When we talk about compliance and privacy legislation, it’s the internationally recognized names that come to mind. GDPR is popular, while fewer might have heard of PCI DSS. However, there’s one state-level legislation that companies should not ignore if they want to do business in the US—the California Privacy Rights Act, or the CPRA. Today, we’ll learn about the evolution of the CCPA, see what the CPRA regulations entail, and make an action plan to ensure your business complies with this legislation.
Understanding California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act was first introduced by the California State Legislature in 2018, and officially came into effect in January 2020. Compared to federal legislation, California privacy rights are more clearly defined, and offer more protection to the consumer. While it does not bar companies from collecting personal information, it oversees how businesses can use this data and how consumers can withdraw their consent.
Under this law, all residents of California are considered protected consumers, and their households and families also fall under data protection. Personal data is defined as information that can identify or be associated with the protected consumer, including the consumer's name, personal and online identifiers, IP and email addresses, social media profile information, biometric data, and some physical documents. However, publicly available information is not considered personal.
If the consumer is a minor under the age of 13, the business must obtain consent from their parents or guardians to share data. Protected consumers can request companies to provide transparent access reports displaying exactly which personal information is being used and how. They have the right to demand the company delete all personal information.
In a sense, the CCPA is similar to the European Union’s General Data Protection Regulation (GDPR) regarding the users’ rights to access and manage their personal data. In this case, personal data can be any information used to identify the customer or their related persons. The CCPA protects consumers against data use without consent and prevents discrimination based on personal data like race or disability. The criteria established by the CCPA are considered the most extensive consumer data privacy legislation in the country.
The CCPA is the first of its kind and may act as the standard for other states developing their own consumer protection legislation. It’s unique in that, despite being a state law, not a federal one, it requires international compliance. It provides criteria for large businesses that wish to operate in the state and need to handle customer data.
California Privacy: the shift from CCPA to CPRA
In 2020, California residents voted in favor of Proposition 24, or the California Privacy Rights Act (CPRA). This amendment to the CCPA aimed to add more consumer protections and clarify the concept of personal information. It officially took effect in January 2023.
The CPRA added a very important criterion—sensitive personal information—to the data management limitations. This addition expanded the criteria for protected information to include:
Consumers’ genetic data
Race and ethnicity
Religion
Sexual orientation
Precise geolocation
Union membership status
Information regarding identifying documents like Social Security numbers or passports
Private communications, including the content of emails or text messages, excluding communications that directly involve the business in question
Financial account information related to access codes and credentials
Health information
The business criteria were also changed by increasing the legal threshold of buying, selling, and sharing personal information from 50,000 consumers and households to 100,000. The amendment states that companies must provide a clear opt-in or opt-out option to consumers. Another new addition to the CCPA amendment was the rules for sharing personal information. It defines sharing as any exchange of data for purposes other than monetary gain.
In total, the CCPA and CPRA legislation provide 7 consumer protection rights:
The right to know what personal information businesses collect regarding the consumer, the purpose of this collection, and whether or to whom it's sold.
The right to delete personal information held by the business.
The right to opt out of the selling or sharing of personal information.
The right to opt in to the sharing or selling of personal information if the consumer is under the age of 16.
The right to non-discriminatory treatment for exercising CCPA and CPRA rights.
The right to initiate a private cause of action if the business experiences a data breach that impacts the consumer.
The right to correct any inaccurate personal information.
The right to limit the use and disclosure of sensitive personal information.
Does the CPRA replace the CCPA?
In short, no. The CPRA is not a new law but rather an amendment to the existing CCPA legislation, and is explicitly referred to as such by the State of California and the enforcing entities. Ensuring CPRA compliance mandates adhering to the CCPA as a whole.
Who needs to comply with CPRA?
Large businesses that want to operate in California are the focus. The law offers more leeway for smaller businesses. Companies that must meet CPRA compliance requirements exceed $26,625,000 in gross annual revenue. At least half of that revenue must come from selling customer data. At least 100,000 consumers or households must be involved in the company's purchasing, selling, sharing, or collecting of personal data.
The law requires all businesses to provide full transparency over what type of consumer-related data they collect and the purposes for which they use it. Organizations that fail to comply with the CCPA and CPRA face severe legal repercussions, as well as reputational damage. As of 2025, a violating company must pay up to $799 in monetary damages per consumer per incident or up to $7,988 in administrative or civil penalties for each intentional violation.
What rights does California’s CPRA provide to consumers?
Two of the main angles of the California privacy rights are “the right to know” and “the right to delete.” Consumers have the right to request disclosure of how businesses handle their personal information—what precise information the business has, where it’s stored, whether it’s being sold, and whom it’s sold to.
The law simplifies the process of demanding access to personal information and its deletion. Businesses must rectify data mismanagement or other violations within 30 days of the report; otherwise, the consumer can take legal action.
The CPRA amendment has granted new rights for consumers to pursue legal action if their login credentials are exposed in a data breach impacting the company from which they purchased goods or services. It also offers data protections akin to GDPR, like restricting how customer data can be used or how businesses can store their clients’ personal information.
How are CCPA and CPRA reshaping business practices?
With over 38 million residents, the State of California alone has a massive purchasing power in the US, making it a lucrative market for local and international businesses alike. The CCPA ensures that businesses wishing to operate in California must follow transparent and compliant data management practices. It also grants consumers more freedom and a better understanding of personal data.
According to the 2023 Annual Report of Activity Under the California Consumer Protection Law, the Department of Financial Protection and Innovation (DFPI) received 2,246 complaints related to the CCPA. This was an increase of 70% compared to 2022, showing increasing data privacy awareness among consumers in California. Nearly half of these complaints were related to cryptocurrency and other crypto assets. Other complaints included debt collection and student loans.
The introduction of the CCPA and CPRA regulations in California was unprecedented, creating a new vision of how consumers can be in charge of their data at the state level. Therefore, if you’re a business owner, it’s a good idea to follow state-level legislation updates as well as federal developments.
Bottom line
Five years since the CCPA came into effect, businesses that want to operate in California have no excuse for a lack of preparedness. Whether they’re already handling the data of California consumers or merely planning to enter the market, they need to ensure they’ve put the right practices for handling personal information in place. The legislation protects consumers from damages inflicted by data breaches and incentivizes businesses to follow practices that can prevent these breaches in the first place. Setting up secure data storage is an essential step to help with compliance, and a password manager is the fitting tool to get it sorted.
Using the NordPass password manager, your organization can work toward meeting CCPA and CPRA requirements. NordPass allows organizations to centralize their password management policies, ensuring the use of unique and complex passwords for all company-related accounts.
NordPass provides XChaCha20-encrypted storage for all login credentials, including passkeys, as well as other sensitive information, like credit card numbers or personal ID and visa details, and protects both employee and customer data, even in the event of a data breach in the organization. It aligns with secure sharing standards by letting employees share credentials in-app and customize their sharing settings to restrict visibility or limit the sharing time. Curious to see NordPass in action? Find the right plan for your organization and start your free trial today.