California Privacy Rights Act

 

Next Steps
Home » Solutions » Data Masking » CPRA

Quick Links

+
Overview Auditing DPDPA CPRA DLP FERPA GDPR HIPAA PCI DSS DMaaS Static Dynamic Real-Time Test Data/TDM

Passed in 2020, the California Privacy Rights Act (CPRA) strengthens consumer data privacy rights established initially by the California Consumer Privacy Act (CCPA) passed in 2018. Key CCPA compliance requirements are:

1798.105

(a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.

(b) A business that collects personal information about consumers shall disclose, pursuant to subparagraph (A) of paragraph (5) of subdivision (a) of Section 1798.130, the consumer's rights to request the deletion of the consumer's personal information.

(c) A business that receives a verifiable request from a consumer to delete the consumer's personal information pursuant to subdivision (a) of this section shall delete the consumer's personal information from its records and direct any service providers to delete the consumer's personal information from their records.

1798.110

(a) A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:

  1. The categories of personal information it has collected about that consumer.
  2. The categories of sources from which the personal information is collected.
  3. The business or commercial purpose for collecting or selling personal information.
  4. The categories of third parties with whom the business shares personal information.
  5. The specific pieces of personal information it has collected about that consumer.

These provisions, including the right to delete personal data, speak to the basic intentions of consumer data protection under CCPA, and to the need for software capable of supporting them.

IRI provides the best data masking tools for CPRA compliance because they help you find, classify, de-identify or remove -- and audit changes to -- customer records in structured, semi-structured, and unstructured data sources on-premise or in the cloud. In fact, all of these features are in the affordable IRI FieldShield, CellShieldEE and DarkShield data masking tools, or the comprehensive IRI Voracity data management platform which includes them.

a crowd of people

The penalties for non-compliance are severe, and failing to comply is an option no business should take. As enforced under 1798.150:

  • (a) (1) Any consumer whose nonencrypted or nonredacted personal information ... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
    • (A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
    • (B) Injunctive or declaratory relief.
    • (C) Any other relief the court deems proper.

Static data masking tools can help you comply with the CPRA. The proven data masking tools and services from IRI deliver:

  • multi-source data profiling, classification, search, extraction and reporting functions for DSARs
  • data deletion or de-identification functions for PII everywhere, to comply with the right to erasure
  • multiple redaction, encryption, pseudonymization, anonymization and other data obfuscation methods
  • the ability to extract, structure, reformat and deliver PII to provide for data reporting and record portability
  • peer-reviewed re-ID risk scoring to measure the likelihood of exposing someone even from demographic data 
  • quasi-identifier blurring (random noise) and bucketing (generalization) to anonymize data and preserve its value
  • query-ready data search and mask job logs -- internal or displayed in SIEM tools -- for CRPA compliance verification.
Data Protector Suite PDF Cover

Frequently Asked Questions (FAQs)

1. What is the California Privacy Rights Act (CPRA)?
The CPRA is an expansion of the California Consumer Privacy Act (CCPA) that strengthens consumer rights around personal data. It includes provisions for data access, deletion, and portability, and requires businesses to implement proper data protection practices.
2. How does CPRA differ from CCPA?
While CCPA focused on transparency and consumer rights, CPRA adds stricter enforcement, a new regulatory agency (the CPPA), expanded consumer rights, and more detailed requirements around data retention, security, and third-party sharing.
3. What rights do consumers have under the CPRA?
Under CPRA, consumers have the right to request:
  • Deletion of their personal information
  • Disclosure of what personal data has been collected
  • Access to the sources, recipients, and purposes of data collection
  • Portability and correction of personal data
4. How can businesses comply with CPRA deletion requests?
Businesses must locate and delete personal data upon verified request and ensure that all service providers also delete the relevant data. This includes structured, semi-structured, and unstructured data environments.
5. What happens if a business fails to comply with the CPRA?
Non-compliance can lead to civil penalties of $100–$750 per consumer per incident, or actual damages if greater. Businesses may also face court-ordered injunctive relief and reputational damage.
6. How can IRI tools help with CPRA compliance?
IRI FieldShield, DarkShield, and CellShield EE — and the IRI Voracity platform — help organizations discover, classify, mask, or delete PII. They support data subject access requests (DSARs), ensure secure record handling, and maintain detailed audit trails for verification.
7. What types of data can IRI tools search and mask for CPRA?
IRI tools can operate on structured data (like databases and flat files), semi-structured data (like XML and JSON), and unstructured sources (like PDFs, Word docs, images, and NoSQL). This ensures full coverage for CPRA compliance.
8. What masking methods are supported by IRI for CPRA?
Supported methods include:
  • Redaction
  • Pseudonymization
  • Encryption
  • Anonymization
  • Data blurring
  • Scrambling
  • Quasi-identifier bucketing and noise injection
9. Can IRI tools help measure re-identification risk?
Yes. IRI FieldShield includes peer-reviewed re-ID risk scoring that estimates how likely it is for someone to be re-identified from demographic or quasi-identifying data. This helps organizations ensure effective anonymization.
10. How does IRI support data portability under CPRA?
IRI tools allow users to extract, structure, and reformat personal data for delivery in standardized formats. This enables businesses to comply with CPRA's data access and portability requirements.
11. What role do audit logs play in CPRA compliance?
IRI tools generate machine-readable audit logs for every masking or deletion job. These logs can be queried internally or exported to SIEM tools like Splunk to prove compliance during audits or investigations.
12. Can IRI tools be used in on-premise and cloud environments?
Yes. IRI tools are designed to run in both on-premise and cloud environments, enabling CPRA compliance across hybrid data infrastructures.
Share this page

Request More Information

Live Chat

* indicates a required field.
IRI does NOT share your information.

Follow us on

Solutions
Products
Customers
Services
Company
Support
News
Partners

Copyright © 2025 Innovative Routines International (IRI), Inc.

Live Chat More Info Newsletter
Live Demo Free Trial Get Quote

Get the IRI Newsletter

See Previous Newsletters