Why the California Privacy Rights Act (CPRA) Matters for Investment Advisers, Broker-Dealers and Other Financial Professionals

The California Privacy Rights Act (“CPRA”), also known as Proposition 24, became effective on January 1, 2023. Rather than acting as a complete overhaul of the California Consumer Privacy Act (“CCPA”), the CPRA further strengthens and expands upon the data privacy rights of Californian consumers established by the CCPA. The CPRA seeks to give consumers greater control over their personal information, for example, by granting them the ability to limit the use and disclosure of sensitive personal information.

Amendments and Evolution from the CCPA

The CPRA applies to a somewhat narrower set of businesses compared to the CCPA, as the CPRA doubled the CCPA's consumer and household data processing thresholds. It retains the extraterritorial scope, affecting not only businesses within California but also those interacting with Californian residents' data, unless that interaction takes place wholly outside of California. Below are a few other notable differences between the CPRA and the CCPA:

  • California Privacy Protection Agency: The CPRA established the California Privacy Protection Agency (“CPPA”), an independent regulatory body responsible for enforcing the CPRA and ensuring compliance.
  • Sensitive Personal Information: The CPRA introduces the concept of "Sensitive Personal Information," including data like Social Security numbers, financial account information, precise geolocation, and health-related information. While such data is "personal information" under the CCPA, the CPRA introduces new consumer choice and disclosure requirements for certain uses of Sensitive Personal Information.
  • Data Retention Periods: Businesses under the CPRA are obligated to provide consumers with specific retention periods for each category of personal information collected (or at least the criteria used to determine retention), providing transparency about data retention.

B2B and Employee Data; Impact on Investment Advisers, Broker-Dealers and Other Financial Professionals

Previously, the CCPA generally exempted “personal information” (i.e., information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a particular person) about a business’s employees or business-to-business contacts, but those exemptions are no longer available. As a result, investment advisers, broker-dealers, fund managers, and other financial institutions subject to the CCPA that have employees in California may be subject to new compliance obligations under the CCPA. Similarly, subject to the exceptions described below, financial businesses that have clients, investors, or prospective clients or investors in California are subject to these same new obligations.

The CCPA still exempts non-public information that is subject to the Gramm-Leach-Bliley Act or California Financial Information Privacy Act, which address privacy concerns for financial institutions. While certain information collected by investment advisers, broker-dealers and fund managers may fall within those exemptions, they should analyze the CCPA's applicability to their operations.

Effective Dates

The CPRA became effective on January 1, 2023, and the regulations implemented by the CPPA were set to become enforceable on July 1, 2023. However, on June 30, 2023, a California state court judge issued an injunction delaying enforcement of the regulations until March 29, 2024, one year after the first set of regulations were finalized.[1] While enforcement of the regulations is postponed, the statute itself is still effective and enforceable.


The CPRA signals a shift towards more focused regulations and enforcement of data privacy practices in furtherance of an ongoing commitment to protecting consumers in the digital age. By expanding the scope of the CCPA, introducing new concepts, and establishing the CPPA, the CPRA sets higher standards for data protection and transparency. As financial professionals and businesses navigate the evolving landscape of data privacy, understanding the nuances of the CPRA is vital. Businesses operating in or interacting with Californian data (which is almost any financial professional or business with a practice that touches California in any way) should prioritize compliance efforts to navigate the evolving regulatory landscape.

For information on the CPRA and the operational changes we recommend, please see our prior article on this topic. For information on privacy laws generally (including those in California), please visit our Global Privacy & Cybersecurity Blog.


By the Investment Management and Broker-Dealer Team at Kilpatrick Townsend & Stockton

This content is provided by Kilpatrick Townsend & Stockton LLP for informational purposes only and is not intended to advertise our firm’s services, to solicit clients, or to provide legal advice.  Viewers should not rely on the posted materials as advice about specific legal problems.  Such advice can be rendered only by competent counsel familiar with the particular facts and circumstances involved.  Posting and viewing of the materials on our website or in printed form is not intended to constitute the rendering of legal advice or to create an attorney-client relationship with the viewer.  If Kilpatrick Townsend & Stockton LLP does not already represent you, and you send us an e-mail, your e-mail will not create an attorney-client relationship and will not be treated as privileged or confidential.

Attorney Advertising – Kilpatrick Townsend & Stockton LLP, 1100 Peachtree Street NE, Suite 2800, Atlanta, GA 30309 | 404-815-6500.

For more information, please refer to our Terms of Use and Privacy Policy.


[1] See Cal. Chamber of Comm. V. Cal. Privacy Protection Agency, 34-2023-80004106-CU-WM-GDS (Cal. Sup. Ct. June 30, 2023).


Knowledge assets are defined in the study as confidential information critical to the development, performance and marketing of a company’s core business, other than personal information that would trigger notice requirements under law. For example,
The new study shows dramatic increases in threats and awareness of threats to these “crown jewels,” as well as dramatic improvements in addressing those threats by the highest performing organizations. Awareness of the risk to knowledge assets increased as more respondents acknowledged that their