Understanding the CPRA and Marketing Compliance

Discover how California’s CPRA affects marketing: verifiable consent, tighter vendor control, and trust built through operational integrity.

How the California Privacy Rights Act reshapes marketing data practices and redefines consumer trust.

The California Consumer Privacy Act (CCPA) changed how businesses collect and disclose personal data. It introduced transparency and gave consumers more control over how their information is used. As consumers and regulators called for stronger accountability, a new law emerged: the California Privacy Rights Act (CPRA).


Where the CCPA focused on telling consumers what happens to their data, the CPRA demands proof. Compliance becomes a test of operational integrity — marketers must show governance is practiced, not just promised.

If you're new to California privacy, start with our primer on Understanding the CCPA and Marketing Compliance, then come back here for what CPRA changes in practice.

Quick Reference: CPRA Compliance Essentials

Enforcement Timeline:

  • Statutory CPRA provisions: enforceable from July 1, 2023

  • Trial court delay to March 29, 2024 was reversed by the Court of Appeal on Feb 9, 2024 (CalChamber v. CPPA); the CPPA resumed immediate enforcement of the 2023 regulations

Who Must Comply:

  • Companies with annual gross revenue exceeding $26.625 million (adjusted for inflation as of January 1, 2025), OR

  • Companies that buy, sell, or share personal information of 100,000+ California consumers or households annually, OR

  • Companies that derive 50% or more of annual revenue from selling or sharing consumers' personal information

Key Marketing Requirements:

  • Verifiable consent records where required (e.g., minors’ sale/sharing; sensitive data where state law requires opt-in)

  • Opt-out mechanisms that cascade across platforms as soon as feasible and no later than 15 business days for opt-out of sale/sharing; apply the same 15-business-day window to requests to limit (11 CCR § 7026(f)(1); § 7027(g)(1))

  • Automated request fulfillment (access, deletion, correction) within 45 days (one 45-day extension permitted) (Cal. Civ. Code § 1798.130(a)(2))

  • 24-month recordkeeping for all consumer requests (11 CCR § 7101)

  • Vendor agreements ensuring CPRA compliance (contracts must prohibit vendors from selling or sharing PI and require deletion/opt-out obligations to flow down)

Maximum Penalties: $7,988 per intentional violation (and violations involving consumers known to be under 16); $2,663 per other violation


Transparency to Accountability

The CPRA, passed by California voters in November 2020 and effective January 1, 2023, amends and expands the CCPA, closing key gaps and aligning California's privacy framework more closely with Europe's GDPR principles. It codifies three critical concepts that directly impact marketing operations:

Data minimization: Collect only what's necessary for the stated purpose. If you're capturing phone numbers but never calling leads, that field shouldn't exist in your forms.

Purpose limitation: Data collected for one purpose can't be repurposed without new consent. Email addresses gathered for newsletter subscriptions can't automatically be added to promotional campaigns without explicit permission.

Risk assessment and cybersecurity audits: The CPPA finalized risk assessment, cybersecurity audit, and automated decision-making technology (ADMT) regulations in 2025. Risk assessment and cybersecurity audit rules take effect January 1, 2026; first annual submissions are due April 1, 2028 (with phase-ins by entity type). ADMT rules become effective January 1, 2027.

In practice, this means every data capture point, from website forms and cookies to CRM integrations, must have a clearly defined business purpose. If a marketer can't explain why a data field exists or how long the data is needed, that data shouldn't be collected.

As the California Privacy Protection Agency (CPPA) emphasized in its enforcement priorities, businesses must be able to “demonstrate both procedural and technical compliance through documentation, system audits, and response to consumer requests.” For marketers, that translates to traceability: being able to show how consent was gathered, how preferences are stored, and how opt-outs are honored across systems.

How Do Marketers Adapt?

Since enforcement began on July 1, 2023, the CPRA has shifted marketing compliance from policy to execution. The most visible change is operational: consent management, preference tracking, and data access requests must now function seamlessly across every layer of a marketing stack.

What Marketers Should Do:

Maintain verifiable records of consent for every lead and audience segment. This means timestamped logs showing when consent was obtained, what was consented to, and through which interface.

Ensure opt-outs cascade through all connected platforms, including ad networks, analytics tools, and third-party data providers. When a consumer opts out of data sharing, that preference must propagate to Google Ads, Meta audiences, email platforms, and any other system touching that consumer's data — as soon as feasibly possible but no later than 15 business days (11 CCR § 7026(f)(1); § 7027(g)(1)).

Keep detailed logs showing how personal and sensitive information moves between systems. Data mapping has become essential: marketers need flowcharts showing every system that touches consumer data, from initial capture through archival or deletion.

This has led many teams to modernize their workflows with privacy automation tools (like OneTrust, Transcend, or Osano), centralized consent management platforms, and built-in request handling in CRMs. The emphasis is on control at scale, a core principle of CPRA enforcement.

A New Enforcement Reality

The CPRA's creation of the California Privacy Protection Agency fundamentally changes compliance risk. Unlike the Attorney General's office, which shared privacy oversight among broader responsibilities, the CPPA exists solely to enforce privacy law.

This dedicated agency can initiate audits, investigate consumer complaints, and issue fines up to $7,988 per intentional violation (and violations involving consumers known to be under 16) or $2,663 per other violation. The elimination of the 30-day "cure period" that existed under the CCPA means there is no longer an opportunity to fix problems after discovery in CPPA enforcement actions; compliance must be continuous.

Important note: The 30-day cure period still exists for consumers' private right of action in data breach cases (Cal. Civ. Code § 1798.150). Implementing reasonable security after a breach does not constitute a cure. Before a consumer can sue under the CPRA for a data breach, they must notify the business and allow 30 days to cure the violation.

What triggers an investigation?

  • Consumer complaints filed through the CPPA portal

  • Data breach notifications that reveal compliance gaps

  • Industry sweeps targeting specific sectors (for example, the CPPA's connected-vehicle enforcement sweep, announced July 31, 2023)

  • Referrals from the Attorney General's office

One major implication for marketers is the expanded definition of data sharing. California law defines "sharing" as disclosing personal information to a third party for cross-context behavioral advertising, even without money changing hands, such as retargeting campaigns and lookalike audience matching (Cal. Civ. Code §§ 1798.140(ah), 1798.140(k)).

Practical example: When a consumer visits your website and you place a Meta Pixel that enables you to show them ads on Instagram, that's data sharing. When you upload customer emails to Google Ads to create a similar audiences campaign, that's data sharing. Both require prominent "Do Not Share My Personal Information" opt-out options.

This means that cookies, pixels, and third-party ad integrations are all subject to opt-out requirements, even if no direct sale or revenue exchange occurs.

The Expanded Scope of Consumer Rights

The CPRA builds on the CCPA's core rights — access, deletion, opt-out of sales, and non-discrimination — by adding two new protections:

The right to correct inaccurate personal data. Consumers can now request that businesses fix incorrect information in their records. For marketers, this means establishing processes to verify and update data across all systems within 45 days of a request (Cal. Civ. Code § 1798.130(a)(2)).

The right to limit how sensitive personal information is used or disclosed. This creates a new category beyond opt-out of sales — consumers can allow you to hold their sensitive data but restrict how you use it. Note that "limit use" is narrower than the blanket opt-in requirement in other states, but it still significantly constrains marketing uses. For example, using precise geolocation data (within a 1,850-foot radius) for location-based advertising would require respecting a consumer's limit-use request (Cal. Civ. Code § 1798.140(w)).

What qualifies as sensitive personal information under CPRA:

  • Social Security numbers, driver's license numbers, passport numbers

  • Account credentials and financial information

  • Precise geolocation (within a 1,850-foot radius)

  • Racial or ethnic origin, religious beliefs, union membership

  • Mail, email, and text message contents (unless you're the intended recipient)

  • Genetic data and biometric information

  • Health information and sex life or sexual orientation

  • Citizenship or immigration status

These categories directly affect marketing personalization. Using health-related browsing behavior to target supplement ads, or precise location data to trigger store-visit campaigns, now requires explicit consent or falls under "limit use of sensitive data" rights.

Identifying sensitive data in marketing systems:
Many marketers unknowingly collect sensitive data through:

  • Forms that include optional fields for demographic information

  • Location-enabled mobile apps that capture precise coordinates

  • Behavioral tracking that reveals health conditions (fertility apps, medical symptom searches)

  • Third-party data enrichment services that append demographic attributes

This new boundary forces marketers to rethink segmentation and targeting. Broad profiling based on inferred sensitive traits is no longer defensible. Instead, compliant marketing strategies rely on declared data — the information customers willingly share when they trust how it will be used. This shift supports more meaningful personalization and strengthens long-term loyalty.

What Compliance Looks Like Today

For most organizations, CPRA compliance means turning abstract policy into measurable action. It's not enough to have a privacy statement; companies must be able to demonstrate control.

Effective programs share a few traits:

Integrated consent tools that distinguish between data sales, sharing, and sensitive data use. These typically present layered consent options: essential functions, analytics, advertising, and sensitive data use as separate toggles. Most teams surface notices and opt-outs through a consent manager that also honors GPC, rather than relying on generic cookie banners.
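As an added example that is not code from the article or from any consent-management vendor, the following JavaScript shows the consent gate described above: it treats a GPC signal (the browser's `navigator.globalPrivacyControl` property, or the `Sec-GPC: 1` request header on the server) as an opt-out of sale/sharing, records each decision with a timestamp and the interface it came through (the verifiable record the "What Marketers Should Do" section calls for), and returns the tag categories that may fire. The category names, the consumer id, and the shape of the log entry are assumptions.

```javascript
// Added example (not code from the article or any consent-management vendor):
// a consent gate that honors the Global Privacy Control signal, keeps a
// timestamped consent record, and reports which tag categories may fire.

// Consent categories as the article lists them; the names are our assumption.
const CATEGORIES = ["essential", "analytics", "advertising", "sensitive"];

// Categories that amount to "sharing" for cross-context behavioral advertising
// (pixels, audience matching) or to sensitive-data use. A GPC signal is a valid
// opt-out of sale/sharing, so these are forced off whenever GPC is present,
// whatever the consumer clicked in the banner.
const GPC_OPT_OUT = new Set(["advertising", "sensitive"]);

// Browser side: the GPC spec exposes navigator.globalPrivacyControl (boolean).
function gpcFromNavigator(nav) {
  return !!nav && nav.globalPrivacyControl === true;
}

// Server side: the same signal arrives as the request header "Sec-GPC: 1".
// `headers` is a plain object with lower-cased keys, as Node's http module gives.
function gpcFromHeaders(headers) {
  return !!headers && String(headers["sec-gpc"]).trim() === "1";
}

// Effective choices = banner selection, with essential always on, unknown
// categories ignored, and the sale/sharing categories cleared under GPC.
function effectiveChoices(bannerChoices, gpcOn) {
  const choices = {};
  for (const c of CATEGORIES) {
    choices[c] = c === "essential" || bannerChoices.includes(c);
    if (gpcOn && GPC_OPT_OUT.has(c)) choices[c] = false;
  }
  return choices;
}

// Append a verifiable record: when, what was consented to, through which
// interface, and whether GPC was present. `now` (epoch ms) is injected so the
// entry is reproducible; in production pass Date.now().
function recordConsent(log, { consumerId, bannerChoices, gpcOn, surface, now }) {
  const entry = {
    consumerId,
    timestamp: new Date(now).toISOString(),
    surface, // e.g. "cookie-banner-v3" or "gpc-signal"
    gpc: gpcOn,
    choices: effectiveChoices(bannerChoices, gpcOn),
  };
  log.push(entry);
  return entry;
}

// Categories the tag loader may fire for a consumer right now: the latest
// record wins; a consumer with no record gets essential only.
function allowedCategories(log, consumerId) {
  const last = [...log].reverse().find((e) => e.consumerId === consumerId);
  if (!last) return ["essential"];
  return CATEGORIES.filter((c) => last.choices[c]);
}

// Demo with a constructed visitor who accepted advertising in the banner but
// whose browser sends GPC: advertising must not fire.
function demo() {
  const log = [];
  recordConsent(log, {
    consumerId: "visitor-123", // constructed sample id
    bannerChoices: ["analytics", "advertising"],
    gpcOn: gpcFromHeaders({ "sec-gpc": "1" }),
    surface: "cookie-banner-v3",
    now: Date.UTC(2025, 0, 15, 12, 0, 0),
  });
  return allowedCategories(log, "visitor-123"); // ["essential", "analytics"]
}
```

The same `allowedCategories` result is what a tag loader should consult before injecting a pixel or audience-upload script, and the log is what an auditor asks for when they want proof of how a given opt-out was honored.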

Automated fulfillment of access, correction, and deletion requests through CRM and analytics systems. Manual processes break down at scale — automation ensures the 45-day response deadline is consistently met (Cal. Civ. Code § 1798.130(a)(2)).

Vendor oversight that ensures ad platforms and data partners adhere to CPRA obligations. This includes Data Processing Addenda (DPAs) with contractual language requiring vendors to honor consumer opt-outs, delete data upon request, and — critically — prohibiting vendors from selling or sharing personal information. These obligations must flow down to any subcontractors.

Recordkeeping systems that log consumer requests and company responses for at least 24 months (11 CCR § 7101). Businesses handling 10 million or more California consumers' personal information must publish annual request metrics in their privacy policies (11 CCR § 7102).

Implementation timeline: Most mid-sized organizations report needing 6–12 months to achieve full CPRA compliance when starting from a basic CCPA foundation. This includes technology implementation, process documentation, staff training, and vendor negotiations.

Marketers who built strong CCPA programs have an advantage, as the foundation is similar. However, the CPRA demands more documentation, more granular control, and no margin for error.

Common Misconceptions About the CPRA

"The CPRA only applies if we're based in California."
False. The CPRA applies to any business meeting the thresholds that collects data from California residents, regardless of where the business is located.

"We don't sell data, so the CPRA doesn't affect our marketing."
False. The CPRA's definition of "sharing" includes retargeting, audience matching, and cross-context behavioral advertising — activities nearly all digital marketers engage in (Cal. Civ. Code §§ 1798.140(ah), 1798.140(k)).

"B2B marketing is exempt from the CPRA."
False. California's B2B and employee exemptions expired on December 31, 2022; full CPRA rights apply from January 1, 2023. Business contact information is now covered under the CPRA, subject to standard exclusions like publicly available information.

"We have a year to respond to deletion requests."
False. Businesses must respond to verified requests within 45 days, with a possible 45-day extension if needed (total maximum: 90 days) (Cal. Civ. Code § 1798.130(a)(2)).

"Small businesses don't need to worry about CPRA."
False. While the revenue and volume thresholds exempt some small businesses, many small companies meet at least one threshold — especially those deriving significant revenue from ads or data monetization.

Self-Assessment: Is Your Marketing Team CPRA-Ready?

Ask yourself these questions:

Consent & Documentation

  • Can you prove consent for every contact in your database?

  • Do you maintain timestamped records showing when and how consent was obtained?

  • Can you demonstrate what each contact consented to (marketing emails vs. data sharing vs. sensitive data use)?

Technical Infrastructure

  • Can you fulfill a deletion request across all systems within 45 days?

  • Do opt-outs automatically sync across your ad platforms, CRM, and analytics tools?

  • Can you generate a report showing all personal data held about a specific consumer?

Vendor Management

  • Do your vendors sign Data Processing Addenda addressing CPRA requirements?

  • Can your ad platforms honor "Do Not Share" requests?

  • Do you have contractual provisions requiring vendors to delete data upon your request?

Process & Training

  • Does your team know the difference between "selling" and "sharing" data?

  • Have you documented your data retention policies by data type?

  • Can you produce your most recent privacy impact assessment?

If you answered "no" or "unsure" to more than two questions in any category, prioritize those areas for immediate attention.

Building a Privacy-First Marketing Culture

Compliance alone doesn't build trust — consistency does. The CPRA invites marketers to treat privacy as a brand value rather than a legal burden.

When consumers see transparency in action — clear notices, easy opt-outs, honest communication — they're more likely to engage and share data voluntarily. That trust leads to cleaner data, higher engagement rates, and more reliable analytics.

Privacy teams consistently report opt-in rate improvements after simplifying consent interfaces and explaining data use in plain language. Rather than legal jargon, effective consent notices use straightforward statements like “We’ll use your email to send policy updates and helpful tips — about twice a month.” Privacy clarity doesn't reduce leads — it improves them.

Forward-looking marketers now see CPRA compliance as part of customer experience design. Every form, consent surface, and privacy notice is a chance to demonstrate respect — and earn permission that competitors can't buy.

How the CPRA Compares to Other State Laws

California's privacy framework continues to influence national policy. As other states adopt similar laws, understanding the variations helps marketers prepare for multi-state compliance.

Requirement                   | California (CPRA)              | Virginia (CDPA) | Colorado (CPA)  | Connecticut (CTDPA)
----------------------------- | ------------------------------ | --------------- | --------------- | --------------------------
Effective Date                | Jan 1, 2023                    | Jan 1, 2023     | July 1, 2023    | July 1, 2023
Revenue Threshold             | $26.625M+ (CPI-adjusted 2025)  | None            | None            | None
Data Volume Threshold         | 100K+ consumers                | 100K+ consumers | 100K+ consumers | 100K+ consumers
Sensitive Data Category       | Yes (limit-use right)          | Yes (opt-in)    | Yes (opt-in)    | Yes (opt-in)
Private Right of Action       | Data breaches only             | No              | No              | No
Universal Opt-Out Recognition | Required                       | Not required    | Required        | Required
Cure Period                   | No                             | 30 days         | 60 days         | No (expired Jan 1, 2025)

Key takeaway: California's approach (limit use of sensitive data) differs from most other states (opt-in required for sensitive data). Marketers operating nationally should default to the stricter opt-in standard to ensure compliance across jurisdictions.

Universal opt-out mechanism requirements: California requires honoring Global Privacy Control (GPC) signals. Colorado requires honoring a universal opt-out mechanism as of July 1, 2024, and Connecticut as of January 1, 2025. These mechanisms allow consumers to transmit privacy preferences across websites automatically.

Note on revenue thresholds: California law requires biennial adjustment of monetary thresholds based on the Consumer Price Index. As of January 1, 2025, the revenue threshold increased from $25 million to $26.625 million.

As more states adopt comprehensive privacy laws, the CPRA's standards are becoming the de facto U.S. model for data protection. Proposed federal legislation often mirrors CPRA requirements, suggesting that businesses achieving CPRA compliance are simultaneously preparing for potential national standards.

Looking Ahead

Marketers who master CPRA compliance today will find themselves prepared for whatever comes next: federal privacy legislation, cross-state data sharing requirements, or AI-driven personalization frameworks that demand even greater transparency.

The future of marketing isn't about collecting more data. It's about collecting it right — with purpose, proof, and respect.

Several emerging trends signal where privacy regulation is headed:

AI and automated decision-making: The CPRA authorizes regulations on automated decision-making technology (ADMT). The CPPA finalized ADMT regulations in 2025, which become effective January 1, 2027. These rules will cover disclosure and opt-out evaluations. Marketers should monitor implementation as these requirements take effect.

Universal opt-out mechanisms: The Global Privacy Control (GPC) browser signal must be honored under CPRA. Colorado requires honoring a universal opt-out mechanism as of July 1, 2024, and Connecticut from January 1, 2025. Industry adoption is growing, making one-click opt-outs increasingly common across states.

Children's data protection: California's Age-Appropriate Design Code Act (though currently challenged in court) signals increasing scrutiny of marketing to young users.

Biometric data: As marketing incorporates face recognition, voice analysis, and emotion detection, expect heightened regulatory attention to biometric information.


Frequently Asked Questions

What is the California Privacy Rights Act (CPRA)?
The CPRA is a 2020 amendment to the CCPA that strengthens consumer privacy rights, creates a dedicated enforcement agency (the California Privacy Protection Agency), and adds new obligations for businesses that collect personal and sensitive data from California residents. It took effect January 1, 2023.

Does the CPRA replace the CCPA?
No. The CPRA builds upon the CCPA, expanding its definitions, enforcement mechanisms, and consumer rights. Compliance with the CPRA automatically satisfies CCPA requirements, as the CPRA is technically an amendment to the original law.

How does the CPRA affect marketers?
It requires verifiable consent tracking, limits how sensitive data can be used for personalization, and classifies retargeting and audience sharing as data "sharing," triggering opt-out obligations. Marketers must implement processes for request fulfillment (access, deletion, correction) within specific timeframes.

What's the difference between "selling" and "sharing" data?
Selling involves exchanging personal information for monetary value. Sharing includes disclosing data for cross-context behavioral advertising (retargeting, lookalike audiences) even without monetary exchange. Both trigger opt-out rights, but the "sharing" definition captures more common marketing activities (Cal. Civ. Code §§ 1798.140(ah), 1798.140(k)).

What's considered sensitive personal information?
Data such as Social Security numbers, precise geolocation, race, religion, health status, sexual orientation, biometric identifiers, and account login credentials are treated as sensitive under CPRA and require explicit consent for use beyond what's necessary to provide requested services (Cal. Civ. Code § 1798.140(w)).

How do small businesses comply with the CPRA?
Businesses below the thresholds ($26.625M revenue as of 2025, 100K consumers, or 50% revenue from data sales/sharing) are technically exempt but should still follow best practices. If you meet any single threshold, full compliance is required. Consider starting with consent management tools, documented data policies, and vendor agreements.

What happens if a business fails to comply?
The California Privacy Protection Agency can impose fines up to $7,988 per intentional violation (and under-16 cases) or $2,663 per other violation, with no grace period for correction. Consumers also retain a private right of action for data breaches involving unencrypted personal information (Cal. Civ. Code § 1798.150).

How long do we have to respond to consumer requests?
Businesses must respond to verified consumer requests within 45 days, with one possible 45-day extension if needed (90 days maximum). You must inform the consumer of any extension within the initial 45-day period (Cal. Civ. Code § 1798.130(a)(2)).

Do we need to honor browser-based opt-out signals?
Yes. The CPRA requires businesses to recognize universal opt-out mechanisms like Global Privacy Control (GPC) as valid requests to opt out of data sales and sharing.


References

Primary Legal Sources:

  • California Civil Code § 1798.100 et seq. (California Privacy Rights Act statutory text)

  • California Civil Code §§ 1798.130(a)(2), 1798.140(ah), 1798.140(k), 1798.140(w), 1798.150

  • California Code of Regulations, Title 11, Division 6 (CCPA/CPRA Regulations), including 11 CCR §§ 7026, 7027, 7101, 7102

Agency Notices & Updates:

  • California Privacy Protection Agency, Updated Monetary Thresholds in CCPA (CPI adjustments effective Jan 1, 2025): revenue threshold $26.625M; penalties $7,988/$2,663

  • CalChamber v. CPPA (Feb 9, 2024 appellate decision; 2023 regulations enforceable)

  • CPPA Connected-Vehicle Enforcement Sweep announcement (July 31, 2023)

Regulations Finalized (2025):

  • CPPA Risk Assessment and Cybersecurity Audit Regulations (effective Jan 1, 2026; first annual submissions due Apr 1, 2028)

  • CPPA Automated Decision-Making Technology (ADMT) Regulations (effective Jan 1, 2027)

State Privacy Law Comparisons:

  • Colorado Privacy Act (CPA): Universal Opt-Out Mechanism required as of July 1, 2024

  • Connecticut Data Privacy Act (CTDPA): Universal Opt-Out Mechanism required as of Jan 1, 2025; no revenue threshold

  • Virginia Consumer Data Protection Act (VCDPA): No universal opt-out mechanism requirement; 30-day cure period

Industry Resources:

  • International Association of Privacy Professionals (IAPP) — CPRA enforcement & implementation analyses

  • Transcend.io — CPRA implementation benchmarks

  • TrustArc — Data governance in marketing systems


In short: The CPRA doesn't just expand California's privacy law — it redefines how marketers earn consumer trust. The best-prepared teams are those who already see privacy not as a cost of doing business, but as the foundation of customer relationships.

Legal Disclaimer

This article is for general information only and is not legal advice. Laws and regulations change and may apply differently to your situation; consult qualified legal counsel before taking any action.

 
 
Anders Uhl
Anders is the Chief Marketing Officer @ ClickPoint Software, specializing in brand management and development. Anders has decades of marketing experience, including television commercials, interactive web marketing, content marketing, SEO, SEM, LLMO and GEO.
