The CPRA did not replace the CCPA. It rewrote parts of it. California's Attorney General and the California Privacy Protection Agency now refer to the law simply as "the CCPA, as amended" - one statute, updated. That distinction matters because every obligation that existed under the original CCPA still applies unless the CPRA specifically changed it.

California voters passed Proposition 24 in November 2020, creating the California Privacy Rights Act. The amendments took effect on 1 January 2023, with enforcement beginning in February 2024 after a court challenge delayed the original July 2023 start date. Since then, regulators have moved quickly: the California AG secured a record $1.55 million settlement with Healthline Media in July 2025 for failing to honour consumer opt-outs and sharing health-related browsing data with advertisers.

Who Each Law Applies To

The original CCPA applied to for-profit businesses operating in California that met any one of three thresholds: annual gross revenue above $25 million, buying or selling personal information of 50,000 or more consumers, households, or devices, or deriving 50% or more of annual revenue from selling personal information.

The CPRA changed two of those three criteria. The consumer data threshold rose from 50,000 to 100,000 consumers or households - and the word "devices" was dropped entirely. The revenue figure was also adjusted for inflation to $26,625,000 as of January 2025. The third criterion expanded from "selling" to "selling or sharing" personal information, which brought businesses engaged in cross-context behavioural advertising into scope even if no money changed hands.

The net effect: a handful of very small businesses fell out of scope, while a much larger group of companies running targeted advertising were pulled in.

New Consumer Rights Under the CPRA

The CCPA gave California residents four core rights: the right to know what personal information a business collects, the right to delete that information, the right to opt out of data sales, and the right to non-discrimination for exercising those rights. The CPRA kept all four and added more.

Consumers can now request that a business correct inaccurate personal information. They can limit how a business uses their sensitive personal information. They can opt out of automated decision-making technology (ADMT) used for significant decisions such as employment screening, credit approvals, and insurance underwriting. And the CPRA expanded the existing right to know by extending its scope to include data that a business shares, not just data it sells.

The right to opt out itself was broadened significantly. Under the original CCPA, consumers could only opt out of the sale of their personal information. The CPRA extended this to sharing - defined as making personal information available to a third party for cross-context behavioural advertising, regardless of whether money is exchanged. If your website loads a third-party tracking pixel that profiles visitors across multiple sites, that counts as sharing.

Sensitive Personal Information: A Category That Did Not Exist Before

The CCPA had one broad definition of "personal information." The CPRA carved out a new subcategory called sensitive personal information (SPI), subject to stricter rules. SPI includes social security numbers, driver's licence numbers, financial account credentials, precise geolocation, racial or ethnic origin, religious beliefs, contents of private communications, genetic data, biometric data, health information, and data about sexual orientation.

Consumers can direct a business to limit its use of SPI to purposes that are strictly necessary for providing the goods or services they requested. In practical terms, this means a business collecting SPI must display a "Limit the Use of My Sensitive Personal Information" link alongside the existing "Do Not Sell or Share My Personal Information" link.

| Feature | CCPA (Original) | CCPA as Amended by CPRA |
|---|---|---|
| Consumer data threshold | 50,000 consumers, households, or devices | 100,000 consumers or households (devices removed) |
| Revenue threshold (2025) | $25,000,000 | $26,625,000 (CPI-adjusted) |
| Opt-out scope | Sale of personal information | Sale and sharing of personal information |
| Sensitive personal information | Not defined as a separate category | Defined with stricter use limitations |
| Right to correct data | No | Yes |
| Right to limit SPI use | No | Yes |
| Opt-out of automated decisions | No | Yes (ADMT regulations finalised July 2025) |
| Enforcement body | Attorney General only | Attorney General + CPPA |
| 30-day cure period | Mandatory | Discretionary |
| Minors' consent (re-request delay) | No specific waiting period | 12-month wait after refusal |

The California Privacy Protection Agency

Before the CPRA, only the California Attorney General could enforce the CCPA. The CPRA created the California Privacy Protection Agency (CPPA) - the first dedicated data protection authority in the United States. The CPPA has rulemaking power, can conduct audits, and can levy administrative fines directly after formal proceedings.

The agency has been active. In 2025 alone, the CPPA issued a $1.35 million fine against Tractor Supply Company for privacy notice and opt-out failures, a $632,500 fine against American Honda Motor Co., and a $345,178 fine against clothing retailer Todd Snyder for an opt-out mechanism that was non-functional for 40 days. The CPPA also launched a Data Broker Enforcement Strike Force in November 2025, bringing multiple actions against unregistered data brokers under California's Delete Act.

Meanwhile, the Attorney General's office has pursued its own cases independently. The $1.55 million Healthline Media settlement in July 2025 - the largest CCPA penalty to date - involved a technically sophisticated investigation that examined actual cookie deployment, pixel firing, browser local storage, and downstream data flows to advertising partners.

The 30-Day Cure Period Is Gone

Under the original CCPA, businesses received a mandatory 30-day window to fix violations before regulators could pursue penalties. The CPRA removed this guarantee. Regulators now have discretion over whether to offer a cure period at all. In practice, recent enforcement actions show that neither the CPPA nor the AG's office has been offering businesses extra time to remedy issues before imposing fines.

What "Sharing" Means for Cookies and Tracking

The CPRA's expanded definition of "sharing" is where cookies, pixels, and tracking scripts become directly relevant. Sharing is defined as making a consumer's personal information available to a third party for cross-context behavioural advertising - whether or not any monetary consideration is involved.

A typical website with Google Analytics, Meta Pixel, or similar tools transmits visitor data to third parties that use it for advertising across multiple sites. Under the CPRA, this qualifies as sharing. Your site must offer consumers a way to opt out, usually through a "Do Not Sell or Share My Personal Information" link, and must honour opt-out preference signals such as the Global Privacy Control (GPC).

Unlike the GDPR, the CCPA/CPRA does not require opt-in consent before setting cookies (with one exception: minors under 16 require opt-in consent, and children under 13 require parental consent). The model is opt-out. You can set cookies when a visitor arrives, but you must clearly disclose what data you collect, explain how it is used, identify the third parties receiving it, and provide a simple mechanism for the visitor to say no.

Global Privacy Control Is Now Mandatory

The GPC is a browser-level signal that communicates a consumer's preference not to have their data sold or shared. California regulators treat it as a legally binding opt-out request under the CCPA. The 2022 Sephora enforcement action ($1.2 million settlement) established the precedent, and every major enforcement case since has included GPC compliance as an issue.

In September 2025, the CPPA joined forces with the Attorneys General of Colorado and Connecticut for a coordinated sweep targeting businesses that fail to honour GPC signals. California also signed the Opt Me Out Act (AB 566) in October 2025, which requires all major browsers to include built-in GPC functionality by January 2027.

New regulations effective 1 January 2026 go further: businesses must now confirm to consumers that their opt-out request has been processed, including requests received via GPC. A simple "Opt-Out Request Honoured" message on the website satisfies this requirement.

Updated Fines and Penalties

Penalty amounts are adjusted every two years based on the Consumer Price Index. As of January 2025 (valid through 2026), the figures are:

| Violation Type | Fine Per Violation |
|---|---|
| Unintentional / negligent | Up to $2,663 |
| Intentional | Up to $7,988 |
| Involving minors (under 16) | Up to $7,988 |
| Consumer damages (data breach) | $107 - $799 per incident |

Each violation is counted per affected consumer. The Healthline case illustrates what this means in practice: investigators identified more than 65,000 consumers whose opt-out requests were not properly honoured. At $7,988 per intentional violation, the theoretical maximum exposure exceeded $500 million. Healthline cooperated with investigators and settled for $1.55 million - a fraction of its possible liability, but still the largest CCPA settlement on record.

New Regulations Taking Effect in 2026 and Beyond

The CPPA finalised a major package of regulations in July 2025, approved by the Office of Administrative Law in September 2025. Several provisions took effect on 1 January 2026, with others phased in later:

Effective 1 January 2026: Businesses must confirm opt-out processing to consumers. Mobile apps must include a link to the privacy policy in their settings menu (previously optional). Closing or navigating away from a cookie banner without clicking "accept" does not count as consent - the CPPA explicitly flagged this as a potential dark pattern. Privacy policies must now disclose categories of personal information shared with service providers and contractors, not just third parties.

Effective later (phased by revenue): Cybersecurity audit certifications are due by April 2028 for businesses earning over $100 million, April 2029 for those earning between $50 million and $100 million, and April 2030 for those below $50 million. Data processing risk assessments must be completed before initiating new processing activities from 2026 onwards, with existing activities assessed by December 2027.

Automated decision-making technology (ADMT): The finalised rules narrow the scope to technologies that replace or substantially replace human decision-making for significant consumer decisions. Behavioural advertising was removed from the ADMT definition in the final version - a notable change from earlier drafts that would have captured first-party advertising.

How CCPA/CPRA Differs from GDPR for Cookie Compliance

If your website serves visitors from both California and the EU, the consent models are fundamentally different. The GDPR (and the ePrivacy Directive, specifically Article 5(3)) requires prior, informed, opt-in consent before setting non-essential cookies. The CCPA/CPRA allows cookies to be set immediately but requires disclosure, an opt-out mechanism, and the ability to honour preference signals like GPC.

Running a single consent banner that satisfies both regimes is possible but requires geo-detection. European visitors need an opt-in banner that blocks non-essential cookies until consent is given. Californian visitors need clear information about data collection, a "Do Not Sell or Share" link, and a mechanism that stops third-party data sharing when triggered. A consent management platform that detects visitor location and serves the correct experience handles both without manual intervention. Kukie.io's geo-detection feature adjusts the banner behaviour based on where the visitor is browsing from.

Practical Steps to Comply with Both CCPA and CPRA

The starting point is knowing exactly which cookies and tracking scripts run on your site. Many businesses discover third-party cookies they did not deliberately place - leftover tags from former analytics tools, embedded widgets, or advertising partners added by a previous developer. A thorough cookie scan identifies every cookie, its source, its purpose, and its expiry.

Update Your Privacy Policy

Your privacy policy must disclose the categories of personal information collected, the purposes for collection, whether information is sold or shared, and the categories of third parties receiving it. The CPRA added a requirement to identify sensitive personal information separately and explain how consumers can limit its use. As of 2026, you must also disclose categories shared with service providers and contractors.

Implement Opt-Out Mechanisms

Display a "Do Not Sell or Share My Personal Information" link prominently on your website. If you collect sensitive personal information, add a "Limit the Use of My Sensitive Personal Information" link as well. Both links must lead to functional mechanisms - the Todd Snyder enforcement action resulted in a $345,178 fine partly because the opt-out link was broken for 40 days.

Honour GPC Signals

Configure your consent management platform to detect the Sec-GPC HTTP header and treat it as a valid opt-out. When a visitor's browser sends a GPC signal, third-party cookies involved in data sharing for advertising must be suppressed. From 2026, you must also display a confirmation that the signal was processed.
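The request-side check described above, as an added example that is not Kukie.io's code or part of the original article: it treats a `Sec-GPC: 1` header (or a previously stored opt-out) as a sale/share opt-out, withholds the tags that count as sharing, persists the choice, and returns the confirmation text. The tag names and the cookie name are constructed for the example.

```javascript
// Added example, not Kukie.io or page code. Server-side gate for one request:
// "Sec-GPC: 1" or a stored opt-out cookie means no sharing tags may load,
// the choice is recorded, and the visitor is shown a confirmation.
// Tag names and the cookie name are constructed for this example.

const SHARING_TAGS = ["meta-pixel", "google-ads-remarketing"]; // cross-context ads = "sharing"
const ESSENTIAL_TAGS = ["session", "load-balancer"];           // not sharing; always allowed
const OPT_OUT_COOKIE = "ccpa_opt_out";                          // constructed cookie name

// HTTP header names are case-insensitive; normalise before looking anything up.
function normaliseHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// The GPC specification defines exactly one valid opt-out value for the header: "1".
// Any other value (including "0" or garbage) is not an opt-out signal.
function hasGpcSignal(headers) {
  return normaliseHeaders(headers)["sec-gpc"] === "1";
}

// A recorded opt-out keeps being honoured even if the browser later stops sending GPC.
function hasStoredOptOut(headers) {
  const cookie = normaliseHeaders(headers)["cookie"] || "";
  return cookie.split(";").some((c) => c.trim() === `${OPT_OUT_COOKIE}=1`);
}

// Decide which tags the page may load and what the response must carry.
function decideTags(headers) {
  const stored = hasStoredOptOut(headers);
  const optedOut = hasGpcSignal(headers) || stored;
  return {
    optedOut,
    allowedTags: optedOut ? ESSENTIAL_TAGS : [...ESSENTIAL_TAGS, ...SHARING_TAGS],
    // Persist a fresh GPC opt-out; an already-stored one needs no new Set-Cookie.
    setCookie: optedOut && !stored
      ? `${OPT_OUT_COOKIE}=1; Path=/; Max-Age=31536000; SameSite=Lax; Secure`
      : null,
    // Confirmation text the 2026 regulations require once the request is processed.
    confirmation: optedOut ? "Opt-Out Request Honoured" : null,
  };
}
```

The same decision should be repeated client-side against `navigator.globalPrivacyControl` for pages served from cache, since a cached response never sees the request header.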

Audit Your Vendor Contracts

The Healthline settlement highlighted contract compliance as a priority for regulators. Every agreement with a third party that receives personal information must contain CCPA-required terms specifying the limited purposes for which the data can be used and obligations to honour consumer opt-outs. Do not assume vendors have signed the right framework - verify it.

Scan and Categorise Your Cookies

If you do not know which cookies your site sets, you cannot disclose them accurately or suppress the right ones when a visitor opts out. Run a free scan with Kukie.io to identify every first-party and third-party cookie, categorise them by purpose, and map which ones involve data sharing with external parties.

Frequently Asked Questions

Does the CPRA replace the CCPA?

No. The CPRA amends the CCPA rather than replacing it. California regulators refer to the combined law as "the CCPA, as amended by the CPRA." All original CCPA provisions remain in effect unless specifically changed by the CPRA.

Do I need opt-in cookie consent under the CCPA/CPRA?

Not for most visitors. The CCPA/CPRA uses an opt-out model, meaning you can set cookies when someone visits your site. However, you must disclose what data you collect, provide a clear opt-out mechanism for data selling or sharing, and honour Global Privacy Control signals. Opt-in consent is required only for minors under 16.

What is the difference between selling and sharing personal information?

Selling involves disclosing personal information to a third party for monetary or other valuable consideration. Sharing involves making personal information available for cross-context behavioural advertising, even without payment. The CPRA added "sharing" to close a loophole where companies claimed they were not "selling" data when allowing advertising partners to access it.

What happens if my website does not honour GPC signals?

Failure to honour GPC is treated as a failure to process a valid opt-out request under the CCPA. Regulators have fined businesses for this specific violation, including a $1.2 million settlement with Sephora in 2022 and a $1.55 million settlement with Healthline Media in 2025. A coordinated multi-state enforcement sweep targeting GPC non-compliance was announced in September 2025.

What are the current CCPA fines for 2025-2026?

As of January 2025, fines are $2,663 per unintentional violation and $7,988 per intentional violation or violation involving a minor's data. Consumer damages for data breaches range from $107 to $799 per i