
California's CCPA 2.0 Passed: Everything You Need to Know About the New CPRA

The CPRA upgraded California's privacy law with new rights, new categories, and a real enforcement agency. Here is what changed.

California's CCPA 2.0 Passed: Everything You Need to Know About the New CPRA, by Deepak Gupta on guptadeepak.com

In November 2020, California voters passed Proposition 24, the California Privacy Rights Act (CPRA). It amended and expanded the CCPA, creating what most observers call "CCPA 2.0." Most of its operative provisions took effect on 1 January 2023, with enforcement starting 1 July 2023.

If your business handles personal data on California residents, CPRA changed enough that a refresh is overdue.

What the CPRA changed

A dedicated enforcement agency

The biggest structural change: the law created the California Privacy Protection Agency (CPPA), the first dedicated privacy regulator in the United States. The Attorney General still enforces, but the CPPA has rulemaking authority and its own investigative powers. Enforcement has been more active than under the original CCPA.

A new category: sensitive personal information

CPRA carved out a class of "sensitive personal information" that gets stronger protection. It includes:

  • Government IDs (SSN, driver's licence, passport).
  • Financial-account credentials.
  • Precise geolocation.
  • Race, ethnicity, religion, union membership.
  • Genetic data, biometric identifiers, health data.
  • Sex life or sexual orientation.
  • Contents of mail, email, and text messages.

Consumers have the right to limit the use of sensitive personal information to what is necessary to provide the service they asked for.

New consumer rights

  • Right to correct. Consumers can require correction of inaccurate personal information.
  • Right to limit use of sensitive personal information. See above.
  • Right to know about automated decision-making. Consumers are entitled to meaningful information about the logic involved and the likely outcomes of such processing.
  • Right to opt out of profiling. This applies especially to decisions that produce legal or similarly significant effects for the consumer.

Data minimisation and retention

CPRA put on the books what GDPR has long required: collect only what you need, retain it only as long as necessary, and tell consumers up-front how long that is.

Contractual obligations on service providers

Vendor contracts now have to include specific privacy clauses. "Standard" data-processing agreements that worked under CCPA need updating to cover CPRA's new requirements around purpose limitation and onward transfer.

Expanded data-breach liability

The private right of action for breaches now extends to email addresses combined with a password or security question. Statutory damages of $100 to $750 per consumer per incident still apply.

Higher thresholds

The applicability threshold for data-broker-style businesses rose to 100,000 consumers or households, up from 50,000. Small businesses get some relief; data-driven businesses get more obligations.

What to actually do

  • Audit your data inventory. Tag any field that meets the new sensitive personal information definition.
  • Add a "limit use of sensitive personal information" link alongside the existing "do not sell or share" link.
  • Update privacy notices with retention periods, sensitive-data disclosures, and details of any automated decision-making.
  • Refresh vendor contracts to include CPRA-mandated terms.
  • Build or update the "right to correct" flow into your data-subject-rights tooling.
  • Re-train customer-facing teams on the new rights and response timelines.

The bigger trend

CPRA is part of a wider shift. At least a dozen US states have followed with their own privacy laws, each with its own quirks but a converging set of consumer rights. Building one privacy programme that meets the strictest applicable bar (usually CPRA or GDPR) is far cheaper than maintaining a patchwork. Plan accordingly.
