--- title: "CPRA vs CCPA" canonical_url: "https://www.sorena.io/artifacts/us/california-privacy-rights-act/ccpa-vs-cpra" source_url: "https://www.sorena.io/artifacts/us/california-privacy-rights-act/ccpa-vs-cpra" author: "Sorena AI" description: "A practical CPRA vs CCPA delta guide grounded in the current California statute, CPPA regulations, Proposition 24, and official agency guidance." published_at: "2026-02-22" updated_at: "2026-02-22" keywords: - "CPRA vs CCPA" - "CPRA changes" - "California privacy delta" - "CPRA amended CCPA" - "California privacy rights" - "CPRA" - "CCPA" - "California privacy" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # CPRA vs CCPA A practical CPRA vs CCPA delta guide grounded in the current California statute, CPPA regulations, Proposition 24, and official agency guidance. *Deep Dive* *CPRA* ## California CPRA vs CCPA Use the actual legal and operational deltas when upgrading an original California CCPA programme into the current regime. Focused on rights expansion, purpose limitation, retention, notices, adtech classification, contracts, and enforcement using current California sources. From a CPRA perspective, the useful question is what changed inside an older CCPA build once Proposition 24 became operative on January 1, 2023. The answer is not just new labels. CPRA tightened scope, added correction and sensitive-personal-information controls, expanded opt-out logic to sharing, imposed retention and purpose limits, created the CPPA, and changed how teams should classify adtech and vendor relationships. ## Treat CPRA as the amendment set inside the current law CPRA did not create a separate standalone privacy code that businesses can comply with instead of the CCPA. Proposition 24 amended Title 1.81.5, and the CPPA explains that it typically refers to the live law as "CCPA" or "CCPA, as amended." That framing matters operationally. If internal policies, ticket flows, or training still treat CPRA as a future project or a separate overlay, teams miss duties that have already been operative since January 1, 2023. - Replace internal references that describe CPRA as not yet effective or optional. - Base current controls on the live statute, current regulations, and current agency guidance rather than archived 2020 materials alone. - Keep separate trackers for already-effective duties versus any still-moving California rulemakings. - Review privacy notices, training decks, request macros, and vendor templates for stale pre-January 1, 2023 assumptions. Sources for this answer: - [CPPA FAQs](https://cppa.ca.gov/faq.html?ref=sorena.io) - Used for the CPPA's framing that CPRA amended the CCPA, did not create a separate law, and became operative on January 1, 2023. - [Proposition 24 voter guide summary](https://vig.cdn.sos.ca.gov/2020/general/pdf/topl-prop24.pdf?ref=sorena.io) - Used for the original voter-facing description of the CPRA amendments and the creation of the CPPA. ## Scope, thresholds, and exemptions changed in practical ways A legacy CCPA scoping memo can now be wrong in multiple directions. The threshold test covers buying, selling, or sharing the personal information of 100,000 or more California residents or households, and California now adjusts the gross-revenue threshold on a CPI basis instead of freezing the original $25 million figure. The exemption picture also changed. Employment-related and business-to-business carve-outs expired on December 31, 2022, so employee, applicant, vendor-contact, and business-customer data can no longer be treated as outside the programme by default. - Rerun applicability using the 100,000 residents-or-households test and the broader sale-or-sharing language. - Use California's current CPI-adjusted revenue threshold rather than hard-coding the original statutory amount. - Bring employee, applicant, and B2B-related data flows back into notices, inventories, and request-routing analysis. - Document for each flow whether the entity is acting as a business, service provider, contractor, or third party. Sources for this answer: - [CPPA FAQs](https://cppa.ca.gov/faq.html?ref=sorena.io) - Used for the current threshold summary, the CPI-adjusted revenue-threshold example, and the explanation that employee, applicant, and B2B contacts are California residents with CCPA rights. - [California Attorney General CCPA overview and FAQs](https://oag.ca.gov/privacy/ccpa?ref=sorena.io) - Used for the public-facing explanation that employment-related and B2B exemptions expired on December 31, 2022 and that businesses meeting the 100,000 threshold are subject to the law. ## CPRA added rights and purpose controls that old CCPA workflows do not cover CPRA added the right to correct inaccurate personal information, the right to limit certain uses and disclosures of sensitive personal information, and opt-out rights that explicitly cover sharing for cross-context behavioral advertising. It also made retention, purpose limitation, and data minimization more explicit by requiring businesses to disclose retention periods or criteria and to keep collection, use, retention, and sharing reasonably necessary and proportionate. That means an older CCPA portal that only handles know and delete requests, a notice at collection that omits retention information, or a secondary-use review that never tests compatibility with context is no longer enough. - Add a correction workflow that can intake supporting context, assess accuracy, and preserve an evidence trail. - Maintain an inventory of sensitive personal information so teams know when the right to limit is actually triggered and when statutory exceptions apply. - Publish retention periods or retention criteria for each category of personal information and sensitive personal information collected. - Review each new or secondary use against the disclosed purpose, compatibility with context, or valid consumer consent. Sources for this answer: - [California Civil Code - Title 1.81.5 (current CCPA text)](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Used for Sections 1798.100, 1798.106, and 1798.121 on retention disclosure, reasonably-necessary-and-proportionate use, correction, and sensitive-personal-information limitation. - [CPPA FAQs](https://cppa.ca.gov/faq.html?ref=sorena.io) - Used for the January 1, 2023 rights set and the CPPA's explanation that businesses must comply with purpose limitation and data minimization rules. - [Proposition 24 voter guide summary](https://vig.cdn.sos.ca.gov/2020/general/pdf/topl-prop24.pdf?ref=sorena.io) - Used for the original amendment text adding correction rights, sharing, SPI controls, retention disclosure, and proportionality language. ## Choice architecture, links, and preference signals became first-class compliance surfaces CPRA changed the consumer-facing product surface, not just the rights list. Depending on the data uses in play, businesses may need a Do Not Sell or Share link, a Limit link, a combined Your Privacy Choices experience, or a fully compliant opt-out preference signal implementation. The practical failure mode is friction. Hiding the control inside a privacy policy, asking for unnecessary information, or treating browser-based signals as optional is inconsistent with the statute and regulations. - Provide the correct footer or header link, alternative link, or equivalent mechanism if sale or sharing and/or SPI limitation rights apply. - Honor opt-out preference signals at least for the browser or device and more broadly when the consumer is known to the business. - Do not require account creation or unnecessary identity information to submit opt-out or limit requests. - QA California timing: confirm delete, correct, and know requests within 10 business days, respond within 45 calendar days unless properly extended, and complete opt-out and limit requests within 15 business days. Sources for this answer: - [California Civil Code - Title 1.81.5 (current CCPA text)](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Used for Section 1798.135 on link requirements, opt-out preference signals, no-account-creation rules, and the 12-month wait before re-requesting authorization. - [CCPA Regulations effective January 1, 2026](https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_20260101.pdf?ref=sorena.io) - Used for Sections 7013, 7014, 7015, 7021, 7025, 7026, and 7027 on links, notice placement, opt-out preference signals, and response timing. - [CPPA FAQs](https://cppa.ca.gov/faq.html?ref=sorena.io) - Used for the practical explanation of Global Privacy Control, footer-link labels, and the 10-business-day, 45-day, and 15-business-day response timings. ## Sharing and vendor classification are where CPRA becomes operational One of the biggest practical shifts is that sharing now captures disclosures for cross-context behavioral advertising even when money does not change hands. A legacy analysis that only asks whether a disclosure is a sale is too narrow for modern advertising, measurement, and audience-matching flows. CPRA also narrows the service-provider and contractor safe zone. Under the regulations, a person providing cross-context behavioral advertising is a third party for that function, and a recipient without a compliant contract can push the disclosure back into sale-or-sharing territory. - Map each adtech or analytics recipient by actual function rather than by the label in the MSA or DPA. - Treat pixels, audience matching, retargeting, and similar cross-context advertising flows as candidate sharing until you can justify a narrower classification. - Update service-provider and contractor terms to include sale or sharing prohibitions, same-level-of-protection language, monitoring rights, notice of non-compliance, and remediation rights. - Verify that opt-out, deletion, correction, and limit instructions are actually propagated downstream and checked in practice. Sources for this answer: - [California Civil Code - Title 1.81.5 (current CCPA text)](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Used for the definitions of share, cross-context behavioral advertising, service provider, contractor, business purpose, and the statutory contract requirements in Sections 1798.100 and 1798.140. - [CCPA Regulations effective January 1, 2026](https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_20260101.pdf?ref=sorena.io) - Used for Sections 7050, 7051, and 7053, including the rule that a person providing cross-context behavioral advertising is a third party rather than a service provider or contractor for that activity. ## Enforcement changed, but not into a single cure rule CPRA created the CPPA and moved California beyond the earlier Attorney-General-only narrative. Under the current text, public enforcement now includes CPPA administrative enforcement as well as Attorney General civil enforcement. The private lawsuit remains narrow. Section 1798.150 still applies to certain security-breach claims and still uses 30 days' written notice when a cure is possible. Teams should stop teaching a blanket rule that California either always has, or no longer has, a cure period. - Separate private breach claims under Section 1798.150 from public enforcement under Sections 1798.155 and 1798.199.90. - Keep notices, request logs, suppression testing, contract files, and governance records ready for regulator review rather than assuming remediation can wait. - Treat complaints involving businesses, service providers, contractors, and third parties as potential CPPA or Attorney General inputs. - Split incident-response playbooks from privacy-request and privacy-governance remediation work. Sources for this answer: - [California Civil Code - Title 1.81.5 (current CCPA text)](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Used for Section 1798.150 on private security-breach claims and 30 days' written notice, Section 1798.155 on CPPA administrative enforcement, and Section 1798.199.90 on Attorney General civil enforcement. - [California Attorney General CCPA overview and FAQs](https://oag.ca.gov/privacy/ccpa?ref=sorena.io) - Used for the public-facing explanation that most CCPA violations are not privately actionable and for complaint-routing guidance. - [CPPA FAQs](https://cppa.ca.gov/faq.html?ref=sorena.io) - Used for the statement that businesses, service providers, contractors, and third parties may be the subject of a complaint under the CCPA. *Recommended next step* *Placement: after the enforcement section* ## Use California CPRA vs CCPA as a cited implementation workflow Research Copilot can take California CPRA vs CCPA from a legal delta page into a reusable implementation workflow inside Sorena. Teams can keep owners, evidence, and remediation steps aligned without rebuilding this guidance in separate documents. - [Open Research Copilot for California CPRA vs CCPA](/solutions/research-copilot.md): Start from California CPRA vs CCPA and answer scope, timing, enforcement, and implementation questions with cited outputs. - [Talk through California CPRA](/contact.md): Review your current California process, evidence gaps, and next steps for CPRA vs CCPA remediation. ## Practical CPRA upgrade checklist If your California programme was built for the January 1, 2020 CCPA launch and then only lightly patched, the fastest route is a focused remediation sprint rather than a full rewrite. CPRA raised the cost of stale assumptions in notices, adtech, contract structure, and workflow evidence. The control surfaces worth testing first are the ones consumers and regulators will touch immediately: scope decisions, notices, links, request handling, downstream propagation, vendor classification, and incident or complaint routing. - Replace old 50,000-threshold references and any pre-January 1, 2023 exemption assumptions. - Update privacy notices, notices at collection, and footer controls to the current rights set, retention disclosures, and SPI logic. - Add correction and SPI-limit workflows to intake, escalation, downstream instructions, and QA testing. - Reclassify advertising, analytics, and activation vendors by actual behavior and contract posture, not by legacy labels. - Test Global Privacy Control or other valid opt-out preference signals, response timing, and downstream deletion, correction, and limit propagation in live systems. - Keep an evidence pack for public enforcement review: policies, ticket logs, suppression proofs, contract versions, training, and governance records. Sources for this answer: - [California Civil Code - Title 1.81.5 (current CCPA text)](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Used for the current rights, link obligations, contract restrictions, retention and proportionality language, private-action section, and public-enforcement sections. - [CCPA Regulations effective January 1, 2026](https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_20260101.pdf?ref=sorena.io) - Used for the operational detail on notices, request-handling, opt-out preference signals, timing, and service-provider implementation. - [CPPA FAQs](https://cppa.ca.gov/faq.html?ref=sorena.io) - Used for public-facing workflow expectations on thresholding, rights methods, response timing, and complaints. ## Primary sources - [Proposition 24 voter guide summary](https://vig.cdn.sos.ca.gov/2020/general/pdf/topl-prop24.pdf?ref=sorena.io) - Primary historical source for what the CPRA amendments were intended to change in the CCPA, including sharing, correction, SPI limits, retention, and the creation of the CPPA. - Quote: "Establishes California Privacy Protection Agency." - [CPPA FAQs](https://cppa.ca.gov/faq.html?ref=sorena.io) - Primary current guidance used for the operative legal framing, thresholds, rights, timing, and opt-out preference signal handling. - Quote: "The CPRA amended the CCPA" - [California Civil Code - Title 1.81.5 (current CCPA text)](https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?lawCode=CIV&division=3.&title=1.81.5.&part=4.&ref=sorena.io) - Primary statutory source used for retention, proportionality, correction, SPI limitation, link duties, contract obligations, private action, and public enforcement. - Quote: "reasonably necessary and proportionate" - [CCPA Regulations effective January 1, 2026](https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_20260101.pdf?ref=sorena.io) - Primary regulatory source used for notices, request methods, response timing, opt-out preference signals, and vendor-classification rules. - Quote: ""Your Privacy Choices"" - [California Attorney General CCPA overview and FAQs](https://oag.ca.gov/privacy/ccpa?ref=sorena.io) - Used for the public-facing explanation of scope, the end of the employee and B2B exemptions, and the distinction between private actions and public enforcement. - Quote: "You cannot sue businesses for most CCPA violations." ## Related Topic Guides - [CPPA Regulations Tracker | California Rulemaking Tracker](/artifacts/us/california-privacy-rights-act/cppa-regulations-tracker.md): Track the California rules that changed the operating baseline in 2026 and the related regulator outputs. - [CPRA Applicability Test | California Scope and Trigger Guide](/artifacts/us/california-privacy-rights-act/applicability-test.md): Confirm California scope and then identify which CPRA specific obligations activate. - [CPRA Checklist | California Privacy Rights Act Checklist](/artifacts/us/california-privacy-rights-act/checklist.md): Track the California privacy workstreams that changed under CPRA and the 2026 rules. - [CPRA Compliance Program | California Operating Model](/artifacts/us/california-privacy-rights-act/compliance.md): Run a California programme that can absorb ongoing CPPA rules without constant redesign. - [CPRA Consumer Rights Workflow | California Rights Operations](/artifacts/us/california-privacy-rights-act/consumer-rights-workflow.md): Run California rights operations across delete, correct, know, opt out, and limit. - [CPRA Contracts, Contractors, and Service Providers](/artifacts/us/california-privacy-rights-act/contracts-contractors-and-service-providers.md): Draft California recipient contracts that support both baseline CPRA compliance and the newer assurance obligations. - [CPRA Deadlines and Compliance Calendar | California Privacy Calendar](/artifacts/us/california-privacy-rights-act/deadlines-and-compliance-calendar.md): Use the dates that matter for the current California privacy regime. - [CPRA FAQ | Practical California Privacy Rights Answers](/artifacts/us/california-privacy-rights-act/faq.md): Answer the California questions that stall CPRA implementation decisions. - [CPRA Penalties and Fines | California Enforcement Exposure](/artifacts/us/california-privacy-rights-act/penalties-and-fines.md): Understand what makes California exposure larger, faster, and harder to defend. - [CPRA Requirements | California Control Requirements](/artifacts/us/california-privacy-rights-act/requirements.md): Translate the current California regime into control statements that teams can build and test. - [CPRA Risk Assessment Template | California Risk Assessment Guide](/artifacts/us/california-privacy-rights-act/cpra-risk-assessment-template.md): Use a California specific template that matches the current rule structure instead of a generic DPIA form. - [CPRA Risk Assessments and Cybersecurity Audits | California Assurance Guide](/artifacts/us/california-privacy-rights-act/risk-assessments-and-cybersecurity-audits.md): Prepare for the California assurance duties that now have real structure, timing, and evidence requirements. - [CPRA Sensitive Personal Information | California SPI Guide](/artifacts/us/california-privacy-rights-act/sensitive-personal-information.md): Handle SPI with the level of design and evidence the California rules now expect. - [CPRA vs Colorado Privacy Act | State Privacy Comparison](/artifacts/us/california-privacy-rights-act/cpra-vs-colorado-privacy-act.md): Compare the California and Colorado models before reusing a state privacy template across both. - [CPRA vs Virginia VCDPA | State Privacy Comparison](/artifacts/us/california-privacy-rights-act/cpra-vs-virginia-vcdpa.md): Compare California and Virginia privacy models before reusing contracts or request flows across both. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/us/california-privacy-rights-act/ccpa-vs-cpra