Skip to content
Biscotti CMP
FeaturesPricing๐Ÿ” Cookie Checkโ™ฟ Accessibility๐Ÿ“ฆ DownloadsDocumentationBlog
Login
Homeโ€บBlog

CCPA vs. CPRA: What Changed for Website Operators in California?

July 7, 2026 ยท 15 min read

Quick Answer: The California Privacy Rights Act (CPRA) substantially amended the original California Consumer Privacy Act (CCPA), introducing new consumer rights, a dedicated enforcement agency, stricter penalties, and an entirely new category of sensitive personal information. For website operators, CCPA vs. CPRA: What Changed for Website Operators in California? is not a theoretical question, it translates directly into updated privacy policies, new consent mechanisms, and expanded contractual obligations with third-party vendors.


Key Takeaways

  • The CPRA took full enforcement effect on July 1, 2023, replacing and expanding the CCPA framework.
  • A new "sensitive personal information" (SPI) category requires a dedicated opt-out link on websites collecting that data.
  • Consumers gained the right to correct inaccurate personal data, a right that did not exist under the original CCPA.
  • The applicability threshold rose from 50,000 to 100,000 consumers or households, exempting some smaller operators.
  • "Sharing" personal data for cross-context behavioral advertising now counts as a "sale," requiring opt-out mechanisms.
  • Website operators must honor Global Privacy Control (GPC) signals as valid opt-out requests.
  • Administrative fines increased to $2,663 per unintentional violation and $7,988 per intentional violation as of January 1, 2025.
  • The California Privacy Protection Agency (CPPA) now has independent enforcement authority separate from the Attorney General.
  • Automated decision-making transparency requirements are set to take effect January 1, 2027.
  • Risk assessments and cybersecurity audits are now mandatory for high-risk data processing activities.

Key Takeaways

What Is the Difference Between CCPA and CPRA?

The CCPA, effective January 1, 2020, gave California consumers baseline rights over their personal data: the right to know, delete, and opt out of the sale of their information. The CPRA, passed by California voters in November 2020 and fully enforceable from July 1, 2023, did not replace the CCPA outright, it amended and significantly expanded it [1].

Key structural differences include:

Feature CCPA (Original) CPRA (Amended)
Enforcement body California Attorney General CPPA + Attorney General
Sensitive data category Not defined Formally defined (SPI)
Right to correct Not included Included
"Sale" definition Data exchange for value Includes "sharing" for advertising
Applicability threshold 50,000 consumers/households 100,000 consumers/households
Risk assessments Not required Required for high-risk processing
GPC signal compliance Not mandated Mandatory

The practical consequence for website operators is that CPRA vs. CCPA compliance is not merely a paperwork update, it requires architectural changes to consent flows, privacy policies, and vendor contracts [2].


When Did CPRA Go Into Effect and Replace CCPA?

The CPRA's substantive rights and obligations applied to data collected on or after January 1, 2022, with enforcement beginning July 1, 2023. The one-year enforcement grace period ended on that date, meaning the California Privacy Protection Agency could begin issuing fines without prior warning [4].

For website operators still operating under CCPA-era policies as of 2026, the exposure is real and immediate.


What New Rights Do Consumers Have Under CPRA That Weren't in CCPA?

The CPRA added two consumer rights that were absent from the original CCPA framework:

Right to Correct: Consumers can now request that a business correct inaccurate personal information it holds about them. Website operators must establish a verifiable request process and act on correction requests within 45 days [2].

Right to Limit Use of Sensitive Personal Information: Consumers can restrict how businesses use their SPI beyond the purpose for which it was originally collected. This right requires a separate, clearly labeled opt-out mechanism on the website [1].

These additions sit alongside the existing rights to know, delete, opt out of sale, and non-discrimination, creating a more layered compliance requirement for any site that collects user data beyond basic analytics.


What Is the Right to Correct Under CPRA?

The right to correct is one of the most operationally demanding additions in the CPRA. When a consumer submits a verified correction request, the business must use commercially reasonable efforts to correct the inaccurate personal information and direct any service providers or contractors who received that data to make the same correction [2].

For website operators, this means:

  • Building a correction request intake mechanism (web form, email process, or account portal).
  • Documenting the correction and notifying downstream data processors.
  • Responding within 45 days, with one 45-day extension permitted if necessary.

Common mistake: Many operators assume the right to correct only applies to account profile data. In practice, it extends to any personal information the business holds, including behavioral data, inferred preferences, and purchase history.


What New Data Categories Does CPRA Cover That CCPA Didn't?

The CPRA formally defined "sensitive personal information" (SPI) as a distinct, higher-protection data category. The CCPA had no equivalent classification [1].

SPI under CPRA includes:

  • Social Security numbers and government-issued IDs
  • Financial account credentials (login plus security codes)
  • Precise geolocation data
  • Racial or ethnic origin, religious beliefs, and union membership
  • Contents of private communications (mail, email, text)
  • Genetic and biometric data processed for identification
  • Health information and sex life or sexual orientation

Website operators collecting any of these categories must provide a "Limit the Use of My Sensitive Personal Information" link, functionally similar to the "Do Not Sell My Personal Information" link already required under CCPA [1].


CPRA vs. CCPA: Which One Applies to My Business?

As of 2026, the CPRA framework applies to for-profit businesses that do business in California AND meet at least one of these thresholds [7]:

  • Annual gross revenues exceeding $25 million.
  • Buys, sells, receives, or shares the personal information of 100,000 or more California consumers or households per year (raised from 50,000 under CCPA).
  • Derives 50% or more of annual revenues from selling or sharing consumers' personal information.

Choose CPRA compliance if: Your website serves California residents and you meet any one of the above criteria. If you previously qualified under CCPA's 50,000-consumer threshold but process fewer than 100,000 records annually, you may no longer be directly subject, though contractual obligations with larger partners may still require adherence.

Edge case: Non-profit organizations and purely B2B operators are generally exempt, but service providers and contractors to covered businesses carry their own CPRA obligations [3].


How Does CPRA Affect My Website's Privacy Policy?

A CCPA-compliant privacy policy is no longer sufficient. CPRA requires website operators to update their privacy policies to reflect [2][3]:

  • The new SPI category and the right to limit its use.
  • The right to correct inaccurate personal information.
  • The expanded definition of "sale" to include "sharing" for cross-context behavioral advertising.
  • How the business responds to GPC signals.
  • Data retention periods for each category of personal information collected.
  • Whether automated decision-making is used and how consumers can opt out.

Privacy policies must be reviewed at least once every 12 months and updated to reflect current data practices. Outdated policies that describe CCPA-era rights without CPRA additions are a common enforcement trigger.


Do I Need to Update My Consent Forms for CPRA Compliance?

Yes. Consent mechanisms that were sufficient under CCPA require meaningful updates for CPRA. Specifically, website operators must [3][5]:

  • Add a "Limit the Use of My Sensitive Personal Information" opt-out link if the site collects SPI.
  • Honor GPC browser signals as a valid opt-out of sale and sharing, this cannot require the user to take additional steps.
  • Obtain affirmative opt-in consent before selling or sharing personal information of consumers under 16.
  • Ensure that consent for cross-context behavioral advertising (retargeting, audience sharing with ad platforms) is clearly distinguished from other data uses.

A consent management platform can help automate GPC detection and preference recording. Biscotti CMP (www.biscotti-cmp.com) is built to handle these CPRA-specific requirements, including SPI opt-out flows and GPC signal compliance, without requiring custom development from the website operator.


What Are the Penalties for Not Complying with CPRA?

As of January 1, 2025, administrative fines under the CPRA framework are [5]:

  • $2,663 per unintentional violation.
  • $7,988 per intentional violation.
  • $7,988 per violation (tripled) for violations involving the personal information of consumers under 16.

These figures are adjusted periodically for inflation. Fines are assessed per violation, meaning a single non-compliant data practice affecting thousands of consumers can generate aggregate liability in the millions. The CPPA has independent authority to initiate enforcement actions without referral from the Attorney General [4].

Important: The CPRA eliminated the 30-day cure period that existed under CCPA for most violations, removing a safety net that many operators relied upon.


What Common Mistakes Do Websites Make with CPRA Compliance?

Based on the expanded requirements, the most frequent compliance failures include [3][6]:

  • Ignoring GPC signals: Failing to detect and honor browser-level opt-out signals is one of the CPPA's stated enforcement priorities.
  • Missing the SPI opt-out link: Adding only a "Do Not Sell" link without the separate "Limit SPI Use" link when SPI is collected.
  • Outdated vendor contracts: Not updating data processing agreements with service providers to include CPRA-required terms.
  • No data retention schedule: CPRA requires businesses to disclose and adhere to retention periods; many privacy policies still omit this.
  • Assuming the cure period still applies: Operators who wait for a notice before fixing violations may face immediate fines.
  • Overlooking the right to correct: Building only deletion workflows without correction request handling.

Do Small Businesses Have Different CPRA Requirements?

The threshold increase from 50,000 to 100,000 consumers directly reduces the compliance burden on smaller website operators [7]. A small e-commerce site or SaaS product serving fewer than 100,000 California consumers annually, with revenues under $25 million and no revenue from data sales, falls outside the CPRA's direct scope.

However, small businesses should note:

  • If they act as a service provider to a covered business, they inherit contractual CPRA obligations regardless of size.
  • Voluntary compliance is increasingly expected by enterprise clients and can be a competitive differentiator.
  • Other states have enacted similar laws, and federal privacy legislation remains under active discussion as of 2026.

How Much Does It Cost to Become CPRA Compliant?

There is no fixed compliance cost, it varies significantly based on the complexity of a website's data ecosystem. General cost drivers include:

  • Privacy policy update: Low cost if done in-house; $500,$3,000+ if using legal counsel.
  • Consent management platform: Ongoing SaaS subscription; pricing varies by traffic volume and feature set.
  • Technical implementation: Developer time to add opt-out links, GPC detection, and correction request workflows.
  • Vendor contract review: Legal review of data processing agreements with all third-party processors.
  • Risk assessments: For high-risk processing, formal assessments may require external consultants.

For most mid-sized website operators, initial compliance remediation runs in the range of several thousand dollars, with ongoing operational costs for policy maintenance and consent management. The cost of non-compliance, given per-violation fines, substantially outweighs the investment.


How Do I Know If CPRA Applies to My Website Visitors?

The CPRA applies based on the residency of the consumer, not the location of the business. If a website has California-resident visitors and the operator meets any of the three business thresholds, CPRA obligations apply to the data collected from those visitors [7][8].

Practical indicators that CPRA likely applies:

  • The website accepts orders, registrations, or ad targeting from U.S. users without geo-blocking California.
  • The business uses third-party advertising networks that engage in cross-context behavioral advertising.
  • The website collects any form of SPI from users (health questionnaires, financial data, precise location).

When in doubt, the conservative and legally defensible position is to treat all U.S. website visitors as potentially covered under CPRA and implement compliant consent flows accordingly.


Mandatory Risk Assessments, Cybersecurity Audits, and What Comes Next

The CPRA requires businesses engaged in high-risk processing to conduct regular risk assessments and cybersecurity audits. Regulations detailing these requirements were finalized in 2025 and took effect in 2026 [6]. High-risk activities include processing SPI at scale, profiling consumers for significant decisions, and selling or sharing data with large numbers of third parties.

Additionally, automated decision-making transparency requirements, covering profiling for employment, credit, housing, and similar consequential decisions, are scheduled to take effect January 1, 2027 [6]. Website operators using algorithmic recommendation engines, credit scoring tools, or behavioral profiling should begin compliance planning now.


Conclusion

Understanding CCPA vs. CPRA: What Changed for Website Operators in California? is not optional for any business serving California residents at scale. The CPRA introduced substantive new obligations, sensitive data categories, the right to correct, GPC signal compliance, expanded vendor requirements, and a dedicated enforcement agency with real fining authority, that demand concrete operational responses, not just policy updates.

Actionable next steps for website operators in 2026:

  1. Audit your current data collection practices against the SPI category list and add the required opt-out link if applicable.
  2. Update your privacy policy to reflect CPRA rights, data retention schedules, and the expanded definition of "sale."
  3. Implement GPC signal detection, this is an enforcement priority and cannot be deferred.
  4. Review and update all data processing agreements with service providers and contractors.
  5. Build a correction request workflow alongside your existing deletion process.
  6. If your site engages in high-risk processing, commission a formal risk assessment before regulators initiate one for you.
  7. Evaluate a consent management solution such as Biscotti CMP (www.biscotti-cmp.com) to automate opt-out flows, GPC compliance, and preference recordkeeping.

The CPRA's enforcement trajectory in 2026 makes proactive compliance the only rational strategy.


FAQ

Q: Is the CPRA the same as CCPA 2.0? The CPRA is commonly called "CCPA 2.0" because it amended rather than replaced the CCPA. It added new rights, a new enforcement agency, and new data categories while preserving the original CCPA framework.

Q: When did CPRA enforcement begin? Full enforcement began July 1, 2023. The CPPA can issue fines for violations occurring after that date without a prior cure period for most violations.

Q: Does CPRA apply to businesses outside California? Yes. Any for-profit business that collects personal information from California residents and meets the applicability thresholds must comply, regardless of where the business is headquartered.

Q: What is a GPC signal and why does it matter? A Global Privacy Control (GPC) is a browser-level setting that signals a consumer's opt-out preference. Under CPRA, website operators must detect and honor GPC signals as valid opt-out requests, ignoring them is a compliance violation.

Q: Does CPRA apply to employee data? Yes. As of January 1, 2023, the temporary exemptions for employee and B2B data expired. Employee personal information is now subject to full CPRA protections.

Q: What is the difference between a "sale" and "sharing" under CPRA? Under the original CCPA, "sale" required an exchange for monetary value. CPRA expanded this to include "sharing" personal data with third parties for cross-context behavioral advertising, even without direct payment.

Q: How often must a privacy policy be updated under CPRA? At minimum, once every 12 months. It must also be updated whenever data practices materially change.

Q: Are non-profits exempt from CPRA? Generally yes, CPRA applies to for-profit businesses. However, non-profits acting as service providers to covered businesses may have contractual compliance obligations.

Q: What happens if a consumer submits a correction request and the business disagrees? The business may decline the correction if it determines the information is accurate, but must document the decision and inform the consumer of the basis for the denial.

Q: Is there a private right of action under CPRA? A limited private right of action exists for data breaches involving certain categories of personal information. Most other violations are enforced by the CPPA or Attorney General, not through private lawsuits.


Interactive CPRA Compliance Checker


References

[1] Cpra Explained Changes From Ccpa - https://www.legalbanner.com/blog/cpra-explained-changes-from-ccpa?utm_source=openai

[2] Ccpa Vs Cpra Key Differences - https://kukie.io/blog/ccpa-vs-cpra-key-differences?utm_source=openai

[3] Ccpa Vs Cpra What Changed And How To Comply In 2026 - https://dapripro.com/ccpa-vs-cpra-what-changed-and-how-to-comply-in-2026/?utm_source=openai

[4] Cpra Vs Ccpa - https://transcend.io/blog/cpra-vs-ccpa?utm_source=openai

[5] Ccpa And Cpra Cookie Compliance What Your Website Needs - https://www.clym.io/blog/ccpa-and-cpra-cookie-compliance-what-your-website-needs?utm_source=openai

[6] What Is Ccpa - https://www.recordinglaw.com/us-laws/data-privacy-laws/california-data-privacy-laws/what-is-ccpa/?utm_source=openai

[7] Ccpa Vs Cpra Key Differences And What They Mean For Your Business - https://www.consenteo.com/knowledge-hub/CCPA/ccpa_vs_cpra_key_differences_and_what_they_mean_for_your_business?utm_source=openai

[8] Ccpa Vs Cpra - https://nordlayer.com/learn/ccpa/ccpa-vs-cpra/?utm_source=openai

โ† Back to blog
Biscotti CMP

Consent Management and Legal Text Generator by Campcruisers GmbH (Falkensee). Can support your website compliance.

Product

๐Ÿข About UsFeaturesPricingDocumentation๐Ÿ” Cookie Check๐Ÿ“ฆ Downloads๐Ÿ“š Privacy & Consent Knowledge Base๐Ÿ“ Blog๐Ÿ“– Cookie Consent & Privacy Glossary๐ŸŒ Jurisdictionsโ™ฟ WCAG 2.2 Accessible Consent Banner

Legal

ImprintPrivacy PolicyTerms of ServiceRight of WithdrawalDPACookie Policy

Contact

Contact
ยฉ 2026 Biscotti โ€“ A service of Campcruisers GmbH๐Ÿช Change cookie settings