The California Privacy Rights Act amended the California Consumer Privacy Act in 2020 and took effect on January 1, 2023. CPRA is what most US privacy programs now operationalize when they talk about "California compliance." The original CCPA was the framework. CPRA is the version that ships in production.
CPRA made four changes that matter for in-house teams. It created the California Privacy Protection Agency as a dedicated enforcement body, separate from the Attorney General. It introduced a new category of "sensitive personal information" with its own consumer rights and processing limitations. It tightened the rules around third-party data sharing and sales, including expanded opt-out signals like Global Privacy Control. And it added consumer rights around correction of inaccurate data and limited use of sensitive information.
Operationally, CPRA brought California closer to GDPR without becoming GDPR. The vocabulary is different (consumer instead of data subject, sensitive personal information instead of special category data), but the operational requirements rhyme: notice at collection, rights to access and delete and correct, contracts with vendors that touch the data, processing limitations on sensitive categories.
For SaaS vendors, the practical impact is that the contract-with-service-providers requirement is functionally an analog of GDPR Article 28. The vendor agreement has to spell out the limited purposes, the prohibition on sale or further use, and the obligation to assist with consumer requests. Most modern DPAs now bolt CCPA/CPRA terms onto the GDPR Article 28 backbone rather than maintaining two separate contracts.