CPRA
The California Privacy Rights Act amended and significantly expanded the CCPA, creating the California Privacy Protection Agency and adding rights around sensitive personal information and automated decision-making.
CPRA in relation to CCPA
The California Privacy Rights Act (Proposition 24, passed November 2020, effective January 2023) is an amendment package to the California Consumer Privacy Act (CCPA). It is often described as "CCPA 2.0." The combined statute is still called the CCPA in the California Civil Code (Cal. Civ. Code § 1798.100 et seq.), but the substantive changes were significant enough that practitioners refer to the post-2023 regime as CPRA. CPRA created the California Privacy Protection Agency (CPPA), the first U.S. state-level privacy regulator with rulemaking authority.
What CPRA added
Key CPRA additions: a new category of "sensitive personal information" (SSN, government IDs, financial account credentials, precise geolocation, race, religion, union membership, contents of communications, genetic data, biometrics, health information, sexual orientation) with the right to limit its use; expanded data minimization and purpose limitation requirements; opt-out rights for automated decision-making (with rules still being finalized as of 2026); contracting requirements for vendors that resemble GDPR processor agreements; and the right to correct inaccurate personal information.
AI procurement implications
Questions for AI vendors handling California consumer data: Do you sign a CPRA-compliant service provider agreement (with the required limitations on use, retention, and sub-processor flow-down)? Can you respond to consumer rights requests within 45 days? Do you support the right to limit use of sensitive personal information? Does your platform expose enough information about automated decisions that the buyer can comply with the upcoming CPPA ADMT (automated decision-making technology) regulations? The CPPA issued draft ADMT regulations in 2024, and final regulations are expected to be in force during 2026.