California Consumer Rights Under CPRA: What Businesses Must Do
The California Privacy Rights Act (CPRA), which builds on and significantly expands the California Consumer Privacy Act (CCPA), creates an enforceable framework of consumer rights that demand immediate attention from compliance teams. Understanding these rights—and the operational requirements they trigger—is essential for any business collecting personal information from California residents.
The Core Consumer Rights Framework
Under California Civil Code §1798.100, consumers retain the foundational right to know what personal information a business collects, uses, shares, and sells. This isn't merely a disclosure obligation; it requires you to develop systems capable of responding to consumer requests within 45 calendar days (extendable by 45 days for complex requests). Your compliance infrastructure must document collection points, data flows, and retention practices with specificity sufficient to generate meaningful consumer disclosures.
California Civil Code §1798.105 introduces the right to delete, which the CPRA strengthens considerably. Consumers can now request deletion of personal information collected from them, subject to narrow exceptions. Your team must establish protocols identifying which systems retain deletable data, which exceptions apply to your business model (e.g., legal obligations, fraud detection), and how you'll document compliance. The deletion requirement extends to service providers and contractors unless you've contractually restricted their retention rights—a critical gap many organizations overlook.
New CPRA Rights Demanding Immediate Infrastructure Changes
The CPRA introduces the right to correct inaccurate personal information (Civil Code §1798.100(d)). This seemingly straightforward right creates operational complexity: you must determine whether your data architecture supports correction flags, system-wide updates, or both. Financial services firms and healthcare providers face particular challenges here, as regulatory obligations may conflict with consumer correction requests. Your compliance protocol should establish a decision tree addressing conflicts between consumer requests and legal/regulatory retention requirements.
California Civil Code §1798.120 grants consumers the right to limit use and disclosure of sensitive personal information. The CPRA's definition of