CPRA builds on CCPA by introducing a novel concept – sensitive personal information (PI) – and by imposing new requirements around the sharing of data. The new law also takes aim at what some in the privacy field call dark patterns by requiring digital environments to stop using ambiguity as a tactic to discourage people from opting out of protections.
Although CCPA and CPRA protections apply only to California consumers, the infrastructure that organizations build to make their websites and apps compliant will be the same infrastructure any consumer interfaces with, no matter where they are.
What’s more, other states, including Virginia, Connecticut and Colorado, are mandating privacy protections, making it difficult for organizations to operate digitally without following these states’ privacy laws.