5 Biggest Changes Included in the CPRA


The California Consumer Privacy Act (CCPA) has been in effect since 2018, but starting on January 1, 2023, it’s getting a major update. Passed by voters in 2020, the California Privacy Rights Act (CPRA) adds a lot to the existing privacy law.

Here are the five biggest changes going into effect in 2023.

New Privacy Requests

The CPRA has added two new privacy rights for consumers, and along with them come two new privacy requests that businesses must respond to.

  • Request to Correct - Consumers now have the right to correct inaccurate personal information about them, which means businesses must be willing to make those corrections. This should not be much of a burden, though, as most businesses already have an interest in maintaining accurate records.
  • Request to Limit - The CPRA has introduced the concept of “sensitive personal information,” i.e., categories of data such as ID numbers, geolocation data, and health information that warrant special care. Consumers can request that businesses limit the use and disclosure of sensitive personal information to what it is necessary and reasonably expected.

Responding to these requests within the allowed time limit will take prior planning, especially in the case of requests to limit.

Global Privacy Control

Global Privacy Control (GPC) is a browser signal that indicates a website visitor’s privacy preferences, in particular their desire to opt out of targeted advertising. 

It is not a new concept introduced by the CPRA. The basic idea hearkens back to the failed Do Not Track standard that was developed in 2009 but never widely adopted. The term global privacy control actually comes from the original CCPA, which discusses the possibility that such a signal could exist in the future. In response to this, a consortium of tech companies developed the GPC standard, and it has already been implemented on many major websites.

What the CPRA has done is make it mandatory that businesses respond to the GPC signal from consumers’ browsers (and any other similar technology that may be developed in the future), and treat it as a valid request to opt out. There was some initial confusion about this, but the California Privacy Protection Agency has since clarified that respecting the GPC signal is not optional.

The California Privacy Protection Agency

One of the changes in the CPRA that may have the farthest reaching consequences is the creation of the California Privacy Protection Agency (CPPA). As a first-of-its-kind government office in the United States, the CPPA is dedicated exclusively to CCPA enforcement. 

With the power to impose administrative fines and create new regulations, the CPPA will have great influence over the privacy landscape. Once it fully takes over duties from the California Attorney General’s Office in July 2023, there is every reason to believe that CCPA enforcement will increase significantly.

New Contract Requirements

Contract review will be a major component of CCPA compliance going forward. The law already required that contracts with service providers contain certain limitations on the use of personal information; the CPRA introduces contract requirements for all disclosures to third parties, contractors, and service providers.

Contracts must state that personal information is being disclosed for limited purposes, require the recipient to comply with all legal obligations under the CCPA, and give the business authority to verify the recipient’s compliance. Any disclosure not made pursuant to such a contract is unlawful.

Purpose Limitation

An often-overlooked change included in the CPRA is the new purpose-limitation rule. Businesses must restrict their processing of consumers’ personal data to what is necessary and proportionate to achieve the purpose for which it was collected. If the business uses the data for another purpose, it must be compatible with the context in which it was originally collected.

For example, if a business collects personal information in order to provide cloud storage for photos, further using that data to develop facial recognition software would not be compatible with the original purpose, unless it was made very clear to consumers in advance.

Prepare for CPRA Compliance and More

Privacy compliance is a moving target for businesses. Every year, laws are amended and new laws are passed, and trying to thread a needle through all of the requirements becomes increasingly complicated. This is especially true for small and medium-sized businesses that don’t have an in-house legal team or tens of thousands of dollars to spend on attorneys. 

TrueVault US simplifies privacy compliance across multiple jurisdictions. From a single dashboard, businesses can guide themselves to compliance—even if they are starting from scratch—and stay compliant with minimal effort.

Contact our team to learn more and schedule a demo.

Schedule Call