
Privacy is a high priority for Californians, and recent changes in state law reflect that. In 2020, voters approved the California Privacy Rights Act (CPRA), a measure designed to strengthen the earlier California Consumer Privacy Act (CCPA). Together, these laws give individuals far more leverage over how companies handle their data.
In practice, this means Californians can demand transparency about how their information is collected, prevent certain types of data sales, and hold businesses legally accountable when their personal details are mishandled.
The CPRA introduced new rights and broadened those already available under the CCPA. Californians can now:
Before California passed these laws, many companies quietly collected and sold consumer data without consent or transparency. The CPRA shifts power back into the hands of consumers. For example:

Consumers should actively use the mechanisms the CPRA created:
The CPRA imposes complex obligations on businesses, and many attempt to limit compliance. Consumers benefit from having experienced legal representation when companies refuse to honor requests or when their data is exposed.
The Lyon Firm has represented individuals in privacy, cybersecurity, and consumer protection cases across the country. We investigate data misuse, file individual claims and class actions, and hold corporations accountable when they put profits ahead of consumer rights.
Our approach is client-focused and contingency-based—meaning you owe nothing upfront, and legal fees are covered if your case is successful.
1. What is the difference between the CCPA and the CPRA?
The California Privacy Rights Act (CPRA) builds on the California Consumer Privacy Act (CCPA). While the CCPA granted basic consumer rights like access and deletion, the CPRA strengthens those rights, adds new protections for sensitive personal information, and establishes the California Privacy Protection Agency (CPPA) to enforce compliance.
2. When did the CPRA go into effect?
The CPRA went into effect on January 1, 2023, and applies to data collected from January 1, 2022 onward. Enforcement began in July 2023 through the CPPA and the California Attorney General.
3. What counts as “sensitive personal information” under the CPRA?
The CPRA defines “sensitive personal information” broadly. It includes:
4. Who must comply with the CPRA?
The law applies to for-profit businesses doing business in California that meet one or more of the following thresholds:
5. Can consumers sue companies directly under the CPRA?
Yes. The CPRA expands the private right of action first introduced in the CCPA. Consumers may sue if their personal information is exposed due to inadequate security practices, including cases where login credentials are stolen in a data breach.
6. What are the penalties for violating the CPRA?
Businesses may face fines of $2,500 per violation, or $7,500 per intentional violation or violations involving minors. Importantly, these fines can add up quickly in class action cases or large-scale breaches.
Taking the first step doesn’t have to be complicated. In just a few minutes, you can share the basics of your case, and our team will guide you from there: