, with amendments taking effect on January 1, 2023. For businesses serving California residents, understanding the distinction between CCPA compliance requirements and CPRA enhancements is essential for avoiding penalties that can reach $7,988 per intentional violation.
According to the California Attorney General, the CCPA was the first comprehensive consumer privacy law passed in the United States when it took effect January 1, 2020. The law gave consumers certain rights over their personal information and required businesses to inform consumers about data collection practices. However, privacy advocates quickly identified gaps in protection, particularly around cross-context behavioral advertising and sensitive personal information handling.
This comprehensive guide examines the California Consumer Privacy Act evolution, CPRA changes, and what these California privacy law requirements mean for ecommerce companies, digital marketers, and any business processing data from California residents. We’ll explore CCPA vs CPRA differences in consumer rights, enforcement mechanisms, and compliance obligations.
What is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act represents groundbreaking privacy legislation that established fundamental consumer data rights. According to the International Association of Privacy Professionals, Governor Jerry Brown signed the CCPA into law on June 28, 2018, with an effective date of January 1, 2020.
Original CCPA Requirements
The CCPA originally applied to for-profit businesses that collected data from California residents and met any of these thresholds:
- Annual gross revenue exceeding $25 million
- Collection, purchase, or sale of personal information from 50,000 or more consumers, households, or devices
- Deriving 50% or more of annual revenue from selling consumers’ personal information
Core Consumer Rights Under Original CCPA
According to the California Attorney General, the original CCPA granted California residents four primary rights:
- Right to Know: Consumers could request disclosure of categories and specific pieces of personal information collected, sources of information, purposes for collection, and third parties receiving the data
- Right to Delete: Consumers could request deletion of their personal information held by businesses
- Right to Opt-Out: Consumers could direct businesses not to sell their personal information
- Right to Non-Discrimination: Businesses could not discriminate against consumers exercising their privacy rights
Important Note: According to the California Privacy Protection Agency, businesses must post a “Do Not Sell My Personal Information” link on their homepage, allowing users to exercise opt-out rights. This requirement remains in effect under current California privacy law.
Understanding the California Privacy Rights Act (CPRA)
The California Privacy Rights Act emerged from continued advocacy for stronger consumer protections. According to the International Association of Privacy Professionals, Alastair Mactaggart, who was instrumental in getting the CCPA enacted, launched the CPRA ballot initiative that appeared on the November 2020 ballot. California voters approved Proposition 24 on November 3, 2020.
When CPRA Takes Effect
According to the California Privacy Protection Agency, the majority of CPRA provisions entered into force on January 1, 2023, with a lookback to January 2022. However, enforcement mechanisms faced legal challenges. The California Chamber of Commerce argued that since the CPPA didn’t finalize CPRA requirements until March 2023, enforcement should be delayed. According to Osano, on February 9, 2024, the CPPA won its appeal, immediately allowing enforcement of the initial regulations and retroactively setting the enforcement effective date to July 1, 2023.
CPRA’s Relationship to CCPA
According to the California Privacy Protection Agency, the CPRA amended the CCPA and did not create a separate, new law. As a result, the Agency typically refers to the law as “CCPA” or “CCPA, as amended.” This distinction is important for understanding California privacy law compliance – businesses need not track two separate regulations but rather understand how CPRA modifications enhance the existing CCPA framework.
CCPA vs CPRA: Key Differences That Matter for Your Business
While the CPRA builds upon the CCPA foundation, several critical differences impact business compliance obligations. Understanding these CCPA vs CPRA differences helps organizations adapt their privacy programs effectively.
Changes to Applicability Thresholds
According to the California Privacy Protection Agency, the CPRA modified the thresholds that determine which businesses must comply:
| Threshold Type | CCPA Original | CPRA Amendment |
|---|---|---|
| Annual Revenue | $25 million | $26,625,000 (effective January 1, 2025, adjusted for inflation) |
| Data Volume | 50,000+ consumers, households, or devices | 100,000+ California residents or households (removed “devices”) |
| Revenue from Data Sales | 50%+ from selling personal information | 50%+ from selling or sharing personal information |
Introduction of “Sharing” Personal Information
According to Termly, the CPRA introduced the concept of sharing personal data, which addresses a significant gap in the original CCPA. This change closes loopholes where businesses claimed they were “sharing” rather than “selling” data to avoid compliance requirements. Under CPRA requirements, sharing for cross-context behavioral advertising now triggers the same consumer rights as selling data.
Critical Update: According to CookieYes, the CPRA expands opt-out rights to cover cross-context behavioral advertising. This means most websites with advertising pixels are now subject to California privacy law disclosure obligations, even if no money exchanges hands for the data.
Establishment of the California Privacy Protection Agency
One of the most significant CPRA changes involves enforcement authority. According to the International Association of Privacy Professionals, the CPRA established the California Privacy Protection Agency to implement and enforce the law. The Attorney General also retains civil enforcement authority.
According to Luthor, the CPPA’s creation represents a game-changer in California privacy law enforcement. The dedicated agency has exclusive rulemaking authority and the resources to pursue violations systematically. On July 24, 2025, according to the California Privacy Protection Agency, the CPPA Board unanimously voted to adopt proposed regulations concerning cybersecurity audits, risk assessments, and automated decision-making technology, which are being reviewed by the Office of Administrative Law.
Expanded Consumer Rights Under CPRA
According to the California Attorney General, as of January 1, 2023, California residents gained four additional privacy rights beyond the original CCPA protections. These new rights represent substantial enhancements to consumer control over personal information.
Right to Correct Inaccurate Information
According to Lewis Brisbois, businesses must correct inaccurate personal information regarding a consumer within 45 days of receiving a verifiable consumer request. This right addresses a significant gap in the original CCPA, which allowed consumers to delete data but not correct errors. For businesses serving California residents, implementing data correction workflows is now mandatory for CCPA compliance.
Right to Limit Use of Sensitive Personal Information
According to the California Privacy Protection Agency, consumers now have the right to limit the use and disclosure of sensitive personal information collected about them. This represents one of the most significant CPRA requirements, particularly for businesses handling health data, financial information, or other sensitive categories.
According to Bryan Cave Leighton Paisner, the CPRA requires organizations to provide consumers with the right to limit the use and disclosure of their sensitive personal information to uses necessary to perform services or provide goods reasonably expected by an average consumer. Where required, organizations must provide a “Limit the Use of My Sensitive Personal Information” link on their homepage.
Right to Opt-Out of Sharing for Cross-Context Behavioral Advertising
According to Osano, the CPRA strengthens opt-out protections by covering not just sales but also sharing of personal information for cross-context behavioral advertising. Businesses must provide a “Do Not Sell or Share My Personal Information” link on their homepage.
Enhanced Data Access Rights
According to the California Attorney General, the right to know was enhanced under CPRA to provide consumers with more detailed information about data collection practices, including the categories of third parties with whom businesses share personal information and the specific categories of information disclosed to each type of third party.
Updated Business Obligations Under California Privacy Law
Privacy Policy and Notice Requirements
According to Secure Privacy, CPRA introduced critical new requirements including sensitive personal information protections, data retention disclosures, and enhanced consumer rights. Privacy policies not updated since before 2023 likely violate current CCPA privacy policy requirements.
According to Secure Privacy, businesses must now specify how long they retain each category of personal information or explain how they determine retention periods. This CPRA requirement catches many businesses unprepared. Category-specific retention timelines should reflect the different data types a business holds and be grounded in business needs, legal obligations, or regulatory requirements.
Contract Requirements with Third Parties
According to Transcend, the CPRA requires comprehensive contracts between businesses and any third parties with whom data is being shared or sold. These contracts must specify the purpose for data sharing and place the third party under the same CPRA obligations as the business, meaning third parties must comply with CPRA privacy protection requirements.
Data Minimization and Purpose Limitation
According to Cookiebot, businesses must disclose the categories of sensitive personal information collected, the purposes for collection, whether the information is shared or sold, and retention periods for sensitive personal information. This transparency requirement ensures consumers can make informed decisions about data sharing.
Employee and B2B Data
According to the California Attorney General, the exemptions for employment-related personal information and personal information reflecting business-to-business transactions expired on December 31, 2022. This change means businesses must now extend privacy notices and request handling to HR data and B2B contacts, significantly expanding California privacy law compliance scope.
Understanding Sensitive Personal Information Under CPRA
The CPRA’s introduction of sensitive personal information as a distinct regulated category represents one of its most important innovations. According to CookieYes, if personal information is your door lock, sensitive personal information is your fireproof safe.
Categories of Sensitive Personal Information
According to the California Privacy Protection Agency, sensitive personal information includes:
- Government identifiers: Social security numbers, driver’s license numbers, passport numbers
- Financial account information: Credit card numbers, financial account numbers with security codes or passwords
- Precise geolocation data: Location information accurate to within 1,850 feet
- Communication contents: Contents of mail, email, and text messages (unless the business is the intended recipient)
- Genetic data: Genetic information processed for identification
- Biometric information: Unique identifiers used for authentication
- Protected classification characteristics: Information about race or ethnic origin, religious or philosophical beliefs, or union membership
- Personal health information: Health data, sex life, or sexual orientation information
Business Obligations for Sensitive Data
According to TermsFeed, businesses collecting sensitive personal information must inform consumers before collection about categories being collected, purposes for collection or use, whether the information is shared or sold, and retention periods. This notice must occur before or at the point of collection.
According to Osano, if a business collects sensitive personal information, they are required to provide a link on their homepage titled “Limit the Use of My Sensitive Personal Information” where consumers can exercise their rights to opt-out of uses beyond what’s necessary to provide requested services.
Exceptions to the Right to Limit
According to Bryan Cave Leighton Paisner, the right to limit does not apply in certain circumstances defined by CPRA regulations. For example, a consumer’s precise geolocation may be used by a mobile application providing directions to a specific location, but may not be used by a gaming application without offering the right to limit where the average consumer would not expect the application to need this sensitive information.
Enforcement Mechanisms and Penalties
Updated Fine Structures for 2025
According to Freeman Mathis & Gary, the California Privacy Protection Agency announced significant updates to fines and penalties under CCPA compliance requirements, effective January 1, 2025. These changes are part of biennial adjustments mandated by the CCPA to align with the Consumer Price Index.
According to Freeman Mathis & Gary, the updated penalty structure for 2025 includes:
- Monetary damages per consumer per incident: $107 to $799 (adjusted from $100 to $750)
- Administrative fines for violations: Up to $2,663 per violation
- Intentional violations or violations involving minors: Up to $7,988 per violation
- Business coverage threshold: $26,625,000 in annual revenue (adjusted from $25,000,000)
Warning: According to CookieYes, these fines aren’t one-off – they can stack up quickly. Failing to respond correctly to 1,000 consumer data requests could lead to millions in potential fines. For large-scale violations, penalties can quickly reach into the tens of millions.
Enforcement Authority Structure
According to Usercentrics, the California Attorney General and the California Privacy Protection Agency are responsible for enforcing California’s privacy laws. According to Osano, the CPRA amendment empowers the California Attorney General, California’s 62 different district attorneys, and the CPPA to enforce the law.
Elimination of Cure Period
According to Usercentrics, the CPRA eliminated the 30-day cure period that previously applied under the CCPA. Authorities may still grant a cure period, but only at their discretion. This change means faster enforcement against companies in violation of the law.
Private Right of Action
According to Transcend, the CCPA and CPRA are the only US state privacy laws that afford the private right of action – Colorado, Virginia, and Utah don’t provide this right under any circumstance. According to Scytale, if there’s a data breach due to a business’s failure to implement proper security measures, consumers can sue for damages between $107 and $799 per consumer per incident, or actual damages, whichever is greater.
Recent Enforcement Actions
According to Byte Back Law, on May 6, 2025, the California Privacy Protection Agency announced its second non-data broker enforcement action, requiring a national retailer to pay a $345,178 administrative fine and implement remedial actions for CCPA violations. This followed the Agency’s first enforcement action requiring a vehicle manufacturer to pay a $632,500 administrative fine.
According to Usercentrics, Sephora became the first company to face a significant fine under CCPA in 2022, agreeing to pay $1.2 million to settle allegations that it failed to disclose the sale of consumer data and did not offer a proper mechanism for consumers to opt out. According to Usercentrics, DoorDash faced a fine of $375,000 in 2024 for violating CCPA by sharing customers’ personal information with other businesses as part of a marketing cooperative without proper consent.
Steps to Achieve CCPA Compliance in 2025
Assess Your Business’s Applicability
According to the California Privacy Protection Agency, businesses must determine if they meet any of the three threshold criteria: gross annual revenue of $26,625,000 or more for the preceding calendar year; buying, selling, or sharing personal information of 100,000 or more California residents or households; or deriving 50% or more of annual revenue from selling or sharing California residents’ personal information.
Update Privacy Policies and Notices
According to Secure Privacy, businesses must maintain detailed privacy policies explaining data collection, usage, and retention practices. Privacy policies should specify category-specific retention timelines and explain how retention periods are determined. Policies must be updated at least annually or whenever significant changes occur.
Implement Required Opt-Out Mechanisms
According to Osano, businesses must provide clear and conspicuous links on homepages titled “Do Not Sell or Share My Personal Information” and, if collecting sensitive personal information, “Limit the Use of My Sensitive Personal Information.” According to Osano, businesses must also use universal opt-out mechanisms like Global Privacy Control to honor consumer preference signals automatically.
Establish Consumer Request Processes
According to Secure Privacy, businesses must provide at least two methods for consumers to submit requests, including toll-free phone numbers, email addresses, and web portals. Response times must meet CCPA requirements – typically 45 days with the possibility of a 45-day extension when reasonably necessary.
Conduct Risk Assessments and Security Audits
According to Cookiebot, the CPRA introduces requirements for businesses to conduct annual cybersecurity audits and regular risk assessments where processing of consumers’ personal information presents significant risk to consumers’ privacy or security. Risk assessments must identify whether processing involves sensitive personal information and must weigh benefits against potential risks to consumer rights. According to Strobes, in July 2025, the CPPA finalized updates focusing on Automated Decision-Making Technology, Cybersecurity Audits, and Risk Assessments.
Train Staff on Privacy Obligations
According to Byte Back Law, businesses must develop, implement, and maintain procedures to ensure personnel handling personal information are informed of the business’s requirements under the CCPA. Regular training ensures compliance across all departments handling consumer data.
Review Third-Party Contracts
According to Transcend, comprehensive contracts with third parties must specify the purpose for data sharing and place third parties under the same CPRA obligations as the business. Contracts should be reviewed and updated to ensure compliance with current California privacy law requirements.
Conclusion: Navigating California Privacy Law in 2025
Understanding the relationship between CCPA compliance and CPRA requirements is essential for businesses serving California residents. According to the California Privacy Protection Agency, the CPRA amended rather than replaced the CCPA, creating a unified privacy framework with enhanced protections effective January 1, 2023.
The key CCPA vs CPRA differences – including expanded consumer rights, the introduction of sensitive personal information protections, establishment of the California Privacy Protection Agency, and stricter penalties – require businesses to update their privacy programs comprehensively. According to Freeman Mathis & Gary, with penalties reaching $7,988 per intentional violation as of 2025 and the elimination of automatic cure periods, proactive compliance is more important than ever.
Businesses should focus on implementing required opt-out mechanisms, updating privacy policies with detailed disclosures, establishing robust consumer request processes, conducting cybersecurity audits and risk assessments, and training staff on California privacy law obligations. According to recent enforcement actions, the CPPA is actively pursuing violations across industries, making compliance a critical business priority.
For ecommerce companies, digital marketers, and any organization processing data from California residents, investing in CCPA compliance infrastructure protects not only against regulatory penalties but also builds consumer trust through transparent data practices. The California Consumer Privacy Act framework, as amended by the CPRA, represents the most comprehensive state-level privacy regulation in the United States and continues to influence privacy legislation nationwide.
Resources and Official Sources
This article was researched using authoritative sources to ensure accuracy and reliability. Below are the primary resources referenced throughout this guide:
Official California Government Sources
- California Privacy Protection Agency (CPPA) – cppa.ca.gov
  - Frequently Asked Questions – Comprehensive FAQs about CCPA/CPRA
  - Law & Regulations – Current and proposed CCPA regulations
  - 2025 CCPA Fines and Penalties Announcement
- California Attorney General – oag.ca.gov/privacy/ccpa – Official CCPA information and consumer rights
- Privacy.ca.gov – privacy.ca.gov – Consumer-focused privacy rights information
Legal and Compliance Analysis
- International Association of Privacy Professionals (IAPP) – CCPA and CPRA Resources – Comprehensive coverage and analysis
- Freeman Mathis & Gary LLP – Key Updates to CCPA Fines and Penalties for 2025
- McCune Law Group – Updates to the CCPA and CPRA in 2025
- Bryan Cave Leighton Paisner – Sensitive Personal Information Compliance Guide
- Lewis Brisbois – CPRA’s Definition and Treatment of Sensitive Personal Information
- Byte Back Law – CPPA Announces New CCPA Enforcement Action
Privacy Technology and Compliance Solutions
- Transcend – CPRA vs CCPA: Unpacking the Differences
- Osano – Guide to California Data Privacy Law
- Cookiebot – CCPA vs. CPRA: What’s Different and What’s the Same?
- CookieYes – CCPA vs CPRA: Key Differences and Compliance Guide
- CookieYes – What is CPRA Sensitive Personal Information?
- CookieYes – CCPA Fines & Penalties: What Happens if You Fail to Comply?
- CookieYes – Top CPRA Fines You Should Know About
- Usercentrics – CCPA Penalties and Fines: Consequences of Noncompliance
- Termly – CCPA vs. CPRA: What’s Different?
- TermsFeed – CCPA (CPRA) Penalties: What We Know So Far
- TermsFeed – How to Comply With CPRA’s “Limit the Use of My Sensitive Personal Information” Requirement
Business Compliance Resources
- Secure Privacy – CCPA Privacy Policy Requirements 2025: Complete Compliance Guide
- Strobes – California Consumer Privacy Act (CCPA) Essentials for 2025
- Scytale – What are CCPA Penalties for Violating Compliance Requirements?
- Captain Compliance – CCPA Fines Overview: Everything You Need to Know
- Luthor – CPRA vs CCPA: Key Differences in Data Privacy
- WP Legal Pages – CPRA vs CCPA – A Detailed Comparison for 2025
- California CCPA – CCPA/CPRA Fines and Penalties Increase for 2025
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Laws and regulations are subject to change. For specific compliance questions and legal guidance, please consult with qualified privacy counsel or legal professionals specializing in California privacy law.
Last Updated: October 30, 2025
