The California Privacy Rights Act became operative on January 1, 2023, and the enforcement grace period that characterized much of CCPA’s first two years does not automatically extend to CPRA. The California Privacy Protection Agency — the dedicated enforcement body created by CPRA, separate from the California Attorney General — is active, staffed, and has already issued draft regulations. For adtech operators, publishers, and marketing technology platforms that have been running California consumer data programs under CCPA’s comparatively light-touch framework, the operational requirements have changed in concrete ways.

The most important change is structural, not technical: CPRA created a dedicated privacy enforcement agency for the first time in California. Under CCPA, enforcement authority rested with the California AG’s office, which was managing CCPA alongside dozens of other enforcement priorities. The California Privacy Protection Agency exists solely to enforce CPRA. It has rulemaking authority, investigative authority, and civil penalty authority. This is a qualitatively different enforcement posture than CCPA ever had.

What CPRA Adds That CCPA Did Not Cover

The CCPA established core consumer rights: right to know, right to delete, right to opt out of sale. CPRA expands the framework in several dimensions that are directly relevant to advertising and marketing technology operations.

Sensitive personal information is the most operationally significant new category. CPRA creates a separate regulatory tier for data that CCPA treated as standard personal information: precise geolocation, racial or ethnic origin, religious beliefs, union membership, health and medical information, sexual orientation, communications content (emails, texts), and financial account details combined with security credentials. Sensitive personal information requires explicit disclosure and, in some contexts, affirmative opt-in consent for certain processing purposes — including advertising profiling.

For adtech operators, the precise geolocation classification is immediately relevant. Location data has been a core signal in mobile programmatic — used for audience building, attribution, and proximity targeting. CPRA’s treatment of precise geolocation (latitude/longitude at sufficient precision to identify a person’s current or recent location) as sensitive data requires distinct consent treatment compared to general location categories. Mobile measurement companies, location data aggregators, and DSPs using location-based audience segments face specific compliance questions about their California data handling.

The CPPA’s final regulations published in late 2022 provide detailed guidance on sensitive personal information processing limits. Consumers have the right to limit the use and disclosure of their sensitive personal information to what is strictly necessary for the disclosed purpose — a significant constraint on the secondary use of sensitive data for audience building or cross-context behavioral advertising.

The Right to Correct: A New Requirement with Real Data Infrastructure Implications

CCPA’s deletion right required companies to delete consumer personal information upon request. CPRA adds a right to correct inaccurate personal information, which is an operationally distinct requirement.

Deletion is relatively straightforward to implement as a process: identify all data stores containing a consumer’s personal information and remove it. Correction requires updating data across all systems, syncing corrections to downstream partners and data recipients, and maintaining audit trails that document what was corrected, when, and what the corrected data is. For adtech companies that have built data pipelines where consumer data flows through multiple processing steps, syndication channels, and partner integrations, implementing the right to correct requires data lineage infrastructure that many organizations have not built.

The practical challenge is that correction requests will arrive from consumers who have, in many cases, only a partial understanding of what data exists about them and where it exists. A California resident who submits a correction request to a data broker or identity resolution platform may be requesting corrections to data that has already been syndicated to dozens of buyers, aggregated into audience segments, or used to train machine learning models. Tracing all of those downstream flows and implementing corrections consistently is non-trivial.

Employee and B2B Data: The Exemption Has Expired

CCPA included temporary exemptions for employee personal information and business-to-business personal information — data collected in the context of employment relationships and commercial contracts between businesses. These exemptions were enacted in 2018 with sunset provisions, extended by AB 1281 through January 1, 2023. The extensions have expired.

CPRA does not include equivalent exemptions. As of January 1, California employees, job applicants, contractors, and business contacts have full CPRA rights with respect to their personal information held by employers and business partners. This has substantial operational implications for HR systems, customer relationship management databases, and business contact data pools.

For B2B marketing specifically — contact database marketing, account-based advertising using business professional data, programmatic targeting against job title and company segments — CPRA’s application to business professional data is a new compliance layer. If you are running B2B programmatic campaigns targeting California-based business professionals using data from contact intelligence platforms, those individuals now have CPRA rights with respect to the personal data used to target them.

The CPPA’s enforcement timeline includes a formal rulemaking process that began in late 2022 and will continue into 2023. Civil penalty enforcement under CPRA can reach $2,500 per unintentional violation and $7,500 per intentional violation, with each individual consumer interaction potentially constituting a separate violation.

What Adtech Operators Need to Do Right Now

The immediate compliance priorities for advertising technology operations in California are not theoretical — they are operational checklists.

First, audit your sensitive personal information handling. Map all data flows involving precise geolocation, health/medical data, race or ethnicity inferences, and financial information. For each flow, confirm that your privacy policy discloses the processing, that you have a mechanism for consumers to limit use of their sensitive data, and that your downstream data recipients are under contractual obligations consistent with CPRA.

Second, update your data subject request infrastructure. If your DSAR system was built for CCPA deletion and access rights, it needs to be extended to handle correction requests. This requires data lineage documentation — you need to know where personal information goes after it enters your systems to implement corrections downstream.

Third, review your B2B data practices. If you are using California employee or business professional data for marketing purposes, confirm that your data suppliers have CPRA-compliant consent frameworks. Contact database providers who collected business professional data under the pre-2023 B2B exemption may have compliance gaps that their customers inherit.

The enforcement calendar matters: CPRA’s enforcement start date has been legally contested, with a court injunction delaying some elements of enforcement — but the injunction’s scope is specific to regulations, not the statute itself. The underlying CPRA statutory requirements are in effect regardless of the regulatory enforcement timeline. Waiting for enforcement to force compliance is a higher-risk posture than it was under CCPA.

FAQ

When did CPRA become operative and when does enforcement begin? CPRA became operative on January 1, 2023. Enforcement by the California Privacy Protection Agency is subject to ongoing legal and regulatory process — a court challenge delayed some enforcement elements tied to final regulations. The underlying statute’s consumer rights are in effect; enforcement of specific regulatory requirements depends on the litigation outcome.

What is “sensitive personal information” under CPRA and why does it matter for advertising? CPRA created a distinct category of sensitive personal information that requires higher-level privacy protections than standard personal data. For advertising, the key categories are precise geolocation (which has specific consent requirements that affect location-based targeting), racial or ethnic origin (which affects demographically inferred audience segments), and health data (which affects medical and pharmaceutical advertising audience building).

How is CPRA different from CCPA in terms of enforcement? CCPA enforcement authority rested with the California Attorney General. CPRA created the California Privacy Protection Agency (CPPA), a dedicated, standalone enforcement agency whose sole mission is CPRA enforcement and rulemaking. The CPPA has greater dedicated resources and institutional focus than the AG’s office, which managed CCPA alongside broad enforcement responsibilities.

Does CPRA apply to B2B contact data used in marketing? Yes. The temporary exemptions for employee and B2B personal information that existed under CCPA expired on January 1, 2023. CPRA does not include equivalent exemptions. California-based employees, business contacts, and professionals have full CPRA rights with respect to their personal information, including data used for B2B marketing and account-based advertising.