What changed with CPRA
The California Privacy Rights Act (CPRA) amended CCPA effective 1 January 2023. The four main additions: (1) the new "sensitive personal information" category and the "Right to Limit" disclosure, (2) the "Do Not Sell or Share" terminology — sharing now covers cross-context behavioural advertising, (3) the California Privacy Protection Agency (CPPA) as a dedicated regulator, and (4) the 12-month look-back data inventory.
Who has to comply
For-profit entities doing business in California that meet at least one threshold: $25M+ annual gross revenue; buying, selling, or sharing the personal information (PI) of 100,000+ consumers or households; or deriving 50%+ of revenue from selling or sharing PI. Non-profits and government bodies are exempt.
The eleven categories of personal information
- Identifiers (name, email, IP, device ID)
- Customer records (signed-up customers, contact info)
- Characteristics of protected classifications (race, religion, etc.)
- Commercial information (purchase history)
- Biometric information
- Internet or other electronic network activity
- Geolocation
- Sensory data (audio, electronic, thermal)
- Professional or employment-related information
- Education information
- Inferences drawn from the above
The seven consumer rights
- Right to know what is collected, used, disclosed, sold, or shared
- Right to delete
- Right to correct inaccurate information
- Right to opt out of sale or sharing
- Right to limit use of sensitive personal information
- Right to data portability
- Right to non-discrimination for exercising rights
Fines
$2,500 per violation, $7,500 per intentional violation or violation involving a minor. The Sephora fine ($1.2M, August 2022) was the first under CCPA. CPPA enforcement actions accelerated through 2024–2025.