From CCPA to CPRA: How to Stay Compliant

From CCPA to CPRA: How to Stay Compliant

Over the last few years, privacy laws have evolved to protect individuals more than they ever have before. Many businesses operating in California state were enforcing security measures under the CCPA law, which has been effective since January 1, 2020. 

However, since the start of the year, California has been enforcing an amendment – the California Privacy Rights Act (CPRA), taking effect on January 1, 2023.  It brought with it a range of new obligations for organizations to comply with.

How to move from CCPA to CPRA compliance? Let’s take a look at how Plumrocket’s CPRA Extension is helping eCommerce stores comply with the new legislation, and learn how to update your eCommerce store to be CPRA compliant.

What is the Difference Between the CCPA and CPRA?

California Privacy Rights Act, or CPRA for short, is a ballot initiative that amends and expands the Consumer Privacy Protection Act of 2020. CPRA compliance is effective on January 1, 2023 and enforcement is expected to begin in June 2023.

Compared to the CCPA, the CPRA gives Californians more control over the personal information businesses collect. The law requires businesses to disclose information they collect, such as details about how they use your data, who they share your data with, and where you can access your data.

How Plumrocket Helps eCommerce Stores Become CCPA to CPRA Compliant?

To comply with the law, in addition to updating privacy policies, retailers must implement certain functionality on their eCommerce stores to notify California consumers about the law and let them exercise all their privacy rights.

Since 2020, Plumrocket has been helping all Magento-based websites to stay compliant by installing the all-in-one CCPA extension on their stores, which has now been updated with new features to provide websites with CPRA compliance in the same easy and straightforward way. Let’s go through the main law updates, and see how the Magento 2 CPRA extension helps.

  1. Right to Opt-Out of Third-Party Sales and Sharing:

In addition to “selling” under CCPA, the CPRA broadens this right to include the sharing of personal information. So, merchants are required to let California citizens request that businesses stop selling or sharing their personal information.

How Plumrocket Helps:

The Magento 2 CPRA extension provides an updated “Do Not Sell or Share” page, which automatically appears on the website’s footer. Once there, both registered and guest users can submit the “Do Not Sell or Share My Personal Information” request to the company.

Magneto 2 CPRA: Do Not Sell Or Share My Personal Information Page
  1. Right to Correct Information

The CPRA includes a completely new right that does not appear in the CCPA. A consumer has the right to request that any incorrect personal information provided by a company be corrected.

How Plumrocket Helps:

In addition to the fact that Magento itself allows registered users to edit personal information in the Personal Information section, the CPRA extension offers an updated Privacy Center dashboard that includes the “Correct My Personal Information” button. It allows all registered users and guests to submit the correction request by sending an email to the person in charge.

Magneto 2 CPRA: Correct My Personal Information Request


  1. Right to Restrict Use and Disclosure of Sensitive Personal Information

A consumer has the right to restrict the use and disclosure of their Sensitive Personal Information to “use that is necessary to execute the services or deliver the products reasonably expected by an ordinary consumer who requests such goods and services” (as per SEC. 10. Section 1798.121 d).

How Plumrocket Helps:

ECommerce stores are usually not subject to this requirement as the SPI is collected without the purpose of inferring characteristics about a consumer and is limited to what is necessary to provide goods or services. Therefore, the Magneto 2 CPRA extension by Plumrocket does not have this feature enabled by default, but if necessary, you can easily edit the “Do Not Sell or Share” page from the admin panel and add a “Limit the Use of Sensitive Personal Information” to the form.

Is My Company Impacted?

The CPRA places new thresholds for what companies fall under the law, including:

  • Organizations that do $25 million in annual gross revenue
  • Organizations that are buying, selling or sharing data of 100.000 California consumers (50.000 consumers under CCPA”) 
  • Organizations that derive 50% or more of their revenue from selling or sharing personal data (only “selling” under CCPA)

How to Update My Website to CCPA & CPRA Compliance?

If you use a plugin on your website for CCPA compliance, upgrading to CPRA won’t take much effort:

  1. Check if your business falls under the CPRA requirements.
  2. Ask your vendor if they have updated your CCPA-compliance plugin to CPRA.
  3. Update your privacy policy.

We at Plumrocket always try to keep our extensions up to date to meet the market requirements – we have already added new features to make your store fully CPRA compliant. Feel free to update your Magento 2 CCPA extension for free!