How California Privacy Rights Act Changed Consumers Data Protection Rules

Marketers used to be able to fully access and retain client data and use it to alter their marketing tactics, offers, and so on.

These practices, in the long run, generated concerns about the security of consumers’ data. As a result, additional regulations were required. This resulted in the creation of the GDPR for European citizens and the California Privacy Rights Act (CPRA) for Californians, two laws that govern the collection, use, and rights of users’ data.

Continue reading if you’re in a position in which you need to handle customer data but don’t know how. This article will explain how the California Privacy Rights Act changes consumer data protection rules.

Let’s get right to it.

What is California Privacy Rights Act (CPRA)?

Digital security. Caution notice on a keyboard.

The California Privacy Rights Act (CPRA) is a data privacy law that will go into effect on January 1, 2023, with the purpose of protecting consumers’ data.

The CPRA applies to businesses and organizations that gather personal information from California citizens. Its privacy standards are similar to the GDPR of the EU (General Data Protection Regulation).

Who does the CPRA apply to?

The CPRA applies to any legal entity that does business in California (regardless of location), gathers personal information from customers, and:

  • Has an annual gross revenue of over $25 million in the previous calendar year. 
  • Purchases, sells, or distributes personal information from 100,000 or more individuals or households (this is either alone or in combination with another company). 
  • Sells or shares personal information about its customers for 50% or more of its annual revenue.

What data does CPRA protect?

The CPRA only applies to personal data, which is any information that can be used to identify a person. Some of the most important data protected by the CPRA are as follows:

  • Name
  • IP address
  • Address
  • Identifiers for credit cards
  • Phone Number
  • Records of Medical Treatment
  • Email Address
  • Geolocation
  • Sexual orientation
  • Personal History Information
  • Date of birth
  • Data on Government IDs

CPRA penalties

Noncompliance with CPRA rules can have serious financial and legal implications for your company or organization. The consequences that you may face if you violate the rules are stated below.

Civil penalties

If non-compliant firms do not remedy their non-compliance within 30 days of being notified, the Attorney General of California and the newly formed California Privacy Protection Agency may seek injunctions against them. Civil fines are limited to $2,500 per violation or $7,500 for willful violations. Violations affecting children’s information will also face harsher sanctions.

Private action

Furthermore, consumers may file a lawsuit action for security breaches in order to recover between $100 and $750 in damages, or actual damages, injunctive or declaratory relief, or any other relief the court considers reasonable.  Again, they must wait 30 days after issuing written notice before addressing any violations of the law.

What are the users rights under CPRA?

The CPRA’s primary goal is to protect users’ sensitive data from potential misuse and malicious intent. It specifically grants users the following rights:

  • The right to know and be informed – Users must be informed of the data you intend to gather, how you plan to use it, and for what reason.
  • The right to access data – Users must have unrestricted access to their data at all times.
  • The right to deletion – Users may request the deletion of their data at any time.
  • The right to correct personal information – Users should be allowed to correct their information whenever and however they want.
  • The right to opt-out – Users can revoke the permissions they granted you in the beginning.
  • The right to limit the use and disclosure of sensitive personal information – Users have the right to request that you limit the use of their data and its sharing with third parties to their preferences.
  • The right to non-discrimination – This means that you (as a business) are not permitted to retaliate or discriminate against customers or workers who exercise their CPRA rights.

Obligations of businesses and organizations under the CPRA

Privacy policy. A web page on a laptop.

According to the CPRA, businesses must not only comply with the elements of the regulation that give consumers set rights, but they must also protect any data they do have from being damaged, modified, or falling into unauthorized hands.

The regulations offer extensive guidance for handling the emergency response if a data breach occurs. The following are the guidelines:

  • Any California citizen who has been affected by a data breach must be notified. If a single incident affects more than 500 California people, the company must also notify the Attorney General of the state by sending an electronic copy of the security breach notification.
  • Once a breach is discovered, companies must notify the government “without unreasonable delay.” The notice must be prepared in plain language, with the title “Notice of Data Breach” and the following information:
  • The reporting organization’s name and contact information;
  • An overview of what occurred.
  • Specifics on the sorts of personal data exposed in the breach.
  • Information on the breach’s timing (date, expected date, or date range).
  • If the breach exposes social security numbers, driver’s license information, or California identity card numbers, the phone numbers and addresses of major credit reporting agencies.
  • What the company has done to protect those who have been harmed by the breach.
  • Advice on how people who are affected can protect themselves.
  • If the company can show that delivering the notice would cost more than $250,000, that the number of people affected is greater than 500,000, or that the company lacks adequate contact information for individuals, the company must undertake all of the following:
  • Notification through email (if the organization has email addresses for the affected individuals).
  • For at least 30 days, visible posting on the organization’s website (i.e. featuring a link to the notice on the home page, made obvious with larger text or contrasting colors).
  • California-based enterprises must additionally notify the California Office of Information Security, as well as prominent statewide media.

How can organizations prepare for CPRA?

  • Stay up to date with changes

CPRA is a rule that is always evolving. As a result, things may shift rapidly and unexpectedly. Thus, to be compliant and avoid violations, you must be prepared and informed.

As a result, make sure to monitor news websites, official websites, and documents on a regular basis.

  • Protect users’ personal data using anti-fraud software

One of the first actions you should take to prevent significant fines for non-compliance and improve your cybersecurity is to protect your website and all of your customers’ and users’ data.

You can employ anti-fraud software to accomplish this. Such a system would prevent fraudulent transactions involving stolen credit card information and other sensitive data.

In other words, the tool will automatically monitor, examine, and ban suspected and legitimate fraudulent actions on your website.

  • Create and update your privacy policy regularly

A privacy policy is a legal document that explains how you manage your users’ personal information, from collection through storage.

To be more specific, a privacy policy should comprise the following:

  • Personal information. You must specify what type of PI your organization will gather.
  • Collection process. Describe how your business will collect data.
  • Usage. You must, of course, explain how you intend to use the data you acquire.
  • Security. This provision will spell out how your organization will safeguard all sensitive information.
  • Storage and sharing. Determine where you’ll store their information and whether you’ll share it with others.
  • Cookies. If you’re using cookies, users must know this.
  • Opting out and data subject rights. You must make it clear that consumers are not required to submit personal information. Make it clear that they have the right to object and have their information deleted at any moment.
  • Contact information. Finally, include contact information so that users may contact you or your team with any questions or concerns.

Naturally, if regulations change, you’ll need to update the policy to reflect the changes and how your organization will address them.

You’ll also need to update it should you decide to change the way you handle user data.

It will be your responsibility to notify all users of the changes. There are numerous options for doing so:

  • Include an update clause in your privacy policy.
  • Send an email to everyone notifying them of the changes.
  • Use a pop-up on your website to announce the changes.
  • Be sure your employees understand CPRA by training them

You can also keep your company compliant by informing and training your personnel on a regular basis.

Employees will almost certainly be managing sensitive data, therefore they must be knowledgeable of all legal practices, including what they may do, the rights of users, and what they cannot do.

For this reason, you should invest in their education. You may, for example, provide them with video courses or essential documentation that clearly explain the regulations. Ensure that all of these informational tools are available to your employees at all times. 


Governments and authorities have made protecting consumer data their top priority. Businesses must comply with new legislation in order to avoid financial and legal repercussions and maintain a positive reputation.

As you can see from this essay, there are numerous strategies to prepare your organization and ensure compliance with the CPRA. Beginning to implement all of the practice will save you time and work in the future and allow you to be prepared. Thank you for taking the time to read this blog post. Hopefully, it was informative and helpful to you.

If you want to read more, please check out this article on how to become and remain email compliant.


Flavia Silipo is a skilled SEO copywriter and digital marketing specialist with over two years of experience. You can find her on LinkedIn.