The California Privacy Rights Act (CPRA), approved by voters in November 2020 and operative from January 1, 2023, is not a new law. It amended the existing CCPA. But the amendments are substantial enough that companies compliant with the original CCPA are not necessarily compliant with CCPA-as-amended-by-CPRA. For PE deal teams, the CPRA amendments introduce obligations that did not exist when many portfolio companies last reviewed their privacy programs.
Sensitive Personal Information
CPRA created a new category: sensitive personal information (SPI). This includes Social Security numbers, driver's license numbers, financial account credentials, precise geolocation, racial or ethnic origin, religious beliefs, union membership, the contents of mail, email, and text messages, genetic data, biometric data, health data, and data about sex life or sexual orientation. SPI did not exist as a distinct category under the original CCPA.
The new obligation is specific. Consumers have the right to limit a business's use of their sensitive personal information to purposes that are necessary to perform the services or provide the goods reasonably expected by the consumer. Businesses that use SPI for secondary purposes (profiling, cross-context behavioral advertising, selling) must provide a "Limit the Use of My Sensitive Personal Information" link and honor the consumer's choice.
What we see consistently in PE-backed companies is that the SPI category has not been operationalized. The company may have updated its privacy policy to reference sensitive personal information. But the data architecture does not distinguish SPI from ordinary personal information. There is no separate tagging, no separate access controls, no separate consent mechanism, and no "Limit Use" link on the website. The compliance is textual, not operational.
The "Sharing" Expansion
The original CCPA gave consumers the right to opt out of the "sale" of personal information. CPRA expanded this to include "sharing," defined as making personal information available to a third party for cross-context behavioral advertising purposes. This expansion closed the loophole that allowed companies to claim they were not "selling" data when they shared it with advertising platforms for targeting.
The practical impact is significant. Every company that sends customer data to Meta, Google, TikTok, or any other advertising platform for audience targeting is "sharing" personal information under CPRA's definition. That sharing triggers the opt-out right. The "Do Not Sell or Share My Personal Information" link must cover both activities. And opt-out signals, including the browser-level Global Privacy Control (GPC) signal, must be propagated to all advertising partners, not just data brokers.
For PE-backed D2C and performance marketing companies, this expansion changes the compliance scope dramatically. The original CCPA opt-out affected a narrow set of data transactions. The CPRA opt-out affects every advertising platform integration. A consumer who opts out must be excluded from custom audiences, lookalike audiences, and retargeting segments across every advertising channel. The technical implementation of that exclusion is materially more complex than what the original CCPA required.
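The opt-out plumbing described in the two paragraphs above, as an added example that is not part of the original article and is not any vendor's SDK: it honours the GPC signal (the `Sec-GPC: 1` request header), records link-based opt-outs in the same registry, and applies one exclusion set to every advertising-partner audience export, with a fail-closed check before upload. Consumer ids, partner names and request headers are constructed for illustration.

```python
"""
Opt-out propagation for "sell or share" under CPRA.
Constructed example: consumer ids, partner names and headers are made up.
"""
from dataclasses import dataclass, field


@dataclass
class OptOutRegistry:
    # consumer_id -> how the opt-out arrived ("gpc" header or "link" click)
    opted_out: dict = field(default_factory=dict)

    def record(self, consumer_id: str, source: str) -> None:
        self.opted_out[consumer_id] = source

    def is_opted_out(self, consumer_id: str) -> bool:
        return consumer_id in self.opted_out


def gpc_signal_present(headers: dict) -> bool:
    """True when the request carries a valid Global Privacy Control signal.
    GPC is sent as `Sec-GPC: 1`. Any other value, or an absent header, is
    simply "no signal": it must not be read as consent or as a revocation."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def process_request(registry: OptOutRegistry, consumer_id: str,
                    headers: dict, clicked_link: bool = False) -> bool:
    """Apply an opt-out from either channel. GPC is honoured automatically;
    the "Do Not Sell or Share" link is an explicit click. Both land in the
    same registry so downstream systems have a single source of truth.
    An existing opt-out is never cleared by a later request without GPC."""
    if gpc_signal_present(headers):
        registry.record(consumer_id, "gpc")
    elif clicked_link:
        registry.record(consumer_id, "link")
    return registry.is_opted_out(consumer_id)


# Hypothetical partner integrations; the point is that every one of them
# receives the same exclusion, not just the data brokers.
PARTNERS = ("meta_custom_audience", "google_customer_match", "tiktok_audience")


def build_audience_exports(consumers: list, registry: OptOutRegistry) -> dict:
    """One exclusion set applied uniformly: opted-out consumers are removed
    from custom, lookalike-seed and retargeting lists for every partner."""
    eligible = [c for c in consumers if not registry.is_opted_out(c)]
    return {partner: list(eligible) for partner in PARTNERS}


def verify_no_leak(exports: dict, registry: OptOutRegistry) -> dict:
    """Pre-upload detection check. Returns {partner: [leaked ids]}; an empty
    dict means the exports are safe to send. Run this as a gate, not a log."""
    leaks = {}
    for partner, ids in exports.items():
        bad = [c for c in ids if registry.is_opted_out(c)]
        if bad:
            leaks[partner] = bad
    return leaks


def demo() -> dict:
    """Walk three constructed consumers through the pipeline."""
    reg = OptOutRegistry()
    process_request(reg, "c1", {"User-Agent": "x"})                 # no signal
    process_request(reg, "c2", {"Sec-GPC": "1"})                    # GPC opt-out
    process_request(reg, "c3", {"sec-gpc": "0"}, clicked_link=True)  # link opt-out
    process_request(reg, "c2", {})  # later request without GPC: opt-out persists
    exports = build_audience_exports(["c1", "c2", "c3"], reg)
    return {"registry": dict(reg.opted_out), "exports": exports,
            "leaks": verify_no_leak(exports, reg)}


if __name__ == "__main__":
    print(demo())
```

The registry is deliberately append-only from the request path: absence of `Sec-GPC` on a later visit is not a withdrawal of the opt-out, so a consumer who opted out on one browser stays excluded until they affirmatively opt back in through a separate flow.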
Data Minimization and Purpose Limitation
CPRA introduced two principles that did not exist in the original CCPA: data minimization and purpose limitation. Businesses must not collect personal information beyond what is "reasonably necessary and proportionate" to the purposes disclosed. Businesses must not retain personal information longer than "reasonably necessary" for the disclosed purpose. And businesses must not use personal information for purposes that are not "compatible" with the disclosed purpose without providing new notice.
These principles represent a philosophical shift. The original CCPA was a transparency and control law: tell consumers what you collect and let them opt out. CPRA added substantive limits on what companies can collect and how long they can keep it, regardless of whether the consumer opts out. This aligns CPRA more closely with GDPR's data minimization principle.
The operational impact for PE-backed companies is that data hoarding becomes a compliance risk. Marketing databases that retain consumer data indefinitely "because we might need it" violate CPRA's retention limitation. Data collection practices that capture every available data point "because the pixel can" violate CPRA's collection limitation. Both require active governance: documented justifications for collection scope and automated enforcement of retention periods.
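What "operationalized" SPI handling and active retention governance look like in code, covering both the tagging gap described under Sensitive Personal Information above and the collection, retention and purpose limits in the three paragraphs just above. This is an added example, not code from the original article or from any vendor: a field-level inventory tags each field as PI or SPI with a retention window, a purpose gate denies SPI for secondary purposes once a consumer has limited use, a collection filter drops fields not needed for the stated purpose, and a retention pass strips expired fields. Field names, purposes and retention windows are constructed placeholders, not a legal schedule.

```python
"""
Field-level data governance for CPRA: SPI tagging, purpose limitation,
collection minimization and retention enforcement.
Constructed example; field names, purposes and windows are illustrative.
"""
from datetime import datetime, timedelta
from enum import Enum


class Category(Enum):
    PI = "personal_information"
    SPI = "sensitive_personal_information"


# Disclosed purposes. NECESSARY are those a consumer would reasonably
# expect from the service; SECONDARY are subject to "Limit the Use" for SPI.
NECESSARY = {"fulfil_order", "fraud_prevention", "customer_support"}
SECONDARY = {"profiling", "cross_context_ads", "sale"}

# Data inventory: field -> (category, retention window in days). Constructed.
INVENTORY = {
    "email":            (Category.PI,  365),
    "shipping_address": (Category.PI,  365),
    "precise_geo":      (Category.SPI, 30),
    "ssn":              (Category.SPI, 90),
    "health_condition": (Category.SPI, 90),
}

# Documented justification for collection scope: which fields each
# disclosed purpose actually needs. Constructed mapping.
PURPOSE_FIELDS = {
    "fulfil_order":     {"email", "shipping_address"},
    "fraud_prevention": {"email", "precise_geo"},
    "customer_support": {"email"},
    "profiling":        {"email", "precise_geo"},
    "cross_context_ads": {"email"},
    "sale":             {"email"},
}


def is_spi(field_name: str) -> bool:
    return INVENTORY[field_name][0] is Category.SPI


def use_permitted(field_name: str, purpose: str, consumer_limited_spi: bool) -> bool:
    """Purpose-limitation gate for a single field access.
    - An undisclosed purpose is denied outright (it needs new notice first).
    - SPI for a secondary purpose is denied once the consumer has clicked
      "Limit the Use of My Sensitive Personal Information".
    Ordinary PI passes here; its sale/share opt-out is a separate control."""
    if purpose not in NECESSARY | SECONDARY:
        return False
    if is_spi(field_name) and purpose in SECONDARY and consumer_limited_spi:
        return False
    return True


def minimize_collection(requested: set, purpose: str) -> tuple:
    """Collection limitation: keep only fields the purpose is documented to
    need. Returns (allowed, rejected); rejected fields are not stored."""
    needed = PURPOSE_FIELDS.get(purpose, set())
    allowed = {f for f in requested if f in needed}
    return allowed, requested - allowed


def expired_fields(record: dict, collected_at: datetime, now: datetime) -> list:
    """Retention limitation: fields held past their inventory window."""
    return sorted(
        f for f in record
        if f in INVENTORY and now - collected_at > timedelta(days=INVENTORY[f][1])
    )


def enforce_retention(record: dict, collected_at: datetime, now: datetime) -> dict:
    """Return a copy of the record with expired fields removed; meant to run
    on a schedule rather than waiting for a deletion request."""
    gone = set(expired_fields(record, collected_at, now))
    return {f: v for f, v in record.items() if f not in gone}


if __name__ == "__main__":
    rec = {"email": "a@example.test", "precise_geo": "0,0", "ssn": "000-00-0000"}
    t0 = datetime(2024, 1, 1)
    print(use_permitted("ssn", "cross_context_ads", consumer_limited_spi=True))
    print(minimize_collection({"email", "precise_geo", "health_condition"}, "fulfil_order"))
    print(enforce_retention(rec, t0, t0 + timedelta(days=100)))
```

Two design points: the purpose gate treats an unlisted purpose as denied rather than as "not yet classified", so a new use of data cannot slip through before notice is updated; and the inventory is the only place where category and retention live, so adding a field without classifying it fails loudly (a `KeyError` in `is_spi`) instead of silently defaulting to ordinary PI.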
The California Privacy Protection Agency
CPRA created the California Privacy Protection Agency (CPPA) as a dedicated enforcement body. Under the original CCPA, enforcement was the responsibility of the California Attorney General's office, which had competing priorities and limited bandwidth for privacy enforcement. The CPPA is a standalone agency with a dedicated budget, rulemaking authority, and an explicit mandate to enforce CCPA/CPRA.
The CPPA's impact has been immediate. The agency began enforcement activities in 2023, launched investigative sweeps targeting specific compliance areas (GPC signal honoring, opt-out mechanisms, data broker registration), and issued guidance on multiple topics. The CPPA removed the 30-day cure period that existed under the original CCPA, meaning businesses no longer have a grace period to fix violations after receiving notice.
For PE deal teams, the CPPA's existence changes the enforcement risk calculation. Under the original CCPA, enforcement was sporadic and the cure period provided a safety valve. Under CPRA, enforcement is systematic, the cure period is gone, and the enforcing agency has dedicated resources. The probability of enforcement for non-compliant companies has increased materially. Deal models that priced CCPA risk based on pre-CPPA enforcement levels are underestimating current exposure.
The CPPA is also pursuing rulemaking on cybersecurity audits, risk assessments, and automated decision-making. These forthcoming regulations will impose additional compliance obligations on businesses that process personal information at scale. PE-backed companies should monitor the CPPA rulemaking calendar and plan for compliance before regulations finalize, not after.