The California Privacy Rights Act (CPRA), also known as Proposition 24, is an amendment to the California Consumer Privacy Act (CCPA). It came into effect on January 1, 2023. CPRA strengthens and extends consumer data privacy protections in California, aligning more closely with international regulations like the GDPR. It introduces new rights for consumers and increases accountability for businesses.

Key Enhancements Over CCPA

CPRA adds the right to correct inaccurate personal data and the right to limit the use of sensitive personal information, such as geolocation, race, and health data. It also requires businesses to clearly disclose the categories of sensitive data collected and allow users to opt out of its use. Another major addition is the concept of “sharing” data (for targeted advertising), which must be disclosed and allowed to be opted out of—separate from “selling” data.

The CPRA also redefines “contractors,” “service providers,” and “third parties,” requiring stricter agreements to prevent misuse of data. It applies to businesses with 100,000+ consumers or households, down from 50,000 in the CCPA.

Enforcement and Compliance

A major change is the creation of the California Privacy Protection Agency (CPPA), the first dedicated U.S. privacy regulator. It oversees compliance, conducts audits, and issues fines. The CPRA eliminates the 30-day cure period and introduces more detailed rules around risk assessments and cybersecurity audits.

CPRA represents a maturing of California’s privacy law landscape, raising the bar for businesses nationwide.