What is the CPRA?

The California Privacy Rights Act (CPRA) is California’s state legislation to protect the privacy rights of California residents. The CPRA went into effect on January 1, 2023, and requires all businesses to audit their data collection, storage, processing, and sharing mechanisms to ensure they comply with the law.

The CPRA builds on an earlier piece of legislation known as the California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020. With the introduction of the CPRA, California will be the first US state to introduce a dedicated data protection authority, similar to those more commonly found in Europe: the California Privacy Protection Agency (CPPA).

What thresholds apply to the CPRA?

The California Privacy Rights Act (CPRA) applies to businesses that deal with the personal information of California residents and meet one of the following three criteria:

One: Businesses that share the personal information of at least 100,000 consumers or households will be subject to the CPRA.

Two: Businesses that make $25 million in gross revenue by January 1 of the preceding year are subject to compliance with the California Privacy Rights Act.

Three: Businesses that receive 50% or more of their gross revenues from sharing or selling personal information are also subject to the CPRA.

By when must you comply with the CPRA?

Businesses have until January 1, 2023, to comply with this new regulation.

The CPPA (California Privacy Protection Agency) will only begin enforcement from July 1, 2023. Note, however, that enforcement can be applied retrospectively to January 1, 2023.