Summary
This article explains the California Privacy Rights Act, how it expands the earlier CCPA, and what it means for businesses handling personal data. It outlines key changes, consumer rights, compliance requirements, and the impact on file sharing practices. The article also covers best practices and shows how secure file transfer tools like SureSend can support CPRA compliance by providing encryption, access controls, and audit trails.
Table of Contents
- Understanding the California Privacy Rights Act (CPRA)
- Key Provisions of the California Privacy Rights Act (CPRA)
- California Consumer Privacy Act (CCPA) vs. California Privacy Rights Act (CPRA): What’s Changed?
- Threshold for Businesses Subject to the Law
- CPRA Regulations and Compliance Requirements
- Who Needs to Comply with the CPRA?
- Practical Steps for CPRA Compliance
- Penalties for Non-Compliance
- How SureSend Helps with CPRA Compliance
- Conclusion: Embracing Privacy as a Business Advantage
- FAQ
The California Privacy Rights Act (CPRA) represents a significant development in data privacy legislation that businesses handling sensitive information need to understand.
If you’re sending confidential files or managing customer data in California, the CPRA introduces important new obligations you can’t afford to ignore.
With data breaches becoming increasingly common and expensive, understanding these regulations isn’t just about compliance – it’s about protecting your business and maintaining customer trust.
In this comprehensive guide, we’ll explore what the CPRA means for your organisation, how it differs from its predecessor (CCPA), and practical steps for ensuring your data handling practices align with these regulations.
Understanding the California Privacy Rights Act (CPRA)
The California Privacy Rights Act, commonly referred to as CPRA, was approved by California voters in November 2020.
It significantly amends and expands the California Consumer Privacy Act (CCPA) that went into effect in January 2020.
The CPRA represents California’s effort to strengthen consumer privacy protections and brings California’s privacy laws closer to the European Union’s General Data Protection Regulation (GDPR).
The CPRA took effect on January 1, 2023, giving businesses time to adapt their practices to the new requirements.
Key Provisions of the California Privacy Rights Act (CPRA)
The CPRA introduces several important changes to California’s data privacy framework:
1. Creation of the California Privacy Protection Agency (CPPA)
One of the most significant changes is the establishment of a dedicated enforcement agency.
The CPPA is the first agency in the United States dedicated exclusively to privacy regulation.
This represents a shift from the previous approach where the California Attorney General’s office was responsible for enforcing the CCPA.
2. New Consumer Rights
The CPRA expands consumer rights regarding their personal information:
- Right to correct inaccurate personal information
- Right to limit use and disclosure of sensitive personal information
- Right to opt out of automated decision-making technology
- Enhanced right to delete (businesses must notify third parties)
3. Introduction of “Sensitive Personal Information”
The CPRA creates a new category of “sensitive personal information” that includes:
- Government identifiers (SSN, driver’s licence, passport)
- Financial account information
- Precise geolocation
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
- Contents of mail, email, and text messages
- Genetic data
- Biometric information
- Health information
- Sexual orientation information
Consumers can limit the use and disclosure of this sensitive information to purposes necessary to perform the services.
4. Data Minimisation and Purpose Limitation
Businesses must collect, use, retain, and share consumer personal information only as “reasonably necessary and proportionate” to the purposes disclosed.
This places the burden on businesses to justify their data collection practices.
California Consumer Privacy Act (CCPA) vs. California Privacy Rights Act (CPRA): What’s Changed?
While the CPRA builds upon the CCPA framework, there are several key differences organisations should understand:
Threshold for Businesses Subject to the Law
Under the CCPA, businesses that collected personal information of 50,000 or more California consumers were subject to the law.
The CPRA increases this threshold to 100,000 consumers or households, potentially exempting some smaller businesses.
However, the revenue threshold remains at $25 million, and businesses that derive 50% or more of their annual revenue from selling or sharing consumers’ personal information are still covered.
Data Sharing
The CPRA expands regulations beyond just the “sale” of data to include “sharing” of personal information for cross-context behavioural advertising, even when no money changes hands.
This closes a significant loophole in the CCPA.
Expanded Private Right of Action
The CPRA extends the private right of action to include data breaches involving email addresses in combination with passwords or security questions that would permit access to an account.
This is in addition to the CCPA’s private right of action for certain data breaches.
Extended Exemptions
The CPRA initially extended the CCPA’s partial exemptions for employee and business-to-business data until January 1, 2023.
Now, these exemptions have expired, meaning businesses must address CPRA compliance for employee and B2B personal information as well.
CPRA Regulations and Compliance Requirements
The CPRA regulations provide more detailed guidance on how businesses should implement the law’s requirements.
Here are key compliance considerations:
Privacy Notices
Businesses must update their privacy notices to include:
- Description of new consumer rights
- Categories of sensitive personal information collected
- Purposes for collecting sensitive personal information
- Whether personal information is sold or shared
- Retention periods for each category of personal information
Data Processing Agreements
The CPRA requires specific contractual provisions with service providers, contractors, and third parties who access personal information.
These agreements must include:
- Prohibitions on selling or sharing the personal information
- Limitations on use of the personal information
- Compliance certification requirements
- Rights to take reasonable steps to remediate unauthorised use
Risk Assessments and Cybersecurity Audits
Businesses engaging in “high-risk” processing activities must perform regular risk assessments and submit them to the CPPA.
High-risk activities include processing that presents significant risk to consumer privacy or security.
Additionally, businesses must conduct annual cybersecurity audits if their processing presents significant risk to consumers’ security.
Opt-Out Mechanisms
Businesses must provide “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links on their websites.
They must also recognise and process opt-out preference signals sent by browsers or devices.
Who Needs to Comply with the CPRA?
The CPRA applies to for-profit businesses that do business in California and meet at least one of these criteria:
- Have annual gross revenue exceeding $25 million;
- Buy, sell, or share the personal information of 100,000 or more California consumers or households; or
- Derive 50% or more of their annual revenue from selling or sharing California consumers’ personal information.
Importantly, you don’t need a physical presence in California to be subject to the law.
If you collect data from California residents and meet the thresholds, you’re likely required to comply.
Practical Steps for CPRA Compliance
Here are actionable steps businesses can take to align with CPRA requirements:
1. Data Mapping and Inventory
Conduct a comprehensive inventory of personal information your business collects, including identifying sensitive personal information under the new definition.
Document where this data is stored, how it’s processed, and with whom it’s shared.
2. Update Privacy Policies
Revise your privacy notices to include all required disclosures, especially regarding sensitive personal information and new consumer rights.
3. Implement Rights Management Processes
Establish or update procedures for handling consumer rights requests, including the new right to correct inaccurate information and limit use of sensitive personal information.
4. Review and Update Vendor Contracts
Ensure all agreements with service providers, contractors, and third parties include the specific provisions required by the CPRA.
5. Establish Data Retention Policies
Develop clear data retention schedules that specify how long different categories of personal information will be retained and ensure these are documented in your privacy policy.
6. Conduct Risk Assessments
If your business engages in high-risk processing activities, implement regular risk assessment procedures to identify and mitigate potential risks to consumer privacy.
7. Secure Data Transfers
When sharing sensitive information, use secure methods like SureSend that employ industry-grade encryption (TLS in transit, AES-256 at rest) to protect data during transfers and storage.
Penalties for Non-Compliance
The CPRA maintains the CCPA’s enforcement structure while introducing some changes:
Administrative fines can reach up to $2,500 per violation, or $7,500 for each intentional violation or violation involving minors’ personal information.
The private right of action for data breaches allows consumers to seek statutory damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater.
The establishment of the CPPA likely means more consistent enforcement compared to the previous approach under the CCPA.
How SureSend Helps with CPRA Compliance
Secure file transfers are an essential component of privacy compliance.
When sharing sensitive personal information as defined by the CPRA, businesses need secure methods to protect this data in transit and at rest.
SureSend provides robust security measures that support your CPRA compliance efforts:
- Industry-grade encryption: Files are secured using TLS encryption in transit and AES-256 encryption at rest on SureSend’s servers
- Access controls: Ensure only authorised recipients can access sensitive information
- Expiring links: Set file availability windows to ensure data isn’t accessible indefinitely
- Audit trails: Track file access for compliance documentation
By implementing SureSend for file transfers containing sensitive personal information, your organisation demonstrates a commitment to appropriate security measures that align with CPRA requirements for reasonable security procedures.
Conclusion: Embracing Privacy as a Business Advantage
The California Privacy Rights Act represents a significant evolution in U.S. privacy law, bringing stronger protections for consumers and new compliance requirements for businesses.
While achieving and maintaining compliance requires investment, it also creates opportunities to build customer trust and differentiate your business.
The risks of non-compliance extend beyond financial penalties to include reputational damage and loss of customer confidence.
Using secure solutions like SureSend for sharing sensitive information demonstrates your commitment to privacy and security.
By properly implementing strong data protection measures, including secure file transfer mechanisms with robust encryption, businesses can not only comply with the CPRA but also establish themselves as responsible stewards of personal information in an increasingly privacy-conscious marketplace.
Understanding and implementing the California Privacy Rights Act requirements is no longer optional for businesses handling California consumer data – it’s an essential aspect of operating in today’s digital economy.
To learn more about the California Privacy Rights Act, visit https://thecpra.org/.
Frequently Asked Questions About the California Privacy Rights Act (CPRA)
Does the CPRA apply to my business if I’m not based in California?
Yes, if you collect personal information from California residents and meet any of the thresholds (annual revenue exceeding $25 million, buying/selling/sharing personal information of 100,000+ California consumers, or deriving 50%+ revenue from selling/sharing California consumers’ information), you’re subject to the CPRA regardless of your business location.
What’s the difference between “selling” and “sharing” under the CPRA?
“Selling” involves exchanging personal information for monetary or other valuable consideration, while “sharing” refers to transferring personal information to a third party for cross-context behavioural advertising, even without monetary exchange.
The CPRA regulates both activities.
How does the CPRA impact employee data?
As of January 1, 2023, the partial exemptions for employee and B2B data have expired.
This means businesses must now apply CPRA protections to employee personal information, including providing privacy notices and honouring rights requests.
How can secure file transfer solutions help with CPRA compliance?
Secure file transfer solutions like SureSend help protect sensitive personal information during sharing and storage through encryption and access controls.
This addresses the CPRA’s requirements for implementing reasonable security procedures appropriate to the nature of the personal information.
What should I do if I discover a data breach under the CPRA Regulations?
If you experience a breach that involves certain personal information, you may have notification obligations to affected California residents.
Be aware that consumers have a private right of action for data breaches resulting from a business’s failure to implement reasonable security practices.
