March 26, 2026

CPRA and What Changed After the CCPA

The CPRA added California duties around sharing, sensitive personal information, retention, correction, and privacy choices.

The California Privacy Rights Act amended the CCPA, took full effect on January 1, 2023, and became enforceable on July 1, 2023. It applies to a for-profit business that meets any one of three tests: more than $25 million in annual gross revenue; buying, selling, or sharing the personal information of at least 100,000 California consumers or households; or earning at least half its revenue from selling or sharing personal information. It expanded California's duties enough that a business already running a CCPA page has to ask what changed.

The change with the widest reach was sensitive personal information, which California now defines separately and ties to a right, in some circumstances, for a consumer to limit how it is used and disclosed. A business that collects precise geolocation, account credentials, financial information, government identifiers, or other sensitive categories has to confirm that the page reflects what it holds and that the privacy choices path describes the limit right accurately.

The CPRA also split selling from sharing, treating the sale of personal information and the sharing of it for cross-context behavioral advertising as two separate questions. That is why a covered site may need a Do Not Sell or Share link, a visible opt-out, and privacy choices language that matches what the ad stack does. For many ecommerce and SaaS businesses this exposed the widest distance between the page and the operation, because a policy built on generic third-party language can miss the sale or share question entirely even while pixels and audience syncing run in the background.

The CPRA added the right to correct inaccurate information and raised the bar on retention and data minimization, so the notice at collection now has to state retention periods or the criteria that set them, which makes an open-ended page that lists categories forever harder to defend. The page has to track the retention logic and the rights workflow closely enough that a reader can tell how the business handles personal information after it is collected.

California's Civil Code and the CPPA regulations put significant weight on how a consumer exercises choices. A business can comply through a single plainly labeled link or through qualifying opt-out preference signals, but the design has to be plain, symmetrical, and truthful, and the test is whether the public path works the way the page says. The CPRA is an implementation statute as much as a disclosure statute, so a polished policy still fails if the choices interface is hard to find, harder to use than the data sharing path, or out of step with the footer and the notice.

Key Takeaways

  • The CPRA amended the CCPA, took effect on January 1, 2023, and applies to a for-profit business over $25 million in revenue, above 100,000 consumers or households, or earning half its revenue from selling or sharing data.
  • It defines sensitive personal information separately and grants consumers a right to limit its use in some circumstances.
  • It treats selling and sharing for cross-context advertising as separate questions, so a covered site may need a Do Not Sell or Share link and a working opt-out.
  • It added the right to correct and pushed retention disclosure, and it judges the privacy choices path by whether it works the way the page describes.
