The California Privacy Rights Act (Prop. 24) amended the California Consumer Privacy Act in November 2020, took substantive effect January 1, 2023, and became enforceable by the newly created California Privacy Protection Agency on July 1, 2023. Three years of enforcement later, it is clear which changes were cosmetic and which are the ones that drive compliance work. This post is the operational breakdown for businesses that already handle CCPA and want to understand, specifically, what CPRA made different.
If you are looking for the banner-design rulebook, that's in our CCPA Cookie Banner Requirements pillar. If you want the enforcement case record, see The Honda, Ford, and Disney Cases. This post is the "what changed" document: the diff between CCPA as originally passed in 2018 and the law that actually binds you today.
TL;DR. Five changes matter operationally. (1) The "share" right for cross-context behavioral advertising captures retargeting and most pixel-based ad-tech, which CCPA proper did not. (2) Sensitive personal information is now a defined category with its own limit-on-use right. (3) The California Privacy Protection Agency is a dedicated regulator that has now out-fined the AG. (4) The 30-day cure period is gone, which removes the assumption that you can fix a problem after a sweep letter arrives. (5) The applicability threshold rose from 50,000 to 100,000 consumers or households. Everything else is detail.
The structural change no one names correctly
Before getting into differences, one framing point. CPRA is not a separate law. It is an amendment to the CCPA. The operative statute today is Cal. Civ. Code §§ 1798.100 et seq., "as amended by the California Privacy Rights Act of 2020." When regulators, lawyers, or vendors say "CPRA," they almost always mean "CCPA as amended by CPRA." When they say "CCPA," they also usually mean the amended statute. The distinction matters only when you are reading enforcement actions or opinions that cite specific provisions, because some provisions existed pre-2020 and some were added by Prop. 24.
The California Privacy Protection Agency itself uses "CCPA" in most of its materials to refer to the current statute. We do the same here.
Change 1: The "share" right for cross-context behavioral advertising
This is the single most operationally important change, and it is the one most non-California-focused teams underestimate.
The original CCPA (2018) created a right to opt out of the sale of personal information. "Sale" was defined in Cal. Civ. Code § 1798.140(ad) as transferring personal information to a third party for monetary or other valuable consideration. Businesses argued that many adtech integrations (pixels, conversion tags, retargeting) were not "sales" because no money changed hands in the narrow sense. The CA Attorney General pushed back, most visibly in the 2022 Sephora settlement, arguing that the exchange of data for "other valuable consideration" was enough. But the line was contestable.
CPRA closed the argument by adding a separate right to opt out of sharing, defined at § 1798.140(ah) as transferring personal information to a third party "for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions in which no money is exchanged."
Cross-context behavioral advertising is defined at § 1798.140(k) as targeting advertising based on personal information collected from the consumer's activity across businesses, sites, or services other than the one the consumer is currently interacting with. In plain terms: retargeting and the entire lookalike-audience, cross-site-tracking model of digital advertising.
The practical effect:
- Meta Pixel on your site, when used to build audiences for ads on Facebook and Instagram, is now clearly "sharing." Opt-out is mandatory.
- Google Ads conversion pixels and remarketing tags are sharing.
- TikTok Pixel is sharing.
- LinkedIn Insight Tag used for retargeting is sharing.
- The Trade Desk, Criteo, Taboola, Outbrain, and any DSP/SSP integration where user data is used for targeting across unrelated sites is sharing.
- Default Google Analytics 4 remains the contested case. The CA AG treats default GA4 as a "sale" per the Sephora precedent. Defense-side counsel disagree depending on configuration. Document the risk decision.
The required opt-out link text reflects this change. Pre-CPRA: "Do Not Sell My Personal Information." Post-CPRA: "Do Not Sell or Share My Personal Information." Using the pre-CPRA wording on a site that runs any retargeting or cross-context ad-tech is now non-compliant under 11 CCR § 7013.
Change 2: Sensitive Personal Information and the right to limit use
CPRA created a new statutory category of "Sensitive Personal Information" (SPI) and a new corresponding right: the right to limit use and disclosure of SPI.
SPI is defined at § 1798.140(ae) and includes:
- Social security, driver's license, state ID, or passport number
- Account login, financial account, debit card, or credit card number in combination with access credentials
- Precise geolocation
- Racial or ethnic origin, religious or philosophical beliefs, union membership
- Contents of mail, email, or text messages not directed at the business
- Genetic data
- Biometric information for unique identification
- Health information
- Data concerning sex life or sexual orientation
The right to limit use, codified at § 1798.121, allows consumers to restrict a business's use of their SPI to purposes that are "necessary to perform the services or provide the goods reasonably expected by an average consumer" requesting those services.
The operational implication: if your business collects SPI and uses it for anything beyond the immediately requested service (e.g., analytics based on precise geolocation, personalization based on health signals, targeting based on religious-observance inferences), you need a separate mechanism for consumers to limit that use. The regulation requires a "Limit the Use of My Sensitive Personal Information" link, or the alternative unified "Your Privacy Choices" link with the blue CA icon that combines the opt-out and limit-use rights into a single interface.
Note the CPRA carve-out in § 1798.121(d): businesses that do not use SPI for inferring characteristics beyond what's needed for the primary service are not required to provide the limit-use link. Most ad-tech-heavy businesses do not qualify for this carve-out. Most pure-utility SaaS businesses do.
A deeper discussion of what counts as SPI in practice lives in the sensitive personal information definitions post.
Change 3: The California Privacy Protection Agency
Before CPRA, CCPA was enforced by the California Attorney General. The AG's CCPA work was one program among many. CPRA created the California Privacy Protection Agency (CPPA) as a dedicated privacy regulator with its own rulemaking and enforcement powers. The Agency began rulemaking in 2021 and took over enforcement authority on July 1, 2023.
The practical differences this makes, three years in:
- More enforcement actions. The CPPA has announced multiple settlements since March 2025 (Honda, Todd Snyder, Tractor Supply, Ford, and the sports-media company at $1.1M). The pace is faster than the AG's pre-CPPA cadence.
- Technical expertise. The CPPA's findings are technically specific in a way that the AG's were not consistently. The Honda order addresses OneTrust implementation details. The Ford order requires an audit of every tracking technology. This is a regulator that understands the stack.
- Rulemaking ongoing. The CPPA's September 2025 rulemaking package added cybersecurity audits, risk assessments, ADMT requirements, and the 2026 § 7025(c)(6) change requiring visible GPC confirmation. More rulemaking is in the pipeline.
- Joint enforcement remains possible. The AG still has authority (Disney's $2.75M was an AG action in February 2026). CPRA did not strip the AG of its enforcement role; it added the CPPA alongside it.
For businesses planning compliance spend, the operational assumption is: both regulators are active, the CPPA is more technically specific, and enforcement is more frequent than it was pre-2023.
Change 4: The 30-day cure period is gone
Under the original CCPA, § 1798.155(b) gave businesses 30 days to cure alleged violations after receiving notice. If the business cured in that window, no fine. This was a meaningful risk mitigator for accidentally non-compliant sites.
CPRA removed the mandatory cure period effective January 1, 2023. The CPPA may, at its discretion, consider a business's good-faith cooperation and opportunity to cure, but this is no longer a statutory right. The operational assumption changed overnight: by the time you see a sweep letter, your window to pre-empt a finding with a quick fix is not guaranteed.
There was a brief period of confusion on this point. In June 2023, a Sacramento Superior Court initially delayed CPPA enforcement of the new regulations. The Third District Court of Appeal reversed in February 2024, restoring the CPPA's full enforcement authority retroactive to July 1, 2023. The cure-period analysis has been uncontested since.
Penalty structure under § 1798.155(a):
- $2,500 per unintentional violation
- $7,500 per intentional violation or per violation involving a consumer under 16
The CPPA has made clear (most recently in the Honda settlement announcement) that it counts violations on a per-affected-consumer basis for many findings. The aggregate fine math gets large quickly on sites with meaningful California traffic.
Change 5: The applicability threshold rose
Original CCPA applied to a business meeting any of three tests:
- Annual gross revenue over $25M, OR
- Annually buys, receives, sells, or shares personal information of 50,000 or more consumers, households, or devices, OR
- Derives 50% or more of annual revenue from selling personal information.
CPRA changed two prongs:
- The second-prong threshold rose from 50,000 to 100,000 consumers or households ("devices" was dropped as a separate category).
- The third prong was amended to include "selling or sharing" (consistent with the new sharing right).
The first-prong $25M revenue threshold was unchanged.
The practical effect: a narrow band of small businesses that fell under CCPA because they had 50,001 to 99,999 California consumer interactions may no longer be "businesses" under CPRA. This is an applicability re-evaluation worth running if you are in that size range, but the effect is modest in aggregate.
One sustained misreading: many secondary sources drop the word "households" from the second-prong threshold. The correct text is "100,000 or more consumers or households." A single California household counts as one unit toward the threshold.
Change 6: Rights expanded beyond opt-out
CPRA added or strengthened several consumer rights beyond the baseline CCPA set.
- Right to correction (§ 1798.106). Consumers can request correction of inaccurate personal information. This is new under CPRA.
- Right to know about automated decision-making. Covered in the 2025 rulemaking package and phased in starting January 1, 2027. Businesses that use automated decision-making technology for "solely" or "significant" decisions affecting consumers will have disclosure and opt-out obligations.
- Expanded data-minimization requirements. § 1798.100(c) codifies a proportionality standard: collection must be "reasonably necessary and proportionate" to the disclosed purpose. Maryland's MODPA adopted a similar standard with even stricter enforcement, covered in the US State Privacy Law Tracker.
- Extended lookback for deletion requests. Consumers can request deletion of personal information collected over the preceding 12 months; CPRA extended downstream obligations to require service providers and contractors to also delete.
Change 7: Contractual requirements with service providers and contractors
CPRA significantly tightened the contractual framework for data-processing relationships. Under § 1798.140(ag) (service providers) and related provisions for contractors and third parties, contracts must:
- Specify the limited and specified purposes for which personal information is processed
- Prohibit combining personal information with information from other sources (with narrow exceptions)
- Grant the business rights to audit and verify compliance
- Require the vendor to notify the business if it can no longer meet its obligations
- Prohibit sales, sharing, or cross-context behavioral advertising based on the transferred data
The Tractor Supply enforcement in September 2025 cited deficient ad-tech contracts as one of its findings. If your vendor contracts still use pre-CPRA data processing addenda, they are stale under the current statute.
How CCPA compares globally
For teams that also handle GDPR or other global regimes, the most useful mental model is:
CCPA (as amended by CPRA) is primarily opt-out, with notice-at-collection, a limit-use right for sensitive PI, and required recognition of a universal opt-out mechanism (UOOM), in practice Global Privacy Control (GPC). The EDPB-style "lawful basis" framework does not exist. Consent is required for minors and for some specific flows, but the default is opt-out.
GDPR is primarily consent-based for cookies and most marketing data. ePrivacy Directive Art. 5(3) requires prior consent before storing or accessing information on terminal equipment, with narrow exceptions. A separate lawful basis under GDPR Art. 6 is also needed for any processing that follows.
US state laws post-CCPA have mostly adopted a CCPA-flavored opt-out model with state-specific tweaks. Colorado, Connecticut, Virginia, Utah, and most post-2023 laws follow the opt-out structure with UOOM recognition requirements expanding. The full multi-state landscape is covered in the US state privacy law tracker.
A practical implication: running a single consent banner that works globally is non-trivial. Most large-traffic sites run region-aware logic. For California, that means a symmetrical opt-out choice with GPC honored; for the EEA and UK, prior consent with a rejectable default.
The three questions you should be able to answer today
If you are responsible for CCPA compliance at your organization, the post-CPRA operational test is whether you can answer these three questions specifically:
- Which of your integrations are "sharing" under § 1798.140(ah)? List them. Meta Pixel, Google Ads, TikTok, LinkedIn, your DSPs and SSPs, any retargeting partner. The list of sharing integrations is what the opt-out is gating.
- Which categories of sensitive personal information do you collect, and do any non-service purposes use them? If yes, a "Limit the Use" link or the unified "Your Privacy Choices" link is required. If no, you may be exempt from the limit-use link requirement.
- What would the per-violation math look like for a CPPA sweep of your site? If the Agency found a single violation across your California-resident user base, what is that population? The math is straightforward ($2,500 to $7,500 per affected consumer) and produces a useful pressure point for prioritizing fixes.
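The region-aware gating described in the global comparison above, combined with the first of the three questions (an explicit inventory of which tags are "sharing"), is easiest to reason about when the decision is written down as code. The following is an added example, not code from the original post or from Consenteo: it keeps a constructed tag inventory classified per the post's § 1798.140(ah) list (with default GA4 marked "contested" so the documented risk decision is explicit), reads the GPC signal from either `navigator.globalPrivacyControl` or the `Sec-GPC` request header, and decides which tags may fire given the visitor's region and stored choices. The region codes and the `treatContestedAsSharing` flag are assumptions for illustration; an upstream geo lookup is assumed and not shown.

```javascript
// Added example (not from the original post): region-aware gating of
// "sharing" tags that honors Global Privacy Control for California visitors.

// Constructed tag inventory. "sharing" follows the post's § 1798.140(ah) list;
// default GA4 is marked "contested" so the risk decision is visible in code.
const TAG_INVENTORY = [
  { id: "meta-pixel",            sharing: true },
  { id: "google-ads",            sharing: true },
  { id: "tiktok-pixel",          sharing: true },
  { id: "linkedin-insight",      sharing: true },
  { id: "ga4-default",           sharing: "contested" },
  { id: "first-party-analytics", sharing: false },
];

// Regime per region (assumed region codes from an upstream geo lookup, not shown).
const REGIME = { "US-CA": "opt-out", EEA: "consent", UK: "consent" };

function regimeFor(region) {
  return REGIME[region] ?? "none";
}

// Browser-side GPC signal. A server sees the same signal as the header "Sec-GPC: 1".
function gpcSignaled(nav = globalThis.navigator) {
  return nav?.globalPrivacyControl === true;
}

// Server-side GPC signal parsed from request headers (keys may vary in case).
function gpcFromHeader(headers) {
  const v = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return String(v ?? "").trim() === "1";
}

// Decide which tag ids may fire for this visitor.
// opts: { region, gpc, optedOut, consented, treatContestedAsSharing }
//   - gpc: GPC signal present (California: treated as an opt-out of sale/sharing)
//   - optedOut: stored "Do Not Sell or Share" choice (California)
//   - consented: stored prior consent (EEA/UK)
//   - treatContestedAsSharing: the documented risk decision for GA4; defaults to
//     the conservative reading (treat it as sharing)
function allowedTags(opts, inventory = TAG_INVENTORY) {
  const regime = regimeFor(opts.region);
  const treatContested = opts.treatContestedAsSharing !== false;
  return inventory
    .filter((tag) => {
      const isSharing =
        tag.sharing === true || (tag.sharing === "contested" && treatContested);
      if (!isSharing) return true; // non-sharing tags are not gated by either regime
      switch (regime) {
        case "opt-out":  // California: fire unless opted out or GPC is signaled
          return !(opts.optedOut || opts.gpc);
        case "consent":  // EEA/UK: prior consent required before any sharing tag
          return opts.consented === true;
        default:         // no applicable regime modeled here
          return true;
      }
    })
    .map((tag) => tag.id);
}

// Usage: a California visitor with GPC enabled gets only the non-sharing tag.
console.log(allowedTags({ region: "US-CA", gpc: true }));
```

The design point is that the inventory, not the banner, is the source of truth: the opt-out gates exactly the set of integrations the business has classified as sharing, and changing the GA4 risk decision is a one-flag change rather than a rewrite of the loader.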
Teams that can answer these three concretely are, in my experience, substantially better positioned than teams that treat CCPA as a document-based compliance exercise.
FAQ
Is CCPA still a separate law from CPRA?
CPRA is an amendment to CCPA, not a separate statute. The operative law is Cal. Civ. Code §§ 1798.100 et seq., as amended by CPRA. "CCPA" and "CPRA" are often used interchangeably to refer to the current, amended statute.
Do I need to change my opt-out link text?
Yes, if it still says only "Do Not Sell My Personal Information." The required text under CPRA-amended 11 CCR § 7013 is "Do Not Sell or Share My Personal Information," or the alternative "Your Privacy Choices" or "Your California Privacy Choices" link with the official blue Privacy Options icon.
When is the automated decision-making rule effective?
Compliance obligations under the CPPA's 2025 rulemaking package for automated decision-making technology phase in starting January 1, 2027. Businesses using ADMT for significant decisions affecting consumers will need to provide pre-use notices and honor opt-out requests.
Does CPRA apply to employee and job applicant data?
Yes. The previous employment-context carve-out sunset on January 1, 2023 under CPRA. Employees, job applicants, and contractors have CCPA rights with respect to data processed by their employer or prospective employer. The Tractor Supply enforcement was the first reported action specifically addressing job-applicant CCPA rights.
What is the statute of limitations for CCPA violations?
The CCPA itself does not include a statute of limitations provision specific to enforcement actions. Under California's general enforcement framework, civil penalty actions by the AG and CPPA are generally subject to a four-year limitation, but the analysis varies by claim type, and consumers' private right of action (which is narrow) has its own rules under § 1798.150.
Are there still any statutory cure provisions?
No mandatory cure period. The CPPA may consider good-faith efforts at its discretion, but it is not obligated to. The operational assumption is that a finding can lead directly to enforcement.
What's the quickest operational change post-CPRA that most teams still haven't made?
Updating the footer link from "Do Not Sell My Personal Information" to "Do Not Sell or Share My Personal Information," or moving to the unified "Your Privacy Choices" pattern. Both are visible fixes and many sites, three years into CPRA, are still running the pre-2023 wording.
Where to go from here
If your team is still calibrating compliance against original-CCPA assumptions (no "share" right, 30-day cure, AG as sole enforcer), the first priority is to re-audit the opt-out mechanism, the tracking-tech inventory, and the vendor contracts against the current statute. Most compliance gaps in 2026 come from incomplete adoption of the CPRA amendments, not from non-compliance with the pre-2020 baseline.
For the full banner specification, see the CCPA Cookie Banner Requirements pillar. For the enforcement record, see The Honda, Ford, and Disney Cases. For the operational detail on opt-out form design, see Opt-Out Without Verification.
If you want a practical read on where your current implementation sits relative to the current statute and the 2025-2026 enforcement pattern, Consenteo's engineering team has implemented the post-CPRA spec on 200+ corporate sites across major jurisdictions. Get in touch for a conversation.