Key takeaways
- The California Privacy Rights Act (CPRA) expanded the original privacy framework, with most provisions operative as of January 1, 2023.
- Consumers hold core rights to access, delete, correct, and opt out of the sale or sharing of their personal information.
- Businesses must honor opt-out preference signals and provide specific links for consumers to limit the use of sensitive personal information.
- The law eliminates the original 30-day cure period, allowing immediate regulatory enforcement by the newly created California Privacy Protection Agency.
- Consumers possess a limited private right of action exclusively for certain data breaches, allowing for statutory damages between $100 and $750 per consumer per incident.
The Law
The State of California maintains a comprehensive statutory framework governing the collection, use, and protection of consumer data. The original framework, the California Consumer Privacy Act (CCPA), took effect on January 1, 2020. Following its implementation, voters approved the California Privacy Rights Act (CPRA, Proposition 24) in 2020. This voter initiative substantially amended and expanded the original statute, with most of the new provisions becoming operative on January 1, 2023.
The statutory regime applies to specific commercial entities based on their revenue and data processing volume. A business is generally covered by the law if it does business in California and meets at least one of three specific statutory thresholds. First, the law applies to any business that generates $25 million or more in annual gross revenue. This threshold captures large corporate entities regardless of whether data monetization is their primary business model. Second, the law covers any business that annually buys, sells, or shares the personal information of 100,000 or more consumers or households. This volume threshold captures smaller companies, application developers, and digital services that process large amounts of user data despite having lower gross revenues. Third, a business falls under the statute if it derives 50 percent or more of its annual revenue from selling or sharing personal information. This final threshold specifically targets data brokers and entities whose primary commercial purpose is the aggregation and monetization of consumer profiles.
Why It Matters
The amendments introduced by the CPRA represent a fundamental shift in corporate accountability and regulatory enforcement. The most significant structural change for corporate compliance is the elimination of the statutory grace period. The CPRA removed the CCPA's original 30-day cure period for enforcement. Previously, companies that received a notice of alleged noncompliance had a guaranteed window to correct the issue, such as updating a privacy policy or fixing a broken opt-out link, before facing regulatory action. Under the amended framework, businesses can face penalties without an automatic opportunity to fix a violation first. Removing the automatic cure requires companies to maintain continuous, proactive compliance rather than relying on a reactive notice-and-cure strategy.
Furthermore, the amendments restructured the regulatory authority overseeing privacy in the state. The CPRA created the California Privacy Protection Agency (CPPA). This newly formed entity possesses dedicated rulemaking and enforcement authority, operating alongside the California Attorney General. The creation of a specialized administrative body dedicated exclusively to privacy enforcement signals a high probability of aggressive regulatory scrutiny.
The amended law also fundamentally changes how companies must classify consumer data. The CPRA added a specific category of "sensitive personal information," which requires heightened protections and grants consumers specific rights to restrict its use. This forces companies to conduct extensive data mapping to isolate sensitive data from general personal information, fundamentally altering backend data architecture and consumer-facing privacy mechanisms.
Who Should Care
For lawyers
Corporate counsel, compliance officers, and defense litigators face a demanding regulatory environment under the amended statute. The removal of the 30-day cure period means that legal departments must ensure privacy compliance programs are fully operational from the outset, as regulatory investigations can trigger immediate liability. Lawyers advising corporate clients must conduct thorough data inventory assessments to determine if the client meets the $25 million revenue threshold, the 100,000 consumer/household volume threshold, or the 50 percent data-revenue threshold.
Beyond regulatory compliance, litigators must manage substantial class action exposure. The statute contains a highly specific, limited private right of action exclusively for certain data breaches. Under Civil Code section 1798.150, a consumer may sue for statutory damages when nonencrypted and nonredacted personal information is subject to a data breach resulting from a business's failure to maintain reasonable security. The statute sets these damages between $100 and $750 per consumer per incident, or actual damages if greater. Because plaintiffs do not need to prove actual financial injury to recover statutory damages, this provision drives significant class action litigation following any corporate security incident involving California residents' data.
For consumers/parties
California residents possess extensive, legally enforceable rights regarding their personal data and digital privacy. The amended law grants consumers core rights to control how corporations handle their information. Consumers have the right to know and access the specific data a company holds about them, the right to delete that data, the right to correct inaccurate information, the right to opt out of the sale or sharing of their personal information, and the right to limit the use of sensitive personal information.
Consumers can force companies to erase their digital footprints. Under Civil Code section 1798.105, a consumer may request that a business delete personal information it has collected, subject to enumerated exceptions. Furthermore, consumers possess the right to demand transparency before a company even gathers their data. Under Civil Code section 1798.100, a consumer has the right to know what personal information a business collects and how it is used and shared, and the business must inform consumers at or before the point of collection. These mechanisms empower individuals to monitor, restrict, and erase the data profiles compiled by commercial entities.
Legal Background
The original California Consumer Privacy Act established the baseline for consumer data rights in the state, serving as the first comprehensive state consumer privacy statute in the United States. The initial framework focused heavily on transparency and the right to stop the direct monetization of consumer data.
The foundational element of the original law was the transparency mandate. As codified in Civil Code section 1798.100, the statute established that a consumer has the right to know what personal information a business collects and how it is used and shared, and the business must inform consumers at or before collection. This required companies to implement comprehensive privacy policies and provide "just-in-time" notices when gathering data.
The original law also introduced the right to deletion. As established in Civil Code section 1798.105, a consumer may request that a business delete personal information it has collected, subject to enumerated exceptions. These exceptions generally allow a business to retain data if it is necessary to complete a transaction, detect security incidents, or comply with other legal obligations.
Under the original 2020 framework, public enforcement rested solely with the California Attorney General. The law also included a mandatory 30-day cure period. If the Attorney General notified a business of a violation, the business had 30 days to remedy the noncompliance. If the business cured the violation and provided an express written statement that the violation had been resolved and would not recur, the Attorney General was precluded from initiating an enforcement action for that specific incident. This provided a significant safety net for businesses adapting to the novel statutory requirements.
What the Legislature Did
Through the approval of Proposition 24, voters significantly expanded the statutory framework, transforming the CCPA into the CPRA. The amendments introduced several new consumer rights and imposed stricter obligations on covered businesses.
First, the amendments added the right to correct inaccurate information. Consumers can now demand that a business rectify errors in their personal data profiles.
Second, the amendments expanded the opt-out right. The original law allowed consumers to opt out of the "sale" of personal information, which some businesses interpreted narrowly to mean only the exchange of data for direct monetary compensation. The CPRA explicitly closed this loophole by granting consumers the right to opt out of the "sale or sharing" of personal information. The addition of "sharing" specifically captures the transfer of data for cross-context behavioral advertising, regardless of whether money changes hands.
Third, the CPRA added a new category of "sensitive personal information" with heightened protections. This category covers highly private data points, including, among others, a Social Security number, precise geolocation, racial or ethnic origin, health information, and the contents of communications. Because the exposure or misuse of this data poses a higher risk of harm, the law grants consumers the right to limit its use and disclosure.
To facilitate these rights, the amended statute mandates specific consumer-facing mechanisms. Businesses must post clear and conspicuous links on their internet homepages. Specifically, companies must provide a "Do Not Sell or Share My Personal Information" link and a "Limit the Use of My Sensitive Personal Information" link.
Furthermore, the law requires businesses to honor opt-out preference signals. Consumers can utilize automated tools, such as the Global Privacy Control, to broadcast their privacy preferences across the internet. When a covered business detects an opt-out preference signal from a consumer's browser or device, the business must treat that signal as a valid request to opt out of the sale or sharing of personal information, eliminating the need for the consumer to manually click links on every individual website they visit.
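As an added illustration of the server-side half of that mechanism (example code written for this article, not taken from any statute, regulation, or vendor implementation): the Global Privacy Control specification transmits the signal as an HTTP request header `Sec-GPC: 1` and lets a site advertise support at `/.well-known/gpc.json`. The handler below treats a well-formed signal as a request to opt out of sale or sharing, persists that choice, and gates third-party advertising tags on it. The request headers are constructed sample input; the `ConsumerPrivacyState` record, the rule that a later request without the header leaves a stored opt-out in place, and the date in the well-known document are this example's own assumptions rather than requirements stated on this page.

```python
"""Honoring a Global Privacy Control (GPC) opt-out signal on the server side.

Added example for this article; not code from any statute, regulator, or
product. The header name and value ("Sec-GPC: 1") and the well-known
resource come from the GPC specification; everything else is assumed.
"""
from dataclasses import dataclass

# GPC spec: the browser sends "Sec-GPC: 1". HTTP header names are
# case-insensitive, so comparisons below lower-case the name.
GPC_HEADER = "sec-gpc"


@dataclass
class ConsumerPrivacyState:
    """Assumed per-consumer record a business would persist (hypothetical)."""
    opted_out_of_sale_or_sharing: bool = False
    source: str = "none"  # "gpc", "link", or "none"


def gpc_signal_present(headers: dict) -> bool:
    """True only for a well-formed signal.

    The spec defines only the value "1"; anything else ("0", "true", "yes")
    is not an opt-out request and must not be treated as one.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def apply_opt_out_signal(headers: dict,
                         state: ConsumerPrivacyState) -> ConsumerPrivacyState:
    """Treat a valid GPC signal as a request to opt out of sale or sharing.

    Design choice (an assumption of this example, not a rule on this page):
    a later request without the header does NOT clear a stored opt-out. The
    signal is a request to opt out; its absence is not a request to opt in.
    """
    if gpc_signal_present(headers):
        state.opted_out_of_sale_or_sharing = True
        state.source = "gpc"
    return state


def third_party_ad_tags_allowed(state: ConsumerPrivacyState) -> bool:
    """Gate for cross-context behavioral advertising tags (the "sharing" case)."""
    return not state.opted_out_of_sale_or_sharing


def gpc_well_known_document(last_update: str) -> dict:
    """Body for GET /.well-known/gpc.json, telling clients the site honors GPC.

    `last_update` is an ISO date string chosen by the site operator.
    """
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    first_visit = {"Host": "shop.example", "Sec-GPC": "1"}
    later_visit = {"Host": "shop.example"}  # same consumer, signal absent
    state = apply_opt_out_signal(first_visit, ConsumerPrivacyState())
    state = apply_opt_out_signal(later_visit, state)
    print("opted out:", state.opted_out_of_sale_or_sharing, "via", state.source)
    print("load ad tags:", third_party_ad_tags_allowed(state))
    print("well-known:", gpc_well_known_document("2023-01-01"))
```

The strict value check matters in practice: a signal the business misreads as present would suppress advertising for consumers who never opted out, while one misread as absent is the "ignores a Global Privacy Control signal" failure that regulators can act on. Keeping the opt-out once set, rather than recomputing it from each request, avoids silently re-enabling sharing when a consumer switches to a browser that does not send the header.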
How It May Be Applied
The enforcement of the amended statute operates on two distinct tracks: regulatory enforcement and a limited private right of action.
General privacy violations are enforced by the state. If a business fails to post the required "Do Not Sell or Share My Personal Information" link, ignores a Global Privacy Control signal, or fails to provide notice at or before collection under Civil Code section 1798.100, consumers cannot file a lawsuit. Instead, these violations are enforced by the California Privacy Protection Agency or the Attorney General. These regulatory bodies can seek civil penalties against noncompliant businesses. The statute mandates higher penalties for violations involving the personal information of minors. Because the CPRA removed the 30-day cure period, regulators can initiate enforcement actions and seek civil penalties immediately upon discovering a violation.
The second enforcement track is the limited private right of action, which is strictly confined to data breaches. Under Civil Code section 1798.150, a consumer may sue for statutory damages when nonencrypted and nonredacted personal information is subject to a data breach resulting from a business's failure to maintain reasonable security.
The specific language of this section is highly consequential for litigation. The data must be "nonencrypted and nonredacted" to trigger liability: if a company suffers a breach but the stolen data was properly encrypted, the private right of action does not apply. The breach must also result from a failure to maintain "reasonable security," so a company with a mature security program that is nonetheless breached by a well-resourced attacker can argue that it maintained reasonable security and is not liable for statutory damages. One procedural point survives the CPRA: before suing for statutory damages under section 1798.150, a consumer must still give the business 30 days' written notice identifying the provisions allegedly violated, but the amended section states that implementing reasonable security after a breach does not cure that breach, so this notice rarely defeats a breach suit.
When liability does attach, the financial exposure is massive. The statute sets damages between $100 and $750 per consumer per incident, or actual damages if greater. In a class action involving hundreds of thousands of California residents, the statutory damages calculation under Civil Code section 1798.150 can easily reach tens or hundreds of millions of dollars, making data security a primary corporate risk management priority.
Statutory Comparison
| Feature | Original Law (CCPA) | Amended Law (CPRA) |
|---|---|---|
| Enforcement Authority | Attorney General only | CPPA and Attorney General |
| Cure Period | Mandatory 30-day cure period | 30-day cure period removed |
| Opt-Out Scope | Right to opt out of "sale" | Right to opt out of "sale or sharing" |
| Data Categories | General personal information | Adds "sensitive personal information" |
| Consumer Rights | Right to know, delete, opt out | Adds right to correct, right to limit sensitive data |
| Required Links | "Do Not Sell My Personal Information" | "Do Not Sell or Share..." and "Limit the Use..." |
Plain-English Summary
California law gives residents powerful tools to control their personal data. Companies that meet specific revenue or data-volume thresholds must tell you what information they collect and allow you to delete it, correct it, or stop them from selling or sharing it. The law places extra protections on highly sensitive data, like your Social Security number, precise location, race, health details, and private communications. You can use automated signals on your browser to opt out of data sharing across the web, and companies must respect those signals. If a company fails to protect your unencrypted data and suffers a breach, you have the right to sue them for specific monetary damages ranging from $100 to $750 per consumer per incident. A dedicated state agency, alongside the Attorney General, enforces the rest of the rules and can penalize companies immediately for violations.
This article is general legal information and commentary about developments in California law. It is not legal advice, does not address your specific situation, and is not a substitute for advice from a licensed attorney. Reading this article and contacting us through this website do not create an attorney-client relationship.
Sources & authorities
- Civil Code section 1798.100 — source
- Civil Code section 1798.105 — source
- Civil Code section 1798.150 — source