Study Guide: Certified Information Privacy Professional (CIPP): US - California Privacy Rights Act, CPRA, Sensitive Data, DPIA, Enforcement Agency
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-us-california-privacy-rights-act-cpra-sensitive-data-dpia-enforcement-agency

Certified Information Privacy Professional (CIPP): US - California Privacy Rights Act, CPRA, Sensitive Data, DPIA, Enforcement Agency

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


What This Is

The California Privacy Rights Act (CPRA) expands the CCPA by adding a new “sensitive personal information” category, requiring Data Protection Impact Assessments (DPIAs) for high-risk uses, and creating a dedicated enforcement agency – the California Privacy Protection Agency (CPPA). Think of a large e-commerce platform that sells California-resident data to advertisers; under CPRA it must (1) label any data that reveals health, financial, or biometric details as sensitive, (2) run a DPIA before launching a new AI-driven recommendation engine, and (3) answer any enforcement inquiry from the CPPA, which now has the power to levy fines and order corrective actions.


Key Terms & Provisions

  • Sensitive Personal Information (SPI): Under CPRA, any data that reveals a consumer’s race, ethnicity, religious beliefs, health, genetic or biometric information, sexual orientation, or precise geolocation. Example: A fitness app that records heart-rate and GPS routes must treat that data as SPI.
  • Consumer (California Resident): The natural person who is a California resident, regardless of where the data processor is located.
  • Right to Delete (CPRA): Consumers may request that a business erase their personal information, including SPI, unless an exemption applies (e.g., for legal compliance).
  • Right to Correct (CPRA): Consumers can demand that inaccurate personal information be corrected. This is new versus CCPA.
  • Data Protection Impact Assessment (DPIA): A systematic analysis required when a business intends to use or share SPI in a way that could pose “significant risk” to privacy (e.g., large-scale profiling, automated decision-making).
  • Significant Risk: A risk that could result in discrimination, identity theft, financial loss, or other serious harm to a consumer.
  • California Privacy Protection Agency (CPPA): The independent state agency created by CPRA to enforce privacy law, issue regulations, and adjudicate disputes. It can impose civil penalties up to $7,500 per intentional violation and $2,500 per unintentional violation.
  • Opt-Out Sale (CPRA): Consumers may direct a business to stop selling any personal information, including SPI, to third parties. The business must honor the request within 15 days.
  • Opt-In Sharing (CPRA): For sensitive data, businesses must obtain an explicit opt-in before sharing with third parties for any purpose other than the primary service.
  • Contractual Safeguards: When a business shares SPI with a service provider, the contract must contain “reasonable security measures” and a prohibition on further sharing without consumer consent.
  • Breach Notification (CPRA): If a breach involves SPI, the business must notify affected consumers and the CPPA within 72 hours of discovery.

Step-by-Step Process for Handling SPI & DPIA

  1. Identify the Data – Inventory all data streams and flag any element that meets the CPRA definition of SPI (e.g., health records, biometric scans).
  2. Assess the Use – Determine whether the planned processing (collection, sharing, profiling, automated decision-making) could pose a significant risk to consumers.
  3. Conduct a DPIA – If a significant risk exists, complete a DPIA: describe the processing, map data flows, evaluate risks, and document mitigations (e.g., encryption, limited retention).
  4. Obtain Consumer Consent (if required) – For any sharing of SPI that is not strictly necessary for the service, implement an explicit opt-in mechanism and retain proof of consent.
  5. Update Contracts & Policies – Amend vendor agreements to include SPI-specific safeguards and revise privacy notices to disclose SPI collection, use, and consumer rights.
  6. Monitor & Respond – Keep a log of DPIA outcomes, track any changes in processing, and be ready to respond to CPPA inquiries or consumer requests (delete, correct, opt-out) within statutory timeframes.

Common Mistakes

  • Mistake: Treating all personal data as “non-sensitive.”
    Correction: CPRA creates a distinct sensitive category; failing to label health or biometric data as SPI can trigger higher penalties and the need for an opt-in.
  • Mistake: Skipping the DPIA because the company is “small.”
    Correction: CPRA applies DPIA requirements based on risk, not company size. Even a startup using AI to target ads must assess significant risks.
  • Mistake: Relying on a “general” privacy notice instead of a specific SPI notice.
    Correction: The CPRA mandates a separate, clear disclosure for SPI collection and sharing; a generic notice does not satisfy the requirement.
  • Mistake: Assuming the FTC still enforces the CCPA exclusively.
    Correction: The CPPA now has primary enforcement authority; ignoring CPPA guidance can lead to missed compliance updates and higher fines.
  • Mistake: Believing “opt-out” covers SPI automatically.
    Correction: For SPI, an opt-in is required before any sharing beyond the core service; an opt-out alone is insufficient.

CIPP Exam Insights

  1. Scope of “Sensitive” vs. “Personal” – Exams love to ask which of the following is not considered SPI under CPRA (e.g., “email address” is not SPI, but “medical diagnosis” is).
  2. DPIA Trigger Threshold – Remember that a DPIA is mandatory when processing is “likely to result in a significant risk” to privacy, not just any new technology. The exam may present a scenario with a low-risk data aggregation and ask if a DPIA is required.
  3. Enforcement Agency Shift – The CPPA, not the FTC, now issues fines and can issue “orders to cease processing.” Expect a question contrasting CPPA powers with FTC’s prior authority.
  4. Opt-In vs. Opt-Out for SPI – A classic exam trap: “A consumer who opts out of the sale of their data must have their SPI shared with a marketing partner.” The correct answer is no—SPI requires opt-in.

Quick Check Questions

  1. Scenario: A health-tech startup collects heart-rate data from a California-resident user and wants to share it with a third-party analytics firm for product improvement.
    Answer: The startup must obtain an explicit opt-in from the consumer before sharing the heart-rate data (SPI).
    Why: CPRA treats biometric data as sensitive; sharing it requires consent, not merely an opt-out.

  2. Scenario: A retailer discovers that a breach exposed customers’ mailing addresses and purchase histories (no health or biometric data).
    Answer: The retailer must notify affected consumers without delay (within 72 hours) but does not have to notify the CPPA because no SPI was involved.
    Why: CPRA breach-notification obligations to the CPPA apply only when sensitive data is compromised.

  3. Scenario: A California-based SaaS provider uses AI to automatically approve loan applications based on credit scores and demographic data.
    Answer: The provider must conduct a DPIA because the automated decision-making poses a significant risk of discrimination.
    Why: CPRA requires DPIAs for high-risk processing, especially when profiling could lead to adverse outcomes.


Last-Minute Cram Sheet (10 One-Liners)

  1. CPRA adds “Sensitive Personal Information” (SPI) – health, biometric, precise geolocation, etc.
  2. DPIA is mandatory when processing SPI or any activity likely to cause a “significant risk.”
  3. CPPA (California Privacy Protection Agency) = primary enforcer; can levy up to $7,500/intentional violation.
  4. Opt-in required for any sharing of SPI; opt-out only covers non-SPI personal data.
  5. Right to Correct (new under CPRA) – consumers can demand inaccurate data be fixed within 30 days.
  6. Breach Notification: 72-hour deadline to CPPA only if SPI is involved.
  7. Contractual Safeguards must be “reasonable security measures” and prohibit further sharing of SPI without consent.
  8. Deletion requests must be honored within 45 days (extended from 30 days under CCPA) unless an exemption applies.
  9. CPRA’s “Significant Risk” test mirrors GDPR Art. 35 but is risk-based rather than size-based.
  10. CPPA can issue “Cease and Desist” orders, not just monetary penalties – a powerful compliance lever.