Compliance Glossary

What is the California Privacy Rights Act?

Definition

The California Privacy Rights Act (CPRA) is a ballot initiative approved by California voters in November 2020 that significantly amended and expanded the CCPA. It created the California Privacy Protection Agency, introduced new consumer rights, and established requirements for sensitive personal information, effective January 1, 2023.

In Depth

CPRA represents the most significant expansion of CCPA since its original enactment. Key changes include the creation of the California Privacy Protection Agency (CPPA), a dedicated enforcement body with rulemaking authority that replaces the Attorney General as the primary regulator. CPRA introduced new consumer rights, namely the right to correct inaccurate information and the right to limit use of sensitive personal information, and it expanded the right to opt out to cover "sharing" for cross-context behavioral advertising in addition to "sales." The law also established new business obligations, including mandatory risk assessments for high-risk processing, annual cybersecurity audits for businesses whose processing presents significant risk, and enhanced requirements for contracts with service providers and contractors. CPRA's enforcement provisions include administrative fines of $2,500 per unintentional violation and $7,500 per intentional violation or violation involving minors, with the CPPA having independent authority to investigate and enforce. Organizations should note that CPRA also extended the lookback period for consumer requests, added data minimization and purpose limitation principles, and introduced the concept of "contractors" as a new data recipient category.
