CPRA Compliance Dashboard

California Privacy Rights Act

Jurisdiction: California, USA | Effective: January 1, 2023 | Domain: Privacy

Overview

The California Privacy Rights Act (CPRA) amends and extends the CCPA, creating the California Privacy Protection Agency and adding protections for sensitive personal information, correction rights, and data minimization requirements.

Controls

CPRA-C001: Sensitive Personal Information

• Requirement: Limit use and disclosure of sensitive personal information
• Automated: Yes
• Evidence: Data classification, use limitation logs

CPRA-C002: Correction Rights

• Requirement: Consumer right to correct inaccurate personal information
• Automated: No
• Evidence: Correction request logs

CPRA-C003: Data Minimization

• Requirement: Collection limited to what is reasonably necessary
• Automated: Yes
• Evidence: Purpose limitation documentation

CPRA-C004: Automated Decision-Making

• Requirement: Right to opt out of automated decision-making
• Automated: No
• Evidence: Decision logic documentation, opt-out logs

Compliance Gates

Gate	Control Ref	Requirement	Status
CPRA-G001	CPRA-C001	Sensitive PI use limited to stated purposes
CPRA-G002	CPRA-C002	Correction requests processed within 45 days
CPRA-G003	CPRA-C004	Automated decision opt-out available

Metrics

Metric	Target	Source	Trend
Sensitive data classification coverage	100%	data_catalog	Improving
Correction request SLA compliance	95%	request_tracking	Stable
Data minimization audit score	90%	governance_system	Improving

Recommended Actions

1. Classify all sensitive personal information categories
2. Implement correction request workflow
3. Conduct data minimization audit quarterly