Summary of CPRA – A Section by Section Overview of the California Privacy Rights Act

Published May 26, 2022
Contributors

Anas Baig

Product Marketing Manager at Securiti

Omer Imran Malik

Senior Data Privacy Consultant at Securiti

FIP, CIPT, CIPM, CIPP/US

We are nearing the year in which the California Privacy Rights Act (CPRA) becomes fully effective, on January 1, 2023, with civil and administrative enforcement following six months later, on July 1, 2023. The CPRA is an upgraded and more comprehensive version of the California Consumer Privacy Act (CCPA). It adds more consumer rights, imposes added obligations on businesses, and creates a new agency responsible for enforcing the act: the California Privacy Protection Agency (CPPA).

This section-by-section summary of the CPRA gives businesses a quick overview of the varying obligations that the law imposes.


Summary of CPRA

Section 1: Title: The California Privacy Rights Act of 2020

This section mentions the term by which the law is to be cited.

Section 2: Findings and Declarations

Section 2 is a preamble explaining why a law is needed that puts consumers on an equal footing with businesses with regard to controlling how the latter collect, store, share, or sell consumers' personal information. The section has twelve subsections (A to L) that sketch the concept of privacy rights, its inclusion in the California Constitution in 1972, the proposition and enactment of various privacy laws including the CCPA, the need to bolster consumers' rights, the need for parental or guardian approval in the case of a minor's consent, data security and business accountability, and the need for an independent agency that ensures full enforcement of the law.

Section 3: Purpose and Intent

Section 3 is one of the critical sections of the act as it covers the essence that guides the implementation of the act. The section is further broken down into three subsections:

  • Section A, Consumer Rights - defines and establishes the varying rights that consumers have over the protection and privacy of their data, and how they can execute those rights.
  • Section B, The Responsibilities of Businesses - cites mostly limitations around consumers' privacy and data protection, and accountability when it comes to violations.
  • Section C, Implementation of the Law - is critical to the successful implementation of the law as it limits the Legislature from introducing any amendments that compromise or weaken consumer privacy.

Section 4: General Duties of Businesses That Collect Personal Information

Section 4 of the CPRA establishes the general responsibilities or principles that CPRA-applicable businesses must follow when dealing with consumers' personal information. Specifically, this section highlights the following important obligations:

  1. Businesses that control the collection of consumers' personal information must inform them of the following prior to collection:
    • the categories and purposes of personal information and sensitive personal information to be collected or used, and whether such information is sold or shared;
    • the duration for which the business intends to retain each category of such information, or the criteria used to determine that period, so that the business does not retain a consumer's personal information or sensitive personal information for longer than is reasonably necessary for the disclosed purpose.
  2. Businesses must ensure that their collection, use, retention, and sharing of consumers' personal information is reasonably necessary and proportionate to their stated intent.
  3. For the sale, sharing, or disclosure of Personal Information to third parties, service providers, or contractors, businesses are required to enter into agreements, which outline:
    • the limited and specified purposes of personal information being sold or disclosed by the business;
    • obligations that the third party, service provider, or contractor has to comply with to provide the adequate privacy protections;
    • reasonable and appropriate steps to ensure that the third party, service provider, or contractor uses the personal information in line with the business's obligations;
    • how a third party, service provider, or contractor can notify a business when it is unable to meet its obligations; and subsequently the rights of the business to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information in such a case.

Businesses must also implement reasonable security procedures to protect personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.

Sections 5 to 11 discuss the rights of consumers under the CPRA.

Section 5: Consumers' Right to Delete Personal Information

Section 5 empowers consumers to exercise their right to delete personal information collected by businesses or any third parties and in such cases:

  • Any business that receives a verifiable consumer request should comply with it and also notify all third parties to whom it has sold or shared such personal information to delete it;
  • A confidential record of deletion requests should be maintained by the business.

However, the right to deletion comes with a certain set of limitations. For instance, a business need not comply with the request if the information is reasonably necessary:

  • To complete transactions for which the personal information was collected;
  • To fulfill the terms of a written warranty or product recall conducted in line with Federal Law;
  • To provide a good or service as requested by the consumer as well as internal use of the business which is compatible with the context in which the consumer provided the information;
  • For the performance of a contract between the business and the consumer;
  • To exercise free speech or any other rights provided by the law;
  • To comply with the California Electronic Communications Privacy Act;
  • For public, peer-reviewed scientific or historical research that conforms with all privacy laws.

Section 6: Consumers' Right to Correct Inaccurate Personal Information

Section 6 gives consumers the right to request that a business update and correct inaccurate personal information it may hold about them, and obliges the business to carry out the update or rectification. It is important to highlight that businesses are obliged to use "commercially reasonable efforts" to correct personal information.

Section 7: Consumers' Right to Know What Personal Information is Being Collected. Right to Access Personal Information

Often cited as the right to access, Section 7 provides consumers with the right to request businesses to disclose information relating to the:

  • Personal Information collected from consumers;
  • The source from where it was collected;
  • The business or commercial purpose for collection; and
  • The category of third parties with whom the information is shared or sold.

Businesses are also obliged to disclose this information to their consumers in a general manner in their privacy notice.

Section 8: Consumers' Right to Know What Personal Information is Sold or Shared and to Whom

Section 8 continues the right to access described above and allows consumers to request that businesses disclose information relating to the:

  • Categories of personal information sold or shared and categories of third parties to whom it was sold/shared;
  • Categories of personal information disclosed for a business purpose and categories of persons to whom it was disclosed.

Businesses are also obliged to disclose this information to their consumers in a general manner in their privacy notice.

Third parties to whom a consumer's personal information is sold or shared are restricted from further selling or sharing consumers' PI unless the consumer first receives an explicit notice and has been given an opportunity to exercise their right to opt-out, which is defined under Section 9.

Section 9: Consumers' Right to Opt-Out of Sale or Sharing of Personal Information

Section 9 establishes the right of a consumer to opt out of the sale or sharing of their personal information by a business. Furthermore, guardians of a minor (under 13) must provide opt-in consent for the sale and sharing of their Personal Information, and in the case of consumers from ages 13 to 16, a business needs to get the opt-in consent of the minor.

Section 10: Consumers' Right to Limit Use and Disclosure of Sensitive Personal Information

Section 10 details the consumers' right to limit the use or disclosure of their sensitive personal information including:

  • Right to limit a business's collection and use of sensitive personal information to that which is reasonably necessary to perform the services or provide the goods requested by an average consumer;
  • Right to notification by a business that has used or disclosed the consumer's sensitive personal information for purposes other than those specified;
  • Right to give consent for the use or disclosure of sensitive personal information for additional purposes;
  • Moreover, a service provider or contractor to whom the consumer's personal information is disclosed is required to limit its use of sensitive personal information if the consumer requests the business and it is communicated to the service provider/contractor.

Section 11: Consumers' Right of No Retaliation Following Opt-Out or Exercise of Other Rights

Section 11 prohibits businesses from discriminating against a consumer in product offerings, pricing, or the quality of goods offered, and from retaliating against an employee, an applicant for employment, or an independent contractor, because they exercised any of their rights under this law.

Moreover, if a consumer refuses to provide opt-in consent, the business must wait at least 12 months before asking the consumer for opt-in consent again.

Also, a business can offer financial incentives including payments as compensation to the consumer for the collection, sale, or sharing of their personal information. However, these incentives should not be unjust, unreasonable, coercive, or usurious in nature.

Section 12: Notice, Disclosure, Correction, and Deletion Requirements

Section 12 gives details regarding fulfillment of Data Subject Rights (DSR), including but not limited to:

  • Designating at least two methods through which customers can submit requests including a telephone number, and an email address (in case the business operates online), or an internet website where requests can be submitted;
  • All DSR requests need to be verified and responded to within 45 days of receipt. This can be extended by an additional 45 days when reasonably necessary, provided the requesting consumer is notified of the extension;
  • A DSR request to access can deal with disclosures of the required information covering the 12-month period preceding the business's receipt of the request. However, if the request requires information beyond this period the business is obligated to only provide information that is collected on or after January 1, 2022;
  • Service providers or contractors are obligated to provide assistance to a business with which it has a contractual relationship to help fulfill a verifiable consumer request;
  • Requirement of disclosing information through an online privacy policy detailing a description of consumer privacy rights and how consumers can exercise them.

Section 13: Methods of Limiting Sale, Sharing, and Use of Personal Information and Use of Sensitive Personal Information

Section 13 discusses the methods through which consumers can exercise their right to limit the sale or sharing of their personal information and the use of their sensitive personal information. Section 13 instructs businesses to provide consumers with two "clear and conspicuous" buttons on their homepage that must be titled:

  1. "Do Not Sell or Share My Personal Information."
  2. "Limit the Use of My Sensitive Personal Information."

Moreover, the business can also use a single, clearly-labeled link on the business's internet homepage allowing a consumer to opt out of the sale or sharing of the consumer's personal information and to limit the use or disclosure of the consumer's sensitive personal information and must also build capabilities to receive and recognize a global opt-out preference signal.

Section 14: Definitions

Section 14 provides the definitions for the varying terms which are used throughout the act, including but not limited to business, advertising and marketing, biometric information, business purpose, commercial purpose, consent, consumer, and cross-context behavioral advertising, to name a few.

Two of the most significant terms added by the CPRA are:

  1. 'Share' means the non-monetary exchange of personal information between a business and a third party for the purposes of cross-context behavioral advertising.
  2. 'Sensitive personal information' (SPI), which includes highly sensitive data such as Social Security number, driver's license, state identification card, passport number, financial account information and log-in credentials, debit card or credit card number along with access codes, precise geolocation data, religious or philosophical beliefs, ethnic origin, contents of communications, genetic data, biometric information processed for the purpose of identification, health information, and information about sex life or sexual orientation.

Section 15: Exemptions

Section 15 is one of the more extensive sections of the CPRA. It clarifies that the obligations imposed on businesses do not restrict a business's ability to:

  • Comply with federal, state, or local laws or court requirements;
  • Comply with requirements of law enforcement agencies;
  • Cooperate with government agency requests for emergency access in cases of risk or danger of death to a person;
  • Exercise or defend legal claims;
  • Collect, use, retain, share or disclose de-identified or aggregate consumer information;
  • Collect, share, or sell consumer personal information if the commercial conduct in question takes place outside of California.

The section also lists categories of information and activities to which the act does not apply, including but not limited to:

  • Medical or protected health information pursuant to the HIPAA 1996 and the Health Information Technology for Economic and Clinical Health Act;
  • Activities of consumer reporting agencies;
  • Personal information subject to regulation under the Fair Credit Reporting Act;
  • Personal information collected, processed, or sold subject to the Gramm-Leach-Bliley Act;
  • Personal information collected, processed, sold, or disclosed pursuant to the Driver's Privacy Protection Act, etc.

Section 16: Personal Information Security Breaches

Section 16 highlights the right of consumers to institute a civil action to recover damages when their personal information is breached as a result of a business's failure to provide adequate security and protection. Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater; consumers can also request injunctive or declaratory relief.

However, prior to initiating such an action in the case of a breach, a consumer must provide the business with 30 days' written notice identifying the specific violations of the law, and the business then has 30 days to cure the violation. The CPRA has clarified, though, that a business cannot cure the violation by beginning to provide adequate security for the personal information after a breach has already occurred.

Section 17: Administrative Enforcement

Section 17 introduces administrative fines in the event of a violation. In an administrative enforcement action by the California Privacy Protection Agency (CPPA), a business may be fined $2,500 for each violation, or $7,500 for each intentional violation or violation involving the personal information of consumers under 16 years of age. It is important to note that the CPRA has also removed the 30-day cure period for violations of the law by businesses, service providers, contractors, and third parties.

Section 18: Consumer Privacy Fund

A special fund, named the "Consumer Privacy Fund," is created under Section 18 of the CPRA. The funds, received from fines, will first be used to offset any costs incurred in CPRA enforcement. The section further breaks down the percentage of the fund that is either to be kept in the State Treasury or used for privacy awareness programs.

Section 19: Conflicting Provisions

Section 19 discusses the purpose of the law and how it is intended to supplement other laws that ensure consumers' privacy and data protection. The section states that the provisions of this law are not limited to information collected electronically or over the internet, but apply to the collection and sale of all personal information collected by a business from consumers.

Moreover, in the case of conflict between other laws and the provisions of CPRA, precedence will be given to the law that provides the greatest protection for the right of privacy for consumers.

Section 20: Preemption

Section 20 establishes that CPRA preempts other local laws.

Section 21: Regulations

Section 21 provides a list of obligations and responsibilities for the Attorney General, which are later passed on to the agency newly created under the CPRA, the California Privacy Protection Agency (CPPA). The highlighted regulations include establishing rules and procedures for annual cybersecurity audits, regular risk assessments, the scope of the opt-out right, and specifications for defining what constitutes a minor.

Section 22: Anti-Avoidance

Section 22 outlines provisions empowering courts or the California Privacy Protection Agency to disregard intermediate steps or transactions conducted by a business or others with the intention of avoiding the requirements of the CPRA. This provision signifies that businesses subject to the CPRA should implement the necessary protocols to be in full compliance with its requirements.

Section 23: Waiver

Section 23 deems void and unenforceable, as contrary to public policy, any agreement or contract that waives or limits rights under the CPRA.

Section 24: Establishment of California Privacy Protection Agency

Under Section 24, the CPRA establishes a new enforcement agency, CPPA, that will be enforcing and implementing the act instead of the Attorney General. Section 24 further details the timeline of the appointment of the agency, and its members.

Section 25: Amendment

Section 25 restricts the Legislature from amending the act unless the amendments are intended for the purpose of enhancing privacy protection.

Section 26: Severability

Section 26 defines the severability of the act: if any part of the act is deemed invalid for any reason, the remaining provisions will not be affected and will remain in full force and effect.

Section 27: Conflicting Initiatives

N/A

Section 28: Standing

Section 28 cites that if the State or its officials fail to defend the constitutionality of the act, any other government agency of the State shall have the authority to intervene in any court action to defend its constitutionality.

Section 29: Construction

The act shall be construed liberally to give full effect in implementing the statute's requirements.

Section 30: Savings Clause

Section 30 strictly cites that the act shall supplement other federal or state laws but shall not apply where it conflicts with federal or state laws, or the California Constitution.

Section 31: Effective and Operative Dates

Section 31 states the effective date of the CPRA which will be January 1, 2023, with the exemption that the right to access personal information may not apply for PI collected by a business on or before January 1, 2022.
