California CPRA vs CCPA

CPRA did not create a separate standalone privacy code that businesses can comply with instead of the CCPA. Proposition 24 amended Title 1.81.5, and the CPPA explains that it typically refers to the live law as "CCPA" or "CCPA, as amended."

That framing matters operationally. If internal policies, ticket flows, or training still treat CPRA as a future project or a separate overlay, teams miss duties that have already been operative since January 1, 2023.

A legacy CCPA scoping memo can now be wrong in multiple directions. The threshold test covers buying, selling, or sharing the personal information of 100,000 or more California residents or households, and California now adjusts the gross-revenue threshold on a CPI basis instead of freezing the original $25 million figure.

The exemption picture also changed. Employment-related and business-to-business carve-outs expired on December 31, 2022, so employee, applicant, vendor-contact, and business-customer data can no longer be treated as outside the programme by default.

CPRA added the right to correct inaccurate personal information, the right to limit certain uses and disclosures of sensitive personal information, and opt-out rights that explicitly cover sharing for cross-context behavioral advertising. It also made retention, purpose limitation, and data minimization more explicit by requiring businesses to disclose retention periods or criteria and to keep collection, use, retention, and sharing reasonably necessary and proportionate.

That means an older CCPA portal that only handles know and delete requests, a notice at collection that omits retention information, or a secondary-use review that never tests compatibility with context is no longer enough.

CPRA changed the consumer-facing product surface, not just the rights list. Depending on the data uses in play, businesses may need a Do Not Sell or Share link, a Limit link, a combined Your Privacy Choices experience, or a fully compliant opt-out preference signal implementation.

The practical failure mode is friction. Hiding the control inside a privacy policy, asking for unnecessary information, or treating browser-based signals as optional is inconsistent with the statute and regulations.

One of the biggest practical shifts is that sharing now captures disclosures for cross-context behavioral advertising even when money does not change hands. A legacy analysis that only asks whether a disclosure is a sale is too narrow for modern advertising, measurement, and audience-matching flows.

CPRA also narrows the service-provider and contractor safe zone. Under the regulations, a person providing cross-context behavioral advertising is a third party for that function, and a recipient without a compliant contract can push the disclosure back into sale-or-sharing territory.

CPRA created the CPPA and moved California beyond the earlier Attorney-General-only narrative. Under the current text, public enforcement now includes CPPA administrative enforcement as well as Attorney General civil enforcement.

The private lawsuit remains narrow. Section 1798.150 still applies to certain security-breach claims and still uses 30 days' written notice when a cure is possible. Teams should stop teaching a blanket rule that California either always has, or no longer has, a cure period.

If your California programme was built for the January 1, 2020 CCPA launch and then only lightly patched, the fastest route is a focused remediation sprint rather than a full rewrite. CPRA raised the cost of stale assumptions in notices, adtech, contract structure, and workflow evidence.

The control surfaces worth testing first are the ones consumers and regulators will touch immediately: scope decisions, notices, links, request handling, downstream propagation, vendor classification, and incident or complaint routing.