Cloud Compliance
Quick Reference · Not Legal Advice
CPRA Cheatsheet for Salesforce — Are You Compliant?
CPRA goes into effect January 1, 2023. New requirements for Sensitive Personal Information, opt-outs, and more. Use this cheatsheet to assess your Salesforce org. 7 key requirements. 4 steps to compliance. Start with free DataMasker.
Jan 1, 2023: CPRA effective date (already in effect)
$7,500: maximum fine per intentional violation
Sensitive PI: new data category, enhanced protections required
30 days: cure period (removed under CPRA)
CPRA REQUIREMENTS CHECKLIST
The California Privacy Rights Act (CPRA) expands CCPA with new categories, rights, and obligations. Use this checklist to evaluate your Salesforce org's compliance posture.
1. NEW: Sensitive Personal Information
  • Government ID, finances, geolocation
  • Race, religion, union membership
  • Communications, genetics, biometrics
  • Health and sexual orientation
Action: Inventory and classify this data in Salesforce
Product: Personal Data Discovery

2. OPT-OUT & PROFILING RESTRICTIONS
  • Right to opt out of automated decision-making
  • Profiling restrictions for sensitive PI
  • Additional protections for minors
Action: Record opt-outs; integrate with request systems
Product: Consent Management

3. RIGHT TO DELETE (RTBF)
  • Must notify third parties of deletion
  • Converted Leads, Cases, and Comments need special handling
  • Field History, email history, and archives are in scope
Action: Enable deletion/anonymization across all objects
Product: Privacy Rights Automation

4. RIGHT TO DATA PORTABILITY
  • Transmit in a commonly accepted format
  • Share with third parties
Action: Enable CSV, PDF, JSON exports
Product: Privacy Rights Automation

5. REASONABLE SECURITY
  • Private right of action for security breaches
  • Based on the California Customer Records Act definition
Action: Mask sandbox data; implement security controls
Product: DataMasker (FREE)

6. DATA MINIMIZATION / RETENTION
  • Collection must be "reasonably necessary"
  • Purpose limitation requirements
Action: Minimize data capture; tag records with classifications
Product: Data Retention

7. ANNUAL AUDIT & RISK ASSESSMENT
  • Cybersecurity audits for high-risk processors
  • Regular risk assessments required
Action: Run Salesforce Health Check; document controls
Product: All products with audit trails
How to Get Compliant (4 Steps)
1. Assess: Run discovery to identify gaps in your current Salesforce org
2. Classify: Tag new sensitive PI categories across all relevant objects
3. Implement: Deploy products for each CPRA requirement
4. Document: Maintain records and conduct an annual review

CPRA Readiness Checklist — Key Milestones
  • Sensitive PI inventoried
  • Opt-out processes active
  • Deletion workflows enabled
  • Audit trail enabled
Salesforce-Specific Considerations
Six areas where CPRA requirements intersect with Salesforce architecture and features.
  • Field History Tracking: Contains PII in change logs. Must be included in deletion workflows and is subject to access requests.
  • Chatter & Files: Unstructured data in posts, comments, and attachments needs coverage under CPRA requirements.
  • Sandboxes: Copies of production contain full PII. Mask them to prevent exposure to contractors and developers.
  • Einstein/AI: Automated decision-making and profiling restrictions apply to AI-powered predictions and scoring.
  • Experience Cloud: Self-service portals must support opt-out requests and privacy preference management.
  • Data.com/External Data: Third-party data sharing requires notifications and may trigger additional compliance obligations.

Quick Reference: CPRA to Salesforce Mapping
CPRA Requirement  | Salesforce Object/Feature               | Cloud Compliance Product
Sensitive PI      | Custom fields, objects, Field History   | Personal Data Discovery
Opt-out           | Individual object, Consent preferences  | Consent Management
Delete (RTBF)     | Contact, Lead, Cases, Field History     | Privacy Rights
Portability       | All customer objects, Reports           | Privacy Rights
Security          | Sandbox data, User permissions          | DataMasker (FREE)
Minimization      | All objects, Required fields            | Data Retention
Frequently Asked Questions
What's the difference between CCPA and CPRA?
CPRA expands CCPA with sensitive PI, new rights (opt-out of automated decision-making), stricter requirements for children's data, and the creation of a dedicated privacy enforcement agency.
Does CPRA apply to B2B data?
Some B2B exemptions have been reduced under CPRA. Employee and B2B data are now subject to more CPRA requirements than under CCPA. Review your B2B data handling practices.
What's the deadline for CPRA compliance?
January 1, 2023 — CPRA is already in effect. The cure period for violations has been removed, meaning enforcement can happen immediately upon discovery.
How do I get started?
Start with free DataMasker for sandbox security. Then assess your current state, classify Sensitive PI, implement controls, and document your compliance efforts.