CPRA Explained: What Changed from CCPA and What It Means for Your Website

LegalBanner

What Is CPRA?

The California Privacy Rights Act (CPRA), effective January 1, 2023, is an amendment that significantly strengthens and expands the original CCPA. It's not a separate law — it modifies CCPA. When people reference "CCPA" today, they generally mean the CCPA as amended by CPRA.

Key Changes from CCPA to CPRA

1. New Category: Sensitive Personal Information

CPRA created a new category of "sensitive personal information" that gets enhanced protection. This includes: Social Security numbers, financial account details, precise geolocation, racial or ethnic origin, religious beliefs, biometric data, health information, sex life/sexual orientation, and contents of communications.

If your website collects any of these (e.g., through forms or payment processing), you must provide a separate "Limit the Use of My Sensitive Personal Information" link.

2. New Enforcement Agency: CPPA

The California Privacy Protection Agency (CPPA) was created specifically to enforce privacy laws. Previously, enforcement was solely the Attorney General's responsibility. The CPPA has a larger staff and a dedicated budget, and it has been more aggressive in enforcement than the AG was.

3. "Sharing" Added to "Selling"

CCPA only covered "selling" data. CPRA added "sharing" — defined as making personal information available to a third party for cross-context behavioural advertising. This closes the loophole where companies argued they weren't "selling" data because no money changed hands when they shared it with ad networks.

4. Data Minimisation

CPRA requires that businesses collect, use, and retain personal information only to the extent "reasonably necessary and proportionate" to the purpose for which it was collected. This mirrors GDPR's data minimisation principle.

5. Right to Correct

Consumers gained the right to correct inaccurate personal information, in addition to existing rights (access, deletion, opt-out).

6. Automated Decision-Making

CPRA gives consumers the right to opt out of automated decision-making technology, including profiling. The CPPA is still developing regulations on this, but the right exists in the statute.

7. Storage Limitation

Businesses must now disclose how long they retain each category of personal information and cannot keep it longer than "reasonably necessary" for the disclosed purpose.

What This Means for Your Website

If your website targets California consumers, you should:

  • Update your privacy policy to reflect CPRA terminology ("selling and sharing")
  • Add a "Do Not Sell or Share" link (not just "Do Not Sell")
  • If you collect sensitive data, add a "Limit Use of Sensitive Information" link
  • Review data retention practices and set defined periods
  • Ensure you honour Global Privacy Control (GPC) signals
  • Document your data minimisation practices

How LegalBanner Stays Current

LegalBanner's CCPA implementation reflects the CPRA amendments. The consent interface uses the current required language ("Do Not Sell or Share"), honours GPC signals, and adapts automatically to California visitors. As CPPA regulations evolve, LegalBanner updates to match — so you don't have to track regulatory changes yourself.
