California Privacy Rights Act of 2020

The CPRA amends and expands the CCPA, introducing new consumer rights, the concept of sensitive personal information, the California Privacy Protection Agency, and mandatory cybersecurity audits for high-risk businesses.

Issuing Body: California Voters (Ballot Proposition 24) / California Privacy Protection Agency
First Published: 2020-11-03
Latest Version: 2020 (enforced January 1, 2023)
Typical Cost: $10,000–$150,000
Typical Timeline: 2–8 months
Audit Required: Yes
Audit Frequency: Annual cybersecurity audits required for businesses whose processing presents significant risk to consumer privacy. Risk assessments required for high-risk processing.
Geography: United States (California)

CPRA: The Complete Guide

The California Privacy Rights Act, passed by California voters as Proposition 24 in November 2020, significantly strengthens and amends the CCPA. Effective January 1, 2023, the CPRA introduces new consumer rights, creates a dedicated enforcement agency, and imposes obligations that more closely align California's privacy regime with the GDPR.

What the CPRA Adds

The CPRA introduces several concepts absent from the original CCPA. It creates the category of "sensitive personal information" — including Social Security numbers, precise geolocation, racial or ethnic origin, and biometric data — and grants consumers the right to limit its use. New rights also include the right to correct inaccurate information and the right to opt out of automated decision-making technology.

The law codifies data minimization and purpose limitation principles, requiring businesses to collect only personal information that is reasonably necessary and proportionate to the disclosed purpose. It also extends the lookback period for consumer requests to twelve months.

The California Privacy Protection Agency

The CPRA established the California Privacy Protection Agency (CPPA), the first dedicated state privacy enforcement body in the United States. The CPPA has rulemaking authority and administrative enforcement power, supplementing the California Attorney General's existing enforcement role.

Who Needs to Comply

The CPRA modifies the CCPA's applicability thresholds. It applies to for-profit businesses that collect California residents' personal information and meet at least one of three criteria: annual gross revenue over $25 million; buying, selling, or sharing the personal information of 100,000 or more consumers or households; or deriving 50% or more of annual revenue from selling or sharing consumers' personal information.

Practical Compliance Steps

  1. Gap assessment — Identify new CPRA requirements beyond existing CCPA compliance
  2. Sensitive data inventory — Map all sensitive personal information processing
  3. Consumer rights updates — Implement correction and automated decision-making opt-out mechanisms
  4. Data minimization review — Evaluate collection practices against necessity and proportionality
  5. Vendor agreements — Update contracts to reflect CPRA requirements for service providers, contractors, and third parties
  6. Cybersecurity audit program — Establish annual audit procedures if processing presents significant risk
  7. Risk assessments — Conduct and document assessments for high-risk processing activities

Organizations already compliant with the CCPA have a head start, but the CPRA's expanded requirements — particularly around sensitive data, data minimization, and audit obligations — demand additional compliance investment.
