Consumer privacy is a big topic for businesses of all sizes in the United States and around the world. A strong driver of new and evolving legislation is the California Privacy Rights Act (CPRA). The CPRA amends and expands the California Consumer Privacy Act (CCPA). Although the CCPA’s provisions remain in effect and enforceable until the CPRA goes into effect on January 1, 2023, this is an important time for businesses to prepare for compliance. Businesses should update their notices, policies, and assessments now in order to be ready to comply with the expanded regulations.

Who Must Comply with the CPRA?

Businesses must comply with the CPRA if they process the personal information of California residents and:

  • Process the data of 100k+ consumers;
  • Earned $25 million in worldwide revenue the previous year; or
  • Derive more than 50% of revenue from selling or sharing personal information.

The CPRA created the California Privacy Protection Agency (CPPA), a governing body in the process of creating new regulations to amend California’s privacy laws and issue clarifications as to how businesses can comply with these rules. Passed as a ballot initiative in 2020, the CPRA can only be amended by the legislature in order to “further the purpose and intent” of the CPRA.

Consumer Rights | CCPA vs. CPRA

Under the CCPA, individuals already had the right to a notice of what’s happening with their data. They also had the right to know what personal information is being collected and for what purposes, the right to access their personal information, the right to delete it, the right to know what personal information is sold to other entities, and the right to opt out of the sale of their personal data.

Under the CPRA, new notice requirements include an explanation of the purposes for which sensitive personal information is collected and used, as well as whether consumers’ personal information is not only sold but also shared for cross-context behavioral advertising, and to whom. Individuals also have the right to correct their personal information, and the right to have their data “ported,” or sent from one service provider to another. They also have the right to opt out of sharing their personal information for cross-context behavioral advertising. Consumers also have the right to limit use and disclosure of sensitive personal information.

Policies and Documents

There are four key documents that businesses must have to comply with the CPRA:

1. Website notice
2. Data handling policy
3. Data processing addendum
4. Risk assessment

Website Notice

The most important component of a website privacy notice is accuracy. So when businesses post their new privacy notice on January 1, 2023, and it says that consumers have a right to opt out of sharing, for example, then the business needs to be prepared to accommodate the opt-out option. Do not post the updated privacy notice until the mechanisms are in place to follow through with updated privacy support.

Data Retention

Data retention is an important new topic in privacy regulations. If a company does not already have a retention policy, now is a good time to create one. Creators of this policy will want to ensure that they understand the behind-the-scenes mechanisms for what types of data the company retains and for how long. Businesses may not retain personal information for longer than is reasonably necessary for the disclosed purpose. The retention period must be proportionate to the purpose for collecting the data.

Under the CPRA, businesses must disclose their data retention time. Businesses may do that either by specifying a length of time that they intend to retain the categories of personal information, or by explaining the criteria they are using to determine data retention time. 

Sensitive Data

Under the CPRA, sensitive data is a newly defined category of personal information. Businesses must notify consumers when sensitive data is involved, state their purpose for collecting it, and disclose whether that information will be sold or shared. They must also provide consumers with a link to “limit the use of my sensitive personal information,” and keep the sensitive data no longer than “reasonably necessary.” Sensitive data includes:

  • Biometrics
  • Communications (the contents of a consumer’s private communications, unless the company is the intended recipient)
  • Finances 
  • Genetics
  • Geolocation (precise location within ⅓ mile)
  • Government ID
  • Health (including data related to the pandemic)
  • Race, religion and union membership
  • Sex life or sexual orientation

SixFifty Solutions

SixFifty’s CPRA privacy toolset is ready to help you prepare now for updated regulations that will go into effect on January 1, 2023. Although you won’t want to post your new policies or notices until they go live, SixFifty can help you generate your documents now in order to get ready to implement them this winter. The CPPA will continue to release new and updated regulations for compliance. As they do, we will update our toolkit in real time to fully support your policies, contracts, and documents.


Written by Meili Bell

Meili Bell is the Content Manager at SixFifty. She spends her workdays writing, editing, project managing and reading about the intersection of law and technology. Meili comes to SixFifty from Gifted Music School, a nonprofit music school for the most dedicated young musicians in the region, where she was program director of the school’s flagship program for the last ten...
