CPRA Security Requirements: What California Businesses Must Know
The California Privacy Rights Act (CPRA), which amended and significantly expanded the California Consumer Privacy Act (CCPA), imposes explicit security obligations on businesses that collect, process, or share personal information about California residents. This page covers the specific security requirements embedded in the CPRA, how they are structured and enforced, and where the boundaries of compliance responsibility fall. Understanding these requirements is essential for any organization subject to California's privacy framework, as noncompliance can trigger civil penalties and private litigation.
- Definition and Scope
- Core Mechanics or Structure
- Causal Relationships or Drivers
- Classification Boundaries
- Tradeoffs and Tensions
- Common Misconceptions
- Checklist or Steps
- Reference Table or Matrix
Definition and Scope
The CPRA, enacted by California voters as Proposition 24 in November 2020 and operative as of January 1, 2023, establishes a data privacy regime enforced jointly by the California Privacy Protection Agency (CPPA) and the California Attorney General. The statute's security requirements are codified primarily in California Civil Code §1798.100(e), which mandates that businesses implement "reasonable security procedures and practices appropriate to the nature of the personal information" they hold.
Scope of coverage: The CPRA applies to for-profit businesses that do business in California and meet at least one of three thresholds: (1) annual gross revenues exceeding $25 million; (2) annually buying, selling, or sharing the personal information of 100,000 or more consumers or households; or (3) deriving rates that vary by region or more of annual revenues from selling or sharing consumers' personal information (California Civil Code §1798.140). Nonprofit organizations and government agencies are generally outside the CPRA's scope, though public sector entities face separate cybersecurity obligations under California state law.
Geographic scope and limitations: CPRA security obligations apply when a qualifying business processes personal information of California residents, regardless of where that business is incorporated or headquartered. The CPRA does not govern the security practices of businesses operating exclusively outside California with no California-resident data subjects. Federal-sector entities subject to the Privacy Act of 1974 or FISMA operate under distinct frameworks not addressed by CPRA. For a broader view of how California's privacy and cybersecurity ecosystem fits together, the California Cybersecurity: How It Works page provides useful conceptual context.
Core Mechanics or Structure
The CPRA's security framework rests on four interlocking operational structures:
1. Reasonable Security Standard
The statute anchors security obligations to the "reasonable security" standard, which California regulators have historically associated with the Center for Internet Security (CIS) Controls and guidelines published by the National Institute of Standards and Technology (NIST). The California Attorney General's 2016 data breach report explicitly named the CIS Critical Security Controls (formerly SANS Top 20) as the baseline for reasonable security in civil litigation contexts.
2. Data Minimization and Retention Limits
Under California Civil Code §1798.100(a)(1), businesses must limit personal information collection to what is "reasonably necessary and proportionate" to the disclosed purpose. Data minimization reduces the attack surface directly: information that is not retained cannot be breached.
3. Sensitive Personal Information Category
The CPRA creates a distinct category of "sensitive personal information" (SPI), which includes Social Security numbers, financial account credentials, geolocation data, biometric data, health and medical information, and contents of private communications (California Civil Code §1798.140(ae)). Businesses handling SPI face heightened scrutiny and must honor consumer rights to limit its use.
4. Private Right of Action for Security Failures
California Civil Code §1798.150 creates a private right of action when a consumer's nonencrypted or nonredacted personal information is subject to unauthorized access due to a business's failure to implement reasonable security. Statutory damages range from amounts that vary by jurisdiction to amounts that vary by jurisdiction per consumer per incident, or actual damages if greater. Class actions under this provision can produce aggregate liability in the tens of millions of dollars. For terminology and definitions relevant to these standards, see the California Cybersecurity Terminology and Definitions page.
Causal Relationships or Drivers
Three structural forces drive CPRA security obligations:
Breach history as a legislative trigger: California's history of high-profile breaches — including incidents affecting Californians' health, financial, and identity data — was explicitly cited in legislative materials accompanying the CPRA's drafting. The 2020 Proposition 24 campaign materials referenced inadequacy of the original CCPA's enforcement mechanisms as justification for the CPPA's creation.
CPPA Rulemaking Authority: The CPPA, a first-of-its-kind standalone privacy enforcement agency in the United States, holds rulemaking authority over CPRA implementation. The Agency's 2023 regulations (promulgated under Title 11, California Code of Regulations, §§7000–7304) introduced cybersecurity audit requirements for high-risk processing activities and mandate risk assessments for businesses whose processing activities "present significant risk" to consumer privacy. These regulations directly expand the operational security burden beyond what the statute text alone specifies.
Federal Framework Interplay: NIST's Cybersecurity Framework (CSF), published by the National Institute of Standards and Technology, and NIST Special Publication 800-53 are not California-specific mandates, but they function as practical benchmarks that California regulators reference when evaluating whether a business met the reasonable security standard. Businesses already aligned with NIST CSF 2.0 (released in February 2024) are better positioned to demonstrate compliance. For the full regulatory context, the Regulatory Context for California Cybersecurity page maps how state, federal, and sectoral frameworks interact.
Classification Boundaries
CPRA security obligations fall into three distinct tiers based on data type and processing risk:
Tier 1 — General Personal Information: Name, email address, IP address, purchase history. Requires reasonable security appropriate to the sensitivity level; no enhanced use restrictions trigger automatically.
Tier 2 — Sensitive Personal Information (SPI): 11 categories defined in §1798.140(ae), including precise geolocation (within a radius of 1,850 feet per the statute), biometrics, and health data. SPI triggers consumer rights to limit use and disclosure, mandating tighter access controls and use-limitation enforcement mechanisms.
Tier 3 — High-Risk Processing: Defined in CPPA regulations as processing that involves profiling with significant effects, large-scale processing of SPI, or sale of SPI. High-risk processing mandates a formal cybersecurity audit and a Privacy Risk Assessment (PRA) submitted to the CPPA on a schedule the Agency may establish.
Entities operating in both CPRA-regulated space and federally regulated sectors — such as healthcare organizations subject to HIPAA or financial institutions subject to the Gramm-Leach-Bliley Act — face layered obligations. CPRA does not preempt HIPAA or GLBA; compliance with federal frameworks does not automatically satisfy CPRA, and vice versa. For healthcare-specific obligations, the California Healthcare Cybersecurity page addresses the intersection of HIPAA and CPRA in clinical settings.
Tradeoffs and Tensions
Reasonable Security vs. Prescriptive Rules: The CPRA's flexible "reasonable security" standard gives businesses discretion but creates legal uncertainty. A prescriptive framework specifying exactly which controls are required would reduce ambiguity but might not accommodate the diversity of business sizes and data types. Small businesses with less than $25 million in revenue (and below the other two thresholds) are outside CPRA's scope, but mid-market businesses just above the threshold face the same standard as enterprise organizations. The California Small Business Cybersecurity page examines how smaller entities navigate adjacent obligations.
Data Utility vs. Minimization: Data minimization — collecting and retaining only what is necessary — reduces breach risk but conflicts with analytics-intensive business models that derive value from longitudinal data. The CPRA explicitly resolves this tension in favor of consumer rights, but enforcement of minimization in practice remains nascent.
Audit Confidentiality vs. Transparency: The CPPA's cybersecurity audit regulations create a tension between business confidentiality interests (audit findings contain sensitive vulnerability information) and the Agency's enforcement mandate. The regulations as promulgated allow businesses to withhold audit contents from the CPPA in certain circumstances while still certifying compliance, a compromise that consumer advocates have criticized as insufficient.
Vendor Risk and Contractual Chains: Under CPRA, businesses must include specific contractual provisions in agreements with service providers and contractors handling personal information. This obligation cascades upstream and downstream through supply chains, creating compliance complexity that grows with vendor network size. The California Third-Party Vendor Risk Management page details contract requirements and vendor assessment frameworks.
Common Misconceptions
Misconception 1: CPRA only covers large enterprises.
The 100,000-consumer threshold can be reached by mid-sized e-commerce businesses, SaaS platforms, or any organization that processes web analytics at scale. A business does not need to "sell" data to hit the threshold — sharing data for cross-context behavioral advertising counts under the CPRA's definition of "sharing."
Misconception 2: Encrypting data eliminates private right of action exposure.
California Civil Code §1798.150 exempts encrypted personal information from the private right of action only if the encryption is intact at the time of unauthorized access. Encryption of data at rest does not protect against exposure through application-layer vulnerabilities where data is decrypted before being exfiltrated.
Misconception 3: CCPA compliance equals CPRA compliance.
The CPRA introduced SPI as a new category, added the CPPA as a new enforcement body, created cybersecurity audit and risk assessment requirements, and expanded the private right of action. Organizations that implemented only CCPA controls as of 2020 are operating under an outdated framework.
Misconception 4: Only breaches trigger enforcement.
The CPPA can investigate and fine businesses for failure to implement required security practices even absent a reportable breach. Penalties for intentional violations can reach amounts that vary by jurisdiction per violation (California Civil Code §1798.155).
Misconception 5: Risk assessments are voluntary.
CPPA regulations issued in 2023 make Privacy Risk Assessments mandatory for businesses conducting processing activities the Agency classifies as high risk. Failure to conduct and maintain a PRA is itself a compliance violation independent of any data incident.
For enforcement history and the California Attorney General's role in CPRA actions, the California Attorney General Cybersecurity Enforcement page covers documented enforcement patterns. The broader California Privacy Protection Agency Cybersecurity Role page covers the CPPA's distinct authorities. For a comprehensive entry point to California's cybersecurity framework, the California Cybersecurity Authority site index provides navigation across all topic areas.
Checklist or Steps
The following represents a structural description of the compliance evaluation process, not legal or professional advice. The sequence below reflects the logical phases through which businesses typically assess CPRA security alignment.
Phase 1 — Applicability Determination
- Confirm annual gross revenue relative to the $25 million threshold
- Count consumer and household records processed annually against 100,000 threshold
- Calculate revenue percentage derived from selling or sharing personal information against rates that vary by region threshold
- Document which threshold(s) apply (one threshold is sufficient)
Phase 2 — Data Inventory and Classification
- Inventory all personal information categories collected, received, and shared
- Identify which categories qualify as Sensitive Personal Information under §1798.140(ae)
- Map data flows: collection points, storage systems, processors, third parties
- Document retention schedules and minimization justifications
Phase 3 — Security Control Assessment
- Evaluate existing controls against CIS Critical Security Controls v8 or NIST CSF 2.0 benchmarks
- Identify gaps in encryption (at rest and in transit), access control, and logging
- Assess whether controls are "appropriate to the nature of the personal information" for each tier
- Document control implementation with evidence (configuration records, audit logs)
Phase 4 — Vendor and Contract Review
- Identify all service providers, contractors, and third parties receiving personal information
- Confirm contracts include CPRA-required terms: purpose limitation, security obligations, deletion rights, audit rights
- Obtain certifications from service providers that they comply with applicable CPRA obligations
Phase 5 — Risk Assessment and Audit
- Determine whether processing activities qualify as high-risk under CPPA regulations (§7150)
- If high-risk: conduct Privacy Risk Assessment covering processing purpose, necessity, benefits vs. risks, and safeguards
- If cybersecurity audit is required: engage qualified assessor and document findings
- Maintain records of both assessment and audit for CPPA review
Phase 6 — Incident Response Alignment
- Confirm that incident response procedures cover nonencrypted personal information breaches triggering §1798.150 private right of action
- Verify breach notification procedures comply with California Civil Code §1798.82 (California's data breach notification law, which sets a 72-hour-equivalent standard for certain breaches)
- Test response procedures against CPRA-specific scenarios (SPI breach, large-scale breach triggering class action exposure)
Reference Table or Matrix
CPRA Security Requirements at a Glance
| Requirement | Statutory Basis | Applies To | Enforcement Body | Penalty Exposure |
|---|---|---|---|---|
| Reasonable Security Practices | Cal. Civ. Code §1798.100(e) | All CPRA-covered businesses | CPPA, CA Attorney General | Up to amounts that vary by jurisdiction/intentional violation |
| Private Right of Action (Security) | Cal. Civ. Code §1798.150 | Businesses with nonencrypted data breach | Private plaintiffs | amounts that vary by jurisdiction–amounts that vary by jurisdiction/consumer/incident or actual damages |
| Sensitive Personal Information Controls | Cal. Civ. Code §1798.140(ae), §1798.121 | Businesses processing SPI | CPPA, CA Attorney General | Up to amounts that vary by jurisdiction/intentional violation |
| Service Provider Contracts | Cal. Civ. Code §1798.100(d) | All CPRA-covered businesses | CPPA | Up to amounts that vary by jurisdiction/negligent violation |
| Cybersecurity Audit | 11 CCR §7150 | High-risk processing businesses | CPPA | Regulatory action; not yet quantified |
| Privacy Risk Assessment | 11 CCR §7150–7152 | High-risk processing businesses | CPPA | Regulatory action; not yet quantified |
| Data Minimization | Cal. Civ. Code §1798.100(a)(1) | All CPRA-covered businesses | CPPA, CA Attorney General | Up to amounts that vary by jurisdiction/intentional violation |
Data Type Classification Under CPRA
| Data Category | Examples | CPRA Tier | Enhanced Controls Required |
|---|---|---|---|
| General Personal Information | Name, email, IP address, browsing history | Tier 1 | Reasonable security |
| Sensitive Personal Information | SSN, health data, biometrics, geolocation ≤1,850 ft | Tier 2 | Use limitation + heightened security |
| Children's Data (under 16) | Any personal information of minor consumers | Special | Opt-in consent + highest security posture; violations carry up to amounts that vary by jurisdiction/violation |
References
- California Privacy Rights Act — California Civil Code §§1798.100–1798.199.100
- California Privacy Protection Agency (CPPA)
- CPPA Regulations — Title 11, California Code of Regulations, §§7000–7304
- California Civil Code §1798.140 — Definitions
- California Civil Code §1798.155 — Penalties