
California Privacy Rights Act: What It Means for Consumers
Privacy is a high priority for Californians, and recent changes in state law reflect that. In 2020, voters approved the California Privacy Rights Act (CPRA), a measure designed to strengthen the earlier California Consumer Privacy Act (CCPA). Together, these laws give individuals far more leverage over how companies handle their data.
In practice, this means Californians can demand transparency about how their information is collected, prevent certain types of data sales, and hold businesses legally accountable when their personal details are mishandled.
Expanded Rights Under the CPRA
The CPRA introduced new rights and broadened those already available under the CCPA. Californians can now:
- Request access to their data: Consumers have the ability to see what data is being collected, how it is used, and whether it is shared or sold.
- Delete personal data: Individuals can request removal of their information, with a few exceptions for necessary business uses.
- Correct errors: If a company keeps inaccurate or outdated records, consumers may ask for corrections.
- Limit use of sensitive information: A new category called “sensitive personal information” includes data such as race, religion, precise location, health details, and financial account information. Consumers may restrict how businesses process or share this information.
- Opt out of sales or sharing: Companies must give clear options—often via a “Do Not Sell or Share My Personal Information” link—to allow consumers to block data transfers to advertisers or partners.
- Protect minors’ data: If businesses exploit the data of children and teenagers, they face steeper penalties.
Why the CPRA Matters to You
Before California passed these laws, many companies quietly collected and sold consumer data without consent or transparency. The CPRA shifts power back into the hands of consumers. For example:
- If you discover that a retail app is selling your purchase history to advertisers, you can demand they stop.
- If a company suffers a data breach that exposes your email and password, you may be able to take legal action.
- If you don’t want businesses tracking your location every time you use a service, you can restrict that use.
How to Exercise Your Rights
Consumers should actively use the mechanisms the CPRA created:
- Review company policies: Businesses must provide clear language about how they handle CPRA requests.
- Submit requests: Ask for copies of your data, request corrections, or direct the business to delete information.
- Look for opt-out links: The law requires that many sites post visible links allowing users to stop sales or sharing.
- Respond to breaches: If your private details are exposed, you may be eligible to join legal claims.
- Seek legal advice: A consumer protection lawyer can help if a company ignores your rights or mishandles your request.
Why Work With The Lyon Firm
The CPRA imposes complex obligations on businesses, and many attempt to limit compliance. Consumers benefit from having experienced legal representation when companies refuse to honor requests or when their data is exposed.
The Lyon Firm has represented individuals in privacy, cybersecurity, and consumer protection cases across the country. We investigate data misuse, file individual claims and class actions, and hold corporations accountable when they put profits ahead of consumer rights.
Our approach is client-focused and contingency-based—meaning you owe nothing upfront, and legal fees are covered if your case is successful.
Frequently Asked Questions About the California Privacy Rights Act (CPRA)
1. What is the difference between the CCPA and the CPRA?
The California Privacy Rights Act (CPRA) builds on the California Consumer Privacy Act (CCPA). While the CCPA granted basic consumer rights like access and deletion, the CPRA strengthens those rights, adds new protections for sensitive personal information, and establishes the California Privacy Protection Agency (CPPA) to enforce compliance.
2. When did the CPRA go into effect?
The CPRA went into effect on January 1, 2023, and applies to data collected from January 1, 2022 onward. Enforcement began in July 2023 through the CPPA and the California Attorney General.
3. What counts as “sensitive personal information” under the CPRA?
The CPRA defines “sensitive personal information” broadly. It includes:
- Precise geolocation data
- Race, ethnicity, religion, or union membership
- Genetic, biometric, or health data
- Sexual orientation information
- Private communications such as emails or text messages
4. Who must comply with the CPRA?
The law applies to for-profit businesses doing business in California that meet one or more of the following thresholds:
- Gross annual revenues over $25 million
- Buys, sells, or shares personal information of 100,000+ consumers or households
- Derives 50% or more of annual revenues from selling or sharing consumer data
5. Can consumers sue companies directly under the CPRA?
Yes. The CPRA expands the private right of action first introduced in the CCPA. Consumers may sue if their personal information is exposed due to inadequate security practices, including cases where login credentials are stolen in a data breach.
6. What are the penalties for violating the CPRA?
Businesses may face fines of $2,500 per violation, or $7,500 per intentional violation or violations involving minors. Importantly, these fines can add up quickly in class action cases or large-scale breaches.