Examining the Difference Between CPRA and CCPA Regulations

The most significant component of the California Privacy Rights Act (CPRA) is its focus on enforcement, absent from the original California Consumer Privacy Act (CCPA).

The California Consumer Privacy Act (CCPA) made history when it came into effect on January 1, 2020, as it was the first comprehensive data privacy law in the United States. It was designed to grant California residents greater control over their personal information and ensure businesses are transparent in handling consumer data. It also came with certain penalties for organizations that failed to adhere to its guidelines, adding new layers to data privacy compliance within the scope of cyber liability insurance.

This historic legislation triggered a domino effect that many states are still grappling with as they continue to develop their own versions of data privacy laws.


While the CCPA was groundbreaking, it came with several limitations and was subject to plenty of criticism. In response to these concerns, California voters approved the California Privacy Rights Act (CPRA) in November 2020. The CPRA went into effect on January 1, 2023, with certain provisions applying only to data collected on or after January 1, 2022.

The CPRA built upon the existing CCPA framework and introduced new provisions that aim to enhance consumer privacy rights and strengthen enforcement mechanisms, essentially improving upon the original legislation in virtually every area.

Before going into the differences, let’s first look at the major points of the CCPA when it was introduced.

Key Aspects of the CCPA

The CCPA applied to for-profit entities that conduct business in California and meet one or more of the following criteria:

  • Generate annual gross revenue of more than $25 million
  • Buy, receive, sell, or share personal information of 50,000 or more consumers, households, or devices
  • Derive at least 50% of their annual revenue from selling consumer personal information

Under the CCPA, consumers in California were granted the right to:

  • Know what personal information is collected, used, shared, or sold by businesses
  • Delete personal information held by businesses
  • Opt out of the sale of their personal information
  • Not be discriminated against in terms of price or service when exercising their privacy rights

Key Differences Between the CCPA and the CPRA

Creation of the California Privacy Protection Agency (CPPA)

The most significant component of the CPRA was its focus on actual enforcement, something that was lacking with the original CCPA due to the burden on the California Attorney General's Office. The CPRA establishes a new regulatory agency, the CPPA, which is responsible for enforcement. The CPPA has the power to investigate, audit, and impose fines on businesses that violate the law.

Expansion of Consumer Rights

The CPRA expands the rights provided by the CCPA in several ways:

  • Right to Correct: Consumers have the right to request businesses to correct inaccurate personal information.
  • Sensitive Personal Information: The CPRA introduced a new category called "sensitive personal information," which includes data such as Social Security numbers, driver's license numbers, precise geolocation, race, religion, and biometric data. Consumers have the right to limit the use and disclosure of this sensitive personal information.
  • Right to Data Portability: Consumers have the right to receive their personal information in a readily usable format, enabling them to transmit it to another entity.

Strengthening of Data Breach Liability

The CPRA expands the scope of data breach liability to include unauthorized access or disclosure of an individual's email address and password or security question that could lead to unauthorized access to the account.

New Obligations for Businesses

The CPRA introduced several new obligations for businesses, including:

  • Data Minimization: Businesses must limit the collection, use, retention, and sharing of personal information to what is necessary for the specific purpose for which it was collected.
  • Annual Audits and Risk Assessments: Businesses with significant data processing activities must perform annual cybersecurity audits and submit regular risk assessments to the CPPA.
  • Contractual Requirements: Businesses now need to enter into specific contracts with third parties, service providers, and contractors that process personal information on their behalf, ensuring that these entities comply with the CPRA requirements and provide sufficient guarantees to protect personal information.

Introduction of "Sharing" Personal Information

The CPRA introduced the concept of "sharing" personal information, which refers to the disclosure or communication of personal information to a third party for "cross-context behavioral advertising." This practice involves targeting advertising to consumers based on their activity across different websites, applications, or services. Consumers have the right to opt out of the sharing of their personal information for this purpose.

Changes to the Threshold for Applicability

The CPRA modifies the criteria for businesses subject to the law. While the $25 million annual gross revenue threshold remains the same, the number of consumers, households, or devices for which a business must buy, receive, sell, or share personal information increases from 50,000 to 100,000. Additionally, the threshold for businesses deriving at least 50% of their annual revenue from selling consumer personal information now includes sharing personal information as well.

Increased Fines for Violations Involving Minors

The CPRA imposes greater penalties for violations involving the personal information of minors. Fines for such violations can be up to three times the amount of the standard penalties under the law.

No More 30-Day Cure Period for Data Breaches

The CCPA had what was known as a 30-day cure period. This was a time frame that businesses had to remedy or "cure" a violation after receiving written notice from a consumer or the California Attorney General. If the business could demonstrate that it had addressed and rectified the violation within 30 days of receiving the notice, it often avoided penalties or statutory damages.

Although the CPRA does not specifically mention a 30-day cure period, it does retain certain provisions related to the opportunity for businesses to address violations before facing legal consequences. The CPRA grants the CPPA the discretion to give businesses a reasonable time to cure a violation, depending on the specific circumstances of each case.

It's important to note that the CPRA eliminates the 30-day cure period for data breaches, which was previously present in the CCPA. Under the CPRA, businesses may be held strictly liable for statutory damages in the event of a data breach—without the opportunity to cure the violation within 30 days.

Your Cyber Insurance Policy Should Always Acclimate to New Guidelines

The intricacies of the CPRA have certainly added new burdens and liabilities for organizations regarding compliance with data privacy, further complicating cyber insurance policies and creating ambiguity on what’s covered and what’s not. For instance, wrongful collection and wrongful use of personal information policies often cover wrongful disclosure penalties, but unless you’ve explicitly added them, you may have limited coverage.

Not all cyber insurance policies are created equal, and having an insurance broker trained in the nuance of this line of insurance can be a valuable partnership for any business.
