Remove the Technical Hurdles of CPRA

Skyflow addresses the key technical requirements of CPRA, so you can protect sensitive data, such as PII or sensitive personal information.

You can easily embed CPRA’s data privacy requirements into your systems:

  • Protect Sensitive Data from the Moment It’s Collected

  • Limit the Use of Sensitive Data

  • Gather, Correct, or Erase Sensitive Data Upon Request

Get Your CPRA Readiness to a Golden State

Satisfy CPRA compliance by using a Data Privacy Vault to isolate, protect, and govern your customers’ sensitive data. CPRA adds regulations regarding data privacy to CCPA. Read on to learn about the differences between CPRA and CCPA.

With Skyflow, whether your customers reside in California, elsewhere in the US, or anywhere else, securing sensitive data and preventing its misuse just got simpler.

Solve CPRA and CCPA Together

CCPA already has provisions to penalize businesses between $2,500 and $7,500 per violation for data breaches. Additionally, CPRA violations are subject to a new civil penalty system and possible lawsuits from customers – up to $750 per consumer, per incident, or actual damages – whichever is greater.

The more personal information your business handles, the higher the potential fines. Skyflow can help you comply with CCPA more easily.

Privacy by Design

Skyflow Data Privacy Vault takes a zero trust approach to data privacy – never trust, always verify. Every data access request gets verified from the Data Privacy Vault so security and privacy don’t have to be a difficult afterthought.

Eliminate Breach Impact

Remove all the personal information from your infrastructure and replace it with format-preserving tokens. With personal information securely protected in your Skyflow vault, the rest of your infrastructure becomes less risky and more flexible, so you can move quickly and not break data privacy.

End Information Sprawl

Keep sensitive data isolated in a zero trust Data Privacy Vault instead of scattered across databases or systems. Managing one authoritative personal data source makes it quick and easy to respond to personal information requests.

Fine-grained Data Access Control

Quickly build and centrally manage the data access flows you need, within your organization and with third parties. Centrally control who sees what data, when, where, and how using any combination of policies, roles, and attributes.

Isolate, Protect, and Govern Sensitive Personal Data with a Data Privacy Vault

Centralized Sensitive Data Repository

Isolate sensitive data in your Skyflow Data Privacy Vault to give an extra layer of protection to your company’s most valued data. With a data privacy vault architecture, you only have to collect, correct, and delete sensitive customer data in one place when you receive data subject requests.

Polymorphic Encryption

Keep your customer data encrypted at rest, in transit, and in memory. Skyflow’s unique approach to data security utilizes multiple encryption and tokenization techniques to provide optimal security without sacrificing data usability.

Advanced Data Governance Engine

Govern where, how, and who can access customers’ personal information. Layering this complexity atop requirements like PCI DSS is a big challenge, even for the largest global companies. Fortunately, managing this complexity is easy when you use Skyflow’s powerful but intuitive policy expression language to create RBAC, ABAC, and PBAC policies that control how sensitive data is accessed and used.

Automated Audit Logs

Document data access with a robust audit trail to prove CPRA compliance. Every action in your vault is automatically logged and auditable. Skyflow also makes it easy to audit and investigate data access using SQL queries, so you can monitor compliance with ease.

Frequently Asked Questions about CPRA

Think of the California Privacy Rights Act (CPRA) as the enhanced version of the California Consumer Privacy Act (CCPA). Both acts aim to give residents more power over their personal information (data that’s identifiable or sensitive in nature) and set standards for proper protection.

Does CPRA Apply to My Organization?

The CPRA went into effect on January 1, 2023. It regulates any for-profit companies that do business in California, even those without a physical presence in the state. If your business collects personal information from California residents and meets one of the following threshold requirements, you’re subject to the CPRA:

  • Annual gross revenues exceeding $25 million
  • Annually sells/buys or receives/shares for commercial purposes the personal information of 100,000 or more California consumers
  • Derives 50% or more of its annual revenue from selling personal information or performing targeted advertising using personal information

CPRA Vs. CCPA: What’s Changed?

CPRA is not a radical change of rules and regulations. It is more like CCPA 2.0, with added regulations regarding data privacy. Here’s a side-by-side comparison:

Effective Date
CCPA: Already in effect
CPRA: Already in effect

Who Needs to Comply?
CCPA: For-profit businesses that do business in California and that meet one or more of the following criteria:
  • Have revenues exceeding $25 million
  • Annually sell, buy, or receive personal information of 50,000 or more California consumers for commercial purposes
  • Derive 50% or more of its annual revenue from selling personal information
CPRA: For-profit businesses that do business in California and that meet one or more of the following criteria:
  • Annual gross revenues exceeding $25 million
  • Annually sell, buy, receive, or share personal information of 100,000 or more California consumers for commercial purposes
  • Derive 50% or more of its annual revenue from selling or performing targeted advertising using personal information

Enforcement Authority
CCPA: Attorney General of California
CPRA: The California Privacy Protection Agency (CPPA)
Important Change: CPRA established the nation’s first dedicated privacy regulator, the California Privacy Protection Agency (CPPA), focused on CPRA enforcement and oversight.

Data Coverage
CCPA: Grants all Californians the right to their data as consumers.
CPRA: Grants all Californians the right to their personal data, both as consumers and in business relationships, including employment.
Important Change: CPRA considers B2B data, HR data, and personal information to have the same protections as consumer data.

The CPRA also adds a new category of information called sensitive personal information (SPI) that increases the compliance scope compared to CCPA. The following are some examples of SPI:
  • Union Membership
  • Philosophical beliefs
  • Login ID and Password
  • Government identity information
  • Immigration or citizenship status
  • Precise geolocation
  • Race and ethnicity
  • Religious beliefs
  • Sexual orientation
  • Health and medical history
  • Genetic data

Private Right of Action
CCPA: Consumers may take legal action and recover up to $750 per consumer, per incident, or actual damages, whichever is greater.

Under the terms of the CCPA, consumers may bring a private action against an organization when certain types of personal information get breached (in a format that’s not encrypted or redacted). These types of information are limited to a person’s last name and first name (or initials), in combination with a unique identifier.
CPRA: Updates and expands upon the CCPA's rules governing a consumer's private right of action.

CPRA includes a person’s username and password that would permit access to an online account.
Important Change: The CPRA adds a person’s email address in combination with a password or security question plus the answer to the list of data elements that are eligible for a private right of action. CPRA also clarifies that the maintenance and implementation of reasonable security practices and procedures after a data breach will not be considered a proper defense or “cure” for that data breach.

General Privacy Rights
CCPA:
  • The right to know what consumer personal information is collected by businesses.
  • The right to access personal information.
  • The right to say no to the sale of personal information.
  • The right to know whether their personal information is sold or disclosed and to whom such information is sold or disclosed.
  • The right to equal service and price, even if privacy rights are invoked.
CPRA:
  • The right to correct inaccuracies.
  • The right to limit how sensitive personal information is used and shared.
  • The right to opt-out of targeted advertising.
Important Change:
  • Correct inaccurate personal information in addition to deletion.
  • Limit the use of SPI (sensitive personal information) as defined by CPRA.
How Does Skyflow Ease CPRA Compliance?

With Skyflow Data Privacy Vault as part of your architecture, you can isolate sensitive data to a single data source and protect it with polymorphic encryption and other privacy-enhancing technologies. With only one centralized personal information source, you can be confident that the access and usage of data is consistently enforced according to your policies.

Responding to any sensitive data requests becomes a matter of making one API call. Say goodbye to manual processes!

CPRA, CCPA, and the “Alphabet Soup” of US Privacy Laws

The United States doesn’t have a national law that regulates sensitive data. Five states have passed consumer privacy laws: California (CCPA, CPRA), Colorado (ColoPA), Connecticut (CDPA), Virginia (VCDPA), and Utah (UCPA). Currently, 27 other states have draft bills that could soon become law.

Privacy regulation can feel like a lot to handle, even when these laws apply only to people who live in specific states. But fear not. If you take a privacy-first approach to handling personal information, you can easily comply with existing and new privacy regulations from anywhere in the United States or worldwide.

What about GDPR? Can Skyflow Help Me Solve That Too?

Yes. California privacy laws (CCPA & CPRA) are modeled after the EU’s GDPR. The comparison chart below shows how they are similar and how they differ:

Intended to Protect
CCPA: All people residing in California
GDPR: All people residing in the EU

Default Consent
CCPA: Opt-out from information being sold or shared, both as a consumer and in business relationships
GDPR: Consumers opt-in to data use

Exclusion
CCPA: Any data that is already legally available to the public
GDPR: No exclusion

Threshold
CCPA: Applies to for-profit businesses that meet one or more criteria:
  • Have revenues exceeding $25 million
  • Annually sell, buy, receive, or share personal information of 100,000 or more California consumers for commercial purposes
  • Derive 50% or more of its annual revenue from selling or performing targeted advertising using personal information
GDPR: If processing personal data on a regular basis, businesses of all sizes must comply

Financial Penalties
CCPA: Extends the provisions to penalize businesses between $2,500 and $7,500 per violation for data breaches from CCPA to include a civil penalty system and possible lawsuits from customers up to $750 per consumer, per incident, or actual damages – whichever is greater.
GDPR: Fines up to €20M or 4% of worldwide annual revenue, whichever is higher

The bottom line is: if you are aligning with either CPRA or GDPR, maintaining compliance with both of them is straightforward. See how Skyflow can help organizations of all sizes simplify and accelerate GDPR compliance.

Benefits compared (Skyflow vs. Compliance Automation Tools): Data Residency, Tokenization, SDKs/REST APIs, Granular Identity and Access Management, Redaction/Masking, Polymorphic Encryption, Configurable Vault Schema, Dedicated VPC.

The most flexible solution on the market, Skyflow’s Data Privacy Vault takes minutes to set up and is built using a zero trust architecture that protects your sensitive data while accelerating your go-to-market plans.

Avoid the limitations of compliance project management tools or the cost and risks of developing an in-house solution. Let us show you why Skyflow is the better way — sign up for a demo today.