The CCPA vs CPRA, How do they Differ?

CCPA vs CPRA article featured image

Data collection began in the 1980s to personalize marketing. At the time, customers largely found it helpful and it enjoyed a generally positive reaction. However, with the arrival of the Internet, data collection began to increase without restrictions. Consumers became aware of how their data was being used and called for changes to regulate, restrict, and protect their private information. This led to a wave of laws, at home and abroad, including California, with the CCPA and CPRA. To answer how they differ, it’s less of a battle of the CCPA vs the CPRA, and how they complement each other.

Regulation for data collection is still relatively new and continuously changing. The first large privacy law to go into effect was the General Data Protection Regulation (GDPR) in 2018. It sets strict regulations on organizations targeting or collecting data on consumers in the EU. The GDPR includes hundreds of pages worth of requirements, holding businesses to stringent privacy and security standards.  

In the wake of Europe implementing the GDPR, the US also began to set restrictions on data collection. The California Consumer Privacy Act of 2018 (CCPA) was the first of its kind in the US. It gives consumers more control over their personal information and provides guidelines on how to implement the law. The California Privacy Rights Act (CPRA) was approved in 2020 to amend and expand upon the CCPA.

Both laws impact how companies can do business, but what’s the difference? Below, we will take a closer look at both laws, break down the differences, and discuss how your business may be affected.

A Breakdown of the Differences Between the CCPA vs CPRA


The CCPA is a historic and comprehensive bill that gives California residents privacy rights and protections. Its main focus is placed on consumer rights; giving individuals the right to know what personal information is being collected, used, and shared with third parties. Consumers under the CCPA have the right to access their data, delete their information, and opt out of their information being sold.


The CPRA was a ballot initiative that sought to amend and expand the CCPA. It took effect in January 2023 and enforcement comes later in the year. The CPRA adds new provisions to strengthen consumer privacy and specify whom the law affects. 

In addition, the CPRA also established the California Privacy Protection Agency (CPPA) to investigate and enforce privacy violations. The agency aims to educate consumers about privacy rights and spread awareness on how to exercise their rights.

Consumer Rights & Business Applications

CCPA vs CPRA granted consumer rights guidelines image

The CCPA and the CPRA apply to businesses that collect, store, or sell the data of consumers who live in California, regardless of where the business is located. The graphic on the right of the page illustrates what areas the law covers and their relevant jurisdictions.

Compliance & Enforcement of the CCPA vs CPRA

One of the biggest differences between the CCPA and CPRA is how and the extent to which these laws are enforced. The California Office of the Attorney General enforces the CCPA. The new CPPA enforces the CPRA, with full investigative and rulemaking authority. Failure to protect consumer privacy can result in serious penalties in both cases.

The CCPA imposes the following options in the event of non-compliance:

  • Civil Penalties: Fines up to $7,500 per intentional violation or $2,500 per unintentional violation.
  • Damages: Consumers may recover statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages.
  • Non-Monetary Relief: Consumers may seek injunctive or declaratory relief for security breach violations.
  • Businesses may be subject to an injunction in actions brought by the Attorney General.

The fines will be the same under the CPRA with one difference. An increase to $7,500 for each violation involving the personal information of consumers under the age of 16.

Stay in Compliance with Shred Nations

Provisions made by the California Privacy Rights Act will come into effect in 2023. Businesses of all sizes will need to assess their privacy practices to maintain compliance. Shred Nations can help you build a data privacy plan for your business with shredding and information management services.

Contact us at (800) 747-3365 or fill out the form to connect with providers in your area today. Our privacy experts can help you select services and give you free quotes today.