Products

Data Command Center
View

Data+AI Teams

Data+AI Security Teams

Data Governance Teams

Data Privacy Teams

Build safe enterprise AI systems

Safe Enterprise AI Copilots

Implement rule-aware AI copilots across your organization’s data anywhere

Data Vectorization and Ingestion

Extract info from complex Unstructured Files, convert it into AI-ready formats, and sync to vector databases

Data Curation and Sanitization for AI

Transform raw, unstructured files into data ready for model training and tuning

Context-aware LLM Firewalls

Protect AI interactions with intelligent retrieval, response, and prompt firewalls

Unstructured Data Governance

Manage and govern unstructured data to enable its safe use with generative AI

Secure Data+AI anywhere

Data Security Posture Management

Secure sensitive data everywhere from hybrid multicloud to SaaS

AI Security & Governance

Establish controls for safe adoption of AI technologies including GenAI

Security for AI Copilots in SaaS

Unblock the biggest impediments for Safe Adoption of AI Copilots like Microsoft 365 Copilot

Data Access Intelligence & Governance

Monitor user access to data and enforce least privilege controls

Data Discovery & Classification

Discover shadow and cloud-native assets and accurately classify data

Compliance Management

Assess & improve compliance with security best practices frameworks

Breach Impact Analysis

Analyze breach impact & automate notifications to affected individuals

Data Flow Governance

Understand data lineage and secure real-time streaming data

Govern data for safe innovation

Data Discovery & Classification

Discover shadow and cloud-native assets and accurately classify data

Unstructured Data Governance

Manage unstructured data to enable safe use with generative AI

Data Access Governance

Monitor sensitive data access and prevent unauthorized use

AI Governance

Establish controls for safe adoption of AI technologies including GenAI

Data Catalog

Enable users to easily find, understand, trust and access the data they need

Data Lineage

Automatically track changes and transformations of data throughout its lifecycle

Data Quality

Conduct data quality checks and validation across various data types

Automate data privacy operations

Data Mapping Automation

Manage your entire data mapping lifecycle and automate RoPA reports

AI Governance

Comply with emerging AI regulations and ensure safe use of AI

Data Subject Request Automation

Automate entire DSR lifecycle from consumer request intake to secure report delivery

Assessment Automation

Automate your entire assessment lifecycle and demonstrate compliance

Consent Management

Manage your first-party and third-party consent lifecycle from scanning to reporting

Breach Management

Automate your incident management and optimize notifications to users & regulatory bodies

Privacy Center

Elegant Consumer Frontend, Fully Automated Backend, Privacy Regulation Intelligent Everywhere

Compliance Management

Use automation to audit and improve compliance with global regulations and industry standards
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

GCP

View

AWS

View

Databricks

View

Snowflake

View

Azure

View

+ More

View

Learn more

Regulations & Frameworks

Automate compliance with global privacy regulations.

CDMC

View

EU AI Act

View

NIST AI RMF

View

European Union GDPR

View

California's CPRA

View

Brazil's LGPD

View

Canada's PIPEDA

View

China's PIPL

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Data+AI Builders

View

Data Security

View

Data Privacy

View

Data Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.

Webinars

Learn from industry thought leaders why you need a Data Command Center to enable safe use of data.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Everything You Need to Know About CPRA Data Sharing Requirements

By Anas Baig | Reviewed By Omer Imran Malik

Published July 26, 2021 / Updated February 12, 2024

The CPRA is built on the data privacy management principles introduced by the CCPA in 2018. However, one of the major criticisms of the CCPA was that the expression ‘sale of personal data’ was never clear on whether it included sharing personal information between businesses and third parties for non-monetary consideration. The CPRA clarified this by explicitly providing a new term, ‘sharing of personal information.’

The CPRA defines data sharing as any disclosure of personal information (renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means) to third parties for cross-contextual behavioral advertising. Cross-contextual behavioral advertising is when a consumer is profiled and targeted based on personal information gained from his/her activity across various distinctly-branded businesses, websites, applications, or services. The purpose of sharing personal information can be for monetary benefits to the organization or any other enhanced personalization of services for the consumer.

The CPRA defines a “third party” as an entity with which the consumer is not intentionally interacting and to whom the consumer’s personal information is either sold or shared. Third parties are different from service providers and contractors, with whom businesses do not share or sell consumer personal information. They disclose consumer personal information for business or commercial purposes. Service providers and contractors have greater limitations on using, processing, and disclosing personal information than third parties.

It is easy to understand the data sharing concept by breaking it down into two key factors. For data to be “shared” under the CPRA, an organization must have:

Shared personal information with any third party entity which is neither a service provider nor a contractor, and
Used the information gained from other distinct and independent sources to provide targeted advertising to the consumer.

The CPRA lists certain actions which are not considered the ‘sharing of a consumer’s personal information by a business with a third party.’ Those actions are:

When consumers use or direct the business to disclose their personal information to a third party intentionally,
When a consumer intentionally interacts with a third party,
When a business shares an identifier with a third party to indicate that the consumer has opted-out of the sharing of their personal information, and
Finally, when a business transfers the personal information of a consumer to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business. However, it is conditional that the personal information is used or shared according to the purpose informed to the consumer at the time of personal information collection. If the usage or sharing purpose changes, the third party must notify the consumer again.

Suppose consumers do not opt-out of sharing their personal information with external entities for cross-context behavioral advertising. In that case, the organization can share all the collected personal information with third parties for monetary or non-monetary consideration.

Broadly speaking, consumer personal information includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Organizations also track and record consumer activity on their website. This includes tracking web page visits, product pages, time spent on each page, clicks on product links/descriptions, cart additions, checkouts, etc. This data is used to re-target visitors with ads to increase site traffic and conversions. The CPRA (similar to the CCPA) also considers this data as personal information.

The CPRA also introduces the new Sensitive Personal Information (SPI) category and provides that businesses may only use consumers’ SPI for limited business purposes. Consumers retain the power to restrict businesses from any other uses.

Some of the limited business purposes for which businesses can use consumer SPI include short-term use of the SPI, such as for non-personalized advertising to the consumer during the current interaction of the consumer - not utilizing profiling or sharing of the SPI with third parties.

For any further use, the consumer must be notified by the business and given a chance to opt out of the use of their SPI for that purpose.

Under the CPRA, SPI includes the following information:

Government-issued identifiers — Social Security, driver’s license, state identification card, or passport number.
Finances — Account log‐in, financial account, debit card, or credit card number combined with any required security or access code, password, or credentials allowing access to an account.
Geolocation — a consumer’s precise geolocation, including address, ZIP code, and city.
Race, religion, and union membership — Racial or ethnic origin, religious or philosophical beliefs, or union membership.
Communications — the contents of a consumer’s private communications, unless the company is the intended recipient of the communication.
Genetics — a consumer’s genetic data.
Biometrics — the processing of biometric information to uniquely identify a consumer.
Health — personal information collected and analyzed concerning a consumer’s health.
Sexual orientation — personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

It is important to note that SPI collected or processed without the purpose of inferring characteristics about a consumer is not subject to these restrictions.

According to the CPRA, businesses must sign agreements with third parties if they share consumer personal information with them. The agreements should explicitly:

State the limited and specified purposes explaining why the consumers’ personal information is being shared,
Obligate third parties to comply with the applicable obligations of the CPRA and provide a similar level of privacy protection to the disclosed consumers’ personal information as granted by the CPRA,
Grant businesses the right to take reasonable and appropriate steps to help ensure the third parties are using the transferred personal information in a manner that is consistent with their obligations under CPRA,
Require third parties to inform the business if they are unable to meet their obligations under the CPRA,
Provide businesses the right to stop and remediate the unauthorized use of transferred personal information either:
- After receiving a notice from a third party stating that they cannot meet their obligations under the CPRA.
- Or when the business has notified the third party to comply with their obligations under the CPRA, but they fail to do so.

Notify consumers at every point of personal information collection

The CPRA imposes additional obligations on the organization, collecting personal information (even if personal information is collected by service providers or contractors on the organization’s behalf) and sharing it with third parties.

Businesses that share consumers’ personal information with third parties are required to notify consumers at or before every collection point. The notification must include the following:

The categories of both personal information and sensitive personal information being collected,
The purpose for the collection and use of personal information and sensitive personal information,
Whether the business will share any of the collected information with external contractors,
The ‘retention period,’ which is the length of time each category of information is retained or the criteria for determining the retention period.

Organizations can notify consumers via display banners on their websites. These banners must have Opt-out links that are clearly visible and readable. The banners must also be placed in a prominent position on the landing page.

The CPRA mandates that businesses disclose within their privacy notice the following information about their personal information sharing activities:

Whether or not the business shares consumers’ personal information with third parties,
The business or commercial purpose for sharing the personal information,
The categories of consumers’ personal information they have shared with third parties, and
The categories of third parties with whom they are sharing the personal information.

Update Opt-out links and prominently display them on the homepage

Organizations that engage in sharing personal information must provide consumers with an option to opt out of sharing their personal information. The CPRA clarifies that any personal information that is disclosed for targeted advertising must have an option to opt out.

Additionally, organizations must update the “Do Not Sell My Personal Information” links to read “Do Not Sell or Share My Personal Information” and prominently display it on the website home page.

Businesses must wait at least twelve months before re-asking opted-out consumers for consent to share their personal information with third parties.

The CPRA mandates that businesses may not knowingly share children’s personal information without first gaining affirmative opt-in consent from the parents/guardians if they are below 13 years of age or directly from the child if they are aged between 13 and 15 years. Any business which ignores a consumer’s age shall be considered to be in actual knowledge.

Do not discriminate against Consumers who Opt-out

Consumers cannot be discriminated against if they choose to opt out of sharing their personal information. Businesses are barred from retaliating against consumers or employees who choose to exercise their rights under the CPRA in any of the following manners:

Denying goods or services to the consumer,
Charging different prices or rates for goods or services, including through the use of discounts, other benefits, or imposing penalties. (There are more qualified rules of how a business can offer financial incentives to consumers for allowing the sharing of their personal information),
Providing a different level or quality of goods or services to the consumer,
Suggesting that the consumer will receive a different price, different rate for goods and services, or a different level/quality of goods and services,
Retaliating against an employee, an employment applicant, or independent contractor for exercising their rights under the CPRA,
Degrading the consumer’s experience on the web page, they intend to visit after exercising the right to opt-out. The webpage must have a similar look, feel, and size relative to other links on the same web page.

Notify Third Parties of any Consumer Deletion Requests

The CPRA mandates that organizations must notify third parties, with whom they share consumer personal information, about any data deletion requests of their personal information.

Third parties with whom businesses have shared personal information must not further sell or share consumer personal information unless the concerned consumer has been informed, via an explicit notice, and provided a right to opt-out of the further sharing of their personal information.

Frequently Asked Questions (FAQs)

CPRA stands for the California Privacy Rights Act, which is a California state law that enhances and amends the California Consumer Privacy Act (CCPA).

The California Privacy Rights Act (CPRA) applies to businesses that exceed certain thresholds, including those that process personal information of 100,000 or more California consumers annually. Alternatively, businesses with annual gross revenues over $25 million may be subject to the CPRA.

The CPRA went into effect on January 1, 2023, with certain provisions becoming operative on January 1, 2022.

Get California Privacy Rights Act (CPRA) Readiness Assessment

Notify consumers at every point of personal information collection

Update Opt-out links and prominently display them on the homepage

Do not discriminate against Consumers who Opt-out

Notify Third Parties of any Consumer Deletion Requests

Frequently Asked Questions (FAQs)

Your Data+AI Command Center

Newsletter

Company

Resources

Terms

Get in touch

Everything You Need to Know About CPRA Data Sharing Requirements

Get California Privacy Rights Act (CPRA) Readiness Assessment

What is meant by data sharing under the CPRA?

What is not included in personal information sharing?

What is allowed under the data-sharing requirement of CPRA?

Sensitive Personal Information Sharing

What are your organization’s obligations before sharing data with contractors?

Have a written agreement with the third party before sharing personal information

Notify consumers at every point of personal information collection

Inform consumers about personal information sharing details

Update Opt-out links and prominently display them on the homepage

Gain Opt-in consent before sharing Children’s personal information

Do not discriminate against Consumers who Opt-out

Notify Third Parties of any Consumer Deletion Requests

Restrict re-sharing of personal information by Third Parties without notification

Frequently Asked Questions (FAQs)

Your Data+AI Command Center

Schedule a LIVE One-on-One Demo

Join Our Newsletter

Share

More Stories that May Interest You

CPRA Do Not Sell or Share My Personal Information – Definition

CPRA Cookie Consent – All You Need To Know [2024 Guide]

A Breathing Room for Businesses : Court Decision Postpones CPRA Enforcement Until March 2024

Newsletter

Company

Resources

Terms

Get in touch

What'sNew

What's
New