CCPA vs CPRA: Key Differences Explained (2026)

California's consumer privacy framework has evolved significantly since the California Consumer Privacy Act (CCPA) first took effect in 2020. In November 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which amended the CCPA to strengthen consumer protections, create new rights, and establish a dedicated enforcement agency.
The CPRA did not replace the CCPA. It built on it. The official statute is still titled the "California Consumer Privacy Act of 2018," but its provisions now include every change the CPRA introduced. Understanding what changed, and when, is essential for businesses navigating California privacy compliance in 2026.
Timeline: From CCPA to CPRA
Understanding the timeline helps clarify which provisions apply and when they took effect.
| Date | Event |
|---|---|
| June 28, 2018 | Governor Brown signs AB 375, the California Consumer Privacy Act |
| January 1, 2020 | CCPA takes effect |
| July 1, 2020 | California Attorney General begins CCPA enforcement |
| November 3, 2020 | California voters approve Proposition 24 (CPRA) with 56.2% of the vote |
| January 1, 2023 | CPRA amendments to the CCPA take effect; apply to data collected on or after January 1, 2022 |
| March 29, 2023 | CPPA finalizes first set of CCPA regulations |
| July 1, 2023 | CPPA begins enforcement operations, sharing authority with the Attorney General |
| January 1, 2025 | CPI-adjusted penalty amounts take effect |
| September 23, 2025 | CPPA finalizes regulations on cybersecurity audits, risk assessments, and ADMT |
| January 1, 2026 | New regulations take effect; DROP platform launches |
| January 1, 2027 | ADMT requirements become enforceable |
Side-by-Side Comparison: CCPA (Original) vs. CPRA Amendments
The following table compares the original CCPA provisions with what the CPRA changed or added.
| Feature | CCPA (Original, 2020) | After CPRA Amendments (2023+) |
|---|---|---|
| Consumer right to know | Yes | Yes (unchanged) |
| Right to delete | Yes | Yes (unchanged) |
| Right to opt out of sale | Sale only | Sale AND sharing for cross-context behavioral advertising |
| Right to correct | No | Yes |
| Right to limit sensitive PI use | No | Yes |
| Right to access ADMT info | No | Yes (effective 2027) |
| Non-discrimination | Yes | Yes (unchanged) |
| Sensitive personal information | Not defined separately | Defined as distinct category with special protections |
| Enforcement body | Attorney General only | Attorney General AND CPPA |
| Penalty amounts | $2,500 / $7,500 per violation | CPI-adjusted biennially ($2,663 / $7,988 as of 2025) |
| Service provider rules | Basic requirements | Expanded obligations for service providers AND new "contractor" category |
| Risk assessments | Not required | Required for high-risk processing (regulations effective 2026) |
| Cybersecurity audits | Not required | Required for certain businesses (regulations effective 2026) |
| Opt-out preference signals | Not explicitly required | Businesses must honor GPC and similar signals |
| Data minimization | Not explicit | Businesses may only collect data reasonably necessary for disclosed purposes |
| Cure period | 30-day cure period before AG enforcement | Eliminated (CPPA can fine without cure period) |

New Consumer Rights Under the CPRA
The CPRA added two entirely new rights and expanded an existing one.
Right to Correct Inaccurate Personal Information
Consumers can now request that a business correct inaccurate personal information it maintains. The business must use commercially reasonable efforts to correct the data after receiving a verified request.
This right did not exist under the original CCPA. It mirrors similar provisions in the European Union's General Data Protection Regulation (GDPR).
Right to Limit Use of Sensitive Personal Information
The CPRA created the concept of sensitive personal information as a distinct legal category. Consumers can direct businesses to limit their use of sensitive PI to what is strictly necessary to perform the services or provide the goods the consumer requested.
Sensitive personal information includes:
- Government identifiers (Social Security numbers, driver's license numbers)
- Financial account credentials
- Precise geolocation
- Racial or ethnic origin, religious beliefs, union membership
- Contents of private communications (mail, email, texts)
- Genetic and biometric data
- Health, sex life, or sexual orientation data
- Neural data (added by SB 1223 in 2024)
Businesses that use or disclose sensitive personal information beyond what is necessary must post a "Limit the Use of My Sensitive Personal Information" link on their homepage.
Expanded Opt-Out: Sale AND Sharing
The original CCPA gave consumers the right to opt out of the "sale" of their personal information. The CPRA expanded this to include "sharing," which the statute defines as making personal information available to a third party for cross-context behavioral advertising.
This change closed a significant loophole. Under the original CCPA, some businesses argued that transferring data to advertising partners was not a "sale" because no money changed hands. The CPRA's broader definition of "sharing" captures these data transfers regardless of whether monetary consideration is involved.
The required homepage link changed from "Do Not Sell My Personal Information" to "Do Not Sell or Share My Personal Information."

The CPPA: A New Enforcement Agency
One of the CPRA's most significant structural changes was creating the California Privacy Protection Agency, the first agency in the United States dedicated solely to consumer data privacy.
CPPA vs. Attorney General Enforcement
| Aspect | Attorney General | CPPA |
|---|---|---|
| Authority | Civil penalties via court action | Administrative fines via CPPA proceedings |
| Cure period | Originally had 30-day cure period (eliminated by CPRA) | No cure period from the start |
| Enforcement start | July 1, 2020 | July 1, 2023 |
| Scope | CCPA plus other consumer protection laws | CCPA-specific enforcement plus rulemaking |
| Rulemaking | Adopted initial CCPA regulations | Now has primary rulemaking authority |
The CPPA has already demonstrated active enforcement. In 2025, the agency settled cases against American Honda Motor Co. ($632,500), Tractor Supply Company ($1.35 million), and Todd Snyder, Inc. ($345,178).
Elimination of the 30-Day Cure Period
Under the original CCPA, the Attorney General had to give businesses a 30-day notice to "cure" violations before bringing enforcement action. The CPRA eliminated this cure period entirely. The CPPA can now issue fines immediately upon finding a violation.
Contractor Obligations: A New Category
The original CCPA regulated "businesses" and "service providers." The CPRA added a third category: "contractors."
Service Providers vs. Contractors
| Feature | Service Provider | Contractor |
|---|---|---|
| Relationship | Processes data on behalf of the business | Receives data from the business via written contract |
| Contract requirement | Yes | Yes |
| Can sell/share data | No | No |
| Must delete on request | Yes | Yes |
| Certification requirement | Basic contractual terms | Must certify understanding and compliance with CCPA restrictions |
| Sub-processing | May engage sub-processors with equivalent protections | Similar restrictions |
Businesses must include specific CCPA-compliant provisions in their contracts with both service providers and contractors, including prohibitions on selling or sharing the data, retention limitations, and requirements to assist with consumer rights requests.
Risk Assessments and Cybersecurity Audits
The CPRA directed the CPPA to develop regulations requiring certain businesses to conduct privacy risk assessments and cybersecurity audits. The CPPA finalized these regulations in September 2025, effective January 1, 2026.
Risk Assessment Requirements
Businesses must conduct risk assessments for processing activities that present "significant risk" to consumer privacy. This includes:
- Selling or sharing personal information
- Processing sensitive personal information
- Using automated decisionmaking technology for significant decisions
- Processing personal information of children or consumers the business knows to be under 16
Risk assessments must weigh the benefits of the processing against the potential risks to consumer privacy. Businesses must submit attestations and summaries to the CPPA by April 1, 2028.
Cybersecurity Audit Requirements
Certain businesses must conduct annual cybersecurity audits that assess whether their security practices are appropriate for the nature and volume of personal information they process. The audit must evaluate the business's ability to:
- Protect personal information from unauthorized access, destruction, use, modification, or disclosure
- Identify and address security gaps
- Respond to security incidents
Opt-Out Preference Signals
The CPRA codified the concept of opt-out preference signals (OOPS), requiring businesses to treat browser-level privacy signals as valid opt-out requests.
Global Privacy Control (GPC)
The most widely used opt-out preference signal is Global Privacy Control (GPC), available as a built-in feature in browsers like Mozilla Firefox, DuckDuckGo, and Brave, or as a browser extension.
When GPC is enabled, it automatically sends a signal to every website the consumer visits indicating they want to opt out of the sale and sharing of their personal information. Businesses must honor this signal the same way they would honor a consumer clicking the "Do Not Sell or Share My Personal Information" link.
The Attorney General's enforcement action against Sephora in 2022 was partly based on the company's failure to recognize GPC signals. In 2025, the AG and CPPA launched a joint investigative sweep with Colorado and Connecticut to investigate businesses refusing to honor opt-out preference signals.
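As an added example that is not part of this article, the following Python shows how a web backend can recognize the GPC signal described above. The GPC specification transmits it as the HTTP request header `Sec-GPC: 1`; the function names, the `PrivacyDecision` type and the sample requests are assumptions constructed for the example.

```python
"""Server-side detection of the Global Privacy Control (GPC) signal.
The GPC spec carries it as the HTTP request header ``Sec-GPC: 1``; an absent
header or any other value is not a valid signal. Constructed example; names
are assumptions."""
from dataclasses import dataclass
from typing import Mapping


@dataclass(frozen=True)
class PrivacyDecision:
    """Which downstream data flows this request may trigger."""
    gpc_present: bool
    sale_allowed: bool
    sharing_allowed: bool  # cross-context behavioral advertising
    record_opt_out: bool   # persist the signal as a new opt-out request


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only for the well-formed signal ``Sec-GPC: 1``. Header names are
    case-insensitive, so an exact-spelling lookup would miss signals relayed by
    proxies that lower-case header names."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def decide(headers: Mapping[str, str], prior_opt_out: bool = False) -> PrivacyDecision:
    """Treat a GPC signal like a click on "Do Not Sell or Share". A signal adds
    an opt-out to the consumer's stored state (``prior_opt_out``) but never
    removes one: a later request without the header does not re-enable sale."""
    gpc = gpc_signal_present(headers)
    opted_out = gpc or prior_opt_out
    return PrivacyDecision(
        gpc_present=gpc,
        sale_allowed=not opted_out,
        sharing_allowed=not opted_out,
        record_opt_out=gpc and not prior_opt_out,
    )


# Constructed sample requests (not captured traffic), one per case handled above.
SAMPLE_REQUESTS = {
    "browser_gpc_on": {"Host": "shop.example", "Sec-GPC": "1"},
    "proxy_lowercased": {"host": "shop.example", "sec-gpc": "1"},
    "no_signal": {"Host": "shop.example"},
    "malformed_value": {"Host": "shop.example", "Sec-GPC": "true"},
}
```

Only the `browser_gpc_on` and `proxy_lowercased` samples produce an opt-out; the malformed value is ignored rather than guessed at, and a stored opt-out survives requests that carry no header.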
Alternative Opt-Out Links
Businesses that process opt-out preference signals can use a single, combined link (such as "Your Privacy Choices") instead of separate "Do Not Sell or Share" and "Limit the Use of My Sensitive Personal Information" links, provided the response to the signal is frictionless for the consumer.
Automated Decisionmaking Technology (ADMT)
The CPRA's most forward-looking provision addresses automated decisionmaking technology. Under regulations finalized in 2025:
- Businesses that use ADMT to make "significant decisions" about consumers must provide pre-use notice
- Consumers can request information about how ADMT was used in decisions affecting them
- Consumers can opt out of certain ADMT uses
- These requirements take effect January 1, 2027
Significant decisions include those that produce legal or similarly significant effects concerning access to financial services, housing, insurance, education, employment, health care, or essential goods and services.
Data Minimization and Purpose Limitation
The CPRA introduced explicit data minimization requirements that the original CCPA lacked. Under the amended statute, businesses:
- May only collect personal information that is "reasonably necessary and proportionate" to achieve the purposes for which it was collected or processed
- Cannot retain personal information longer than reasonably necessary for the disclosed purpose
- Cannot use personal information for purposes incompatible with those disclosed at the time of collection without providing new notice
These requirements align California law more closely with the GDPR's data minimization principles.
Practical Impact for Businesses
The shift from the original CCPA to the CPRA-amended version affects day-to-day operations in several concrete ways:
- Privacy policies need updating to address new rights (correction, sensitive PI limitation) and new categories (contractors)
- Homepage links changed from "Do Not Sell My Personal Information" to "Do Not Sell or Share My Personal Information" with an optional "Limit the Use of My Sensitive Personal Information" link
- Vendor contracts must distinguish between service providers and contractors with appropriate CCPA terms
- Technical infrastructure must detect and honor opt-out preference signals like GPC
- Risk assessment programs are now mandatory for businesses that process data in high-risk ways
- Employee training must cover new rights, new categories of data, and new enforcement realities
For a step-by-step guide to meeting these requirements, see our CCPA Compliance Checklist.
This article provides general legal information, not legal advice. Privacy regulations evolve frequently, and enforcement interpretations change. Consult an attorney for advice specific to your situation.
Sources and References
- CCPA Full Text (Cal. Civ. Code 1798.100-1798.199.100) (leginfo.legislature.ca.gov)
- CPPA Law & Regulations Portal (cppa.ca.gov)
- CCPA Overview (California Attorney General) (oag.ca.gov)
- CPPA FAQ (cppa.ca.gov)
- CCPA Statute Effective January 1, 2026 (cppa.ca.gov)
- CPI-Adjusted Monetary Thresholds (cppa.ca.gov)
- CCPA Updates: Cybersecurity Audits, Risk Assessments, ADMT (cppa.ca.gov)
- CPPA Finalizes Privacy Regulations (Sept 2025) (cppa.ca.gov)
- Global Privacy Control (GPC) (oag.ca.gov)
- AG Sephora Settlement ($1.2M) (oag.ca.gov)
- CPPA Honda Settlement ($632,500) (cppa.ca.gov)
- Joint Investigative Sweep: CA, CO, CT (Opt-Out Compliance) (cppa.ca.gov)
- CPPA Consumer Privacy Act Regulations (cppa.ca.gov)
- DELETE Act: DROP Platform (cppa.ca.gov)
- SB 1223 (Neural Data) (leginfo.legislature.ca.gov)