The CCPA Gets an Upgrade With the Passage of the CPRA

The California Privacy Rights Act (“CPRA”) passed on the November 3 ballot and amends the California Consumer Privacy Act of 2018 (“CCPA”), the principal framework (and first-of-its-kind state law) that regulates the collection and use of personal information collected from California residents.

The CPRA in Summary. The CPRA creates additional consumer rights, modifies existing CCPA rights, mandates a new category of consumer personal information with associated rules, and establishes a new privacy enforcement agency. The CPRA goes into effect on January 1, 2023, with a look back on personal information collected from January 1, 2022.

What Businesses Should Expect. The CPRA’s substantive provisions become effective January 1, 2023, and new regulations are expected to be introduced by July 1, 2022. Covered businesses should, therefore, monitor regulatory developments and carefully review their compliance programs to address the law’s key changes.

What Businesses Can Do Now. To prepare for this next wave of privacy regulations, businesses should:

  • Update Data Maps: update or perform new data mapping efforts to determine which elements of personal information a business collects are “sensitive” and allow the business to
  • Update Notices and Internal Policies: evaluate data retention policies internally and update privacy statements with newly required disclosures;
  • Update Consumer Request Mechanisms: implement or update a mechanism for allowing consumers to request correction of inaccurate personal information; and
  • Update Required Links: update their “Do Not Sell” mechanism to either include a second “Limit the Use of My Sensitive Personal Information” link or bundle both mechanisms under one link. In addition, businesses should update their “Do Not Sell My Personal Information” link to read “Do Not Sell or Share My Personal Information.”

What the CPRA Substantively Changes.

  • Scope of Covered “Businesses”. The CPRA modifies the threshold requirements for a covered “business” that collects personal information. It: (1) clarifies that gross revenues should be measured as of January 1 each calendar year for the preceding calendar year; (2) increases the number of “consumers” or “households” from whom a business annually buys, sells, or shares personal information from 50,000 to 100,000; and (3) requires businesses to include annual revenue derived from both “selling” and “sharing.”
  • Sensitive Personal Information. The CPRA creates a new category of data called “sensitive personal information,” which is a subcategory of “personal information.” Data under this subcategory includes government-issued identifiers, financial information, biometric data, health status, precise geolocation, contents of emails or texts, and race or ethnic origin. Consumers may require businesses to limit the use of sensitive personal information to only that which is necessary to perform services “reasonably expected by an average consumer.”
  • Right to Opt Out of the Sharing of Personal Information. Now, the CCPA requirements around “selling” also apply to “sharing”: consumers may opt out of any sharing of their personal information whether or not there has been a “sale,” which may close a perceived loophole in the CCPA.
  • Right to Correct. In addition to the right to request access and right to delete that currently exist under the CCPA, consumers will now have the right to request that a business correct inaccurate personal information.
  • Privacy Enforcement Agency. The CCPA and privacy regulations in California are currently subject to enforcement actions by the California Attorney General. The CPRA will, however, create a dedicated agency to oversee enforcement of California privacy regulations. This agency will have the power to enforce both the CCPA and CPRA, and will be empowered to issue related regulations.

The CPRA also includes more general modifications and obligations, such as expanded disclosure obligations; affirmative requirements to implement “reasonable security procedures and practices”; limitations on the “collection, use, retention, and sharing” of personal information to that which is “reasonably necessary and proportionate” to the disclosed purposes; and an expanded private right of action for personal information security breaches, which now includes unauthorized disclosure of the combination of email and account password or security question and answer that could permit account access.

For more information, please contact the Baker Botts Privacy and Data Security team.

Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit
