November 10, 2022

Last Updated on January 15, 2024

The California Consumer Privacy Act (CCPA), now revised and expanded as the California Privacy Rights Act (CPRA), goes into effect on January 1, 2023. This legislation gives consumers important new rights, to be enforced by the new California Privacy Protection Agency in parallel with the California Attorney General’s office. Companies that do business in California need to comply to avoid significant penalties—as Sephora recently learned after being fined $1.2 million for CCPA violations.


Who is affected?

All for-profit businesses that own property in, have employees in, and/or sells goods or services to California residents are subject to CPRA if they meet one or more of these criteria:

  • Annual revenue greater than $25 million
  • Collect personal data on more than 100,000 California residents
  • Derive 50% or more of annual revenue from selling personal data


What are the potential penalties?

The California AG and California Privacy Protection Agency can levy civil penalties up to $7,500 for each intentional violation. There is also a private right to action for consumers and employees whose personal data is exposed due to a data breach.

These risks represent a huge incentive for covered orgs to protect personal data and establish CPRA compliant policies and procedures.


What are the privacy program impacts?

Even if your org has been compliant with the original CCPA, you’ll need to implement significant new controls and processes to meet the impending CPRA requirements. Consumers are getting additional rights, including a Right to Correction and a Right to Limit the Use and Disclosure of Sensitive Personal Information. In addition, the right to opt out of the sale of personal information has been expanded to encompass information sharing with third parties doing cross-context behavioral advertising.

Besides addressing these new rights, companies also have new obligations to ensure and demonstrate a robust privacy posture. These include annual security audits, regular risk assessments, and data minimization practices. Plus, your website must support the Global Privacy Control (GPC) specification to make it easier for consumers to specify privacy preferences.



What actions should you take?

Some of the steps businesses should take if they haven’t already to meet CPRA requirements include:

  • Update your privacy policy and associated consumer forms
  • Make sure your website homepage includes the required privacy notice and opt-out links
  • Update your website to support Global Privacy Control
  • Make the needed changes to your IT and business processes so you can respond to data subject access requests (DSARs), opt-out requests, etc.
  • Inform and train staff on new workflows, policies, etc.

This is far from a comprehensive list, but these are among the most critical tasks. A gap assessment leading to a prioritized to-do list will be an important early step for many orgs.


What’s next?

With CPRA rules and enforcement taking effect in less than 60 days, now is the only time left to ensure your business is compliant. Note that even the 30-day “right to cure” under the original CCPA is eliminated with CPRA.


If you need help assessing or advancing your CPRA compliance posture, contact Pivot Point Security.