AuditXYZ

Lesson 4 of 5

CPRA Amendments: What Changed and Why It Matters


The California Privacy Rights Act (CPRA) was passed by voters in November 2020 and took effect on January 1, 2023, with a lookback period to January 1, 2022. CPRA significantly amended the CCPA, adding new consumer rights, new business obligations, and creating a dedicated enforcement agency.

Sensitive Personal Information

CPRA introduced the concept of sensitive personal information (SPI), which includes Social Security numbers, driver's license numbers, financial account information, precise geolocation, racial or ethnic origin, religious beliefs, health data, sex life or sexual orientation, biometric information, and mail, email, and text message contents.

Consumers can limit the use of SPI to what is necessary for providing the requested service. Businesses using SPI for other purposes must provide a "Limit the Use of My Sensitive Personal Information" link on their website.

California Privacy Protection Agency

CPRA created the California Privacy Protection Agency (CPPA), a dedicated enforcement body replacing the Attorney General as the primary CCPA enforcer. The CPPA has rulemaking and enforcement authority, including the ability to issue fines. The agency has been actively issuing regulations and enforcement guidance since its establishment.

New Consumer Rights

CPRA added the right to correction, the right to limit use of sensitive personal information, and expanded opt-out rights to cover sharing (cross-context behavioral advertising) in addition to selling.

Data Minimization and Retention

CPRA introduced data minimization and storage limitation principles — businesses must collect, use, and retain only what is reasonably necessary and proportionate. Businesses must also disclose retention periods in their privacy policies and not retain personal information longer than reasonably necessary.

Contractor and Service Provider Changes

CPRA expanded the categories of data recipients to include "contractors" alongside service providers and third parties. Each category has specific contractual and compliance requirements. The distinctions affect how data can flow and what obligations apply.

Audit Requirements

CPRA authorizes the CPPA to require businesses engaged in processing that presents significant risk to consumer privacy to perform annual cybersecurity audits and submit risk assessments. Regulations specifying these requirements continue to develop.

In the next lesson, we will cover building a CCPA compliance program.