February 7, 2023

Volume XIII, Number 38


February 06, 2023

Subscribe to Latest Legal News and Analysis

The CCPA Wheels Keep Turning: The Addition of CPRA

By ballot initiative, California residents recently approved Proposition 24, or the California Privacy Rights Act (CPRA), with approximately 56 percent voting in favor. CPRA significantly amends the CCPA by expanding individual rights, introducing new GDPR-style governance measures, and establishing a new enforcement agency (among other things). Importantly, CPRA does not replace or repeal CCPA, but rather augments it.  Further, no new private right of action will be added by CPRA.  The substantive provisions of CPRA do not take effect until January 1, 2023.

How did we get here?

The CPRA was backed by the non-profit “Californians for Consumer Privacy.” This is the same organization that was behind the 2018 ballot initiative. Last-minute, the 2018 initiative was pulled from the ballot in exchange for enactment of the CCPA. CPRA was introduced in late 2019 given concerns that amendments to the CCPA had gutted the key provisions.  The final text of the CPRA was published November 13, 2019. In late June 2020, the Secretary of State confirmed that the initiative had received enough valid signatures to appear on the November ballot.

What are some of the key provisions?

  • Scope. The thresholds to qualify as a “business” under CCPA has been revised to: (i) clarify the revenue threshold is based on previous year’s activities, (ii) increase the processing to 100,000 consumers or households (from 50,000 currently under CCPA), and (iii) require that entities sharing common control and common branding must also share personal information.

  • Employee / B2B Exemption. CPRA retains the CCPA’s exceptions for personal information collected in the employment and business-to-business contexts and extends their sunset provisions to January 1, 2023.

  • Governance concepts. CPRA introduces a new storage limitation requirement. Personal information is not to be retained for longer than is “reasonably necessary” for the specific, disclosed purposes. A data minimization principle is also included. Collection, use, retention, and sharing of personal information should be limited to what is “reasonably necessary” to achieve the specified purposes.

  • Individual Rights. Among some modifications to the right to know, deletion, and do-not-sell rights, CRPA includes a new right to “correction.” There are also certain rights for “sensitive personal information” (a new category of information introduced).

  • Enforcement.  A new California Privacy Protection Agency would replace the attorney general’s office as the regulator implementing CPRA rules and enforcing its requirements against violators. Enforcement will begin on July 1, 2023 and applies to violations occurring on or after that date.

Putting it Into Practice. While 2023 may seem far away, the passage of CPRA serves as another reminder of the benefit of establishing overarching principles-based privacy programs – that can expand and grow as laws change. We will be monitoring developments of CPRA; we expect that additional regulations may also be promulgated.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume X, Number 310

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...


Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

Rachel Hudson, Lawyer, Sheppard Mullin, Intellectual Property Practice Group

Rachel Tarko Hudson is an associate in the Intellectual Property Practice Group in the firm's San Francisco office.

Areas of Practice

Rachel advises clients in the retail, technology, media, and other industries in online and mobile e-commerce transactions and vendor agreements, intellectual property licensing, commercial and development agreements, and other transactional matters. She assists clients in complying with domestic and international privacy laws, clearing advertising campaigns, conducting contests and sweepstakes promotional initiatives, and...


Craig Cardon serves as Co-chair of Sheppard Mullin’s Privacy & Data Security Group and as the International Liaison for the firm’s China offices. Craig is a partner in the Entertainment, Technology and Advertising and the Intellectual Property Groups in Sheppard Mullin's San Francisco and Century City offices.

Areas of Practice

Craig enjoys a broad advertising, privacy and ecommerce focused practice. He primarily represents brands, retailers, ad agencies, ad networks and other business involved in...