CPRA vs CCPA: Key Differences in Data Privacy You Should Know

10 April 2025

Your marketing team is celebrating the launch of your latest campaign. Everyone's sipping champagne when suddenly the compliance team storms in with panicked looks on their faces. "Did anyone check if this complies with CPRA?" And just like that, the celebration stops.

If you've worked in marketing or compliance over the past few years, you've probably lived through a version of this scenario. California's privacy laws have transformed how businesses handle personal data, and the stakes keep getting higher. And some companies are scrambling to keep up — as of last year over 90% of companies were not meeting CCPA compliance requirements.

That's why we've created this guide to help marketing and compliance teams work together more effectively. Because no one wants to be that company making headlines for a six-figure privacy fine. 

Introduction to CPRA vs CCPA Compliance Trends

California's landmark privacy laws — the 2018 California Consumer Privacy Act (CCPA) and its 2020 amendment, the California Privacy Rights Act (CPRA) — have prompted major shifts in how businesses handle personal data. Compliance has lagged even as enforcement ramps up: as of early 2022, only 11% of companies were fully able to meet CCPA requirements (particularly around fulfilling consumer data requests). Even by mid-2023, studies showed slow improvement — for example, only about 15% of previously non-compliant companies had moved to implement at least manual CCPA/CPRA compliance processes over the prior year.

Meanwhile, California regulators have become more aggressive. The state issued its first CCPA fine in 2022 (a $1.2 million settlement with Sephora) for failing to honor opt-out requests and disclose data sales.

The Attorney General's office also launched investigative sweeps (e.g. of major retailers, streaming services, and employers) to ensure businesses provide easy "Do Not Sell" opt-outs and comply with the new laws.

At the same time, consumers are exercising their new rights in growing numbers — the volume of privacy requests surged 246% from 2021 to 2023 — driving up compliance costs for companies.

One analysis found that manually processing data access/deletion requests now costs businesses roughly $800,000 per million consumer records — double the cost observed a couple of years prior.

In short, CPRA and CCPA have significantly raised the bar on data privacy: businesses face increasing pressure to adapt their practices or risk regulatory penalties and reputational damage.

Understanding the California Privacy Rights Act (CPRA)

The CPRA's reach is broad: an estimated 79,000 businesses fall under CPRA's requirements based on state regulatory filings.

Notably, this isn't limited to tech companies — roughly two-thirds of the affected businesses are considered small businesses (under $15 million in revenue, yet meeting the criteria on the share of revenue derived from, or the volume of, personal information sold or shared), indicating that CPRA compliance is a widespread concern even beyond the Fortune 500.

Every sector has felt the impact. Industry surveys show that data privacy has become a top-tier issue for companies in finance, retail, healthcare, and more. For instance, in one 2023 global survey, 41% of financial services firms and 42% of retail firms reported a "high level of concern" about data privacy regulations, the highest among industries.

Yet preparedness is uneven — fewer than 40% of finance and retail companies felt "very prepared" for new state privacy laws like CPRA. This gap between concern and readiness underscores the adaptation challenge CPRA presents.

Compliance costs have risen accordingly. California's original economic analysis projected CCPA's implementation would cost businesses ~$55 billion (about 1.8% of the state's GDP) in upfront compliance — CPRA's additional mandates have added to that burden.

Key cost drivers are the systems and processes needed to handle consumer rights. Gartner has estimated it costs about $1,400 in labor to manually respond to a single data access or deletion request.

With CPRA expanding the volume and types of requests (e.g. correction requests), these costs multiply unless companies invest in automation. Indeed, many larger enterprises have done so — about 60% of companies with 10,000+ employees had deployed an automated privacy rights management solution by 2022 to mitigate the high cost of manual processing.

Still, smaller firms often rely on ad-hoc or manual methods, which can strain resources as request volumes climb. According to DataGrail's trend report, the average business in 2023 received 859 data subject requests per million consumers — more than double the rate two years prior. If handled without automation, that could equate to well over $800k per million customers annually in compliance cost.

Industry adaptation to CPRA has varied. Highly regulated sectors like finance and healthcare had privacy programs in place (due to existing laws like GLBA and HIPAA), making CPRA a layering of additional rules. Many of those firms report increasing privacy budgets and cross-functional privacy teams.

Less-regulated sectors (retail, media, tech start-ups) faced a steeper learning curve. By 2023, privacy compliance and data governance emerged as board-level priorities in a majority of organizations, and privacy technology vendors saw a spike in demand.

However, compliance is an ongoing process, not a one-time fix. Companies are not only updating privacy policies and adding opt-out links, but also overhauling data inventories, retention schedules, and vendor contracts to meet CPRA's new standards.

The CPPA has periodically issued guidance and held public forums, which businesses closely follow for hints of enforcement focus. In short, CPRA has forced companies to mature their privacy practices, often requiring significant investments in compliance infrastructure and expertise — a trend that is accelerating as other states enact similar laws following California's lead.

An Overview of the California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA), effective January 2020, was the first comprehensive privacy law of its kind in the U.S. It granted California residents groundbreaking rights over their personal information and imposed corresponding duties on businesses.

Initial adoption of CCPA was a scramble for many companies. In the lead-up to 2020, businesses had to determine whether they met the thresholds (at the time, handling data on more than 50,000 Californians or $25M+ in revenue) and, if so, stand up compliance programs quickly.

Common early steps included updating website privacy policies, adding "Do Not Sell My Personal Information" links, and creating processes to handle consumer data requests. By mid-2020, most large consumer-facing companies had at least a basic compliance framework in place.

However, true compliance was often incomplete — and, as mentioned previously, in 2021 only 11% of companies felt they could fully meet all CCPA requirements (especially the more technical obligations like data access and deletion request fulfillment).

The rest were either partially compliant or taking a wait-and-see approach, given that regulations were still evolving and enforcement was initially limited.

Enforcement of CCPA in its first years was relatively measured but increasingly assertive. The California Attorney General (AG) was solely responsible for enforcement until 2023. The law provided a 30-day cure period, so the AG's typical approach was to send a notice of alleged violation and give the business an opportunity to fix the issue.

By one year in, the AG's office had sent dozens of such notices. Most companies cured the deficiencies in time, meaning no penalty was levied. In August 2022, the AG announced the first public CCPA settlement: Sephora was fined $1.2 million for allegedly failing to disclose that it sold personal information (via third-party analytics trackers) and not honoring global opt-out signals from consumers' browsers.

The Sephora case was a wake-up call — it highlighted that selling data includes sharing it with advertisers, and that the Global Privacy Control (GPC) (a browser setting) must be treated as a valid do-not-sell signal.
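Honoring GPC in practice, as an added example that is not from the original post or from any company it names: a GPC-enabled browser sends the request header `Sec-GPC: 1` (the signal defined by the Global Privacy Control specification), and the code below treats that header as an opt-out of sale and sharing and suppresses every tag marked as selling or sharing data. The header lookup, preference resolution, tag catalogue and sample requests are all constructed here for illustration.

```javascript
// Added example (not from the original post). Honoring the Global Privacy
// Control signal server-side: GPC-enabled browsers send "Sec-GPC: 1" on every
// request (and expose navigator.globalPrivacyControl to page scripts). The
// regulator's position described above is that this signal must be treated as
// a valid do-not-sell / do-not-share request.

// Case-insensitive header lookup: HTTP header names are case-insensitive,
// but plain-object header maps (as in many frameworks) are not.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === want) return value;
  }
  return undefined;
}

// The GPC spec defines exactly one meaningful value, "1". A missing header,
// "0" or any other value means "no signal", never "consent to sell/share".
function gpcOptOut(headers) {
  return String(getHeader(headers, "Sec-GPC") ?? "").trim() === "1";
}

// Resolve the effective sale/share preference for one request.
//   storedPreference: "opt-out" | "allow" | null (no prior choice on file)
// A GPC signal always yields "opt-out", even over a previously recorded
// "allow" (the business may tell the consumer about the conflict, but must
// honor the opt-out). Without GPC, a recorded choice is used; with no choice
// on file, sale/sharing is permitted for adults until they opt out.
function resolveSaleSharePreference(headers, storedPreference) {
  if (gpcOptOut(headers)) return { preference: "opt-out", source: "gpc" };
  if (storedPreference === "opt-out" || storedPreference === "allow") {
    return { preference: storedPreference, source: "stored" };
  }
  return { preference: "allow", source: "default" };
}

// Decide which tags a page may load. Tags that sell or share personal
// information (third-party advertising or analytics pixels) are dropped when
// the preference is "opt-out"; first-party tags always load.
function tagsToLoad(tagCatalog, preference) {
  return tagCatalog
    .filter((tag) => preference !== "opt-out" || !tag.sellsOrShares)
    .map((tag) => tag.id);
}

// Constructed sample tag catalogue (hypothetical tag ids).
const SAMPLE_TAGS = [
  { id: "first-party-analytics", sellsOrShares: false },
  { id: "ad-network-retargeting", sellsOrShares: true },
  { id: "third-party-behavioral-analytics", sellsOrShares: true },
];

// Constructed sample requests: one from a GPC-enabled browser, one without.
const GPC_REQUEST = { headers: { "sec-gpc": "1", "user-agent": "example" } };
const PLAIN_REQUEST = { headers: { "User-Agent": "example" } };

// Run both requests through the decision path and return the tags each
// page load may fire.
function demo() {
  const withGpc = resolveSaleSharePreference(GPC_REQUEST.headers, "allow");
  const withoutGpc = resolveSaleSharePreference(PLAIN_REQUEST.headers, null);
  return {
    gpcSource: withGpc.source,
    gpcTags: tagsToLoad(SAMPLE_TAGS, withGpc.preference),
    plainTags: tagsToLoad(SAMPLE_TAGS, withoutGpc.preference),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The same `gpcOptOut` check belongs in front of any server-side data transfer to an advertising partner, not only in the tag loader; the Sephora finding concerned the sharing itself, not the page scripts.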

Following that, the AG's office conducted thematic enforcement sweeps. For example, in early 2023, AG Rob Bonta launched an investigative sweep of popular streaming services and smart TV providers to check if they offer easy opt-out mechanisms for personal data sharing.

Other sweeps targeted businesses' handling of employee data (once the employee exemption expired) and mobile app compliance with CCPA requirements.

These efforts often resulted in businesses implementing required changes (like adding missing "Do Not Sell" links or fixing privacy notices) under threat of enforcement.

On the business side, CCPA compliance strategies have changed over time. Initially, many companies tackled consumer requests (known as Data Subject Access Requests, or DSARs) using manual methods — e.g. an email alias or web form that fed to an internal team.

This was manageable at first because awareness among consumers was low. But as the law took effect, awareness grew and so did request volumes. In fact, the volume of DSARs nearly doubled from 2020 to 2021 with an estimated cost of manual processing climbing to $400,000 per million identities. 

With some companies receiving hundreds of requests per month, this became a significant operational overhead. In response, by 2021–2022 many organizations invested in privacy tech solutions or outsourcing — indeed, the majority of large enterprises (especially those with thousands of customer records) adopted automated workflows to track and fulfill requests.

Businesses also developed strategies like providing self-service privacy dashboards for users, centralizing data inventories to locate personal data across systems, and training customer service staff on CCPA rights.

Noteworthy CCPA enforcement cases in its early years (beyond Sephora) often dealt with specific laws intersecting with CCPA. For example, cosmetics chain Ulta faced scrutiny for loyalty programs (whether their incentives were "financial incentives" under CCPA's rules), and several data brokers received notices to register under the law's data broker registry requirement.

The AG also released an online Consumer Privacy Tool in 2021–2022 to help consumers generate notices to businesses that did not post a clear "Do Not Sell" link — an innovative way to crowdsource enforcement.

By the end of 2022, California had set a clear expectation: businesses must provide transparent notices and functional opt-out mechanisms, or face enforcement. This paved the way for the CPRA, which would further tighten requirements and shift some enforcement to the new agency (CPPA) starting in 2023.

What is the CPRA and How Does It Compare to the CCPA?

The California Privacy Rights Act (CPRA) is a 2020 ballot initiative that amends and expands the CCPA, effectively creating a "CCPA 2.0." It took effect on January 1, 2023, adding new consumer rights and stricter obligations to the original law.

Crucially, the CPRA also established a dedicated enforcement agency, the California Privacy Protection Agency (CPPA), giving the law additional "teeth" beyond what the CCPA had under the Attorney General.

In practical terms, CPRA builds on CCPA's foundation but closes loopholes and increases requirements for businesses. For example, CCPA applied mainly to consumer data, with temporary exemptions for employee and business-to-business data — CPRA removes those exemptions, meaning employee and B2B contacts' personal information must now be handled with the same privacy rights as consumers' data.

CPRA also broadens the definition of a "business" to include companies that "share" personal information for behavioral advertising, not just those that sell data. This explicitly brings online advertising tracking within scope, requiring businesses to honor opt-outs for targeted ads.

Additionally, CPRA raises the threshold for coverage: CCPA covered businesses handling data on 50,000 California residents/households, while CPRA raises that to 100,000 residents/households. The $25 million revenue threshold and the 50% data-sales revenue threshold remain, although the revenue figure was adjusted to $26,625,000 in 2025 to keep up with inflation.

This change relieves some very small enterprises but most mid-size and large companies — including virtually all fintechs, banks, and tech firms — remain squarely covered.

For businesses, these amendments mean privacy compliance is more extensive and ongoing under CPRA. Companies that scrambled to meet CCPA requirements in 2020 had to revisit and update their programs by 2023. New consumer rights (like data correction and limits on "sensitive" data use) require additional internal workflows, and the end of the employee data exemption forced companies to extend privacy notices and request handling to HR data for the first time.

The creation of the CPPA also signals that enforcement will be more consistent and specialized, pushing businesses to be proactive. In fact, the CPPA is authorized to hire up to 200 personnel dedicated to enforcing CPRA (versus the much smaller team at the AG's office for CCPA).

Many companies responded to these changes by investing in privacy management software or outside counsel to audit their practices. However, surveys indicate some firms took a "wait and see" approach — 44% of businesses that needed to comply had deployed no automated or formal solution by late 2021, partly because CPRA's impending changes left them hesitant to invest in tools that might soon require modification.

Now that CPRA is in effect, those companies face a significantly higher compliance bar and enforcement risk than under the original CCPA.

Key Differences Between the CCPA and CPRA

CPRA introduces several key changes and enhancements to the CCPA that carry direct implications for businesses. The following are the most significant differences:

  • Expanded Consumer Rights: The CPRA adds new rights on top of the CCPA's core rights. Notably, consumers now have the right to correct inaccurate personal information a business holds about them, and the right to limit the use or disclosure of "sensitive personal information" (a new data category defined by CPRA). These come in addition to the original CCPA rights (to know, delete, opt-out of sale, and non-discrimination), effectively broadening the scope of requests businesses must handle. CPRA also strengthened the opt-out rights — under CCPA, consumers could opt out of the "sale" of personal information; CPRA extends this to opt out of "sharing" data for cross-context behavioral advertising (covering targeted ads even when no money changes hands).
  • Sensitive Personal Information (SPI): The CPRA creates a special sub-category of personal data called sensitive personal information, which includes things like Social Security numbers, driver's license numbers, financial account info, precise geolocation, race/ethnic origin, biometric data, health information, and more. Businesses must disclose in their privacy notices if they collect sensitive PI and must provide a clear way for consumers to limit the use of their sensitive data to only what's necessary for the service or as allowed by law. In practice, this often means adding a "Limit the Use of My Sensitive Personal Information" link or combining it with the opt-out link. This is a new obligation not found in the original CCPA, and it forces companies to segregate and manage sensitive data more carefully (e.g., a retailer might stop using precise location or income data for marketing if a consumer limits it).
  • No More Broad Exemptions for Employees and B2B Data: CCPA had temporary exemptions that excluded most employee personal information and business-to-business contact information from its scope. CPRA ended those exemptions on January 1, 2023, which means employee data, HR records, and B2B communications involving Californians are now covered by the law. Businesses must extend CCPA/CPRA rights to employees, job applicants, contractors, and business contacts. For example, a company must now comply if an employee requests to see or delete personal info in their personnel file (with some exceptions for legal retention). This dramatic scope expansion caught many employers off guard and requires robust internal policies for HR privacy compliance.
  • Higher Thresholds for Applicability: As noted, CPRA slightly narrows which businesses are subject to the law by raising the data volume threshold. CCPA covered companies that handle data on 50,000 consumers/households or devices annually; CPRA raises that to 100,000 consumers or households (and removes the word "devices"). This change was intended to relieve very small businesses or niche companies from compliance burden. In contrast, CPRA added "sharing" of data as an activity that can trigger coverage (if 50% or more of annual revenue is derived from selling or sharing personal info). The revenue criterion remained the same (as of 2025 it's $26,625,000, up from $25,000,000). The net effect is that a few small entities at the margins might fall out of scope, but any company of significant size or engaging in ad-targeting practices will still be covered.
  • New Enforcement Mechanisms and Agency: CPRA's creation of the California Privacy Protection Agency (CPPA) is a game-changer. The CPPA has administrative enforcement powers, including the ability to conduct audits and levy fines directly after formal hearings. This is in addition to enforcement by the AG. Moreover, CPRA removed the automatic 30-day cure period for violations. Under CCPA, businesses generally had a chance to fix issues before fines; under CPRA (from 2023 onward), the CPPA or AG can pursue action without offering a cure period (they have discretion to provide one, but it's not guaranteed). Penalties were also adjusted: CPRA explicitly triples fines for violations involving children's data — up to $7,500 per violation involving personal info of consumers under age 16 (up to $7,988 in 2025). This puts added onus on businesses handling minors' data (e.g. EdTech, toy and game companies) to comply or face steeper consequences.
  • Data Minimization and Storage Limitation: The CPRA introduces an explicit mandate that businesses should only collect and use personal data that is "reasonably necessary and proportionate" for the purposes disclosed. It also requires companies to state retention periods for each category of personal info and not keep data longer than needed. These principles mirror GDPR-style data minimization and storage limitation. While the practical enforcement of this is still evolving (companies are awaiting more guidance on what's "necessary and proportionate"), it signals that businesses should audit their data collection and retention practices. For example, under CPRA a company that collected extensive personal details not relevant to its service could be deemed non-compliant unless it can justify that data collection.
  • Contractual Requirements for Service Providers/Contractors: CPRA places more detailed obligations on contracts with third parties. If a business shares or sells personal data to vendors or partners, it must update contracts to include CPRA-specific clauses, ensuring the receiver will safeguard the data and honor CPRA limits. Contracts must now include terms that the service provider will only use personal info for the specified purposes, will notify the business if it can no longer comply, and will grant the business the right to take reasonable steps to remediate unauthorized use. Many companies had to re-paper hundreds of vendor agreements by January 2023 to incorporate these new terms, a significant operational undertaking.
  • Automated Decision-Making and Profiling (Upcoming Rules): The CPRA also mandated new regulations on automated decision-making, profiling, and risk assessments, which were not part of the original CCPA. While the exact requirements are being finalized, businesses know that they will likely need to provide transparency or opt-outs around algorithms that profile consumers (e.g. credit risk scoring, targeted advertising profiles) and possibly perform annual risk assessments for high-risk data processing. This is a developing area, but it's a clear difference: CCPA had no such provisions.

CPRA significantly expands consumers' control and heightens business obligations. Companies must treat a broader set of data as within scope (employees, sensitive info), honor new rights (correct and limit), and button up their contracts and internal practices to meet stricter standards. The creation of a dedicated enforcement agency also means non-compliance is more likely to be detected and punished than under the original CCPA regime. All these differences mean that businesses can't simply "roll over" their old CCPA compliance program — they have to actively update and enhance it to stay compliant with the CPRA amendments.

Transitioning from CCPA to CPRA

The transition from the CCPA regime to the CPRA regime (effective 2023) posed significant costs and challenges for businesses. Many organizations that had just gotten a handle on CCPA's checklist requirements had to immediately pivot to implement CPRA's new provisions, essentially undergoing a second round of compliance overhaul within a few years. Several key challenges marked this transition:

  • Updating Compliance Programs on a Tight Timeline: CPRA was approved by voters in Nov 2020, just as CCPA enforcement had begun in earnest. Although CPRA's main provisions didn't take effect until Jan 2023, businesses had to start preparing well in advance. This was challenging because the detailed regulations were only finalized in March 2023, after the law took effect. This compressed timeline left companies making educated guesses in some areas and then adjusting once regs were out. 
  • Extending Coverage to Employees and B2B Data: Perhaps the biggest operational challenge was integrating employees and B2B contacts into the privacy program. Under CCPA's temporary exemption, most companies did nothing regarding employee data privacy (aside from basic internal policies). CPRA's removal of that exemption forced companies to issue privacy notices to employees, set up portals for employees to submit requests, and coordinate with HR and IT to fulfill those requests. For example, an employee could ask "What data do you have about me?" — which might reside across email systems, HR databases, performance reviews, etc. Companies had to figure out how to search and compile that in 45 days. They also had to determine what could or couldn't be deleted (certain HR records must be retained by law). Similarly, for B2B, a salesperson's contacts or a business client's data now falls under CPRA — raising questions like, how do you authenticate a deletion request from someone who isn't a traditional "consumer" but a client employee? Many businesses found these areas under-prepared and had to quickly adapt existing CCPA processes to internal data. This imposed new cross-department coordination between privacy/legal teams and HR departments or enterprise sales teams.
  • Contract Renegotiations and Supply Chain Compliance: CPRA's new contractor and service provider requirements meant renegotiating potentially hundreds or thousands of contracts. This is expensive and time-consuming. Legal teams had to reach out to every third-party that processes personal data and execute contract amendments with CPRA language. Some suppliers were themselves unfamiliar with CPRA (especially overseas vendors), causing friction or delay. Companies had to educate smaller partners on the new requirements or find replacement vendors who would sign CPRA-compliant terms. All of this had to be project-managed, often with spreadsheets tracking which vendors were done. For firms in data-intensive industries (e.g., marketing firms, fintechs using many analytics tools), this contract overhaul was a major resource drain in late 2022.
  • Systems and Technical Changes: On the technical side, transitioning to CPRA meant updating websites and apps (new links, new preference centers for sensitive information, possibly a redesigned cookie banner to accommodate "Do Not Share" alongside "Do Not Sell"). It also meant updating back-end workflows: for example, if a consumer submits a correction request, companies needed a process to review and amend the data in all systems. Some had to build new user verification steps for the correction right or integrate new APIs from their consent management platforms. IT teams faced tight deadlines to implement these changes by the New Year 2023. Additionally, companies implemented data retention schedules because CPRA requires disclosing retention periods. Many did not have formal deletion timelines for data before; CPRA pushed them to set up rules (e.g., delete marketing leads after 2 years if they don't convert, etc.). Building or configuring systems to automatically purge data according to these schedules was (and remains) a significant challenge.
  • Increased Compliance Costs: All these new requirements inevitably meant higher costs. Mid-sized and large enterprises often brought in outside counsel or consultants specifically to manage the CPRA transition. Some estimates pegged incremental compliance costs in the millions for Fortune 500 companies, when you add up legal fees, software, and labor. Small businesses faced a dilemma — absorb the cost to comply or risk penalties? The California Privacy Protection Agency tried to consider small business impacts in regulations, but still, a small company may need to spend tens of thousands on legal advice and tooling. A 2022 survey by PwC found that 88% of companies worldwide were spending over $1 million annually on privacy compliance (it's not just CPRA, but it illustrates scale). The CPRA likely pushed some companies to increase privacy budgets further — one report suggested a jump in privacy program spending by over 50% for many U.S. companies between 2021 and 2023.
  • Organizational Fatigue and Complexity: The rapid succession from CCPA to CPRA (and simultaneously other states passing laws in 2023) led to compliance fatigue. Privacy teams had to keep track of not just CPRA, but also new laws in Virginia, Colorado, etc., which had their own nuances starting in 2023. Companies had to decide whether to standardize one approach (often, meeting the highest common denominator of all these laws) or do a state-by-state approach. Many opted to extend CPRA rights to all U.S. customers for simplicity — which, while generous, meant effectively implementing CPRA-level compliance nationwide. This broad approach increases costs but reduces the complexity of trying to treat California data differently in systems.
  • Legal Uncertainty and Litigation Risk: The transition also brought some legal uncertainty. For instance, the timeline of enforcement was thrown into question when the California Chamber of Commerce sued, leading to a judge ruling that CPPA couldn't enforce CPRA regs until one year after they were issued (i.e., July 2023). The CPPA appealed, and in February 2024 an appellate court overruled the delay, reinstating immediate enforcement. This back-and-forth was confusing for businesses: some wondered, does this mean we're safe from enforcement until 2024? The answer was no — the AG and CPPA could still enforce the statute from July 2023, just not the portions of regs that went beyond statute until Mar 2024. Prudent companies didn't slow down compliance due to the lawsuit, but it did add uncertainty. 
  • Consumer and Employee Communication: Transitioning to CPRA also meant communicating changes to consumers and staff. Businesses sent out updated privacy notices at the start of 2023. Some received questions from consumers about new opt-out options or from employees curious about their rights. Handling these inquiries and educating the audience became part of the rollout. For example, HR had to inform employees "You now have these privacy rights; here's how to exercise them and what it means." Ensuring that communication was clear and didn't cause alarm (especially for employees who might misconstrue a deletion request as something that could wipe out needed HR records) was a delicate task.

Despite the challenges, by mid-2023 many companies successfully transitioned to CPRA compliance. The key lesson businesses learned is that privacy compliance is not static. The CPRA transition underscored the need for agile, adaptable privacy programs that can adjust to new laws and regulations on an ongoing basis. Companies that invested early in robust privacy infrastructure (like flexible consent management and data mapping) were better positioned to absorb the CPRA changes. Those that treated CCPA as a one-off project found themselves scrambling again. Going forward, organizations realize that continuous compliance — with regular updates, monitoring legal developments, and nimble policy adjustments — is the new cost of doing business in the era of evolving privacy laws.

Final Thoughts: CPRA and CCPA Compliance in 2025

CPRA and CCPA compliance isn't going away. If anything, the regulatory landscape is getting more complex, with stricter enforcement and higher fines. But that doesn't mean your marketing efforts have to suffer.

The businesses that are thriving in this new environment aren't the ones finding clever loopholes or hoping regulators won't notice them. They're the ones who have embraced privacy as a core value and built it into their processes from the ground up.

Yes, these privacy laws have changed how we handle data. Email lists are smaller but more engaged. Data collection is more transparent. Consent is explicit rather than assumed. And quite frankly, these are all good things for building trust with your audience.

At its core, CPRA pushes us to respect customers, employees, and business contacts. And when people feel respected, they're more likely to trust your brand, engage with your content, and ultimately do business with you.

We created Luthor because we saw how many marketing teams were struggling with compliance. The rules are complex, the stakes are high, and most marketers aren't legal experts. Our AI-based tool automatically reviews your marketing assets for compliance issues, helping you reduce risk, effort, and time spent on manual reviews.

So instead of seeing CPRA as a burden, see it as an opportunity to build better, more trustworthy relationships with your audience. And if you need help navigating this complex landscape, we're here for you.

Want to see how Luthor can help your team stay compliant without slowing down? Request demo access today and see firsthand how our tool can streamline your compliance process.
