Data privacy regulations have been a hot topic in the ever-changing discussion of consumer privacy. So far in 2021, 27 bills have been proposed in states that seek to implement new data privacy laws or change existing ones.[1] By comparison, only two state-level bills were introduced in all of 2018.[2]

One of those 2018 bills was the California Consumer Privacy Act (CCPA), a wide-reaching statute designed to enhance online consumer privacy for California residents.[3] On November 3, 2020, just nine months after the CCPA became enforceable,[4] California voters passed Prop 24 (also known as the California Privacy Rights Act or “CPRA”), which contains several significant changes to the CCPA.[5] However, businesses still have some time to study and adapt to these changes. The CPRA will only apply to personal information collected by a business on or after January 1st, 2022, and the CPRA does not become operative law until January 1st, 2023.[6] Although they are not yet effective, the CPRA enhancements to the CCPA will no doubt be very impactful. Among other things, the CPRA changes which entities are required to comply with the CCPA and also establishes the California Privacy Protection Agency.[7]

CPRA Changes to Regulated Entities

To be regulated under the CCPA, a “business” as defined under California law must satisfy at least one of the following three conditions: (1) it has annual gross revenue above twenty-five million dollars; (2) alone or in combination, it is involved in the buying, selling, or sharing of personal information of fifty thousand or more consumers, households, or devices; or (3) it derives fifty percent or more of its annual revenue from selling consumers’ personal information.[8]

The CPRA makes three fairly significant changes to these jurisdictional conditions.[9] The first is that the numeric threshold of “fifty thousand or more consumers, households, or devices” will be increased to one hundred thousand.[10] The second is that devices will no longer be considered when calculating the jurisdictional threshold.[11] The third is the addition of the phrase “or sharing” to regulate entities that derive fifty percent or more of their annual revenues from selling or sharing personal information.[12] In other words, entities will no longer be able to avoid compliance by claiming that more than fifty percent of their annual revenue comes from sharing information, and not selling it.

Creation of The California Privacy Protection Agency

Currently, the CCPA only allows individuals and the California Attorney General to bring claims alleging CCPA violations.[13] Although the California AG has the authority to bring claims, that office is only equipped to handle a handful of cases per year.[14] Section 24 of the CPRA creates the California Privacy Protection Agency,[15] which will not only administer and enforce actions involving the CCPA but also promote public awareness of online security and provide guidance to consumers and businesses regarding their rights and duties under the CCPA.[16] The creation of an agency funded with ten million dollars to issue sanctions to companies that violate the CPRA should lessen the burden that is currently placed on the California Attorney General.[17]


The CCPA and CPRA have placed California at the forefront of state online consumer privacy laws. Given the large number of California residents (roughly one in eight U.S. residents live there) and businesses subject to these laws’ reach, the CPRA no doubt will increase the CCPA’s already profound impact on online consumer privacy protection. Time will tell the impact California’s approach will have on how other states create and change their consumer privacy laws. Such legislation likely has the potential to cause a ripple effect, creating guidelines as to what entities are governed as well as leading to the creation of enforcement agencies. Contact Zasio today to see how our innovative products and services can help you remain compliant.





[1] David McCabe and Cecilia Kang, As Congress Dithers, States Step In to Set Rules for the Internet, N.Y. Times (May 14, 2021).

[2] Id.

[3] See Daisuke Wakabayashi, California Passes Sweeping Law to Protect Online Privacy, N.Y. Times (June 28, 2018).

[4] Id.

[5] See Cal. Legis. Serv. Proposition 24 (West 2020).

[6] Id.

[7] Id.

[8] See Cal. Civ. Code § 1798.140(c)(1)(A–C) (West 2020).

[9] See Cal. Legis. Serv. Proposition 24 (West 2020).

[10] Id.

[11] Id.

[12] Id.

[13] See Cal. Civ. Code § 1798.150–155 (West 2020).

[14] Greg Bensinger, A Privacy Measure That’s Hard to Like, N.Y. Times (Oct. 28, 2020).

[15] Cal. Legis. Serv. Proposition 24 (West 2020).

[16] Cal. Legis. Serv. Proposition 24 (West 2020).

[17] Greg Bensinger, A Privacy Measure That’s Hard to Like, N.Y. Times (Oct. 28, 2020).

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

Author: Brandon Tuley, JD, CIPP/E


Analyst / Licensed Attorney