Frequently Asked Questions (FAQs) related to California Privacy Rights Act (CPRA)
Here are commonly asked questions related to the CPRA:
1. How does the CPRA change privacy laws in California, and am I impacted?
The CPRA takes effect on January 1, 2023 and, for most of its provisions, applies to personal information collected on or after January 1, 2022. It amends and expands the existing CCPA rather than replacing it, and brings many changes for businesses. The most immediate change is who is subject to the law: a for-profit business that does business in California and, in the preceding calendar year, either had more than $25 million in annual gross revenue, or bought, sold, or shared the personal information of 100,000 or more consumers or households, or derived 50% or more of its annual revenue from selling or sharing personal information.
Beyond that, the CCPA's temporary exemptions for employee and business-to-business personal information end, so a CPRA compliance program must also cover the business's own employees', job applicants', and contractors' information. Other major changes include the obligation to honor a consumer's opt-out preference signal, such as the Global Privacy Control (GPC), the expansion of the "Do Not Sell" opt-out into "Do Not Sell or Share", and the need to revise existing vendor contracts so that service-provider, contractor, and third-party arrangements contain the terms the CPRA requires for such arrangements.
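The opt-out preference signal mentioned above is, in practice, an HTTP request header. Browsers and extensions that implement the Global Privacy Control send `Sec-GPC: 1`, and a business that honors it must treat the request as coming from a consumer who has opted out of sale and sharing. The following is an added example (not code from the original page or from any GPC implementation) of how a web backend can detect the signal, gate sell/share processing on it, and record it against a known consumer's profile. The `ConsumerPrefs` structure, the `may_sell_or_share` policy, and the conflict-handling rule (a GPC signal wins over a stored "allowed" state) are assumptions for the example; only the `Sec-GPC` header, its value `1`, and the shape of the `/.well-known/gpc.json` document come from the GPC specification.

```python
"""Honor the Global Privacy Control (GPC) opt-out preference signal.

Added example for the CPRA "Do Not Sell or Share" discussion. The request
headers and consumer-preference records below are constructed for the
example; only the `Sec-GPC` header, its defined value "1", and the
`/.well-known/gpc.json` document format come from the GPC specification.
"""
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass
class ConsumerPrefs:
    """Hypothetical business-specific preference stored for a known consumer.

    `opted_out_of_sale_share` is None when the consumer has never used the
    business's own "Do Not Sell or Share My Personal Information" control.
    """
    opted_out_of_sale_share: Optional[bool] = None


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True when the request carries a valid GPC opt-out signal.

    The GPC spec defines the header `Sec-GPC` with the single value "1".
    HTTP header field names are case-insensitive, so match them that way;
    any value other than "1" (e.g. "0" or an empty string) is not a signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_gpc_to_profile(headers: Mapping[str, str], prefs: ConsumerPrefs) -> bool:
    """Persist a GPC opt-out onto a known consumer's stored preferences.

    Assumed policy: a GPC signal is an opt-out request and takes precedence
    over a previously stored "allowed" state. Returns True if the stored
    preference was changed by this request.
    """
    if gpc_signal_present(headers) and prefs.opted_out_of_sale_share is not True:
        prefs.opted_out_of_sale_share = True
        return True
    return False


def may_sell_or_share(headers: Mapping[str, str],
                      prefs: Optional[ConsumerPrefs] = None) -> bool:
    """Decide whether this request may feed sale/sharing (e.g. ad-tech tags).

    Decision order (assumed policy for this example):
      1. A GPC signal on the request means no sale/sharing, regardless of
         any stored business-specific setting.
      2. Otherwise a stored explicit opt-out still applies.
      3. Otherwise (no signal, no stored opt-out) sale/sharing may proceed.
    """
    if gpc_signal_present(headers):
        return False
    if prefs is not None and prefs.opted_out_of_sale_share is True:
        return False
    return True


def gpc_well_known_document(last_update: str) -> dict:
    """Body of GET /.well-known/gpc.json advertising that the site honors GPC.

    `last_update` is an ISO 8601 date (YYYY-MM-DD) supplied by the caller.
    """
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    # Constructed requests: one from a GPC-enabled browser, one without.
    gpc_request = {"Host": "shop.example", "Sec-GPC": "1"}
    plain_request = {"Host": "shop.example", "Accept": "text/html"}
    prefs = ConsumerPrefs()  # known consumer with no stored choice
    print("GPC request may sell/share:", may_sell_or_share(gpc_request, prefs))
    print("profile updated:", apply_gpc_to_profile(gpc_request, prefs))
    print("later plain request may sell/share:", may_sell_or_share(plain_request, prefs))
    print(gpc_well_known_document("2023-01-01"))
```

Wire `may_sell_or_share` in front of whatever emits third-party tags, pixels, or server-side audience syncs, and call `apply_gpc_to_profile` whenever the request is authenticated, so the opt-out survives into sessions where the consumer's browser no longer sends the signal.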
2. What is sensitive personal information under the CPRA?
Under the CPRA, sensitive personal information is personal information that reveals a consumer's government identifiers (social security number, driver's license, state ID card, or passport number); account log-in, financial account, or debit/credit card number together with any required password or access code; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of mail, email, or text messages where the business is not the intended recipient; or genetic data. It also covers biometric information processed to uniquely identify a consumer, information about a consumer's health, and information about a consumer's sex life or sexual orientation.
3. What new rights does the CPRA give consumers?
One of the most important changes the CPRA brings compared to the CCPA is the consumer's right to correct inaccurate personal information that a business holds about them. This covers information that was wrong when collected as well as information that has since become inaccurate, incomplete, or obsolete. The CPRA also adds a right to opt out of the sharing (not just the sale) of personal information and a right to limit the use and disclosure of sensitive personal information to what is necessary to provide the requested goods or services.
4. What is the purpose limitation under the CPRA?
Purpose limitation under the CPRA is closely related to the GDPR's purpose limitation principle, and it comes paired with a data minimization requirement. A business may collect, use, retain, and share personal information only for the specific, explicit purposes disclosed to the consumer at or before the point of collection, and not for further purposes that are incompatible with those unless it gives new notice. The collection, use, retention, and sharing must also be reasonably necessary and proportionate to those disclosed purposes.
5. What does CPRA say about minors' personal information?
Much like the CCPA, the CPRA prohibits a business from selling or sharing the personal information of a consumer under 16 unless it has affirmative (opt-in) authorization: from the consumer themselves if they are at least 13 but under 16, or from a parent or guardian if the consumer is under 13. If consent is refused, the business must wait at least 12 months before asking again, or until the consumer turns 16.
These obligations apply only if the business has "actual knowledge" of the consumer's age; a business that willfully disregards a consumer's age is treated as having actual knowledge. In any case, the business must also comply with its obligations under the federal Children's Online Privacy Protection Act regarding the personal information of children under the age of 13.
6. Who enforces the CPRA?
The CPRA is enforced by the newly created California Privacy Protection Agency (CPPA), which has administrative enforcement authority and rulemaking power, and by the California Attorney General, who retains the authority to bring civil enforcement actions. The CPPA's administrative enforcement authority does not begin until July 1, 2023, although the CPRA itself takes effect on January 1, 2023, so in the interim the Attorney General remains the enforcement authority for business practices that do not comply with the law.
7. What notice obligations does the CPRA introduce?
Presently, the CCPA requires businesses to inform consumers, at or before collection, of the categories of personal information to be collected and the purposes for which they will be used. The CPRA expands these requirements: a business must also state whether each category of personal information is sold or shared, how long it intends to retain each category (or, if that is not possible, the criteria used to determine the retention period), and give separate notice of the categories of sensitive personal information collected and the purposes for which they are used.
8. Does the CPRA introduce a new applicability scope?
The CPRA expands the applicability scope of the CCPA by altering the definition of "business". There are four categories under the CPRA: a for-profit entity that determines the purposes and means of processing consumers' personal information and meets one of the thresholds; an entity that controls or is controlled by such a business, shares common branding with it, and with which the business shares personal information; a joint venture or partnership composed of businesses in which each has at least a 40 percent interest; and a person doing business in California that voluntarily certifies to the CPPA that it is in compliance with, and agrees to be bound by, the law.
9. What CCPA exceptions are impacted by the CPRA?
The CPRA introduces several modifications, clarifications, and changes to the exemptions made in the CCPA. These include the Trade Secret Exemption, Household Data Exemption, Student Information and Assessments Exemption, Physical Item Exemption, Commercial Credit Reporting Agency Exemption, Public Information Exemption, De-identified Information Exemption, Fair Credit Reporting Act Information Exemption, Car Dealer-Manufacturer Exemption, Financial Information Exemption, Aggregate Information Exemption, Medical Information Exemption, Healthcare Providers and Covered Entities Exemption, Clinical Trial Exemption, Driver's Privacy Protection Act of 1994 Exemption, Evidentiary Privilege Exemption, and Legal Compliance and Law Enforcement Cooperation Exemption.
10. Does the CPRA introduce any security assessment requirements?
Yes. The CPRA directs the CPPA to issue regulations requiring businesses whose processing of personal information presents significant risk to consumers' privacy or security to perform an annual cybersecurity audit and to submit regular risk assessments to the agency. The audit must be thorough and independent, and the risk assessment must weigh the benefits of the processing against its risks to consumers. The detailed scope, format, and submission requirements are set by the CPPA's regulations.
11. Does CPRA apply to non-profit organizations and government agencies?
Like the CCPA, the CPRA applies only to for-profit businesses that meet its thresholds. Its provisions therefore do not apply to government agencies or non-profit organizations, although a non-profit or public body may still be subject to a business's contractual obligations when it acts as a service provider or contractor.
12. What violations does CPRA impose?
The California Privacy Rights Act (CPRA) sets out administrative fines in Section 1798.155 (Administrative Enforcement). Any business, service provider, contractor, or other person that violates the CPRA is liable for an administrative fine of up to $2,500 for each violation, rising to up to $7,500 for each intentional violation and for each violation involving the personal information of consumers the business knows are under 16 years of age.
The statute further provides that administrative fines and settlement proceeds are deposited into the Consumer Privacy Fund. These funds are used to offset the costs incurred by the state courts, the Attorney General, and the CPPA in connection with the law.
13. What is the CPRA look-back period?
Businesses should not assume that the CPRA's changes matter only from January 1, 2023. The law takes effect on that date, but it contains a "look-back" provision: a consumer's right to know now reaches personal information collected on or after January 1, 2022, and a business can no longer limit a response to the previous 12 months unless providing older information would be impossible or involve disproportionate effort. This means that exemptions the CCPA provided but the CPRA removes will still be felt in 2023 if a business has not prepared. For instance, once the employee exemption ends, a business must be able to respond to a verified access request from an employee covering personal information dating back to January 1, 2022.
14. Does CPRA require training?
Yes. Section 1798.130(a)(6) of the CPRA requires a business to ensure that all individuals responsible for handling consumer inquiries about its privacy practices, or about its compliance with the law, are informed of all the requirements in Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.125, and 1798.130, and know how to direct consumers to exercise their rights. In practice this means providing privacy training to personnel who handle consumers' or employees' requests and personal information, and keeping records of it.