CCPA vs. CPRA – What has changed?

November 10, 2020

On November 4, 2020, California voters passed the California Privacy Rights and Enforcement Act (CPRA or CCPA 2.0). The CPRA amends various parts of the existing California Consumer Privacy Act (CCPA), with the changes going into effect on January 1, 2023. Many businesses have wondered what differences there are between the CCPA and the CPRA. Below, some of the differences between the two are described.

Threshold Application

CCPA: For-profit businesses that collect personal information from California residents, determine the purposes in California, and meet any of the following:

  • Have a gross annual revenue of over $25 million;
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

CPRA: For-profit businesses that collect personal information from California residents, determine the purposes in California, and meet any of the following:

  • Have a gross annual revenue of over $25 million;
  • Buy, sell, or share the personal information of 100,000 or more California residents or households; or
  • Derive 50% or more of their annual revenue from selling or sharing California residents’ personal information.

Employee and B2B Exemption

CCPA: Expires on Jan. 1, 2021

CPRA: Expires on Jan. 1, 2023

Consumer Rights

CCPA:

  • Right to Know/Access
  • Right to Delete
  • Right to Opt-out of Sale
  • Right to Non-Discrimination

CPRA: All rights under the CCPA, plus:

  • Right to Rectification
  • Right to Limit Use and Disclosure of Sensitive Personal Information

Covered Personal Information

CCPA: “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

CPRA: Personal information, as well as “Sensitive Personal Information”, which includes information such as SSN, driver license numbers, biometric information, precise geolocation, and racial and ethnic origin.

Third Parties

CCPA: “Service Provider” – an entity that processes personal information on behalf of a business pursuant to a written contract.

CPRA: Also includes “Contractor” – an entity “to whom a business makes available a consumer’s personal information for a business purpose pursuant to a written contract with the business”.

Enforcement

CCPA:

  • Attorney General can pursue violations
  • Consumers have a private right of action for a breach of certain information
  • Businesses have a 30-day cure period before being fined for a violation by the AG

CPRA:

  • Creation of the California Privacy Protection Agency for enforcement and guidance
  • Consumers have a private right of action for a breach of certain information
  • Businesses no longer have a 30-day cure period before being fined for a violation by the CPPA

Definition – Sell vs. Share

CCPA: “Sell” – for monetary or other valuable consideration.

CPRA:

  • “Sell” – for monetary or other valuable consideration
  • “Share” – share by a business to a third party for cross-context behavioral advertising for the benefit of a business where no money is exchanged.

Use Limitation

CCPA: N/A

CPRA: Collection, retention, and use should be limited to what is necessary to provide goods or services.

Private Right of Action

CCPA: Available when a consumer’s unredacted or unencrypted personal information has been breached due to a failure to implement or maintain reasonable security measures.

CPRA: In addition to unredacted and unencrypted personal information, a private right of action is available if an email address and password or security question and answer that would allow access to the account is breached.

Personal Information of Minors

CCPA: Fines for violations involving the personal information of minors are the same as the fines for other types of personal information – $2,500 for each unintentional and $7,500 for each intentional violation.

CPRA: Automatic $7,500 fine for a violation involving the personal information of minors.

Required Cybersecurity Audits

CCPA: N/A

CPRA: Annual cybersecurity audit required for businesses whose processing presents a significant risk to consumer privacy or security.

Required Risk Assessments

CCPA: N/A

CPRA: Businesses whose processing presents a significant risk to consumer privacy or security must submit a regular risk assessment to the CPPA.

Profiling and Automated Decision Making

CCPA: N/A

CPRA: “Profiling” – any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person, such as work performance, health, reliability, etc.

Regulations are expected to give additional information on access and opt-out rights for the use of automated decision making.

Some of these changes are dependent on future regulations, which will be released by the soon-to-be-created California Privacy Protection Agency. Therefore, we can expect additional changes before the CPRA’s effective date of January 1, 2023.
