The CPRA (California Privacy Rights Act) did not replace the CCPA. It amended and strengthened it. Regulators now call the result the CCPA, as amended. The amendment added tougher rules on sensitive data, a new opt-out for data sharing, three more consumer rights, and a dedicated enforcement agency.
This page covers every material change the CPRA made to the CCPA, a side-by-side comparison table, and what those changes require from a covered website. It also shows where a consent banner fits and where it falls short.
What's the Difference Between the CCPA and CPRA?
The CCPA (California Consumer Privacy Act of 2018) set California's first comprehensive consumer-privacy baseline, effective January 1, 2020, with enforcement from July 1, 2020. It is part of the broader shift in data privacy laws globally, though its opt-out model differs from GDPR's opt-in default. The CPRA (California Privacy Rights Act of 2020) is an amendment, not a separate law. It took effect January 1, 2023. It added a sensitive-personal-information category, extended the opt-out right to data sharing as well as sale, and created three new consumer rights. It also established the California Privacy Protection Agency (CPPA) as a dedicated enforcement body.
They are one law, not two competing ones. Both the California Attorney General and the CPPA describe the result as the CCPA, as amended. A business compliant under the original CCPA still needs to meet the CPRA additions.
What Is the CCPA?
The California Consumer Privacy Act of 2018 was the first US state law to give residents broad rights over their personal information. It took effect January 1, 2020, and Attorney General enforcement began July 1, 2020 (the CCPA, source: oag.ca.gov).
What the CCPA Does
The original CCPA gave California residents four core rights.
- Right to know: request what personal information a business collected, sold, or disclosed
- Right to delete: ask a business to delete personal information it holds
- Right to opt out of sale: direct a business to stop selling personal information via a "Do Not Sell My Personal Information" link
- Right to non-discrimination: receive equal service and pricing regardless of exercising privacy rights
Who the CCPA Applies To
The CCPA applies to any for-profit business in California that meets at least one of three thresholds.
- Gross annual revenue over $25 million; OR
- Buys, sells, or shares the personal information of 100,000 or more California residents or households; OR
- Derives 50 percent or more of its annual revenue from selling California residents' personal information
Businesses based outside California are not exempt. If they handle data about California residents and meet a threshold, they must comply (source: cppa.ca.gov, FAQ #4, and oag.ca.gov, FAQ A.5).
Limitations of the Original CCPA
The original CCPA had four significant gaps the CPRA later addressed.
- No "sharing" opt-out: companies could pass data to ad networks without payment and claim they were not "selling" it, bypassing the opt-out right
- No sensitive-data category: health, biometric, and precise-geolocation data had no separate protection
- No right to correct: consumers could delete inaccurate records but not fix them
- Automatic 30-day cure period: the AG had to give businesses 30 days to fix violations before pursuing penalties, reducing enforcement teeth
What Is the CPRA?
The California Privacy Rights Act was enacted by California voters as Proposition 24 in November 2020. It took effect January 1, 2023, amending the CCPA rather than creating a separate statute (source: cppa.ca.gov, FAQ #1, and oag.ca.gov).
What the CPRA Added
The CPRA added or strengthened eight elements.
- Sensitive personal information (SPI): new data subcategory with its own right to limit use
- Right to correct: consumers can fix inaccurate personal information
- Opt-out of sharing: extends the opt-out right to cover cross-context behavioral advertising, even when no money changes hands
- Right to opt out of automated decision-making: applies under the 2026 ADMT regulations
- California Privacy Protection Agency (CPPA): a dedicated enforcement body with primary authority over the CCPA
- Removal of the 30-day cure period: violations occurring after July 1, 2023 can be penalized without a mandatory grace window (for CPPA enforcement)
- Employee and B2B data now covered: temporary exemptions expired December 31, 2022
- Data minimization and retention limits: businesses cannot retain personal information beyond what is reasonably necessary for disclosed purposes (source: cppa.ca.gov, FAQ #27)
Who the CPRA Applies To
The threshold structure is still the same three prongs. The CPRA made one significant change. The consumer-count threshold doubled from 50,000 to 100,000, and "devices" were removed. A business that cleared the original 50,000-device count may now fall below the threshold.
The revenue prong also now reads "selling or sharing" rather than "selling" alone. The revenue floor itself was updated to $26.625 million effective January 1, 2025 (source: cppa.ca.gov, FAQ #4).
What the CPRA Did Not Change
Not everything shifted. These rights and structures carried over unchanged.
- Right to know (including access to specific pieces of information)
- Right to delete (with its existing exceptions)
- Right to opt out of sale (the original "Do Not Sell" obligation)
- Right to non-discrimination
- The three-prong business threshold structure
- The data-breach private right of action (consumers can still sue for qualifying breaches; other violations remain agency-enforcement only)
CCPA vs CPRA: A Side-by-Side Comparison
Here is how the original CCPA compares with the CCPA as amended by the CPRA:
| Dimension | CCPA (2018, enforced from 2020) | CPRA (as amended, from Jan 1, 2023) |
|---|---|---|
| Passed | 2018, California legislature | November 2020, voters (Proposition 24) |
| Effective / enforcement | Effective Jan 1, 2020; enforced from Jul 1, 2020 | January 1, 2023 |
| Consumer-count threshold | 50,000 consumers, households, or devices | 100,000 consumers or households (devices removed) |
| Revenue threshold | Over $25 million | Over $26.625 million (from Jan 1, 2025) |
| Sensitive personal information | No separate category | 9 SPI categories; Right to Limit added |
| Opt-out of data "sharing" | No (only "sale" covered) | Yes: sharing for behavioral advertising included |
| Right to correct | No | Yes (CPRA added) |
| Right to limit SPI use | No | Yes (CPRA added) |
| Right to opt out of ADMT | No | Yes (effective Jan 1, 2026; compliance Jan 1, 2027) |
| Data minimization | No explicit requirement | Yes (CPRA added) |
| Data retention limits | No explicit requirement | Yes (CPRA added) |
| Employee and B2B data | Temporarily exempt | Fully covered (exemption expired Dec 31, 2022) |
| Enforcement body | Attorney General only | AG + CPPA (CPPA has primary authority) |
| Consumer complaint channel | AG only | AG + CPPA (since July 1, 2023) |
| 30-day cure period | Yes (for AG enforcement) | Removed for CPPA enforcement |
| Penalties per violation (unintentional) | Up to $2,500 | Up to $2,500 (unchanged) |
| Penalties per violation (intentional) | Up to $7,500 | Up to $7,500 (unchanged) |
| Penalties involving minors | Up to $7,500 | Up to $7,500; intent no longer required |
Sources: cppa.ca.gov (CPPA FAQ) and oag.ca.gov (California Attorney General).
New Consumer Rights the CPRA Added
The CPRA gave California residents three rights the original CCPA lacked.
- Right to correct: direct a business to fix inaccurate personal information it holds
- Right to limit use of sensitive personal information: restrict how a business uses SPI to only what is necessary to provide the requested service
- Right to opt out of automated decision-making technology (ADMT): available under regulations effective January 1, 2026
The original four rights (know, delete, opt out of sale, and non-discrimination) remain in full force alongside these additions (source: oag.ca.gov and cppa.ca.gov, FAQ #3).
Sensitive Personal Information: The CPRA's New Data Category
Sensitive personal information is a CPRA-created subcategory covering data that carries greater risk if misused. Consumers can direct businesses to limit its use to what the requested service needs. This control limits use rather than requiring deletion (source: cppa.ca.gov, FAQ #5).
The nine SPI categories are:
- Social Security numbers, driver's license, state ID card, or passport numbers
- Account log-in, financial account, debit card, or credit card numbers combined with required security credentials
- Precise geolocation
- Racial or ethnic origin, religious or philosophical beliefs, or union membership
- Contents of mail, email, or text messages (unless the business is the intended recipient)
- Genetic data
- Biometric information used to uniquely identify a consumer
- Health information
- Sex life or sexual orientation
The "right to limit" is not an opt-out from all use. It restricts SPI to the minimum use necessary for the specific service requested. Businesses using SPI for advertising, profiling, or purposes beyond the primary transaction must provide a separate disclosure and honor a consumer's limit request.
Sale vs Sharing: How the CPRA Closed the Advertising Loophole
The original CCPA gave consumers the right to opt out of the "sale" of personal information, meaning disclosures for money or valuable consideration. Companies sharing data with ad platforms at no charge argued they were not "selling" and therefore did not need to offer an opt-out.
The CPRA closed that gap by adding "sharing" to the opt-out. Sharing means disclosing personal information for cross-context behavioral advertising, whether or not money changes hands (source: cppa.ca.gov, FAQ #6).
The practical change is direct. A "Do Not Sell My Personal Information" link is no longer enough. The legally required control is now the Do Not Sell or Share My Personal Information link. Advertising and analytics tags that fire before a visitor chooses are a sharing event. A site running Google Ads, Facebook Pixel, or behavioral retargeting must treat those scripts as subject to the opt-out, even when the platform pays nothing.
The CPPA: A Dedicated Enforcement Agency (and the End of the Cure Period)
The CPRA created the California Privacy Protection Agency (CPPA), the first US state agency dedicated solely to consumer privacy. The CPPA now holds primary enforcement authority over the CCPA, while the California Attorney General retains concurrent authority. Either body can investigate, audit, and fine businesses (source: cppa.ca.gov, FAQ #2).
Penalties per violation stand at up to $2,500 for an unintentional breach and up to $7,500 for an intentional one. For any violation involving a minor's data, the higher $7,500 amount applies without proof of intent (source: cppa.ca.gov, FAQ #15).
The CPPA's creation also ended the universal 30-day cure period for enforcement. Under the original CCPA, the AG had to give a business 30 days to fix a violation before pursuing penalties. For CPPA enforcement actions covering violations from July 1, 2023 onward, that mandatory grace window is gone. A violation can draw a penalty without a guaranteed fix-it period.
Consumers can file complaints directly with the CPPA for violations occurring on or after July 1, 2023. The private right of action remains limited to qualifying data breaches only (source: oag.ca.gov).
What Changed in 2026: Automated Decision-Making and New Rules
California's privacy rules did not stop at 2023. The CPPA adopted regulations on automated decision-making technology (ADMT), cybersecurity audits, and risk assessments. These regulations became effective January 1, 2026, with compliance deadlines phased across 2027 and 2028. The specific ADMT compliance deadline is January 1, 2027 (source: cppa.ca.gov, FAQ #24 and FAQ #14).
ADMT covers any technology that uses computation to execute or substantially replace a human decision. That includes hiring algorithms, credit-scoring models, insurance-pricing tools, and targeted-advertising profiles. Consumers now have the right to access information about ADMT use and to opt out of it in certain contexts.
Most competitor articles covering "CCPA vs CPRA" were written before 2026 and do not address these rules. If your business uses AI-driven profiling or automated scoring, ADMT compliance is a live obligation, not a future one.
Is It CCPA or CPRA Now? What to Call the Law
Regulators call it "the CCPA, as amended." The CPRA amended the CCPA rather than enacting a separate statute. Both the California Attorney General's office and the CPPA use "CCPA" and "CCPA, as amended" interchangeably (source: oag.ca.gov and cppa.ca.gov, FAQ #1). "CPRA" is the name of the 2020 ballot measure; the underlying law is still the CCPA.
One disambiguation worth noting: "CPRA" also refers to the California Public Records Act, a separate 1968 government-records-disclosure law. That law and California's consumer privacy law are entirely distinct. If you arrived here looking for public-records access rights, this page covers the privacy law only.
What CCPA vs CPRA Means for Your Website and Cookies
For a covered website, the CCPA as amended requires five concrete actions:
- Post a compliant privacy policy disclosing what personal information you collect, for what purposes, and how long you retain it (the CPRA added explicit data-minimization and retention-limit requirements)
- Provide a "Do Not Sell or Share My Personal Information" opt-out link visible to California visitors (not just "Do Not Sell" as required under the original CCPA)
- Block advertising and analytics scripts before the visitor's choice is recorded (scripts that fire before consent are a sharing event for cross-context behavioral advertising purposes)
- Honor the Global Privacy Control (GPC) signal as a valid opt-out request; covered businesses must treat a GPC signal from a California visitor as a "Do Not Sell or Share" request (source: oag.ca.gov, FAQ B.8, and cppa.ca.gov, FAQ #7-8)
- Keep consent records as an audit trail in case the CPPA or AG requests evidence of compliance
For a step-by-step action list, see a full CCPA compliance checklist.
Note on GPC: honoring GPC requires your web stack to detect the browser signal and translate it into a blocked opt-out state. A consent banner alone does not handle GPC detection; that is a separate technical layer the site's implementation must address.
How Consently Helps You Meet CCPA and CPRA Opt-Out Requirements
Because the CCPA and CPRA are one law, they are one compliance obligation. Consently runs the consumer-facing opt-out layer for California visitors through the CCPA / US State Laws opt-out template. A geotargeted banner shows California visitors a Do-Not-Sell-or-Share control, while EU visitors see a GDPR opt-in model and other regions see the appropriate default.
Consently's CCPA and US state-law opt-out tools cover three specific requirements. Cookie and script auto-blocking stops advertising tags from firing before a visitor's choice is recorded, so sharing scripts cannot run without a signal. Consent logs with export create a dated record of each opt-out choice, useful if the CPPA or Attorney General requests evidence. Policy generators for cookie, privacy, and terms documents produce the disclosures the law requires.
One requirement Consently does not cover is automatic Global Privacy Control detection. Honoring GPC is a legal obligation, and it requires your web stack to detect the browser-level signal and block sale or sharing scripts accordingly. Consently handles the banner-based opt-out flow; GPC detection requires separate technical configuration. Consently does not claim to make a site fully "CPRA compliant." It supports specific consent-collection and disclosure tasks, and legal compliance remains the business's responsibility.
Try Consently free with a 14-day trial, every feature on every plan, no credit card required.
FAQs
Is the CPRA the same as the CCPA?
The CPRA is not a separate law. It is an amendment to the CCPA. Regulators at the CPPA and the California Attorney General's office call the result the CCPA, as amended. The two names refer to the same statute at different points in its development.
Did the CPRA replace the CCPA?
No. The CPRA amended, expanded, and strengthened the CCPA without creating a separate law. Every right and obligation that existed under the original CCPA remains in place. The CPRA added to them. Source: cppa.ca.gov, FAQ #1, and oag.ca.gov.
What are the main differences between the CCPA and CPRA?
The CPRA made five significant changes to the CCPA.
- A new sensitive personal information (SPI) category with a separate right to limit its use
- Extending the opt-out right to cover data sharing for behavioral advertising (not just sale for money)
- Two new consumer rights: right to correct inaccurate personal information and right to limit SPI use
- A dedicated enforcement agency, the CPPA, with primary enforcement authority
- Removal of the automatic 30-day cure period for CPPA enforcement actions
Who has to comply with the CCPA and CPRA?
Any for-profit business doing business in California that meets at least one threshold must comply. One threshold is $26.625 million or more in gross annual revenue. A second is handling the data of 100,000 or more California residents or households. A third is earning 50 percent or more of revenue from selling or sharing that data. Businesses outside California are not exempt (source: cppa.ca.gov, FAQ #4).
When did the CPRA take effect?
The CPRA's amendments to the CCPA became effective and required compliance as of January 1, 2023. The original CCPA became enforceable on July 1, 2020. The California Privacy Protection Agency took over as primary enforcement body and began accepting consumer complaints on July 1, 2023.
What is sensitive personal information under the CPRA?
Sensitive personal information is a CPRA-created subcategory. It covers Social Security numbers, precise geolocation, financial credentials, and health, biometric, and genetic data. It also covers message contents and data on race, religion, sexual orientation, or union membership. Consumers can direct businesses to limit SPI use to what the requested service needs (source: cppa.ca.gov, FAQ #5).
What is the difference between selling and sharing data under the CPRA?
Selling personal information means disclosing it for money or other valuable consideration. Sharing means disclosing it for cross-context behavioral advertising, even when no money changes hands. The opt-out right covers both under the CPRA. The required link is now "Do Not Sell or Share My Personal Information," not just "Do Not Sell" (source: cppa.ca.gov, FAQ #6).
Is there still a cure period under the CPRA?
Not for CPPA enforcement. The CPRA removed the universal 30-day cure period that previously required the Attorney General to give businesses time to fix violations before pursuing penalties. For violations falling under CPPA enforcement from July 1, 2023 onward, a penalty can proceed without a mandatory grace window. A limited cure mechanism may still apply in narrow consumer lawsuit contexts.
Is the CPRA the same as the California Public Records Act?
No. The California Public Records Act is a separate 1968 law that lets the public access records held by state and local agencies. It shares the abbreviation "CPRA" but has nothing to do with consumer data privacy. This page covers the California Privacy Rights Act (the 2020 amendment to the CCPA) only.
---
The CCPA and CPRA are one law, and the current obligations are the CPRA version. To build out the consumer-facing opt-out side, start with how California's rules compare with GDPR. It shows where the EU opt-in model and the California opt-out model diverge.
Sites also serving EU visitors should review GDPR cookie consent requirements and the how to be GDPR compliant guide. Those cover the opt-in obligations that apply alongside your California opt-out setup.

