Darren Chaker

Darren Chaker on How CPRA Reshapes Online Privacy Rights in California

CCPA Was Just the Starting Point

When the California Consumer Privacy Act went into effect back in 2020, a lot of businesses treated it as a finish line. Get the privacy policy updated, add a "Do Not Sell" link to the footer, call it done.

That was never going to hold. And with the California Privacy Rights Act now fully in effect, the landscape has shifted in ways that catch people off guard.

I have spent the last several months helping clients navigate CPRA requirements, and the gap between what businesses think they need to do and what the law actually demands is wider than most people expect.

What Changed From CCPA to CPRA

CPRA did not replace CCPA. It amended and expanded it. But the changes are substantial enough that treating CPRA as a minor update is a mistake.

Here are the shifts that matter most:

Sensitive personal information is now its own category. Under the original CCPA, there was no distinction between general personal information and sensitive data. CPRA changed that. Sensitive personal information now includes:

  • Social Security, driver's license, and passport numbers
  • Account credentials (username or email combined with a password or security question)
  • Precise geolocation within a 1,850-foot radius
  • Racial or ethnic origin, religious beliefs, union membership
  • Contents of personal mail, email, and text messages (when the business is not the intended recipient)
  • Genetic data and biometric information used for identification
  • Health information, sex life, or sexual orientation

If you collect any of this, consumers can now limit how you use and disclose it. That is a meaningful new right that did not exist under CCPA alone.

New consumer rights that require real operational changes:

Right to Correct
  Consumers can demand you fix inaccurate personal information.

Right to Limit Use of Sensitive PI
  Consumers can restrict use of sensitive data to what is necessary to provide the service.

Right to Know About Automated Decision-Making
  Consumers can access information about how automated systems profile them.

Right to Opt Out of Automated Decision-Making
  Consumers can refuse to be subject to automated profiling in certain contexts.

The correction right alone has been a headache for companies running legacy systems. I worked with one company that had customer records spread across four databases with no single source of truth. When a correction request came in, they had no mechanism to propagate the change. That is a compliance gap that will get flagged.

The California Privacy Protection Agency Is Not a Paper Tiger

This is the part I keep emphasizing to clients. Under CCPA, enforcement sat with the California Attorney General. That office has a lot on its plate. Enforcement was real but not exactly aggressive for most businesses.

CPRA created the California Privacy Protection Agency, or CPPA. It is a standalone, fully funded agency with dedicated staff whose sole job is privacy enforcement. They have rulemaking authority. They conduct audits. They investigate complaints.

The CPPA has already taken enforcement actions in early 2026 targeting:

  • Dark patterns that undermine consumer opt-out choices
  • Failure to honor Global Privacy Control signals sent by browsers
  • Misleading privacy notices that do not reflect actual data practices
  • Weak security measures contributing to breaches involving sensitive data

Penalties remain $2,500 per violation and $7,500 for intentional violations or those involving minors. But with a dedicated enforcement body actively looking for violations, the risk profile has changed significantly.

What I Tell Clients to Do Right Now

Run a sensitive data inventory immediately. Go through every system that touches personal information and flag anything that qualifies as sensitive PI under CPRA definitions. Most businesses have no idea how much sensitive data they are sitting on until they actually look.

Review your consent mechanisms. CPRA requires consent to be freely given, specific, informed, and unambiguous. Pre-checked boxes and buried consent language will not cut it. If your opt-in flow relies on dark patterns or confusing toggles, fix it before the CPPA comes knocking.

Implement support for Global Privacy Control. GPC is a browser-level signal that communicates a consumer's opt-out preference. Under CPRA regulations, businesses must honor it. I am still seeing companies that either ignore GPC signals entirely or have no technical mechanism to detect them.

Audit your automated decision-making systems. If you use algorithms to make decisions about consumers, whether for pricing, eligibility, advertising targeting, or content delivery, you need to be prepared to explain how those systems work and give consumers a way to opt out.

Update your service provider and contractor agreements. CPRA introduced a new "contractor" category alongside service providers. Both require specific contractual provisions limiting how they can use personal information. Old CCPA-era agreements likely need updating.

The Bigger Picture

CPRA is not just a California story. Other states are watching and modeling legislation after it. Virginia, Colorado, Connecticut, Utah, and several others have passed their own privacy statutes, many influenced by CCPA and CPRA.

For anyone working in cybersecurity or data privacy, understanding CPRA is not optional. It sets the floor for what comprehensive privacy legislation looks like in the United States. Businesses that get ahead of it now will spend less time scrambling when similar requirements show up in other jurisdictions.

Darren Chaker is a cybersecurity consultant and digital privacy advocate based in Beverly Hills, California. Learn more at about.me/darrenchakerprivacy.
