In California, the California Privacy Rights Act (CPRA) is the latest amendment to California’s consumer privacy law, the California Consumer Privacy Act (CCPA). The CPRA provides consumers with additional rights. As a New York business owner, what do you need to know?

What is the CCPA and the CPRA?

The CCPA “gives consumers more control over the personal information that business[es] collect about them and the CCPA regulations provide guidance on how to implement the law.”[1] The CCPA, which went into effect in January 2020, created “an array of consumer privacy rights and business obligations with regard to the collection and sale of personal information.”[2]

In 2020, California voters approved the California Privacy Rights Act (CPRA). The CPRA amended the CCPA adding new privacy protections, amongst other things.

The protections, which became effective in January 2023, give consumers new rights in addition to those provided in the original CCPA, such as: (1) the right to correct inaccurate personal information that a business has about them, and (2) the right to limit the use and disclosure of sensitive personal information collected about them.[3]  The CPRA defines “sensitive personal information” as:

  1. Government identifiers, including Social Security numbers and driver’s licenses;
  2. Account log-in, financial account, debit card, or credit card number with any required security code, password, or credentials allowing access to an account;
  3. Precise geolocation;
  4. Contents of mail, email, and text messages;
  5. Genetic data;
  6. Biometric information processed to identify a consumer;
  7. Information concerning a consumer’s health, sex life, or sexual orientation; or
  8. Information about racial or ethnic origin, religious or philosophical beliefs, or union membership.

Further, the CPRA creates a dedicated agency that has the power to investigate, enforce, and create rules. Additionally, there is no cure period under the CPRA. Therefore, businesses do not get the benefit of being notified of a violation before enforcement.

Who is subject to the CPRA?

The CPRA applies to “businesses” that collect personal information of California residents. The specific definition of “businesses” is:

  • A for-profit legal entity that
    • collects consumers’ personal information, or on the behalf of which such information is collected,
    • that does business in the State of California,
    • and satisfies one or more of the following thresholds:
      • Has a gross revenue in excess of $25 million,
      • Buys, sells, or shares the personal information of 100,000 or more consumers or households, or
      • Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.

What responsibilities do businesses subject to the CPRA and CCPA have?

Businesses that are subject to the CCPA and CPRA must do several things, including:

  1. Notify consumers of their rights,
  2. Comply with all regulations regarding the consumer rights,
  3. Fulfill disclosure and retention obligations,
  4. Facilitate consumer’s requests regarding their rights, and
  5. Implement security safeguards.[4]


Please contact us for more detailed guidance or with any questions.

Thank you to Joseph Townsend for his research and writing assistance.

[1]California Consumer Privacy Act (CCPA), State of Cal. Dep’t of Just. Off. of the Att’y Gen. (Feb. 15, 2023), https://oag.ca.gov/privacy/ccpa.

[2] CCPA vs CPRA: What’s the Difference?, Bloomberg L. (Jan. 23, 2023), https://pro.bloomberglaw.com/brief/the-far-reaching-implications-of-the-california-consumer-privacy-act-ccpa/.

[3] Id.

[4] Id.