CPRA
What is CPRA?
CPRA: The California Privacy Rights Act of 2020, which amends and expands the CCPA and took full effect on 1 January 2023.
The California Privacy Rights Act (CPRA, Proposition 24) was approved by California voters in November 2020 and substantively amends the California Consumer Privacy Act (CCPA). Most operative provisions took effect on 1 January 2023, with enforcement starting 1 July 2023. CPRA introduces a new category of sensitive personal information, adds rights to correct inaccurate data and to limit the use of sensitive information, imposes data minimisation and purpose limitation duties, and requires risk assessments and cybersecurity audits for high-risk processing. It also created the California Privacy Protection Agency (CPPA), the first dedicated US state privacy regulator, which issues regulations and enforces the law alongside the California Attorney General.
● Examples
- 01: A retailer offering a 'Limit the Use of My Sensitive Personal Information' link on its homepage as required by CPRA.
- 02: A B2B SaaS company conducting an annual cybersecurity audit under draft CPPA regulations.
● Frequently asked questions
What is CPRA?
The California Privacy Rights Act of 2020, which amends and expands the CCPA and took full effect on 1 January 2023. It belongs to the Compliance & Frameworks category of cybersecurity.
What does CPRA mean?
The California Privacy Rights Act of 2020, which amends and expands the CCPA and took full effect on 1 January 2023.
How does CPRA work?
The California Privacy Rights Act (CPRA, Proposition 24) was approved by California voters in November 2020 and substantively amends the California Consumer Privacy Act (CCPA). Most operative provisions took effect on 1 January 2023, with enforcement starting 1 July 2023. CPRA introduces a new category of sensitive personal information, adds rights to correct inaccurate data and to limit the use of sensitive information, imposes data minimisation and purpose limitation duties, and requires risk assessments and cybersecurity audits for high-risk processing. It also created the California Privacy Protection Agency (CPPA), the first dedicated US state privacy regulator, which issues regulations and enforces the law alongside the California Attorney General.
How do you defend against CPRA?
Defences for CPRA typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for CPRA?
Common alternative names include: California Privacy Rights Act, Proposition 24.
● Related terms
- CCPA (compliance, № 149): The California Consumer Privacy Act, a U.S. state privacy law granting California residents rights over their personal information held by businesses.
- GDPR (compliance, № 440): The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
- Privacy by Design (privacy, № 856): An engineering and governance approach that embeds privacy considerations into systems, processes, and defaults from the earliest design stages rather than bolting them on later.
- Privacy Impact Assessment (PIA) (privacy, № 857): A structured process to identify, evaluate, and mitigate privacy risks of a system, project, or data-processing activity before it goes live.
- DPA (compliance, № 356): A Data Processing Agreement is the binding contract required by GDPR Article 28 between a data controller and processor when personal data is processed on the controller's behalf.
- Data Minimization (privacy, № 280): A privacy principle requiring organizations to collect, process, and retain only the personal data that is strictly necessary for a defined, lawful purpose.