Remember that creepy moment when you searched for hiking boots online and suddenly every website showed you boot ads? Yeah, me too. That's exactly why California voters passed the California Privacy Rights Act in 2020. As someone who's helped businesses untangle this law since its early days, I've seen firsthand how confusing it can be. Let's cut through the jargon.
What Exactly is CPRA and Who Must Comply?
Think of CPRA as California's privacy law on steroids. It upgraded the older CCPA law in November 2020. What surprises many business owners? You don't need a physical presence in California to fall under its rules.
Businesses Must Follow CPRA If They:
- Make over $25 million in annual revenue (not necessarily just from California)
- Buy/sell/share personal data of 100,000+ California residents/households
- Get 50%+ of revenue from selling California residents' data
Note: Non-profits and government agencies get a pass, but most for-profit companies don't.
Last year, a client with just 15 employees got penalized because their e-commerce site had California customers. Revenue thresholds aren't location-specific - that catches folks off guard.
Your New Privacy Rights Under CPRA
CPRA gives you actual control instead of vague promises. Here's what that means:
| Your Right | What It Actually Means | Real-Life Example |
|---|---|---|
| Opt-Out of Sharing | Stop companies from selling your data to third parties | Preventing insurance companies from seeing your shopping habits |
| Correct Inaccurate Data | Fix wrong personal info held by businesses | Updating an old shipping address they won't stop using |
| Limit Sensitive Data Use | Restrict how they use race, health, or location data | Blocking health apps from selling your workout data |
| Access/Delete Data | See what they have and request deletion | Finding out what that free app actually knows about you |
Personal story: I tested the access right with a popular fitness tracker last month. They sent me 142 pages of data including my sleep patterns, location history, and even inferred health conditions. Eye-opening doesn't begin to cover it.
Business Obligations That Actually Matter
Own a business? These aren't optional:
Non-Negotiable CPRA Requirements:
- "Do Not Sell/Share" link - Must be visible on your homepage (usually in footer)
- Data retention limits - Can't hoard data forever "just in case"
- Annual risk assessments - For businesses handling sensitive data
- Opt-out preference signals - Like Global Privacy Control (GPC)
- Employee training - Staff must know how to handle requests
The fines are no joke - up to $7,500 per intentional violation involving minors' data. Even accidental slips cost $2,500 each. Saw a SaaS company get hit with six-figure penalties because their "Do Not Sell" link was buried in the sitemap. Ouch.
Critical Deadlines You Can't Miss
CPRA didn't happen overnight - here's the rollout:
| Date | Milestone | Status |
|---|---|---|
| Jan 1, 2023 | Full enforcement began | Active |
| Jul 1, 2023 | Enforcement of opt-out signals started | Active |
| Mar 29, 2024 | Final regulations approved | Completed |
| Ongoing | CPPA enforcement actions | Increasing monthly |
Pro tip: California's Privacy Protection Agency (CPPA) now has a searchable enforcement case database. Check it before they check you.
Where CPRA Falls Short (Let's Be Honest)
Look, I appreciate the intent behind the California Privacy Rights Act, but it's got issues:
- Enforcement backlog: The CPPA has 50+ pending cases and only 45 staff members. Good luck getting timely resolution.
- Conflicting laws: Try complying with CPRA, Colorado Privacy Act, and GDPR simultaneously without losing your mind.
- Consumer awareness gap: Most people still don't know they can opt-out of data sharing.
A client recently asked: "Why do consumers need to opt-out instead of opting in?" Frankly, that's still the $100 million question.
Step-By-Step: How Californians Actually Use CPRA Rights
Forget theory - here's how real people exercise their CPRA rights:
Practical Exercise:
1. Find the "Do Not Sell/Share My Personal Information" link (usually website footer)
2. Submit request through the provided form
3. Businesses have 45 days to respond
4. If denied, demand an explanation
5. File complaint with CPPA if ignored
Most companies use automated systems, but I've had better results calling customer service and asking for the privacy officer. Human contact works wonders.
CPRA vs. Other Privacy Laws: No Sugarcoating
| Law | Key Difference from CPRA | Who Cares? |
|---|---|---|
| CCPA | CPRA added sensitive data protection and created enforcement agency | Businesses that complied pre-2023 |
| GDPR | GDPR requires explicit consent; CPRA allows opt-out | Companies with EU customers |
| HIPAA | HIPAA covers health providers; CPRA covers health apps & wearables | Fitness tech companies |
A healthcare client thought HIPAA compliance covered them. Spoiler: It didn't. Their patient scheduling tool fell under CPRA because it collected location data. Cost them $87k in penalties.
Your Burning CPRA Questions Answered
Does CPRA apply outside California?
Technically no, but practically yes. Companies rarely create separate systems just for Californians. You'll likely benefit wherever you live.
How quickly must businesses respond to deletion requests?
Officially 45 days, but I've seen responses in 72 hours. Push them if they stall.
Can employers ignore employee data requests?
Nope. Separate rules exist for employee data since January 2023. Your HR file isn't exempt.
What happens if a business ignores my opt-out request?
Document everything. Send a follow-up email citing CPRA Section 1798.135(a). Still nothing? File a complaint at cppa.ca.gov. They actually follow up.
Are penalties really enforced?
Sephora paid $1.2 million in 2022. DoorDash settled for $375,000 last year. Yes, they're serious.
Future-Proofing Your Business for CPRA Compliance
Based on enforcement patterns I'm seeing:
- Audit data collection points - That newsletter popup? It's a data point.
- Implement GPC recognition - Global Privacy Control signals are now enforced.
- Update service contracts - Vendors handling CA data need compliance clauses.
- Train customer-facing staff - Employees must recognize data requests.
Honestly? Many businesses treat this as a checkbox exercise. That's how you end up on the CPPA's enforcement page. The California Privacy Rights Act requires actual operational changes, not just policy tweaks.
The Bottom Line on California's Privacy Rights Act
After helping 100+ companies navigate CPRA, here's my take: This law gives Californians real leverage if they use it. But enforcement is spotty, and businesses are still adapting. Your best protection? Assume every website collects your data and exercise those opt-out rights.
Meanwhile for businesses - compliance isn't sexy, but seeing clients avoid six-figure fines? That feels pretty good. Just don't wait until the CPPA comes knocking. Ask me how I know.
Leave A Comment