single php
cdp menu

Unraveling the mystery of CCPA & CPRA in 2023



Blog banner with the text California Privacy Rights Act (CPRA) & CCPA: Impact from 2023 with the California Map image, data privacy icon and legislators speaking

CCPA, GDPR, and other regulations have given enough safety nets to consumers concerning data privacy protection, especially in handling their data. California Privacy Rights Act, 2020, also known as the CPRA, is effective from January 1, 2023. CPRA is fully enforceable from July 1, 2023, and is an amendment to the existing CCPA (California Consumer Privacy Act, 2018) but not a replacement of the CCPA.

With emerging technology, the need for the emergence of new laws to regulate data arises. And the emerging data privacy regulations will bring doldrums to businesses & marketers as they are unsure how it will impact their existing operations.

Before we dive in to understand the complexities of the new data privacy law, the CPRA and how it impacts businesses & marketing teams,  let us know what the law says.

CPRA 2020: Coming into effect from 2023

CPRA – California Privacy Rights Act 2020, which has come into effect from January 1, 2023, is fully enforceable only from July 1, 2023. However, all businesses should follow the regulations mentioned in the CPRA, in addition to the existing CCPA regulations, from January 1, 2023.

Timeline for CCPA:

Below is the detailed timeline of how CCPA evolved

Infographic showing a detailed clear timeline from the action to initiate for California Privacy Rights Act (CPRA) - the CCPA, as amended

Starting it’s journey in 2019, CCPA evolved itself and has come into full force in January 2023.

California Consumer Privacy Act (CCPA), 2018: 

The voters of California approved CCPA in 2018 to safeguard their personal information and incorporate:

  • The right to know what information about them is collected by businesses and how it is used & shared
  • The right to get personal information about them deleted
  • The right to prohibit businesses from selling or sharing users’ personal information
  • The right to not be discriminated against, just because they are exercising their CCPA rights.

CCPA mandates that these rights are for all California residents, even if they are outside California temporarily. And it applies to all for-profit businesses that carry out business operations in California or drive more than or equal to 50% of their AR (annual revenue) from selling California residents’ personal information, or buying, selling, or receiving personal information of more than or equal to one hundred thousand California residents.


There is hype created among businesses across the world that CPRA is a new law that comes into effect in resemblance to the GDPR. However, it is an amendment to the current California Consumer Privacy Act (CCPA).

It is clarified by the Office of the Attorney General, that they refer to CPRA as “CCPA” or “CCPA, as amended.” The Attorney General’s office was held responsible for enforcing CCPA earlier until December 2020. 

The two extra rights CPRA provides in addition to the existing rights provided by CCPA are:

  • Right to Correct Inaccurate Personal Information
  • Right to Limit Use of Sensitive Personal Information

CPRA will establish California Privacy Protection Agency (CPPA). CPPA is vested with the full administrative power, authority, and jurisdiction to enforce CPRA. CPPA takes control from the Office of the Attorney General to administer & enforce CCPA.

CPRA has added a new term – Sensitive Personal Information, in addition to Personal Information in CCPA. This move is seen as an inspiration of CPRA from the EU’s GDPR. It is also an example to show that CPRA incorporates GDPR-like provisions, moving a step further into a privacy-compliant world.

Impact of CPRA:

Marketers who were collecting user data from third-party and second-party sources will face consequences due to the new CCPA. However, the right to opt-out does not regulate non-personalized advertising. CPRA mentions that businesses which run non-personalized advertising shall not build a customer profile.

Screenshot from CCPA actual PDF containing the part on Cross-context behavioural advertising to the consumer

The above image is a screenshot from the Official CCPA, as amended, document. CPRA mentions that no business can sell or share the personal information of opted-out consumers. In addition, it mentions – “no business shall combine the personal information of opted-out users with that of the personal information they receive from a third party or second party”. So that businesses do not build a customer profile using personally identifiable information (PII).

Under the new CPRA, businesses are restricted to sell, buy, or share customer data with other parties to build customer profiles. This means CPRA discourages the use of second-party and third-party data. The California Privacy Rights Act (CPRA) does not impose restrictions on businesses that collect customer data with the customer’s consent for behavioral advertising purposes. CPRA encourages businesses to rely solely on first-party data, instead of second-party and third-party data. 

CPRA encourages the use of First-party data for Behavioral Advertising.

By focusing on first-party data, businesses can promote transparency and build stronger relationships with their customers. 

Do you want to go a step further? Collect Zero-party data! – Read our crisp blog on what is Zero-party data & how it is crucial to marketers.

CPRA also provides for what is the meaning of cross-context behavioral advertising, and it means:

Screenshot from CCPA actual PDF containing the part on Cross-context behavioural advertising to the consumer

The Way-Forward:

Every business should collect data in compliance with the CPRA guidelines and adhere to all the regulations mentioned. Here is what businesses should do:

  • Collect: Organizations should collect the information only to the extent needed and with consent for the specific purpose.
  • Use: Use the data only for the purpose for which it collects. If it wishes to use it for other purposes, the consent of the users is again necessary.
  • Retention: Data should be stored only for a reasonable period, and you should inform the users of the duration for which the data is stored.
  • Refrain from disclosing or sharing data: Organizations should refrain from selling, disclosing, or sharing Sensitive Personal Information, for specific secondary purposes, with any other party.
  • Audit & Assessment: Organizations should audit their systems regularly at defined intervals to ensure data is secured and there are no breaches. Businesses should also conduct risk assessments to understand the strength of their cybersecurity frameworks and submit it to CPPA.

How your business can comply with CCPA:

As a data-driven digital marketer, collection & analysis of data is of high importance to understand user behavior and run high-performing ad campaigns. With GDPR and CCPA-like regulations emerging, you must turn to a fully privacy-compliant CDP like CustomerLabs. Trust us to collect and seamlessly integrate your real-time data with ad platforms. A step towards CustomerLabs will ensure your data is safe and secure in compliance with all data privacy regulations.

Our systems are highly secured and collect user-behavior data transparently. We have advanced technology that hashes the data before syncing it with the ad platforms such as Google, Facebook, etc. Thus, we are compliant with data privacy regulations across the world. While we offer comprehensive 360-degree customer profiling, we still maintain user privacy without disclosing personal information and Sensitive Personal Information.

CTA image with the text Make your data collection privacy compliant today by adopting the world’s most advanced CDP, CustomerLabs CDP

Key Takeaways:

  • CPRA is an amendment to the existing CCPA, taking it a step closer to a GDPR-like law that offers more privacy to users.
  • Users of California now enjoy two more rights in addition to the rights they enjoyed until 2022.
  • California Privacy Protection Agency (CPPA) will be the sole authority with full administrative power & jurisdiction to implement and enforce the CCPA.
  • Businesses & marketers should embrace the changes and adapt to the future of marketing.
  • Understand your consumers better in compliance with the data-privacy regulations across the globe.
  • Collect consumer data in compliance with data privacy regulations.
  • Protect consumer privacy while offering personalization.
  • Adopt First-party data strategies.
CTA with button text - Talk to first-party data experts and Know how to make your Business CPRA compliant & data privacy law compliant with First-party data using CustomerLabs CDP

Wanna know in detail about CCPA? Read-on – View the CCPA document (PDF)

Frequently Asked Questions (FAQs)

As per the Act, the California Privacy Rights Act (CPRA) is effective from January 1, 2023 and the lookback period would be a year prior i.e., January 1, 2022. However, its full fledged enforcement will be from July 1, 2023.
All residents of California will have the rights under the California Consumer Privacy Act.
The California Consumer Privacy Act has an opt-out policy - i.e., the user data can be collected by anyone and by any means to process it as long as the user themselves does not reach out to the one processing the data. And the GDPR has an opt-in policy which mandates the businesses to seek for consent even before collecting the data from the user.
With the recent amendment to the CCPA, i.e., the CPRA - also known as ‘CCPA’ or ‘CCPA, as amended’, it felt that CCPA has inspired and is being guided by the GDPR. However, the core principles of CCPA are - Accountability, Control & Transparency.
CCPA applies to every organization that collects the user data of Californians regardless of where the organization is located.
The CCPA mentions that ‘California Privacy Protection Agency’ has full authority to enforce the CCPA and is reinforced with full administrative powers & jurisdiction.

Marketing enthusiast who enjoys writing articles on a wide range of topics including Marketing, SaaS, Technology, Construction, Life lessons, Public Policy Nature, and Sustainability. Good at Public Policy analysis with a deeper understanding of societal issues and potential solutions. Also loves to volunteer & contribute to society in every possible way.

The latest news, perspectives, and insights from CustomerLabs

More Blogs

View all
Why is first-party data Go-to-strategy in 2023 for eCommerce Marketers
First-Party Data A Go-to Strategy In 2023 For Marketers

First-party data is the go-to solution for marketers in the future. Know how first-party data strategies can help you run personalized ads.

Read more
9 reasons why ecommerce need CDP
9 Reasons Why E-Commerce Businesses Need CDP

Ecommerce businesses has been accelerated like never before and the the key to win the market with data lies with CDP.

Read more

Get started with CustomerLabs CDP

Schedule a 1-1 Demo


Unified data to boost ecommerce growth


Engage your customers across the funnel with a unified martech stack


Increase product metrics with a unified martech stack


Scale your customers quickly with the right data