Information Today, Inc. Corporate Site KMWorld CRM Media Streaming Media Faulkner Speech Technology Unisphere/DBTA
Other ITI Websites
American Library Directory Boardwalk Empire Database Trends and Applications DestinationCRM Faulkner Information Services Fulltext Sources Online InfoToday Europe KMWorld Literary Market Place Plexus Publishing Smart Customer Service Speech Technology Streaming Media Streaming Media Europe Streaming Media Producer Unisphere Research

News & Events > NewsBreaks
Back Index Forward
Threads bluesky LinkedIn FaceBook RSS Feed

What to Expect From the Newly Enforced California Privacy Rights Act
Posted On September 12, 2023
The California Privacy Rights Act (CPRA), or Proposition 24, was a ballot measure approved by California voters on Nov. 3, 2020, to strengthen California consumers’ privacy. If the CPRA sounds familiar, it’s because it’s an amendment to the existing California Consumer Privacy Act (CCPA).


The CCPA, broadly speaking, is a legislative initiative that intends to enhance privacy rights and protect consumers who reside in the state of California. The legislation makes the consumer the owner of their personal data. On June 28, 2018, the CCPA was signed into law, with an effective date of Jan. 1, 2020. The CCPA provides consumers with certain rights that can be divided into the following categories:

  • Right to know (knowledge of the personal information collected by a business and how it is used or shared)
  • Right to opt out (opt out of the sharing or sale of personal information)
  • Right to request deletion (deletion of personal information, with some exceptions)
  • Right to equal services and prices (nondiscrimination for exercising CCPA rights as a consumer)

Examples of data covered by the CCPA include, but are not limited to, the following:

  • Identifying information such as names, addresses, IP addresses, and email addresses
  • Internet activity records (including browsing and search history)
  • Biometric information
  • Commercial information
  • Employment-related information

For additional information, see the State of California’s CCPA overview and FAQ page.


For-profit businesses that collect personal information, determine how and/or why information is processed, do business in California, and meet one or more of the following criteria must comply with the CCPA:

  • Gross annual revenue exceeding $25 million
  • Buys, sells, or shares personal information of 100,000 or more consumers or households
  • Derives 50% or more annual revenue from selling or sharing California residents’ personal information

In addition to for-profit businesses, some entities controlled by these businesses as well as certain joint ventures and partnerships are also subject to the CCPA. Generally, the CCPA does not apply to nonprofits or government agencies.


The short answer is no, the CPRA will not replace the CCPA. The CPRA is strictly an amendment to the CCPA in the California Civil Code that brings in new and additional privacy protection measures for consumers residing in California. Legally speaking, the CPRA is still referred to as “CCPA” or even “CCPA, as amended.”


The CPRA amendment established the California Privacy Protection Agency (CPPA). The CPRA’s creation of the CPPA means that this agency now has full administrative control, authority, and jurisdiction to enforce and administer the CPRA. The CPPA takes control away from the attorney general’s office. Additionally, the CPPA’s rulemaking must comply with California’s Administrative Procedures Act (APA) and with the Bagley-Keene Open Meeting Act. These acts promote public transparency. Conveniently, and in alignment with the aforementioned transparency, the CPPA has a Laws & Regulations website to document its regulation-based activities.


The CPRA amendment brings with it two new consumer rights in addition to the rights listed in the CCPA:

  1. Right to correct inaccurate personal information
  2. Right to limit use, including disclosure, of sensitive personal information

The CPRA added a new definition in the amendment for sensitive personal information, which, per the Office of the Attorney General, “is a specific subset of personal information that includes certain government identifiers (such as social security numbers); an account log-in, financial account, debit card, or credit card number with any required security code, password, or credentials allowing access to an account; precise geolocation; contents of mail, email, and text messages; genetic data; biometric information processed to identify a consumer; information concerning a consumer’s health, sex life, or sexual orientation; or information about racial or ethnic origin, religious or philosophical beliefs, or union membership. Consumers have the right to also limit a business’s use and disclosure of their sensitive personal information.” The new CPRA definition can be interpreted as a nod to the General Data Protection Regulation (GDPR) in Europe.


As noted, Jan. 1, 2023, was the date when all of the CPRA’s amendments to the CCPA went into effect. This was also the date that businesses were required to comply with the whole statute (CPRA and CCPA). With that understanding, the CPRA includes a provision that delayed enforcement until July 1, 2023. This enforcement date gave businesses some leeway to get their data ducks in a row to adhere to the new amendments of the CCPA. As of this writing, the CPPA now has the authority to enforce the CCPA, as amended. Therefore, businesses could face some significant penalties for noncompliance with the CPRA. Section 1798.155 of the CCPA, Administrative Enforcement, highlights the following potential fines:

  • A business, services provider, contractor, or other person in violation could be liable for an administrative fine not exceeding $2,500 for each violation, or
  • A $7,500 fine for each violation that is either intentional or involves children


The CPRA amendments bring additional privacy protections to the residents of California. Enforcement is in full effect, and it’s just a matter of time before we see what case examples the CPPA brings forward.


With so many acronyms presented in this article, this table will help define the relationship among the CCPA, CPRA, and CPPA.

AcronymWhat It Stands ForYear PassedBeginningsIntentEffective Date
CCPACalifornia Consumer Privacy Act2018California State Law (legislative)Enhance privacy rights and consumer protection for California residentsJan. 1, 2020
CPRACalifornia Privacy Rights Act2020California State Referendum (voter/ballot initiative, Proposition 24)Amends the CCPA to provide additional protections and address gapsJan. 1, 2023
CPPACalifornia Privacy Protection AgencyN/ACalifornia State Referendum (voter/ballot initiative)Creation of a five-member agency to administer and enforce California’s privacy actJan. 1, 2023 (enforcement started July 1, 2023)

Kelly LeBlanc is a knowledge management specialist at FireOak Strategies, where she specializes in OA, open data, data management, geographic information systems (GISs), and data/information governance issues. Prior to joining FireOak, LeBlanc was with the Digital Initiatives Unit at the University of Alberta, where she worked with GISs, metadata, and spatial and research data. She served in various municipal planning and development capacities working with GISs, municipal law, planning/zoning regulations, and resource management. LeBlanc holds an M.L.I.S. from the University of Alberta and a master of letters from the University of Glasgow.

Related Articles

12/6/2022The National FOI Summit 2022: Safeguarding the Right to Public Records
2/8/2022Data Colonialism: A New Way to Look at the Complex World of Information
10/13/2020'Google and Facebook Hate a Proposed Privacy Law ' by Jason Kint
3/31/2020Coronavirus Reshapes Law While Reshaping Society
7/30/2019ALA Disapproves of LinkedIn Learning's Terms of Service
5/15/2018Microsoft Trust Center Offers Resources on GDPR Compliance

Comments Add A Comment

              Back to top