CPRA
The California Privacy Rights Act is the 2020 amendment to CCPA that created a dedicated enforcement agency, strengthened consumer rights, and added new obligations for sensitive personal information.
The California Privacy Rights Act (CPRA), effective January 2023, significantly amended the CCPA. It created the California Privacy Protection Agency (CPPA) — a dedicated privacy enforcement body with rule-making authority independent of the Attorney General. It introduced a new category of "sensitive personal information" (SPI) with additional rights and restrictions, created a right to correct inaccurate data, extended opt-out rights to cover "sharing" of data for cross-context behavioral advertising, and imposed new data minimization and purpose limitation obligations.
The sensitive personal information category is the most significant new engineering obligation. SPI includes Social Security numbers, financial account credentials, precise geolocation, racial or ethnic origin, religious beliefs, union membership, health information, biometric data used for identification, and communications content. Consumers have the right to limit the use of their SPI to what is necessary to perform the requested service — meaning organizations cannot use SPI for advertising, profiling, or secondary purposes without additional consent. Systems that process SPI must enforce these restrictions at the data processing level, not just in privacy policies.
CPRA's data minimization and purpose limitation requirements create engineering obligations CCPA did not: organizations must demonstrate that they collect only what is necessary and use data only for disclosed purposes. This requires data inventories that are live system artifacts — not annual documentation exercises — and data pipelines that enforce purpose limitation at the processing level rather than relying on contractual terms.
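One way to enforce the SPI use limitation and purpose limitation described above at the processing level rather than in policy text, as an added illustration that is not this page's or any firm's code. The schema, purposes, sample record and the `project` function are all constructed for the example, and the assumption that only service delivery counts as "necessary to perform the requested service" is the example's, not the statute's.

```python
from dataclasses import dataclass
from enum import Enum

class Purpose(Enum):
    SERVICE_DELIVERY = "service_delivery"  # necessary to perform the requested service
    ADVERTISING = "advertising"            # secondary purpose
    PROFILING = "profiling"                # secondary purpose

# Constructed schema: every field carries its CPRA classification and its disclosed purposes.
@dataclass(frozen=True)
class FieldSpec:
    sensitive: bool            # True = sensitive personal information (SPI)
    disclosed_purposes: frozenset

SCHEMA = {
    "email": FieldSpec(False, frozenset({Purpose.SERVICE_DELIVERY, Purpose.ADVERTISING})),
    "precise_geolocation": FieldSpec(True, frozenset({Purpose.SERVICE_DELIVERY, Purpose.ADVERTISING})),
    "health_condition": FieldSpec(True, frozenset({Purpose.SERVICE_DELIVERY})),
}

# Assumption for this example: only service delivery is "necessary to perform the requested service".
NECESSARY_PURPOSES = {Purpose.SERVICE_DELIVERY}

@dataclass
class ConsumerPrefs:
    limit_spi_use: bool = False  # consumer exercised the right to limit use of their SPI

def project(record: dict, purpose: Purpose, prefs: ConsumerPrefs, audit: list) -> dict:
    """Return only the fields a job running for `purpose` may see; append one audit entry per field."""
    allowed = {}
    for name, value in record.items():
        spec = SCHEMA.get(name)
        if spec is None:
            # Data minimization: a field nobody declared never flows downstream.
            audit.append((name, purpose.value, "deny", "undeclared field"))
        elif purpose not in spec.disclosed_purposes:
            audit.append((name, purpose.value, "deny", "purpose not disclosed"))
        elif spec.sensitive and prefs.limit_spi_use and purpose not in NECESSARY_PURPOSES:
            audit.append((name, purpose.value, "deny", "SPI use limited by consumer"))
        else:
            audit.append((name, purpose.value, "allow", ""))
            allowed[name] = value
    return allowed

# Constructed sample record; the undeclared field shows minimization in action.
SAMPLE = {"email": "c@example.com", "precise_geolocation": (37.77, -122.42),
          "health_condition": "asthma", "shoe_size": 10}
```

The audit list gives the live, per-decision record that a data inventory treated as a system artifact needs; a job that requests an undisclosed purpose simply receives no data for that field.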
We implement CPRA compliance at the data architecture level — designing systems that differentiate between regular and sensitive personal information, implement SPI use limitations at the pipeline level, and enforce data minimization through schema design and processing controls rather than policy documents. Our implementations satisfy both CCPA and CPRA obligations through a unified compliance architecture.