CCPA vs CPRA: What Changed and How to Comply in 2026

A detailed breakdown of every change from CCPA to CPRA including new consumer rights, sensitive personal information rules, the CPPA enforcement agency, and a step-by-step compliance checklist for businesses operating in California in 2026.

Chimaka Ikemba

Privacy & Compliance Writer · April 22, 2026

Key Takeaways

  • CPRA did not replace the CCPA — it amended and expanded it. Every CCPA obligation still applies, plus new requirements around sensitive personal information, data minimization, and purpose limitation.
  • Three new consumer rights were added: the right to correct inaccurate personal information, the right to limit the use and disclosure of sensitive personal information, and the right to opt out of automated decision-making technology.
  • The California Privacy Protection Agency (CPPA) is now the primary enforcer with rulemaking authority, replacing the Attorney General as the lead regulator and issuing its own regulations and fines.
  • Businesses must now conduct regular cybersecurity audits and risk assessments for processing activities that present significant risk to consumer privacy.
  • Global Privacy Control (GPC) browser signals must be honored as a valid opt-out request — ignoring GPC is treated as a CCPA/CPRA violation.

When California passed the California Consumer Privacy Act (CCPA) in 2018, it became the first comprehensive state privacy law in the United States. Then in November 2020, California voters approved Proposition 24 — the California Privacy Rights Act (CPRA) — which significantly expanded and amended the CCPA. The CPRA took effect on January 1, 2023, with a lookback period to January 1, 2022.

If you are still treating your privacy program as "CCPA-only," you are already behind. The CPRA introduced new consumer rights, a new enforcement agency, a new category of data requiring extra protections, and stricter obligations around data minimization, purpose limitation, and automated decision-making. This guide walks through every material change, explains what it means for your compliance program, and gives you a practical checklist to get current in 2026.

The CCPA Foundation — What Stayed the Same

Before diving into changes, it helps to understand what remained intact. The CPRA did not repeal the CCPA — it amended it. All original CCPA obligations still apply:

  • Right to know — consumers can request disclosure of the categories and specific pieces of personal information a business has collected about them in the preceding 12 months
  • Right to delete — consumers can request deletion of personal information collected from them, subject to certain exceptions (legal obligations, security, internal analytics)
  • Right to opt out of sale — consumers can direct a business to stop selling their personal information to third parties
  • Right to non-discrimination — businesses cannot deny goods or services, charge different prices, or provide a different quality of service because a consumer exercised a privacy right
  • Privacy notice requirements — businesses must disclose at or before the point of collection the categories of personal information collected and the purposes for which they will be used

The business applicability thresholds also evolved. Under the original CCPA, the second threshold was 50,000 consumers, households, or devices. CPRA raised this to 100,000 consumers or households (removing devices), which actually exempted some smaller businesses. However, CPRA also expanded the first threshold concept by adding "sharing" alongside "selling" for the revenue test.

Three New Consumer Rights Under CPRA

The CPRA added three entirely new rights that did not exist in the original CCPA. Each one creates new compliance obligations for businesses.

Right to Correct Inaccurate Personal Information

Under CCPA Section 1798.106 (added by CPRA), consumers can now instruct a business to correct inaccurate personal information. This goes beyond knowing and deleting — it means businesses need a process to receive correction requests, verify the consumer's identity, evaluate whether the information is actually inaccurate, and update records accordingly.

The practical impact: you need to be able to trace where a piece of data came from, determine whether the consumer's assertion of inaccuracy is valid, and propagate corrections to any service providers or contractors who received the original data. If you use personal information in automated decision-making, correction requests become especially important because inaccurate data feeding into automated systems can cause real harm.

Right to Limit Use of Sensitive Personal Information

This is one of the CPRA's biggest additions. Consumers can now limit how businesses use their sensitive personal information (SPI) — a brand-new data category that the original CCPA did not recognize. We cover SPI in detail in the next section, but the key point is that when a consumer exercises this right, the business can only use their SPI for purposes that a consumer would reasonably expect: completing a transaction, providing a requested service, ensuring security, and similar necessary functions.

Businesses that collect SPI must display a "Limit the Use of My Sensitive Personal Information" link on their website, similar to the "Do Not Sell or Share My Personal Information" link.

Right to Opt Out of Automated Decision-Making Technology

The CPRA gives consumers the right to opt out of automated decision-making technology (ADMT), including profiling. The CPPA issued draft regulations on ADMT in late 2024 and finalized them in 2025, creating detailed requirements around when businesses must provide access to the logic of their automated systems, when they must offer a right to opt out, and when a human review option must be available.

This right is particularly relevant for businesses using AI-powered systems for decisions about employment, credit, insurance, housing, education access, or similar areas with significant effects on individuals.

Consumer Rights: CCPA Original vs CPRA Additions

  • CCPA (2018), 4 rights: right to know, right to delete, right to opt out of sale, right to non-discrimination. Threshold: 50,000 consumers/households/devices. Enforced by: CA Attorney General only
  • CPRA added (2020), 3 new rights: right to correct inaccurate PI, right to limit sensitive PI use, right to opt out of ADMT; "share" added alongside "sale". Threshold: 100,000 consumers/households (no devices). Enforced by: CPPA + AG (dual enforcement)
CPRA added three new consumer rights and expanded the definition of covered data practices to include sharing for cross-context behavioral advertising.

Sensitive Personal Information — The New Data Category

The original CCPA treated all personal information more or less the same way. CPRA created a distinct category called sensitive personal information (SPI) that triggers additional protections when collected or processed. SPI includes:

  • Government identifiers — Social Security numbers, driver's license numbers, state ID numbers, passport numbers
  • Financial account credentials — account numbers combined with access codes, passwords, or credentials that allow account access
  • Precise geolocation — any data that identifies a consumer's location within a radius of 1,850 feet (approximately one-third of a mile)
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Union membership
  • Contents of mail, email, and text messages — unless the business is the intended recipient
  • Genetic data
  • Biometric data — used to uniquely identify a consumer (fingerprints, face geometry, voiceprints)
  • Health information
  • Sex life or sexual orientation

When a business collects SPI, it must disclose the categories of SPI collected and the purposes for which they are used or disclosed. Consumers can exercise the right to limit use, restricting the business to using SPI only for performing the service or providing the goods requested, ensuring security, preventing fraud, and similar necessary purposes.

The practical compliance requirement is straightforward but requires work: you must inventory all data fields you collect, identify which ones qualify as SPI under the CPRA definitions, implement a separate consent and limitation mechanism, and add the "Limit the Use of My Sensitive Personal Information" link alongside your "Do Not Sell or Share" link.

Sale vs Sharing — The Critical Distinction

One of the CPRA's most impactful changes was adding the concept of "sharing" alongside "sale." Under the original CCPA, a "sale" meant disclosing, making available, or transferring personal information to a third party for monetary or other valuable consideration. This left a significant loophole: businesses could pass consumer data to advertising platforms for targeted ads without receiving direct monetary payment and argue it was not a "sale."

CPRA closed this loophole by defining "sharing" as making personal information available to a third party for cross-context behavioral advertising purposes, regardless of whether money changes hands. Cross-context behavioral advertising means targeting ads to a consumer based on their activity across different businesses, websites, apps, or services.

Here is what this means for common business scenarios:

  • Meta Pixel / Facebook tracking — installing the Meta Pixel on your site and passing visitor data to Meta for ad targeting is now classified as "sharing" under CPRA, even if you are not receiving money from Meta for that data
  • Google Analytics with ads features — if you use Google Analytics with advertising features enabled (remarketing audiences, Demographics and Interests reports), that data flow to Google constitutes sharing
  • Third-party cookies for retargeting — any data collected via third-party cookies that enables retargeting across different websites falls under the sharing definition
  • Data clean rooms — contributing consumer data to a data clean room for advertising matching purposes qualifies as sharing

The compliance impact is significant. Your "Do Not Sell My Personal Information" link must now read "Do Not Sell or Share My Personal Information" (or provide separate links). Your privacy policy must disclose sharing activities separately from sales. And you must honor opt-out requests for sharing just as you do for sales.

The California Privacy Protection Agency — New Sheriff in Town

One of the CPRA's most structurally significant changes was creating the California Privacy Protection Agency (CPPA), the first dedicated state-level privacy enforcement agency in the United States. Under the original CCPA, enforcement was handled exclusively by the California Attorney General's office, which had limited bandwidth for privacy cases alongside all of its other responsibilities.

The CPPA has several powers that make it a more formidable enforcer:

  • Administrative enforcement — the CPPA can investigate violations, issue subpoenas, hold administrative hearings, and impose fines directly without filing lawsuits
  • Rulemaking authority — the CPPA can issue binding regulations that interpret and implement the CCPA/CPRA, effectively creating new compliance obligations through the regulatory process
  • No cure period — under the original CCPA, businesses had a 30-day cure period after receiving a notice of violation. CPRA eliminated this automatic cure right as of January 1, 2023
  • Higher processing volume — as a dedicated agency, the CPPA can handle more complaints, conduct more investigations, and issue more enforcement actions than the AG's office could when privacy was just one of many portfolios

Penalty amounts remain the same as under the original CCPA: up to 2,500 dollars per non-intentional violation and up to 7,500 dollars per intentional violation or per violation involving a minor under 16. The per-violation structure means that a single failure affecting thousands of consumers could result in penalties ranging from millions to tens of millions of dollars. In 2025, the CPPA completed its first independent enforcement action, a 1.2 million dollar settlement with a location data broker that failed to register as a data broker and honor opt-out requests.

Data Minimization and Purpose Limitation

The original CCPA did not include data minimization or purpose limitation principles — businesses could collect as much data as they wanted and use it for any disclosed purpose. CPRA changed this with two new requirements that mirror GDPR principles:

Data Minimization

Under CPRA Section 1798.100(c), a business's collection, use, retention, and sharing of personal information must be "reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed." This means you can no longer justify collecting every possible data point just because you disclosed it in your privacy policy. Each data element you collect must serve a specific, documented purpose, and the scope of collection must be proportionate to that purpose.

Purpose Limitation

The same Section 1798.100(c) also states that personal information collected for a particular purpose cannot be further processed in a manner incompatible with that purpose. If you collect an email address for order confirmations, you cannot repurpose it for marketing without additional notice and (potentially) consent. This limits the "collect now, find uses later" approach that many businesses relied on.

Together, data minimization and purpose limitation fundamentally change the data strategy conversation. Instead of asking "what data can we collect?" the question becomes "what data do we actually need, and for specifically what purpose?"

Service Provider, Contractor, and Third-Party Distinctions

The original CCPA distinguished between businesses and service providers. CPRA added a third category — contractors — and tightened the requirements for all downstream entities.

  • Service provider — processes personal information on behalf of a business pursuant to a written contract that limits them to performing services for the business. Same as CCPA, but CPRA tightened the contractual requirements
  • Contractor — new under CPRA. Similar to a service provider, but the information is made available to them rather than collected on the business's behalf. Contractors must agree by contract not to sell or share the PI, not to retain, use, or disclose PI outside the business relationship, and to comply with CCPA/CPRA obligations
  • Third party — anyone who is not a service provider, contractor, or the business itself. Disclosures to third parties trigger sale or sharing obligations and consumer opt-out rights

The practical implication: review every vendor and partner relationship and classify each entity correctly. Your contracts with service providers and contractors must now include specific CPRA-mandated provisions, including the right to monitor compliance and the obligation to notify you if the downstream entity can no longer meet its CCPA/CPRA obligations.

Cybersecurity Audits and Risk Assessments

CPRA Section 1798.185(a)(15) directs the CPPA to issue regulations requiring businesses whose processing presents "significant risk to consumers' privacy or security" to perform regular cybersecurity audits and submit risk assessments to the CPPA on a regular basis.

The CPPA finalized these regulations in phases through 2024 and 2025. Key requirements include:

  • Cybersecurity audit — an annual audit assessing the sufficiency of the business's cybersecurity program, covering risk assessment, technical safeguards, access controls, incident response, vendor management, and employee training. The audit must be performed by a qualified, independent professional or internal team with appropriate expertise
  • Risk assessment — required before initiating any processing activity that presents significant risk. "Significant risk" processing includes selling or sharing PI of 100,000 or more consumers, processing SPI, using ADMT for decisions that produce legal or similarly significant effects, and processing PI of consumers known to be under 16
  • Risk assessment content — each assessment must identify the categories of PI processed, the purposes, the benefits and risks of the processing to both the business and the consumer, and the safeguards implemented to mitigate identified risks

These requirements should not surprise anyone familiar with GDPR's Data Protection Impact Assessment (DPIA) framework. The structure is similar: identify high-risk processing, evaluate the necessity and proportionality, assess risk to individuals, and implement safeguards.

CCPA to CPRA Compliance Timeline

  • Jan 2020: CCPA takes effect
  • Nov 2020: CPRA passed (Prop 24)
  • Jan 2022: lookback period starts
  • Jan 2023: CPRA effective and CPPA active
  • 2024-2025: ADMT and audit regulations
  • 2026: full enforcement, all regulations active

The 30-day cure period was eliminated on Jan 1, 2023 — businesses no longer get a warning before fines. CPPA has been actively enforcing since July 2023 with escalating penalties.
The transition from CCPA to CPRA spanned several years of legislation, rulemaking, and phased enforcement.

Opt-Out Preference Signals and Global Privacy Control

The CCPA originally required businesses to provide a "Do Not Sell My Personal Information" link. CPRA expanded this to "Do Not Sell or Share My Personal Information" and added a critical requirement: businesses must honor opt-out preference signals sent via a consumer's browser or device.

In practice, this means Global Privacy Control (GPC). GPC is a browser setting and browser extension standard (supported by Firefox, Brave, DuckDuckGo, and available as extensions for Chrome and Edge) that sends a signal to every website the consumer visits, essentially saying "I opt out of the sale and sharing of my personal information."

Key compliance points for GPC:

  • Treat GPC as legally valid — under the CPPA's regulations, a GPC signal must be processed as a valid opt-out of sale and sharing request. You cannot require additional action from the consumer
  • Apply across the consumer's relationship — if you can identify the consumer behind the GPC signal (through login, cookie matching, etc.), you must apply the opt-out to their entire profile, not just the current browsing session
  • Conflict resolution — if a known consumer has previously consented to sale or sharing but later starts sending a GPC signal, the most recent signal controls. GPC wins
  • Technical implementation — your website needs to detect the Sec-GPC: 1 HTTP header or the navigator.globalPrivacyControl JavaScript property and suppress any sale or sharing of PI for that visitor
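The detection and precedence rules above, as an added example that is not code from the original article: an Express-style middleware that reads the Sec-GPC header, applies the "GPC wins" rule against a stored consent record, persists the opt-out to the consumer's profile when the visitor is identifiable, and gates sharing tags on the result. The consent-store interface, the req.consumerId field and the tag descriptors are assumptions.

```javascript
// Added example, not code from the original article. The consent-store shape,
// req.consumerId and the tag descriptors are assumptions for illustration.

// Server side: Sec-GPC is a valid opt-out signal only when its value is exactly "1".
// Absent, "0", "true" or a folded duplicate such as "1, 1" is treated as "no signal".
function hasGpcHeader(headers) {
  if (!headers) return false;
  const raw = headers['sec-gpc'] !== undefined ? headers['sec-gpc'] : headers['Sec-GPC'];
  if (raw === undefined || raw === null) return false;
  return String(raw).trim() === '1';
}

// Client side: the browser exposes the same preference as a boolean property on navigator.
function hasGpcNavigatorSignal(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Conflict resolution: a GPC signal overrides any earlier opt-in ("GPC wins").
// priorConsent is { optedIn: boolean, at: ISO timestamp } or null for an unknown visitor.
// The reason is returned alongside the decision so it can be logged as audit evidence.
function resolveSaleSharePreference({ gpc, priorConsent }) {
  if (gpc) {
    return { allowSaleOrShare: false, reason: 'gpc-signal' };
  }
  if (priorConsent && priorConsent.optedIn) {
    return { allowSaleOrShare: true, reason: 'prior-opt-in' };
  }
  if (priorConsent && !priorConsent.optedIn) {
    return { allowSaleOrShare: false, reason: 'prior-opt-out' };
  }
  // No signal and no record: sale/sharing is permitted under an opt-out regime,
  // but the site must still offer the "Do Not Sell or Share" link.
  return { allowSaleOrShare: true, reason: 'no-preference-recorded' };
}

// Express-style middleware. consentStore is an assumed interface:
//   { get(consumerId) -> record | null, setOptOut(consumerId, source) }.
// When the visitor is identifiable, the opt-out is written to their profile so it
// applies to the whole relationship rather than only the current browsing session.
function gpcMiddleware(consentStore) {
  return function (req, res, next) {
    const gpc = hasGpcHeader(req.headers);
    const consumerId = req.consumerId || null; // set earlier by session/auth middleware (assumed)
    const priorConsent = consumerId ? consentStore.get(consumerId) : null;
    const decision = resolveSaleSharePreference({ gpc, priorConsent });

    if (gpc && consumerId && !(priorConsent && priorConsent.optedIn === false)) {
      consentStore.setOptOut(consumerId, 'gpc');
    }
    req.saleSharePreference = decision;

    // Vary on Sec-GPC so a shared cache never serves a page built with sharing tags
    // to a visitor whose browser sent the opt-out signal.
    const prev = typeof res.getHeader === 'function' ? res.getHeader('Vary') : undefined;
    res.setHeader('Vary', prev ? prev + ', Sec-GPC' : 'Sec-GPC');

    if (typeof next === 'function') next();
    return decision;
  };
}

// Tag gating: the single place where sharing tags are emitted. Tags flagged as
// sharing PI (ad-targeting pixels, analytics with ads features, retargeting cookies)
// load only when the resolved decision allows sale or sharing.
function tagsToLoad(decision, tags) {
  return tags.filter((t) => !t.sharesPersonalInfo || decision.allowSaleOrShare);
}

// Constructed in-memory consent store so the example runs offline.
function makeMemoryConsentStore(seed = {}) {
  const records = new Map(Object.entries(seed));
  return {
    get: (id) => records.get(id) || null,
    setOptOut: (id, source) =>
      records.set(id, { optedIn: false, at: new Date().toISOString(), source }),
    dump: () => Object.fromEntries(records),
  };
}
```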

The AG's office has already enforced GPC requirements. In 2022, Sephora paid a 1.2 million dollar settlement partly because it failed to process GPC opt-out signals. Since then, the CPPA has signaled that GPC violations are a priority enforcement area.

Private Right of Action — What Changed and What Did Not

The original CCPA created a limited private right of action under Section 1798.150 — consumers can sue a business directly (without waiting for the AG) only for data breaches caused by the business's failure to implement reasonable security measures. Statutory damages range from 100 to 750 dollars per consumer per incident, or actual damages, whichever is greater.

CPRA expanded this in one important way: the private right of action now covers breaches of email address combined with password or security question and answer, not just the categories in the original CCPA (Social Security number, driver's license, financial account, medical, health insurance). This reflects the reality that email-password combinations are among the most commonly breached data types and enable cascading account takeover attacks.

What did not change: the private right of action is still limited to data breach scenarios. Consumers cannot sue for other CCPA/CPRA violations (failure to honor opt-out requests, missing privacy notices, etc.) — those remain the domain of the CPPA and AG. However, the 30-day cure period that used to apply to private right claims was also eliminated by CPRA, removing a significant defense that businesses previously relied on.

Children's Data — Enhanced Protections

Both CCPA and CPRA provide heightened protections for children under 16. The penalty for violations involving children's data is 7,500 dollars per violation (the "intentional violation" rate), regardless of whether the violation was intentional. CPRA added or strengthened several child-related provisions:

  • Opt-in for ages 13 to 16 — a business cannot sell or share PI of a consumer between 13 and 16 without the consumer's affirmative opt-in
  • Parental opt-in for under 13 — a business cannot sell or share PI of a consumer under 13 without the parent or guardian's verifiable opt-in consent
  • Triple penalty period — if a business fails to cure a violation involving a child's data within 30 days of notification, the CPPA can apply a penalty of up to 7,500 dollars per violation with the maximum applied retroactively
  • ADMT protections for minors — the CPPA's automated decision-making regulations include additional safeguards when ADMT is used to process data of consumers known to be under 16

Businesses that knowingly collect data from users under 13 must also comply with the federal Children's Online Privacy Protection Act (COPPA), which has its own set of requirements around verifiable parental consent, data minimization, and data retention limits.

Major CCPA/CPRA Enforcement Actions to Date

Enforcement has accelerated significantly since the CPPA became operational. Here are the key enforcement actions that illustrate how regulators are interpreting and applying the law:

  • Sephora — 1.2 million dollar settlement (2022) — the AG's first major CCPA enforcement action. Sephora sold consumer data through its website to advertising partners without providing required notices, failed to provide a "Do Not Sell" mechanism, and did not process GPC opt-out signals. The case established that passing data to ad tech companies for analytics and advertising purposes constitutes a "sale"
  • DoorDash — 375,000 dollar fine (2023) — the AG fined DoorDash for selling consumer data to a marketing cooperative without consumer consent. The case is notable because the data sharing happened through a cooperative arrangement rather than a direct business-to-business transaction
  • CPPA's first independent action — data broker (2025) — the CPPA completed its first enforcement action against a location data company that failed to register as a data broker under California's data broker registration law (which CPRA connected to the CCPA framework) and failed to honor opt-out requests. The settlement reached 1.2 million dollars
  • GPC enforcement sweeps (2024-2025) — the CPPA conducted an enforcement sweep focused on businesses failing to honor GPC signals. Several businesses received notices of violation and entered settlement discussions. The outcomes reinforced that GPC compliance is not optional

2026 CCPA/CPRA Compliance Checklist

Use this checklist to evaluate and strengthen your compliance program. Each item reflects a specific CCPA or CPRA obligation.

  • Privacy policy updated to reflect CPRA terminology and all current data practices including sharing for cross-context behavioral advertising
  • "Do Not Sell or Share My Personal Information" link prominently displayed
  • "Limit the Use of My Sensitive Personal Information" link displayed (if you collect SPI)
  • At-collection notice lists categories of PI collected, purposes, whether PI is sold or shared, and retention periods for each category
  • Privacy policy discloses categories of PI sold or shared in the preceding 12 months and identifies the third parties to whom each category was disclosed

Consumer Rights Infrastructure

  • At least two methods for submitting requests (including a toll-free number for businesses that interact with consumers offline)
  • Identity verification process for know, delete, and correct requests
  • Response within 45 days (extendable to 90 with notice to consumer)
  • Process for handling correction requests, including propagating corrections to service providers and contractors
  • Process for limiting SPI use upon consumer request
  • Mechanism for opting out of automated decision-making (if applicable based on CPPA regulations)

Data Handling

  • Data inventory completed identifying all categories of PI and SPI collected, the sources, the purposes, and the recipients
  • Data minimization review performed — each data element collected serves a documented purpose and collection scope is proportionate
  • Purpose limitation controls in place — PI collected for one purpose is not repurposed without additional notice
  • Data retention schedule established and disclosed in privacy policy, with records of retention periods for each category of PI

Vendor and Third-Party Management

  • All downstream entities classified as service providers, contractors, or third parties
  • Written contracts with service providers and contractors that include CPRA-mandated provisions (restrictions on use, obligation to comply, right to audit, obligation to notify of inability to meet obligations)
  • Contracts updated to reflect "sharing" obligations alongside "sale" obligations
  • Mechanism to propagate consumer opt-out requests downstream to entities that received the consumer's PI

Technical Compliance

  • GPC signal detection implemented (Sec-GPC: 1 header and navigator.globalPrivacyControl)
  • GPC signal triggers suppression of sale and sharing for the visitor
  • Consent management platform configured to handle sale, sharing, and SPI limitation separately
  • Data broker registration filed with California AG (if applicable — businesses that buy or sell PI of consumers with whom they have no direct relationship)

Audits and Assessments

  • Annual cybersecurity audit conducted by qualified personnel (if processing presents significant risk to consumer privacy)
  • Risk assessments completed for each high-risk processing activity before processing begins
  • Risk assessment documentation retained and available for CPPA review upon request

Side-by-Side Comparison: CCPA vs CPRA

| Feature | CCPA (Original) | CPRA (Amended) |
| --- | --- | --- |
| Consumer Rights | 4 rights (know, delete, opt-out, non-discrimination) | 7 rights (added correct, limit SPI, opt-out ADMT) |
| Covered Data Practices | Sale only | Sale and sharing (cross-context behavioral advertising) |
| Sensitive Data Category | None | Sensitive Personal Information (11 categories) |
| Business Threshold | 50,000 consumers/households/devices | 100,000 consumers/households (no devices) |
| Data Minimization | Not required | Required — collection must be reasonably necessary |
| Purpose Limitation | Not required | Required — no incompatible further processing |
| Enforcement Body | California Attorney General only | CPPA (primary) + AG (civil actions) |
| Cure Period | 30 days after notice | Eliminated (as of Jan 2023) |
| Downstream Entities | Service providers only | Service providers + contractors + third parties |
| Cybersecurity Audits | Not required | Required for high-risk processing |
| Risk Assessments | Not required | Required for significant-risk processing |
| Opt-Out Preference Signals | Not specifically addressed | Must honor GPC and similar signals |
| Data Retention Disclosure | Not required | Must disclose retention period for each PI category |
| Private Right of Action | Breach of SSN, DL, financial, medical | Added email + password/security Q&A breaches |

The Five Most Common Compliance Gaps in 2026

After analyzing enforcement actions, CPPA guidance, and industry audit reports, these are the compliance failures that catch businesses most often:

1. Treating Advertising Data Flows as Non-Sales

Many businesses still classify their Meta Pixel, Google Ads, and programmatic advertising data flows as "analytics" or "service provider relationships" rather than sales or sharing. The Sephora case made clear that passing consumer data to ad tech companies for their advertising purposes constitutes a sale or share. If a third-party advertising company uses the data you make available for their own purposes including targeting, it is a sale or share — full stop.

2. Missing GPC Implementation

Technical teams often deprioritize GPC signal detection because adoption has been relatively low (estimated at 10-15 percent of browsers in 2026). But adoption rate is irrelevant — the law requires you to honor the signal regardless of how many consumers send it. And the enforcement trend is clear: regulators are actively checking.

3. No Separate SPI Handling

Businesses that treat sensitive personal information the same as regular PI — without a separate limitation mechanism and disclosure — are non-compliant. The "Limit" link and separate SPI disclosures in your privacy policy are distinct requirements, not optional additions.

4. Stale Service Provider Contracts

Contracts executed before CPRA took effect often lack the new required provisions: contractor designations, sharing restrictions (not just sale restrictions), the right to audit, and the obligation to notify you of compliance failures. A 2022-era service provider agreement does not meet 2026 requirements.

5. No Data Retention Disclosures

CPRA requires businesses to disclose retention periods for each category of PI they collect. Generic statements like "we retain your data as long as necessary" do not satisfy this requirement. Businesses must specify time periods or criteria for determining retention periods, broken down by category.

Tools for CCPA/CPRA Compliance

Compliance at scale requires tooling, particularly for consent management, data mapping, and consumer rights fulfillment. Here are the leading options by function:

  • OneTrust — the most widely deployed enterprise privacy platform. Handles consent management, GPC detection, cookie scanning, "Do Not Sell or Share" and "Limit My SPI" links, and integrates with major ad tech and analytics platforms. Comprehensive but the highest cost tier with enterprise pricing starting at tens of thousands of dollars annually
  • Osano — designed for mid-market businesses with simpler compliance needs. Provides consent management, vendor risk monitoring, and a "no legalese" privacy policy generator. A more accessible option, with pricing starting at about 200 dollars per month for their business tier
  • CookieYes — budget-friendly option for small businesses. Handles cookie consent, "Do Not Sell or Share" links, and GPC detection. The free plan covers up to 100 pages and 25,000 monthly pageviews

Data Mapping and Discovery

  • Securiti — AI-powered data intelligence platform that automatically discovers and maps personal information across structured and unstructured data sources, cloud environments, and SaaS applications. Particularly strong for SPI identification
  • BigID — data discovery and intelligence platform with deep classification capabilities. Excellent for identifying sensitive personal information categories matching the CPRA definitions and tracing data flows across the enterprise
  • Transcend — focuses on automated data mapping with direct API integrations to popular data systems. Connects to your actual infrastructure (databases, SaaS tools, APIs) and maps data flows programmatically rather than relying on manual surveys

Consumer Rights Fulfillment

  • DataGrail — automates the end-to-end consumer rights request workflow: intake, identity verification, data discovery across systems, fulfillment, and response delivery. Integrates with over 2,000 systems
  • Ethyca (Fides) — open-source privacy engineering platform built for developer teams. Handles consent management, data mapping, and access/deletion request automation through code-first configuration. Free to use with enterprise support available

How CCPA/CPRA Relates to Other State Privacy Laws

California's law does not exist in isolation. As of 2026, 20 US states have enacted comprehensive privacy laws, and most of them have drawn from both the CCPA/CPRA model and the Virginia CDPA model. Key differences to be aware of:

  • Opt-out vs opt-in for sensitive data — CPRA uses an opt-out model for SPI (consumers can limit use after the fact), while most other state laws, such as those of Virginia, Colorado, and Connecticut, require opt-in consent before processing sensitive data. If you operate across states, you may need to implement opt-in for sensitive data to satisfy the strictest requirement
  • Universal opt-out mechanisms — Colorado, Connecticut, Texas, Montana, and several other states explicitly require honoring universal opt-out mechanisms like GPC. California's requirement came through CPPA regulation rather than the statute itself, but the outcome is the same
  • Private right of action — most state privacy laws do not include a private right of action. California's limited private right of action for data breaches is still unusual. Illinois BIPA (biometric data) has both a private right of action and uncapped damages, making it arguably more aggressive in that specific area
  • Revenue thresholds — most state laws use a combination of consumer count and revenue percentage thresholds. California's 25 million dollar gross revenue threshold is unique and covers businesses that might fall below other states' processing thresholds

For businesses operating nationwide, the practical approach is to build a compliance baseline at the strictest state standard and then layer state-specific adjustments as needed. In most areas, satisfying CPRA and Colorado's CPA will cover the requirements of the remaining states.

Looking Ahead: Federal Privacy Legislation

The American Privacy Rights Act (APRA) introduced in the US Congress in 2024 would create a nationwide privacy standard, potentially preempting parts of state laws including the CCPA/CPRA. However, California's legislative delegation has consistently negotiated for a carve-out protecting the CCPA/CPRA from federal preemption. As of 2026, federal privacy legislation remains stalled, and the CCPA/CPRA continues to function as the de facto national standard that businesses use as their compliance North Star.

Regardless of whether federal legislation passes, the investments you make in CPRA compliance are transferable. The rights frameworks, data mapping, consent infrastructure, and vendor management practices required by CPRA will satisfy most future federal requirements. Building for CPRA today means you are building for whatever comes next.

The Bottom Line

CPRA was not a minor update to the CCPA. It fundamentally expanded California's privacy framework by adding new consumer rights, creating a dedicated enforcement agency with rulemaking authority, introducing the sensitive personal information category, requiring data minimization and purpose limitation, mandating cybersecurity audits and risk assessments, and closing the advertisement-data loophole through the "sharing" concept.

If your compliance program was built for the 2020 CCPA, it is incomplete. The 2026 landscape requires updated privacy notices with new links and disclosures, a system for handling correction, limitation, and ADMT opt-out requests, GPC signal detection and processing, SPI identification and separate handling, updated vendor contracts with CPRA-mandated provisions, and regular cybersecurity audits and risk assessments for high-risk processing.

The elimination of the 30-day cure period means there is no grace period. The CPPA is actively enforcing. And with per-violation penalties of up to 7,500 dollars that multiply across every affected consumer, the financial risk of non-compliance dwarfs the cost of getting compliant.

Frequently Asked Questions

Does the CPRA replace the CCPA?

No. The CPRA amends the CCPA rather than replacing it. The original CCPA obligations remain in effect. CPRA adds new consumer rights (correction, limiting sensitive PI use, opting out of automated decisions), creates the California Privacy Protection Agency as a dedicated enforcer, introduces the sensitive personal information category, and imposes data minimization and purpose limitation requirements. Think of CPRA as CCPA 2.0 — everything in CCPA still applies, with significant additions on top.

Chimaka Ikemba

Privacy & Compliance Writer

Chimaka is a CIPP/E-certified data privacy consultant with six years of hands-on experience in regulatory compliance. She specializes in helping organizations navigate GDPR, CCPA, and emerging global privacy regulations, translating complex legal requirements into practical compliance frameworks. Her guides are trusted by legal teams and data protection officers worldwide.
