CPRA (California Privacy Rights Act)
What is CPRA?
The California Privacy Rights Act (CPRA) is a comprehensive privacy law that expands and strengthens the CCPA (California Consumer Privacy Act), introducing new consumer rights, stricter business obligations, and increased enforcement mechanisms. Passed by California voters in November 2020 as Proposition 24 and taking effect on January 1, 2023, CPRA adds significant requirements including the right to correct inaccurate personal information, expanded opt-out rights for sensitive personal information, stricter limitations on data retention, and the creation of the California Privacy Protection Agency (CPPA) dedicated to enforcement.
For B2B SaaS companies, CPRA represents a material expansion of privacy compliance obligations beyond CCPA's initial requirements. While CCPA established foundational rights like access, deletion, and opt-out of data sales, CPRA introduces new categories of protected data (sensitive personal information), new processing restrictions (purpose limitation and data minimization), and higher penalties for violations involving minors. CPRA also narrows several CCPA exceptions that businesses previously relied on, particularly around employee and B2B contact data, making it significantly harder to claim exemptions for business-to-business communications and marketing activities.
The practical impact for GTM teams is substantial. CPRA requires businesses to provide more granular consent options, implement stricter data governance practices, conduct regular privacy risk assessments, and maintain detailed documentation of data processing activities. Marketing operations teams must update consent collection mechanisms through their Consent Management Platforms, sales teams need new processes for handling data correction requests, and revenue operations teams must implement automated data retention and deletion workflows. Unlike CCPA, which many viewed as primarily affecting consumer-facing businesses, CPRA's expanded scope and narrower exemptions make compliance mandatory for nearly all B2B SaaS companies serving California residents.
Key Takeaways
CCPA expansion: CPRA significantly strengthens California privacy law by adding new rights (correction, sensitive data limits), creating a dedicated enforcement agency, and tripling penalties for violations involving children
Sensitive personal information controls: Consumers gain the right to limit use of sensitive data including precise geolocation, racial/ethnic origin, health information, and biometric data beyond what's necessary for specified purposes
B2B exemption sunset: CPRA phases out most B2B and employee data exemptions that existed under CCPA, bringing business contact information under full privacy protections starting January 1, 2023
Heightened compliance requirements: Businesses must conduct regular risk assessments, implement data minimization practices, honor 12-month lookback periods for consumer requests, and maintain comprehensive processing documentation
Stronger enforcement: The California Privacy Protection Agency can levy administrative fines up to $7,500 per intentional violation, with separate penalties for each affected consumer, creating potential multi-million dollar liabilities
How It Works
CPRA operates through an expanded framework of consumer rights, business obligations, and enforcement mechanisms that build upon CCPA's foundation while closing loopholes and strengthening protections. The law applies to businesses that meet CCPA's threshold requirements—annual gross revenues exceeding $25 million, buying/selling personal information of 100,000+ California residents, or deriving 50%+ of revenue from selling/sharing personal information—but adds new compliance obligations across every aspect of data handling.
The consumer rights framework includes eight distinct rights that California residents can exercise. The right to know allows consumers to request disclosure of what personal information a business collects, uses, sells, or shares. The right to delete enables consumers to request deletion of their personal information with limited exceptions. The right to correct (new under CPRA) allows consumers to fix inaccurate personal information businesses maintain about them. The right to opt-out covers three distinct scenarios: opt-out of personal information sales, opt-out of personal information sharing for cross-context behavioral advertising, and the new right to limit use of sensitive personal information to only what's necessary for service delivery.
CPRA's sensitive personal information category is particularly significant for B2B SaaS companies. Sensitive data includes Social Security numbers, driver's license numbers, financial account credentials, precise geolocation data (within 1,750 feet), racial or ethnic origin, religious beliefs, union membership, mail/email/text content (unless the business is the intended recipient), genetic data, biometric data for identification, health information, and sexual orientation or sex life information. When businesses collect any of these sensitive data types, they must provide a "Limit the Use of My Sensitive Personal Information" link allowing consumers to restrict usage beyond what's strictly necessary for service delivery.
The business obligations under CPRA extend far beyond displaying privacy notices and responding to consumer requests. Companies must implement purpose limitation practices, only collecting and using personal information for disclosed purposes and not for additional purposes without new notice and consent. Data minimization requirements mandate collecting only information reasonably necessary for disclosed purposes, with regular reviews to purge unnecessary data. Data retention limitations require businesses to delete or de-identify personal information when it's no longer needed for disclosed purposes, with documented retention schedules and automated deletion workflows.
CPRA also introduces mandatory risk assessments for businesses engaged in high-risk data processing activities including processing sensitive personal information, selling/sharing personal information, or using personal information for profiling with significant legal or similar effects. These assessments must identify benefits and risks, evaluate safeguards, and document how the business addresses identified risks. The California Privacy Protection Agency can audit these assessments and impose penalties for insufficient risk management practices.
Key Features
Eight consumer privacy rights including new rights to correct inaccurate information and limit sensitive personal information usage
Sensitive personal information category with special protections and opt-out requirements for health, biometric, geolocation, and other sensitive data types
California Privacy Protection Agency dedicated regulatory body with rulemaking and enforcement authority, replacing general Attorney General enforcement
Expanded lookback period requiring businesses to honor consumer requests for information collected up to 12 months prior to the request
Automated decision-making disclosures requiring transparency about profiling and automated decision systems that produce legal or similarly significant effects
Contractor and service provider requirements imposing strict contractual obligations on third parties processing California resident data
Use Cases
Use Case 1: Marketing Automation Compliance
A B2B SaaS marketing automation platform implements CPRA compliance by restructuring how it processes customer data. The platform adds a "Limit Use of Sensitive Personal Information" link to all California user-facing pages, creates new workflows to process data correction requests within 45 days, and implements automated data retention policies that purge prospect engagement data after 24 months of inactivity. The company updates service agreements with customers who use the platform, clarifying that customers are "businesses" under CPRA while the platform acts as a "service provider" with limited data processing rights. The company also creates annual privacy risk assessment procedures evaluating how their lead scoring algorithms might create profiling concerns under CPRA's automated decision-making provisions.
Use Case 2: CRM Sensitive Data Handling
A sales intelligence platform discovers through CPRA compliance analysis that precise geolocation data (derived from mobile device IP addresses accurate within 1,000 feet) qualifies as sensitive personal information under CPRA. The company implements a multi-step response: updating their Consent Management Platform to provide California residents with options to limit geolocation data usage, creating CRM field-level controls that flag sensitive data fields, training sales teams on CPRA's restrictions on contacting consumers about sensitive data offers without affirmative consent, and building data processing agreements with customers who sync California resident data into their CRMs through the platform's API.
Use Case 3: B2B Contact Data Exemption Sunset
A B2B data enrichment company that relied on CCPA's B2B exemption must restructure operations for CPRA compliance since the exemption expired January 1, 2023. The company implements a comprehensive compliance program including adding a "Do Not Sell or Share My Personal Information" mechanism specifically for business contacts, creating deletion workflows for business emails and phone numbers upon request, providing access to California business contacts who want to know what information the company maintains, and implementing data minimization practices that limit retention of outdated business contact data. The company also updates customer contracts clarifying that customers bear responsibility for honoring CPRA rights when they use enriched B2B contact data for marketing.
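The obligations described in How It Works and the three use cases above reduce to a few mechanical controls: a sensitive PI inventory, a purpose-limitation gate that honors the "Limit the Use of My Sensitive Personal Information" choice, a retention sweep against a documented schedule (24 months of inactivity, as in Use Case 1), and deadline tracking for consumer requests (45 days for know/delete/correct, 15 days for opt-out and limit requests). The following is an added illustration, not code from any product named on the page; the field names, record layout and sample dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Field names are constructed for this example; the category labels follow the page's
# sensitive personal information list (government IDs, financial credentials,
# precise geolocation within 1,750 ft, health information, biometric identification).
SENSITIVE_FIELDS = {
    "ssn": "government_id", "drivers_license": "government_id",
    "bank_login": "financial_credentials", "precise_geo": "precise_geolocation",
    "health": "health_information", "biometric": "biometric_identification",
}
# Response windows the page states: 45 days for know/delete/correct, 15 days for opt-out/limit.
REQUEST_DEADLINE_DAYS = {"know": 45, "delete": 45, "correct": 45, "opt_out": 15, "limit_spi": 15}
# Documented retention schedule (Use Case 1: purge prospect data after 24 months of inactivity).
RETENTION_INACTIVE_MONTHS = 24


@dataclass
class ContactRecord:
    email: str
    fields: dict             # field name -> value
    last_activity: date
    limit_spi: bool = False  # consumer used the "Limit the Use of My Sensitive PI" link


def sensitive_fields(rec):
    """Names of the record's fields that fall in a CPRA sensitive PI category (data inventory)."""
    return sorted(f for f in rec.fields if f in SENSITIVE_FIELDS)


def may_use(rec, field_name, purpose, disclosed_purposes):
    """Purpose-limitation gate. Any field may only be used for a disclosed purpose; once the
    consumer has limited sensitive PI, those fields are restricted to service delivery."""
    if purpose not in disclosed_purposes:
        return False  # never use data for a purpose that was not disclosed at collection
    if field_name in SENSITIVE_FIELDS and rec.limit_spi:
        return purpose == "service_delivery"
    return True


def months_before(d, n):
    """First day of the month n months before d (a conservative cutoff; avoids day overflow)."""
    years, month0 = divmod(d.month - 1 - n, 12)
    return date(d.year + years, month0 + 1, 1)


def apply_retention(records, today):
    """Retention sweep: returns (records to keep, emails of records to delete) based on the
    documented inactivity schedule."""
    cutoff = months_before(today, RETENTION_INACTIVE_MONTHS)
    keep = [r for r in records if r.last_activity >= cutoff]
    purge = [r.email for r in records if r.last_activity < cutoff]
    return keep, purge


def request_deadline(kind, received):
    """Statutory response deadline for a consumer request of the given kind."""
    return received + timedelta(days=REQUEST_DEADLINE_DAYS[kind])


def overdue(requests, today):
    """Open requests past their deadline; each request is a (kind, received_date, email) tuple."""
    return [r for r in requests if today > request_deadline(r[0], r[1])]
```

The sweep deletes outright; if a business instead de-identifies, the output must not be a reversible pseudonym such as a hash of the email, since that remains linkable to the consumer.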
Implementation Example
Below is a comprehensive CPRA compliance checklist organized by functional area that B2B SaaS companies should implement:
CPRA Compliance Implementation Checklist
Key Differences: CPRA vs CCPA
Understanding what changed from CCPA to CPRA is critical for compliance planning:
| Aspect | CCPA (Original) | CPRA (Enhanced) |
|---|---|---|
| Enforcement | Attorney General only | California Privacy Protection Agency (dedicated) |
| Consumer Rights | 4 rights (know, delete, opt-out, non-discrimination) | 8 rights (adds correct, limit sensitive PI, automated decision opt-out) |
| Sensitive Personal Information | No special category | New category with stricter controls and opt-out rights |
| Purpose Limitation | Weak/implicit | Explicit requirement to limit use to disclosed purposes |
| Data Retention | No specific requirements | Must delete when no longer necessary; document retention schedules |
| B2B Exemption | Exempted B2B and employee data | Exemption expired January 1, 2023 (mostly removed) |
| Lookback Period | Not specified | 12 months for consumer data requests |
| Risk Assessments | Not required | Mandatory for high-risk processing activities |
| Penalties (Minors) | $2,500 - $7,500 per violation | $7,500 per violation (tripled) |
| Cure Period | 30 days to cure violations | No universal cure period (agency discretion) |
CPRA Sensitive Personal Information Categories
B2B SaaS companies must identify if they process any of these sensitive categories and provide limitation rights:
| Sensitive PI Category | B2B SaaS Examples | Compliance Action Required |
|---|---|---|
| Social Security, Driver's License, etc. | Identity verification for financial services | Provide opt-out; limit to verification purpose only |
| Financial Account + Access Credentials | Payment processing, banking integrations | Limit to transaction purposes; strong encryption |
| Precise Geolocation (within 1,750 ft) | Mobile app location features, IP-based location | Provide opt-out; don't use for profiling/ads |
| Racial/Ethnic Origin | Demographic surveys, diversity analytics | Avoid collecting unless essential; aggregate only |
| Religious/Philosophical Beliefs | Community platform profiles | Avoid collecting; provide deletion if collected |
| Mail/Email/Text Content | Email/messaging platforms (unless recipient) | Limit to service delivery; don't scan for profiling |
| Genetic Data | Healthcare/biotech applications | Strict consent requirements; medical-grade protection |
| Biometric Information | Facial recognition, fingerprint authentication | Provide opt-out; limit to authentication only |
| Health Information | Wellness apps, healthcare integrations | HIPAA + CPRA compliance; strict consent |
| Sex Life/Sexual Orientation | Dating platforms, social communities | Avoid collecting; strong protection if collected |
For authoritative guidance on CPRA compliance, see the California Privacy Protection Agency's regulations and California Attorney General's CPRA compliance guide. Many B2B SaaS companies also reference the IAPP's CPRA resource center for implementation best practices.
Related Terms
CCPA: The predecessor California Consumer Privacy Act that CPRA expands and strengthens
GDPR: European privacy regulation that influenced CPRA's design and shares many similar requirements
Consent Management Platform: Technology that helps businesses comply with CPRA by collecting and enforcing consent preferences
Data Privacy: The broader practice of protecting personal information that CPRA regulates through legal requirements
Data Subject Rights: Individual rights to access, correct, delete, and control personal data that CPRA expands
Privacy Compliance: Organizational adherence to privacy regulations including CPRA
Consent Management: The process of obtaining and respecting user consent that CPRA requires for sensitive personal information
Do Not Sell My Info: The consumer right established by CCPA and expanded by CPRA to include "sharing" for cross-context advertising
Frequently Asked Questions
What is CPRA?
Quick Answer: CPRA (California Privacy Rights Act) is California's enhanced privacy law that expands CCPA by adding new consumer rights, creating a dedicated enforcement agency, and imposing stricter data protection obligations on businesses, effective January 1, 2023.
The California Privacy Rights Act is comprehensive privacy legislation passed by California voters in November 2020 as Proposition 24. CPRA significantly strengthens the original CCPA by introducing new consumer rights including the right to correct inaccurate information and the right to limit use of sensitive personal information. It creates the California Privacy Protection Agency with dedicated enforcement authority, removes most B2B and employee data exemptions, requires businesses to conduct privacy risk assessments, and triples penalties for violations involving minors. CPRA represents the strictest U.S. state privacy law and affects nearly all B2B SaaS companies serving California residents.
What's the difference between CPRA and CCPA?
Quick Answer: CPRA expands CCPA by adding four new consumer rights, creating the California Privacy Protection Agency for enforcement, establishing sensitive personal information protections, removing the B2B data exemption, and requiring data minimization and purpose limitation practices.
While CCPA established foundational privacy rights, CPRA substantially strengthens those protections through several key changes: creating a new category of "sensitive personal information" with special opt-out rights, requiring businesses to implement data retention limits and automated deletion, mandating privacy risk assessments for high-risk processing, establishing the California Privacy Protection Agency with dedicated enforcement powers, eliminating the cure period for certain violations, and sunsetting the B2B contact exemption on January 1, 2023. CPRA also increases penalties for violations involving consumers under 16 from $2,500 to $7,500 per violation.
Who does CPRA apply to?
Quick Answer: CPRA applies to for-profit businesses operating in California that exceed thresholds of $25 million annual revenue, process data of 100,000+ California residents, or derive 50%+ revenue from selling/sharing personal information.
CPRA uses the same applicability thresholds as CCPA, covering businesses that meet at least one of three criteria: annual gross revenues exceeding $25 million, buying/receiving/selling/sharing personal information of 100,000 or more California residents or households, or deriving 50% or more of annual revenue from selling or sharing California residents' personal information. Importantly, CPRA removed most exemptions for B2B contact data and employee data that existed under CCPA, meaning B2B SaaS companies that previously relied on these exemptions now face full compliance obligations for business contact information starting January 1, 2023.
What is sensitive personal information under CPRA?
Sensitive personal information under CPRA includes Social Security numbers, driver's licenses, financial account credentials paired with access codes, precise geolocation within 1,750 feet, racial or ethnic origin, religious beliefs, union membership, mail/email/text message content (when the business isn't the intended recipient), genetic data, biometric data used for identification, health information, and information about sex life or sexual orientation. California residents have the right to limit businesses' use of sensitive personal information to only what's necessary for service delivery, requiring businesses to provide a "Limit the Use of My Sensitive Personal Information" link and honor opt-out requests within 15 days.
How do B2B SaaS companies comply with CPRA?
B2B SaaS companies comply with CPRA through a multi-phase approach: updating privacy notices to disclose new rights including correction and sensitive data limitation, implementing web interfaces with required links ("Do Not Sell or Share" and "Limit Sensitive PI"), creating workflows to process consumer requests within required timeframes (45 days for most requests, 15 days for opt-outs), conducting data inventories to identify sensitive personal information, implementing data retention and deletion policies, updating vendor contracts with CPRA-compliant service provider language, conducting annual privacy risk assessments for high-risk processing activities, and training GTM teams on CPRA restrictions. Most B2B SaaS companies deploy Consent Management Platforms to automate consent collection and enforcement across their marketing technology stacks.
Conclusion
The California Privacy Rights Act represents the most significant expansion of U.S. privacy law since CCPA first took effect, creating a compliance framework that rivals European GDPR in scope and rigor. For B2B SaaS companies, CPRA fundamentally changes privacy compliance from a primarily consumer-facing concern to a core operational requirement affecting marketing technology, sales processes, customer data management, and vendor relationships across the entire GTM stack.
The sunset of B2B exemptions on January 1, 2023 is particularly consequential, bringing business contact data—the lifeblood of B2B marketing and sales operations—under full privacy protections for the first time. Marketing operations teams must now provide California business contacts with rights to access, delete, correct, and opt-out of data sales and sharing. Sales teams need documented processes for handling data correction requests. Revenue operations teams must implement automated data retention and deletion workflows that purge outdated business contact information according to documented schedules. These operational changes require significant investment in consent management platforms, data governance infrastructure, and team training.
As other U.S. states pass privacy laws modeled on CPRA—with Virginia, Colorado, Connecticut, Utah, and others adopting similar frameworks—the compliance investments that B2B SaaS companies make for CPRA will increasingly serve as the foundation for nationwide privacy compliance. Organizations that build robust privacy programs addressing CPRA's heightened requirements position themselves not just for California compliance but for sustainable operations in an increasingly privacy-regulated environment where consumer data rights are the expectation rather than the exception.
Last Updated: January 18, 2026
