
What is CPRA?

Kamile Viezelyte

Cybersecurity Content Writer


When we talk about compliance and privacy legislation, it’s the internationally recognized names that come to mind. GDPR is popular, while fewer might have heard of PCI DSS. However, there’s one state-level legislation that companies should not ignore if they want to do business in the US—the California Privacy Rights Act, or the CPRA. Today, we’ll learn about the evolution of the CCPA, see what the CPRA regulations entail, and make an action plan to ensure your business complies with this legislation.

Understanding the California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act was first introduced by the California State Legislature in 2018 and officially came into effect in January 2020. Compared to federal legislation, California privacy rights are more clearly defined and offer more protection to the consumer. While the law does not bar companies from collecting personal information, it governs how businesses use the sensitive personal information they collect and how consumers can withdraw their consent.

Under this law, all residents of California are considered protected consumers, and their households and families also fall under data protection. Personal data is defined as information that can identify or be associated with the protected consumer, including the consumer's name, personal and online identifiers, IP and email addresses, social media profile information, biometric data, and some physical documents. However, publicly available information is not considered personal.

If the consumer is a minor under the age of 13, the business must obtain consent from their parents or guardians to share data. Protected consumers can request that companies provide transparent access reports showing exactly which personal information is being used and how. They also have the right to demand that the company delete all of their personal information.

In a sense, the California Consumer Privacy Act is similar to the European Union's General Data Protection Regulation (GDPR) regarding the users' rights to access and manage their personal data. In this case, personal data can be any information used to identify the customer or their related persons. The CCPA protects consumers against data use without consent and prevents discrimination based on personal data like race or disability. The criteria established by the CCPA are considered the most extensive consumer data privacy legislation in the country.

The CCPA is the first of its kind and may act as the standard for other states developing their own consumer protection legislation. It's unique in that, despite being a state law, not a federal one, it requires international compliance. It provides criteria for large businesses that wish to operate in the state and need to handle customer data.

California Privacy: the shift from CCPA to CPRA

In 2020, California residents voted in favor of Proposition 24, or the California Privacy Rights Act (CPRA). This amendment to the CCPA aimed to add more consumer protections and clarify the concept of sensitive personal information. The CPRA officially took effect in January 2023.

The business criteria were also changed when the legal threshold for buying, selling, and sharing sensitive personal information increased from 50,000 to 100,000 consumers and households. The amendment states that companies must provide a clear opt-in or opt-out option to consumers. Another new addition to the California Consumer Privacy Act amendment was the inclusion of rules for sharing personal information. It defines sharing as any exchange of data for purposes other than monetary gain.

Now that we’ve established the basics, let’s take a closer look at what qualifies as sensitive personal information under the CPRA and walk through some specific examples.

What is sensitive personal information (SPI)?

Sensitive personal information is a specific subcategory of data that demands a much higher level of protection. Under the CPRA, it encompasses data points that are uniquely susceptible to misuse, which can result in discrimination, potential harm, or a serious invasion of privacy. Think of data such as racial or ethnic origin, health information, government-issued identifiers, and precise geolocation. 

In an increasingly digital world, many people share this data with platforms and businesses without a second thought, often unaware of the potential risks. When this information falls into the wrong hands, it can be exploited for malicious purposes such as identity theft and fraud, or lead to reputational damage and personal embarrassment. The CPRA shifts the power back to the individual by imposing strict obligations on businesses and granting consumers the specific right to limit how their most sensitive data is used.

The examples of sensitive personal information

To truly understand why sensitive personal information under the CPRA is so highly protected, let’s look at specific examples of this data:

Government-issued identifiers. This includes documents such as a Social Security number, passport, driver's license, or state ID card. These numbers hold the keys to a person's legal identity.

Financial and account access. This refers to a consumer’s account logins, financial accounts, or debit/credit card numbers in combination with any required security codes or passwords that allow access to the account.

Precise geolocation. Any data that tracks an individual's location is considered sensitive because of its ability to reveal a person's daily habits and routines.

Identity and beliefs. All information regarding religious beliefs, racial and ethnic origin, and other similar characteristics is considered sensitive personal information. Revealing such information without the person’s consent can potentially lead to discrimination, stigmatization, or racial profiling. And yes, this also includes union membership.

Private communications. The content of emails or text messages, excluding communications that directly involve the business in question.

Health, genetics, and biometrics. Any genetic data, as well as biometric information processed to identify a person, such as fingerprints or face recognition, is considered sensitive personal information. This category also includes data on consumers' health, physical disabilities, sex lives, and sexual orientation.

Does the CPRA replace the CCPA?

In short, no. The CPRA is not a new law but rather an amendment to the existing CCPA legislation, and is explicitly referred to as such by the State of California and the enforcing entities. Ensuring CPRA compliance mandates adhering to the CCPA as a whole.

Who needs to comply with CPRA?

Large businesses that want to operate in California are the focus. The law offers more leeway for smaller businesses: the companies that must meet CPRA compliance requirements are those that exceed $26,625,000 in gross annual sales. At least half of that revenue must come from selling their customer data. At least 100,000 consumers and their devices must be involved in the business's purchasing, selling, sharing, or collecting of data.

The law requires all businesses to provide full transparency over what type of consumer-related data they collect and the purposes for which they use it. Organizations that fail to comply with the CCPA and CPRA face severe legal repercussions, as well as reputational damage. As of 2025, the company must pay up to $799 in monetary damages per consumer per incident or up to $7,988 in administrative or civil penalties for each intentional violation.

Penalties for non-compliance

The CPRA is a legal mandate enforced by the California Privacy Protection Agency and the state Attorney General. This means that every business operating in California—or any business that collects personal data from Californians and meets specific thresholds—can face severe penalties for failing to maintain CPRA compliance.

For example, the California Attorney General fined the multinational retailer Sephora $1.2 million for data privacy violations. The agency found that Sephora failed to recognize the Global Privacy Control (GPC)—a universal opt-out signal—and was selling customer data without proper disclosure. Specifically, Sephora allowed third-party trackers to collect data on products viewed and precise locations in exchange for advertising analytics.

Even though Sephora was given a 30-day window to fix these issues, it failed to do so. As a result, in addition to the $1.2 million fine, Sephora was legally ordered to inform customers about the data sales through its privacy policy and notice at collection, implement a universal/global opt-out, provide a "Do not sell my personal information" link on its website, and establish effective customer request mechanisms via an active email address, toll-free number, or online portal.
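The Sephora order turns on recognizing the Global Privacy Control signal mentioned above. The following is an added illustration, not code from the original post, of what honoring that signal looks like on the server side in plain Node.js. It assumes the browser sends the `Sec-GPC: 1` request header defined by the GPC specification, that the site records a manual opt-out in a cookie named `opt_out_sale` (a hypothetical name), and that third-party tags are tracked in a constructed list; tag names and the `lastUpdate` date are constructed sample values.

```javascript
// Added example (not from the original post): honoring the Global Privacy
// Control (GPC) opt-out signal before loading third-party tags.
// Assumptions: the browser sends "Sec-GPC: 1" (the GPC specification's header)
// and the site stores a manual opt-out in a cookie named "opt_out_sale"
// (hypothetical cookie name). Tag names and dates below are constructed.

// Parse a Cookie header ("a=1; b=2") into a plain object.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// A request carries an opt-out when the GPC header is exactly "1" (the only
// value the specification defines) or when the visitor previously used the
// site's "Do not sell or share my personal information" link.
// Header names are expected lowercased, as Node's req.headers provides them.
function hasOptOut(headers) {
  const gpc = (headers["sec-gpc"] || "").trim();
  const cookies = parseCookies(headers["cookie"]);
  return gpc === "1" || cookies["opt_out_sale"] === "1";
}

// Constructed tag inventory: tags that sell or share data with third parties
// must be dropped for opted-out visitors; first-party tags may stay.
const TAGS = [
  { name: "site-analytics", firstParty: true },
  { name: "ad-network-pixel", firstParty: false },
  { name: "retargeting-beacon", firstParty: false },
];

// Return the names of the tags that may be emitted for this request.
function allowedTags(headers, tags = TAGS) {
  const optOut = hasOptOut(headers);
  return tags.filter((t) => t.firstParty || !optOut).map((t) => t.name);
}

// The GPC specification defines /.well-known/gpc.json so that clients can
// verify that a site claims to honor the signal.
function gpcWellKnown() {
  return { gpc: true, lastUpdate: "2025-01-01" }; // constructed date
}

// Request handler compatible with Node's http.createServer.
function handle(req, res) {
  if (req.url === "/.well-known/gpc.json") {
    res.writeHead(200, { "Content-Type": "application/json" });
    res.end(JSON.stringify(gpcWellKnown()));
    return;
  }
  const tags = allowedTags(req.headers);
  // Record the decision so an audit can show that the signal was honored.
  console.log(JSON.stringify({ path: req.url, optOut: hasOptOut(req.headers), tags }));
  // Vary on Sec-GPC so caches never serve a tracker-laden page to an opted-out visitor.
  res.writeHead(200, { "Content-Type": "text/html", Vary: "Sec-GPC" });
  const scripts = tags.map((t) => `<script src="/tags/${t}.js"></script>`).join("");
  res.end(`<html><body>${scripts}</body></html>`);
}

// Start listening; call startServer(8080) from your entry point.
function startServer(port) {
  const http = require("node:http");
  return http.createServer(handle).listen(port);
}
```

The decision is made per request, so a visitor whose browser sends the signal is covered even if they never touched the site's opt-out link, and the `Vary: Sec-GPC` header keeps a shared cache from handing a tracker-enabled copy of the page to someone who opted out.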

Beyond administrative fines, the law gives consumers the right to take legal action if a data breach occurs due to a failure to maintain reasonable security measures. In these cases, businesses may be required to pay statutory damages between $107 and $799 per consumer, per incident. Because the CPRA has eliminated the automatic 30-day grace period that previously allowed companies to fix issues before being fined, regulators now have the power to initiate enforcement actions and impose penalties the moment a violation is identified.

What rights does California's CPRA provide to consumers?

Two of the central California privacy rights are the right to know and the right to delete. Consumers have the right to request that businesses disclose how they handle sensitive personal information, including what information is stored, where it is stored, whether it is being sold, and to whom. The CPRA also simplifies the process of demanding access to sensitive personal information and its deletion. Businesses must rectify data mismanagement or other violations within 30 days of receiving a report; otherwise, the consumer can take legal action.

In total, the CCPA and CPRA legislation provide 7 consumer protection rights:

  1. The right to know what sensitive personal information businesses collect about the consumer, the purpose of this collection, and whether it's sold and to whom.

  2. The right to delete personal information held by the business.

  3. The right to opt out of the selling or sharing of personal information.

  4. The right to non-discriminatory treatment for exercising CCPA rights.

  5. The right to correct inaccurate personal information.

  6. any inaccurate personal information.

  7. The right to limit the use and disclosure of sensitive personal information.

How are CCPA and CPRA reshaping business practices?

With over 38 million residents, the State of California alone has massive purchasing power in the US, making it a lucrative market for local and international businesses alike. The CCPA ensures that businesses wishing to operate in California must follow transparent and compliant data management practices. It also grants consumers more freedom and a better understanding of how their personal data is used.

According to the 2023 Annual Report of Activity Under the California Consumer Protection Law, the Department of Financial Protection and Innovation (DFPI) received 2,246 complaints related to the CCPA. This was an increase of 70% compared to 2022, showing increasing data privacy awareness among consumers in California. Nearly half of these complaints were related to cryptocurrency and other crypto assets. Other complaints included debt collection and student loans.

The introduction of the CCPA and CPRA regulations in California was unprecedented, creating a new vision of how consumers can be in charge of their data at the state level. Therefore, if you're a business owner, it's a good idea to follow state-level legislation updates as well as federal developments.

Bottom line

Five years since the CCPA came into effect, businesses that want to operate in California have no excuse for a lack of preparedness. Whether they're already handling the data of California consumers or merely looking to enter the market, they need to ensure they've established the right practices for handling personal information. The legislation protects consumers from damages inflicted by data breaches and incentivizes businesses to follow practices that can prevent these breaches in the first place. Setting up secure data storage is an essential step toward compliance, and a password manager is a fitting tool for the job.

Using the NordPass password manager, your organization can work toward meeting CCPA and CPRA requirements. NordPass allows organizations to centralize their password management policies, ensuring the use of unique and complex passwords for all company-related accounts.

NordPass provides XChaCha20-encrypted storage for all login credentials, including passkeys, as well as other sensitive information, like credit card numbers or personal ID and visa details, and protects both employee and customer data, even in the event of a data breach in the organization. It aligns with secure sharing standards by letting employees share credentials in-app and customize their sharing settings to restrict visibility or limit the sharing time. Curious to see NordPass in action? Find the right plan for your organization and start your free trial today.