CCPA vs CPRA: What Is the Difference Between CCPA and CPRA?

The CPRA amends and expands the CCPA with new consumer rights, stricter data minimisation rules, and a dedicated enforcement agency. A practical breakdown of what changed and what it means for your compliance programme.

Ananya Krishnan · May 16, 2026 · 10 min read

Understanding the Relationship Between CCPA and CPRA

The California Consumer Privacy Act (CCPA) was signed into law in 2018 and took effect on 1 January 2020, making California the first US state to enact comprehensive consumer privacy legislation. The California Privacy Rights Act (CPRA), passed by voter ballot in November 2020, is not a separate law — it amends and expands the CCPA significantly. Since 1 January 2023, what most people refer to as 'the CCPA' is technically the CCPA as amended by the CPRA.

For compliance teams, the practical question is straightforward: if you were fully compliant with the original CCPA, what new obligations does the CPRA amendment introduce? The answer spans new consumer rights, expanded definitions, a dedicated enforcement agency, and significantly more prescriptive requirements around data minimisation and purpose limitation.

New Consumer Rights Introduced by CPRA

The original CCPA established four core rights: the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale of personal information, and the right to non-discrimination for exercising these rights.

CPRA adds three new rights that significantly expand consumer control. The right to correction allows consumers to request that inaccurate personal information be corrected. The right to limit the use and disclosure of sensitive personal information lets consumers restrict how businesses use data categories like precise geolocation, race, health information, and financial account details. The right to opt out of sharing for cross-context behavioural advertising closes a gap in the original CCPA that only covered the 'sale' of data — now, sharing data with third parties for targeted advertising is equally restricted, even when no money changes hands.

Sensitive Personal Information: A New Category

One of the most consequential changes CPRA introduces is the concept of 'sensitive personal information' — a category that simply did not exist under the original CCPA. This category includes government identifiers (Social Security numbers, driver's licence numbers), financial account credentials, precise geolocation data, racial or ethnic origin, religious beliefs, contents of mail or text messages, genetic data, biometric information, health data, and information about sex life or sexual orientation.

Businesses that collect sensitive personal information must provide consumers with a 'Limit the Use of My Sensitive Personal Information' link, and must honour consumer requests to restrict processing of this data to purposes that are necessary for the service being provided. This creates a practical obligation to classify your data inventory by sensitivity level — something the original CCPA did not require.

Data Minimisation and Purpose Limitation

The original CCPA was largely a transparency and opt-out framework: tell consumers what you collect, let them opt out of sales, and delete their data on request. It did not meaningfully constrain what data you could collect or how long you could keep it.

CPRA introduces genuine data minimisation and purpose limitation principles that are far closer to GDPR's approach. Businesses may only collect personal information that is 'reasonably necessary and proportionate' to achieve the purpose for which it was collected. Retention must be limited to what is 'reasonably necessary' for the disclosed purpose. These are enforceable obligations, not aspirational principles. For teams accustomed to the original CCPA's 'collect what you want, just disclose it' approach, this is a fundamental shift in compliance posture.

The California Privacy Protection Agency (CPPA)

Under the original CCPA, enforcement was solely the responsibility of the California Attorney General. CPRA creates the California Privacy Protection Agency — the first dedicated privacy enforcement body in the United States. The CPPA has rulemaking authority, investigative power, and the ability to bring enforcement actions independently of the Attorney General.

This change is significant for two reasons. First, a dedicated agency with focused resources is likely to pursue enforcement more aggressively and consistently than an AG office balancing privacy against dozens of other priorities. Second, the CPPA has rulemaking power, meaning the regulatory landscape will continue to evolve through agency regulations that interpret and extend the statutory text. Compliance teams need to monitor CPPA rulemaking activity, not just the statute itself.

Expanded Scope: Contractors and Cross-Context Sharing

The original CCPA distinguished between businesses and 'service providers' — entities that process data on behalf of a business under contractual restrictions. CPRA adds a third category: 'contractors', who receive personal information pursuant to a written contract but are not service providers. Contractors must contractually agree not to sell or share the data, not to retain or use it beyond the contract, and to comply with the CCPA.

CPRA also redefines 'sharing' as a distinct activity from 'selling'. Under the original CCPA, transferring data to a third party for advertising purposes was only regulated if it qualified as a 'sale' (which required valuable consideration). CPRA closes this gap by creating opt-out rights over 'sharing' — defined as making data available to a third party for cross-context behavioural advertising, regardless of whether money or other consideration is exchanged.

What This Means for Your Compliance Programme

If your organisation was compliant with the original CCPA, you have a strong foundation but meaningful work ahead. At minimum, you need to: implement the right to correction and the right to limit sensitive personal information use; add a 'Limit the Use of My Sensitive Personal Information' link alongside your existing 'Do Not Sell' link; classify your data inventory to identify sensitive personal information; review retention schedules against the new purpose limitation requirements; audit data sharing arrangements that may not have constituted 'sales' under the original CCPA but are now regulated; and update contracts with new 'contractor' entities.

Organisations building CCPA compliance programmes from scratch should treat the CPRA-amended version as the baseline — there is no practical value in understanding the original CCPA in isolation, since the amended version is what regulators enforce.