CPRA Compliance Requirements & Checklist | Complete Guide For Businesses


What is CPRA compliance?

CPRA compliance means meeting the legal requirements of the California Privacy Rights Act, a state law that expanded consumer privacy protections and introduced stricter obligations for businesses that collect, process, or share personal data from California residents.

At CMIT Solutions, we help businesses translate those regulatory obligations into practical IT and operational steps, so compliance becomes a manageable part of how your business runs rather than a persistent source of uncertainty.

The California Privacy Rights Act took effect on January 1, 2023, with enforcement beginning July 1, 2023. It built on the original California Consumer Privacy Act (CCPA) but added new consumer rights, new categories of protected data, and a first-of-its-kind enforcement body: the California Privacy Protection Agency (CPPA). For small and mid-size businesses already navigating growing IT complexity, this shift from a compliance checklist to an ongoing operational responsibility adds another layer that requires real attention and the right support.

CPRA compliance is not a one-time audit. It requires changes to how your business collects, processes, stores, and shares personal data, and those changes need to be built into daily IT operations, vendor relationships, and employee practices.

Explore our business data compliance solutions to see how CMIT Solutions can help your business stay ahead of these requirements.

 

Which businesses must comply with the CPRA?

Not every business in California falls under the CPRA, but the thresholds are broad enough to reach many small and mid-size operations. The law applies to for-profit businesses that do business in California and meet at least one of the following criteria:

  • Annual gross revenue over $25 million in the preceding calendar year (the CPPA adjusts this figure for inflation; the 2025 threshold is $26.625 million)
  • Buy, sell, or share the personal information of 100,000 or more consumers or households per year
  • Derive 50% or more of annual revenue from selling or sharing consumers’ personal information

One important update from CPRA compared to the original CCPA: the data volume threshold was raised from 50,000 to 100,000, and it now counts only consumers or households, not devices as the CCPA did. The addition of “sharing” (disclosure for cross-context behavioral advertising), not just selling, data also significantly expanded who qualifies under the law.

Businesses that do not meet these thresholds are not exempt from all data privacy considerations. Many customers, partners, and insurers now expect baseline privacy practices regardless of legal obligation.

CMIT Solutions provides strategic technology guidance aligned with your business goals, helping you assess your current data practices and build toward a stronger compliance posture proactively.

💡 Additional reading: What is CCPA compliance

What changed from CCPA to CPRA?

The CPRA did not replace the CCPA. It amended and expanded it. Many businesses that invested in CCPA compliance assumed they were covered, only to discover significant gaps when CPRA took effect, a reminder of how costly it can be to operate without long-term guidance on an evolving regulatory landscape. The most significant changes include:

  • New category of sensitive personal information (SPI): The CPRA created a more protected class of data that includes Social Security numbers, account log-in or financial account numbers combined with access credentials, health information, precise geolocation, racial or ethnic origin, religious beliefs, and the contents of private communications. Businesses must now offer consumers the right to limit use and disclosure of this data.
  • Right to correct: Consumers can now request that businesses correct inaccurate personal information, a right that did not exist under the original CCPA.
  • Right to limit use of SPI: In addition to deletion and opt-out rights, consumers can restrict how sensitive data is used, even if they do not want it deleted entirely.
  • Data minimization and storage limitation: Businesses may only collect, use, retain, and share personal data that is reasonably necessary and proportionate to a disclosed purpose, and must not retain it longer than needed.
  • California Privacy Protection Agency (CPPA): The CPRA established a dedicated state agency with authority to issue regulations, investigate violations, and impose administrative fines without requiring the state Attorney General to initiate action (the Attorney General retains enforcement authority as well).
  • B2B and employee data: Temporary CCPA exemptions for business-to-business communications and employee data expired on January 1, 2023. This information is now fully covered under CPRA.

The table below summarizes key differences between the two laws:

Feature                          | CCPA (original)                            | CPRA (2023 onward)
Enforcement body                 | California Attorney General                | CPPA, plus the Attorney General
Sensitive personal information   | Not separately categorized                 | Defined and separately regulated
Right to correct                 | Not included                               | Included
Data minimization requirement    | Not explicit                               | Required
Employee and B2B data            | Exempt (temporary)                         | Fully covered since January 1, 2023
Data sharing (not just selling)  | Limited scope                              | Explicitly covered
Volume threshold                 | 50,000 consumers, households, or devices   | 100,000 consumers or households

CMIT Solutions works with businesses to identify which of these changes affect their current data environment and translates them into cybersecurity-informed recommendations and clear operational priorities, so the right IT and process changes get made without unnecessary complexity.

💡 Additional reading: Data compliance regulations


What rights do consumers have under the CPRA?

The CPRA grants California residents a set of privacy rights that is commonly summarized as 11 distinct rights. For many businesses, managing these requests adds meaningful operational complexity, particularly when internal IT resources are already stretched or processes have not been built to handle requests at scale. Failing to respond within required timeframes (45 days from receipt, extendable once by a further 45 days when reasonably necessary and the consumer is notified) can result in enforcement action.

The 11 consumer rights under CPRA are:

  1. Right to know: Consumers can request disclosure of the categories and specific pieces of personal information a business collects, the sources it comes from, the purposes it is used for, and the categories of third parties it is disclosed to, sold to, or shared with.
  2. Right to delete: Consumers can request deletion of their personal information, subject to exceptions such as completing a transaction, detecting security incidents or fraud, or meeting a legal obligation.
  3. Right to correct: Consumers can request that inaccurate personal information be corrected.
  4. Right to opt out of sale or sharing: Consumers can direct businesses to stop selling their personal information or sharing it for cross-context behavioral advertising.
  5. Right to limit use of sensitive personal information: Consumers can restrict the use and disclosure of SPI to what is necessary to perform the services or provide the goods they requested.
  6. Right to non-discrimination: Businesses cannot penalize consumers for exercising their privacy rights.
  7. Right to data portability: As part of the right to know, consumers can request their data in a portable and, to the extent technically feasible, readily usable format.
  8. Right to know about automated decision-making: The CPRA directs the CPPA to issue regulations giving consumers access to meaningful information about the logic involved in automated decision-making technology that produces significant effects; the specific obligations are set by those regulations.
  9. Right to opt out of automated decision-making: Likewise established through CPPA regulations, consumers can opt out of certain automated decision processes, including profiling.
  10. Right to access information about third-party sharing: Consumers can ask which categories of third parties their data has been disclosed to, sold to, or shared with.
  11. Protections for minors: Businesses may not sell or share the personal information of consumers they know to be under 16 without opt-in consent (from a parent or guardian for consumers under 13) rather than the usual opt-out.

Managing these requests requires a clear internal workflow and consistent processes across your systems. CMIT Solutions helps businesses build the infrastructure and procedures needed to receive, track, and respond to rights requests within legal timeframes, so your team can stay focused on running the business.

What counts as sensitive personal information under CPRA?

Sensitive personal information (SPI) is a category the CPRA defines separately from general personal information, and it carries stricter requirements. Businesses must disclose if they collect SPI, provide a clear method for consumers to limit its use, and restrict its use to what is necessary to fulfill the reason it was collected.

The CPRA defines SPI as:

  • Social Security numbers, driver’s license numbers, state ID numbers, or passport numbers
  • Account log-in, financial account, debit card, or credit card numbers combined with any required security or access code, password, or credentials allowing access to the account
  • Precise geolocation data
  • Racial or ethnic origin, citizenship or immigration status (added by a 2023 amendment), religious or philosophical beliefs, or union membership
  • Contents of a consumer’s mail, email, or text messages (unless the business is the intended recipient)
  • Genetic data
  • Biometric data processed for the purpose of uniquely identifying a consumer
  • Health or medical information, including neural data (added by a 2024 amendment)
  • Information about sex life or sexual orientation

For many SMBs, the most relevant categories are financial account data, health information (particularly in healthcare-adjacent businesses), and precise geolocation. Even businesses that do not consider themselves data-heavy may be collecting SPI through employee records, customer accounts, or third-party applications.

CMIT Solutions helps businesses identify where SPI exists across their environment and put layered protection across systems and users in place to meet the law’s stricter requirements.

CPRA compliance checklist for businesses

Working through CPRA compliance is more manageable when it is broken into distinct areas. Use this checklist as a starting point, keeping in mind that compliance is an ongoing obligation, not a one-time exercise.

The CPPA continues to issue new guidance as the regulatory framework evolves.

Data inventory and mapping

  • Identify all categories of personal information your business collects
  • Identify all sources from which personal information is collected
  • Map how personal information flows through your organization
  • Identify all third parties with whom personal information is shared
  • Flag all data that qualifies as sensitive personal information (SPI)
  • Document the business purpose for collecting each category of data
  • Confirm data is not retained beyond what is necessary for its stated purpose

Privacy policy and notices

  • Update your privacy policy to disclose all categories of data collected and their purposes
  • Add a clear “Do Not Sell or Share My Personal Information” link or mechanism
  • Add a “Limit the Use of My Sensitive Personal Information” link or mechanism
  • Disclose retention periods for each category of personal information
  • Notify consumers at or before the point of data collection
  • Update your privacy policy to cover employee and B2B data


Consumer rights request handling

  • Establish a verified process for receiving and responding to consumer rights requests
  • Build a system to respond within 45 days of receipt, with a single extension of up to 45 more days when reasonably necessary, provided the consumer is notified of the extension within the first 45 days
  • Train staff on how to receive and escalate rights requests
  • Document all requests received and the actions taken
  • Confirm you have at least two methods for consumers to submit requests, such as a web form and a toll-free number (a business that operates exclusively online and has a direct relationship with the consumer may instead provide only an email address)

Vendor and service provider contracts

  • Review all third-party contracts for data processing language
  • Confirm that contracts with service providers include CPRA-required contractual terms
  • Distinguish between service providers (restricted use), contractors (limited use), and third parties
  • Include data processing agreements with any vendor that receives personal information
  • Audit vendor compliance posture, particularly for vendors with access to SPI

Security and technical controls

  • Implement reasonable security measures for all personal information you hold
  • Apply stronger protections to sensitive personal information
  • Review access controls to limit who within your organization can access personal data
  • Establish a data breach response plan and test it
  • Ensure systems collecting personal information are patched and up to date
  • Enable logging and monitoring for systems that store or process personal data
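The last two items above (access controls and logging for systems that hold personal data) are only useful if someone actually reviews the logs against the access policy. The following is an added example, not code from the original page or from CMIT Solutions: it parses a constructed JSON-lines audit log, checks each access against an assumed role-to-category allowlist, flags SPI reads made without MFA and any export action, and produces the per-consumer access trail a rights request or breach scoping would need. The log format, the role names, the categories and the sample lines are all assumptions chosen for illustration.

```python
"""Audit-log review for access to personal information.

Added example, not code from CMIT Solutions or from any CPRA text. The log
format, role allowlist and category names are assumptions chosen for
illustration; the log lines are constructed sample data.
"""
import json

# Assumed role -> data categories each role may read (the allowlist the
# access-control review in the checklist would produce).
ROLE_ACCESS = {
    "support_agent": {"account_profile", "support_ticket"},
    "hr_specialist": {"account_profile", "payroll_record", "health_record"},
    "marketing": {"account_profile"},
}

# Categories the data inventory flagged as sensitive personal information.
SPI_CATEGORIES = {"payroll_record", "health_record", "precise_geolocation"}

# Constructed sample audit log (JSON lines), including one malformed line.
SAMPLE_LOG = """\
{"ts": "2025-06-01T09:12:03Z", "user": "alice", "role": "support_agent", "action": "read", "category": "support_ticket", "subject": "c-1001", "mfa": true}
{"ts": "2025-06-01T09:15:44Z", "user": "bob", "role": "marketing", "action": "read", "category": "health_record", "subject": "c-1002", "mfa": true}
{"ts": "2025-06-01T10:02:10Z", "user": "carol", "role": "hr_specialist", "action": "read", "category": "payroll_record", "subject": "c-1003", "mfa": false}
not-json: agent restarted
{"ts": "2025-06-01T10:40:00Z", "user": "alice", "role": "support_agent", "action": "export", "category": "account_profile", "subject": "c-1001", "mfa": true}
{"ts": "2025-06-01T11:05:31Z", "user": "dave", "role": "hr_specialist", "action": "read", "category": "health_record", "subject": "c-1002", "mfa": true}
"""

REQUIRED_FIELDS = ("ts", "user", "role", "action", "category", "subject", "mfa")


def parse_log(text):
    """Parse JSON-lines audit records; malformed lines are counted, not dropped silently."""
    events, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)  # json.JSONDecodeError is a ValueError
            if not all(k in event for k in REQUIRED_FIELDS):
                raise ValueError("missing field")
        except ValueError:
            malformed += 1
            continue
        events.append(event)
    return events, malformed


def audit_access(events):
    """Return findings as (timestamp, user, rule) for access that violates policy."""
    findings = []
    for e in events:
        allowed = ROLE_ACCESS.get(e["role"], set())  # unknown role: nothing allowed
        if e["category"] not in allowed:
            findings.append((e["ts"], e["user"], "role_not_permitted"))
        if e["category"] in SPI_CATEGORIES and not e["mfa"]:
            findings.append((e["ts"], e["user"], "spi_without_mfa"))
        if e["action"] == "export":
            # Exports leave the system of record; treat as potential sharing.
            findings.append((e["ts"], e["user"], "export_review"))
    return findings


def subject_access_report(events, subject):
    """Who touched one consumer's data: the trail a rights request or breach scoping needs."""
    return [(e["ts"], e["user"], e["category"], e["action"])
            for e in events if e["subject"] == subject]


def run_example():
    events, malformed = parse_log(SAMPLE_LOG)
    return {
        "malformed": malformed,
        "findings": audit_access(events),
        "c-1002": subject_access_report(events, "c-1002"),
    }


if __name__ == "__main__":
    result = run_example()
    print(f"malformed lines: {result['malformed']}")
    for ts, user, rule in result["findings"]:
        print(f"{ts} {user}: {rule}")
    for row in result["c-1002"]:
        print("c-1002 accessed by", row)
```

Two design choices matter here. Unknown roles get an empty allowlist, so a misconfigured account is flagged rather than waved through, and malformed lines are counted instead of silently skipped, because a log that cannot be parsed is also a log that cannot support a breach investigation.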

Employee training

  • Train all staff who handle personal information on CPRA requirements
  • Train customer-facing staff on how to direct and handle consumer rights requests
  • Document training records

What are the penalties for CPRA non-compliance?

The risk of data loss, enforcement action, and reputational damage makes CPRA penalties more than a regulatory footnote. The CPPA can impose administrative fines, and the Attorney General can seek civil penalties, of up to $2,500 per violation and up to $7,500 per intentional violation.

Violations involving the personal information of consumers the business knows are under 16 also carry the $7,500 per-violation figure regardless of whether the violation was intentional. The CPPA adjusted both figures for inflation effective January 1, 2025 (to $2,663 and $7,988), so businesses should monitor the California Privacy Protection Agency for current enforcement figures.

These figures apply per violation, not per incident. A single data collection practice applied to thousands of consumers can result in penalties that multiply quickly.

The cure period that existed under the original CCPA has also changed under CPRA. The automatic 30-day right to cure was removed; the CPPA may consider a business’s good-faith efforts to cure when deciding on enforcement, but it is no longer entitled to one.

Beyond regulatory penalties, the CPRA also provides a private right of action for consumers when a breach of nonencrypted and nonredacted personal information (for example, a name combined with a Social Security number, driver’s license number, or financial account number, or an email address combined with a password) results from a business’s failure to maintain reasonable security. Consumers can seek statutory damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater. Because the provision reaches only nonencrypted and nonredacted data, encryption of stored personal information directly reduces exposure to it.

Proactive compliance is significantly less costly than reactive enforcement. CMIT Solutions helps businesses build security standards that exceed baseline expectations, putting the controls and documented processes in place that reduce the likelihood of a violation or breach before one occurs.


How CPRA affects your IT infrastructure

CPRA compliance is as much an IT challenge as it is a legal one, and for businesses where IT is already treated as a maintenance function rather than a strategic asset, the gap becomes clear quickly. The law’s requirements for data minimization, access controls, security safeguards, and breach response translate directly into technical obligations that many internal teams are not resourced to handle on their own.

Key IT-related CPRA requirements include:

  • Access controls: Personal information, particularly SPI, should only be accessible to staff with a legitimate business need. Role-based access controls, multi-factor authentication, and privileged access management all support this requirement, and access to SPI should be logged so it can be reviewed.
  • Data retention enforcement: Many businesses collect data indefinitely by default. CPRA requires retention to be limited to what is reasonably necessary for the disclosed purpose. IT systems need to be configured to enforce retention schedules, including automated deletion or anonymization where appropriate, with exceptions for data under legal hold or subject to an open rights request.
  • Logging and monitoring: Knowing what personal data exists in your environment, who has accessed it, and whether it has been shared or transmitted requires continuous monitoring. Without it, a business may not be able to respond accurately to a consumer rights request or reconstruct what happened in the event of a breach.
  • Breach response readiness: The CPRA’s duty to maintain reasonable security, combined with California’s breach notification law (Civil Code section 1798.82), means a business needs a documented and tested incident response capability. It must be able to detect a breach, contain it, assess what data was affected, notify affected residents without unreasonable delay, and notify the Attorney General when more than 500 California residents are notified in a single breach.
  • Vendor system reviews: If a third-party application collects personal information on your behalf, such as a CRM, a scheduling tool, or a payment processor, that system is part of your CPRA footprint. Its security posture affects your compliance standing.
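The retention item above is the one most often left to good intentions, because nothing in a typical CRM or file share expires data on its own. The following is an added example, not code from the original page or from CMIT Solutions, of what a retention enforcer looks like in practice: an assumed per-category schedule (days to keep, and whether expiry means deletion or anonymization), records tagged with their category and collection date, an exception for records under legal hold, and a “review” outcome for any category missing from the schedule so that unmapped data is surfaced rather than kept forever. The category names, field names and sample records are constructed for illustration.

```python
"""Retention-schedule enforcement for stored personal information.

Added example, not code from CMIT Solutions or from the CPRA text. The
schedule, record layout and category names are assumptions chosen for
illustration; a real deployment takes them from the data inventory and the
retention periods disclosed in the privacy policy. Sample records are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Fields that identify a person; stripped when a record is anonymized.
IDENTIFYING_FIELDS = {"name", "email", "phone", "address", "ip_address", "lat_lon"}

# Assumed schedule: days to keep each category after collection and what
# happens at expiry. Precise geolocation is SPI and gets the shortest window.
RETENTION_SCHEDULE = {
    "account_profile": {"days": 730, "action": "delete"},
    "support_ticket": {"days": 365, "action": "anonymize"},
    "precise_geolocation": {"days": 30, "action": "delete"},
}


@dataclass
class Record:
    record_id: str
    category: str
    collected_on: date
    fields: dict
    legal_hold: bool = False   # litigation hold or an open rights request


def expiry_date(rec):
    """Date after which the record may no longer be kept; None if the category is unmapped."""
    policy = RETENTION_SCHEDULE.get(rec.category)
    return None if policy is None else rec.collected_on + timedelta(days=policy["days"])


def anonymize(rec):
    """Keep non-identifying fields (useful for metrics) and drop direct identifiers."""
    kept = {k: v for k, v in rec.fields.items() if k not in IDENTIFYING_FIELDS}
    return Record(rec.record_id, rec.category, rec.collected_on, kept, rec.legal_hold)


def enforce_retention(records, today):
    """Apply the schedule as of `today`.

    Returns (surviving_records, decisions) where decisions maps record_id to
    "retain", "delete", "anonymize", "hold" (expired but under legal hold) or
    "review" (category missing from the schedule: flagged rather than kept forever).
    """
    survivors, decisions = [], {}
    for rec in records:
        expires = expiry_date(rec)
        if expires is None:
            decisions[rec.record_id] = "review"
            survivors.append(rec)
        elif today < expires:
            decisions[rec.record_id] = "retain"
            survivors.append(rec)
        elif rec.legal_hold:
            decisions[rec.record_id] = "hold"
            survivors.append(rec)
        elif RETENTION_SCHEDULE[rec.category]["action"] == "anonymize":
            decisions[rec.record_id] = "anonymize"
            survivors.append(anonymize(rec))
        else:
            decisions[rec.record_id] = "delete"
    return survivors, decisions


def sample_records():
    """Constructed sample data covering every decision branch."""
    return [
        Record("r1", "account_profile", date(2023, 1, 15), {"name": "A. Lee", "email": "a@example.com"}),
        Record("r2", "support_ticket", date(2024, 3, 1), {"email": "b@example.com", "issue": "login", "resolved": True}),
        Record("r3", "precise_geolocation", date(2025, 5, 20), {"lat_lon": "37.77,-122.42"}),
        Record("r4", "account_profile", date(2022, 6, 1), {"name": "C. Diaz"}, legal_hold=True),
        Record("r5", "marketing_export", date(2021, 9, 9), {"email": "d@example.com"}),
    ]


def run_example(today=date(2025, 6, 1)):
    return enforce_retention(sample_records(), today)


if __name__ == "__main__":
    survivors, decisions = run_example()
    for rid, decision in decisions.items():
        print(rid, decision)
    print("surviving:", [r.record_id for r in survivors])
```

Run as of 2025-06-01, the expired profile r1 is deleted, the expired ticket r2 survives with its email removed but its issue history intact, the recent geolocation r3 is retained, the expired profile r4 is held because of the legal hold, and r5 is flagged for review because “marketing_export” was never entered into the schedule. In a real system the decisions would feed the deletion job and the review queue, and the run itself would be logged as evidence of enforcement.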

A data breach or extended system outage can carry costs well beyond regulatory penalties.

CMIT Solutions designs and manages IT environments with security built in by default, not bolted on after the fact. Our security-first managed IT services deliver continuous monitoring and threat response, backed by backup and recovery capabilities that keep your business operational even when incidents occur.

Use our IT downtime calculator to estimate the operational impact a compliance-related disruption could have on your business.

 

How CPRA interacts with other privacy and compliance frameworks

CPRA does not exist in isolation, and for businesses already managing multiple compliance obligations, the growing complexity of overlapping frameworks creates real accountability gaps, particularly when different requirements are handled by different vendors with no unified oversight. There is meaningful overlap in the underlying controls across frameworks, but also important distinctions that require careful navigation.

CPRA and HIPAA: Healthcare organizations subject to HIPAA have existing obligations around protected health information (PHI). CPRA adds state-level requirements for health information that falls outside HIPAA’s scope, for example, health data collected through wellness apps or employee health programs that do not involve covered entities or business associates as HIPAA defines them. HIPAA compliance does not automatically satisfy CPRA.

CPRA and PCI-DSS: Payment card data intersects with CPRA’s definition of sensitive personal information. PCI-DSS addresses cardholder data security, but CPRA adds consumer rights obligations around that data, including the right to know, delete, and correct, which PCI-DSS does not address.

CPRA and NIST: The NIST Privacy Framework provides a voluntary structure that aligns well with CPRA obligations. Businesses already using NIST guidelines as a baseline will find that the framework’s focus on data governance, risk management, and transparency maps closely to CPRA requirements, though regulatory compliance still requires addressing the law’s specific mandates directly.

CPRA and federal compliance: For businesses operating in or adjacent to the defense supply chain, federal data handling requirements extend beyond CPRA. Our CMMC compliance services are designed to sit alongside state-level privacy obligations, helping businesses manage both programs without duplication of effort.

CPRA and state-by-state privacy laws: California is not the only state with comprehensive privacy legislation. As of 2025, more than 20 states have enacted or are implementing similar laws. The IAPP US State Privacy Legislation Tracker is a regularly updated resource for businesses tracking requirements across multiple states. For businesses with customers in several states, building toward CPRA compliance often creates a strong foundation for meeting other state-level requirements as well.

CMIT Solutions brings the strategic guidance and technical expertise to help businesses navigate overlapping frameworks without having to tackle each one from scratch, drawing on shared tools, systems, and best practices built from supporting businesses across a wide range of industries and compliance environments.

For businesses working toward federal cybersecurity standards alongside CPRA, explore our CMMC compliance services to see how CMIT Solutions aligns both programs.

 

CPRA and cyber insurance: what your insurer may expect

Cybersecurity uncertainty does not stop at the regulatory level. It also shapes how insurers assess risk, and CPRA has made that relationship more direct. Insurers have grown more selective about the security controls they require before issuing or renewing coverage, and many of those controls align directly with CPRA’s own technical requirements.

Common insurer requirements that overlap with CPRA obligations include multi-factor authentication, endpoint protection, access controls, logging and monitoring, and incident response capabilities. A business that has worked through its CPRA compliance checklist, particularly the IT infrastructure and vendor management components, will typically be in a stronger position when applying for or renewing cyber liability coverage.

Many businesses assume their cyber insurance will cover them after an attack, but insurers increasingly require specific security controls before issuing or renewing coverage. A business that experiences a data breach and files a claim may face scrutiny over whether it maintained the controls it disclosed to the insurer.

If CPRA-mandated protections were absent, that gap could affect coverage outcomes.

CMIT Solutions helps businesses evaluate their security posture against both CPRA requirements and common insurer expectations, building protection to a standard that goes beyond baseline compliance and holds up to insurer scrutiny at renewal.

Use our insurance readiness assessment to see whether your current security environment aligns with modern insurer expectations.

 

Let CMIT Solutions guide your CPRA compliance program

CPRA compliance is not just a legal obligation. It is an opportunity to build the kind of secure, well-managed IT environment that protects your business, earns customer trust, and supports long-term growth.

For most SMBs, getting there requires more than an internal team can deliver alone. CMIT Solutions has been providing security-first managed IT services to small and mid-size businesses for more than 30 years, backed by a nationwide network of technology experts who bring enterprise-level capability to locally delivered, responsive support.

Our teams act as trusted technology advisors, not just a support desk. We assess your current data environment, identify gaps against CPRA’s technical requirements, and implement the layered security controls and operational practices that compliance demands, and that your business needs to operate with confidence.

Every recommendation is aligned with your business goals and informed by the latest thinking in cybersecurity, including how AI and emerging technologies are reshaping both the threat landscape and the compliance environment. Where on-site support is needed to assess systems or implement changes, our local teams are available to assist directly.

To see this approach in action, take a look at our Optyx case study. We helped Optyx, a multi-location optical retailer, unify its IT across locations with a consistent, secure infrastructure, bringing enterprise-level protection and standardized systems to a growing business operating across multiple sites.

Ready to turn CPRA compliance into stronger cybersecurity protection and long-term business resilience? Speak with a CMIT Solutions expert today, or call us at (800) 399-2648.

 

FAQs

Does CPRA apply to businesses located outside California?

CPRA applies to any for-profit business that collects personal data from California residents and meets at least one qualifying threshold, regardless of where the business is based. A company headquartered in Texas or New York that serves California customers and meets the revenue or data volume criteria must comply with CPRA in full, including consumer rights obligations and security requirements.

Does CPRA apply to nonprofits or government agencies?

The CPRA’s definition of a “business” covers only for-profit entities, so nonprofit organizations and government agencies fall outside its requirements. The definition does, however, extend to any entity that controls or is controlled by a covered business and shares common branding with it. A nonprofit that shares infrastructure, data systems, or branding with a for-profit affiliate should therefore review that relationship carefully, as the exemption does not automatically extend to entities with mixed or blended operational structures.

What is the difference between a service provider and a third party under CPRA?

Under CPRA, a service provider processes personal data on a business’s behalf under a written contract that restricts its own use of that data. A contractor is similar: it receives personal information under a written contract that limits its use, without necessarily processing the data on the business’s behalf. A third party receives data and may use it for its own purposes. The distinction matters because disclosing data to a third party can be a sale or sharing that triggers the California consumer’s right to opt out, while disclosure to a contracted service provider or contractor under a compliant contract does not constitute a sale or sharing under the law.

Can a business be held liable for how its vendors handle personal data?

Partly. A business that discloses personal information to a service provider or contractor under a compliant written contract is not liable for the vendor’s violation, provided it did not know or have reason to believe the vendor intended to misuse the data. That protection falls away when the contract lacks the CPRA-required terms, when the business ignores warning signs, or when it skips vetting a vendor that handles personal information, which is why vendor contract review and vendor vetting are compliance requirements rather than precautions.

What steps should a business take immediately after discovering a data breach?

After a breach of personal information, the immediate priorities are containing the incident, preserving evidence (logs and images of affected systems), and determining which categories of personal information, and which California residents, were affected. California’s breach notification law (Civil Code section 1798.82) requires notifying affected residents in the most expedient time possible and without unreasonable delay, and notifying the Attorney General when more than 500 California residents are notified in a single breach; the CPRA does not add a separate notification to the CPPA. A breach of nonencrypted and nonredacted personal information caused by a failure to maintain reasonable security also exposes the business to the CPRA’s private right of action.
