Requirements For Businesses Under The California Privacy Rights Act

Digital platforms are nothing new, but evolving legislation constantly pushes businesses to comply with more and more technology-related policies. In November 2020, California voters passed the California Privacy Rights Act (CPRA) to amend and expand upon the California Consumer Privacy Act (CCPA), and these changes went into effect as of January 2023. This post will review some of these changes, and the implications they will have for California’s business owners.


What Is The California Privacy Rights Act?

Much like the current privacy laws that have been enacted in the European Union, the CPRA grants certain rights to California residents including, but not limited to:


  • Limiting the use of sensitive personal information, such as Social Security and driver’s license numbers.
  • Receiving information about automated decision-making processes that affect them.
  • Being informed about the type of data that is collected about them, how long it will be used, shared, or sold, as well as preventing the sale of the collected information.
  • Requesting the deletion of personal information and having access to their personal information.


The CPRA also created a new agency called the California Privacy Protection Agency, which is responsible for enforcing the law and imposing penalties for violations. These penalties can be quite steep, running up to thousands of dollars per violation, with each affected consumer potentially counting as a separate violation. Companies may also face litigation costs now too as individuals can sue businesses for failing to comply with CPRA requirements, especially if there is a data breach caused by a cyber attack.


How Does The CPRA Impact Businesses?

Any business that meets one of the following criteria must be in compliance with the requirements of the CPRA:


  • Have a gross annual revenue of over $25 million;
  • Buy, sell, or share the personal information of 100,000 or more California residents or households; or
  • Derive 50% or more of their annual revenue from selling or sharing California residents’ personal information.

Company owners might assume their enterprise is exempt because they don’t have the records of 100,000 Californians on file, but you need to be careful because using third-party cookies counts too. 

Complying with the CPRA will be fairly easy for some companies and quite difficult for others, depending on that company’s underlying data collection processes. The CPRA provides new rules about how much information you can gather, of what type, how it may be used, and how long it can be stored. It also dictates the privacy notices and options you need to provide to your customers, as well as the procedures you must follow if someone opts out of having their data collected.


The impact on California’s businesses could be quite significant, both in terms of time and money. At a minimum, most companies should modify their data collection processes and update their privacy policies and procedures. Some may need to hire new personnel, review their service provider contracts, or even conduct a data security assessment in order to bring themselves into compliance.


Getting Help

California’s privacy laws are rapidly evolving, and while it can be hard to keep up with all the changes, it can be prohibitively expensive if you fail to do so. The good news is that IGC can help. For legal guidance on how best to protect your business, contact our office online, or call (925) 399-1529 (1LAW) for a free consultation.

Integrated General Counsel
Latest posts by Integrated General Counsel (see all)