Data Subject Rights under California Privacy Rights Act (CPRA)

Data privacy laws have gained increased importance worldwide in the past couple of years. Multiple factors have played a role in this phenomenon, the most important being the necessity to protect users’ data, freedom, and rights to privacy.

Ever since the General Data Protection Regulation (GDPR) came into effect in the EU, a plethora of jurisdictions have been inspired to either pass data privacy laws or are currently in the process of doing so. The US state of California is one of those.

Why? Because unlike most other developed countries in the world, it does not seem that the United States will pass a comprehensive federal data privacy law any time soon. As a result, several US states are drafting and legislating their data privacy laws. California’s current legislation dealing with the matter is the California Consumer Privacy Act (CCPA). It came to effect in June 2018. However, it will soon be replaced by the California Privacy Rights Act (CPRA) from January 1st, 2023.

As a piece of legislation, the CPRA has heaps of similarities with both the CCPA and the GDPR. As far as the latter is concerned, no other point strikes as perfectly similar as that of the new category of sensitive personal information which is provided extra protections, the new definition of consent which closely matches the one available within the GDPR as well as the requirement for businesses to conduct regular risk assessments similar to to how the GDPR require data controllers to conduct DPIAs.

What is the CPRA?

For the uninitiated, the CPRA will soon become California’s primary data protection law when it replaces the current CCPA on January 1st, 2023. It was passed via a vote in November 2018. While in its essence, it is more or less similar to the CCPA because it amends and improves upon it, however, it does significantly differ from the CCPA in some areas.

The most notable improvement includes establishing a separate agency to ensure the implementation, monitoring and enforcement of the CPRA, i.e., the California Privacy Protection Agency (CPPA), as opposed to the office of the Attorney General of California, who is currently in charge of enforcing the CCPA.

Secondly, the CPRA has increased the threshold of its application: it will only apply to for profit businesses that cater to at least 100,000 unique households or consumers (as opposed to 50,000 as per the CCPA), or who make $25 million in annual gross revenue, or derive 50% of their annual gross revenue from selling/sharing personal information of consumers to other third parties.

Thirdly, the CPRA will require all websites to carry a clearly visible and accessible “Do Not Sell or Share My Personal Information” button across all web pages. The significant difference from the CCPA lies in the inclusion of the word ‘share’ and the definition it has been given in the CPRA: whenever a business discloses a consumer’s personal information to a third party for cross-context behavioral advertising even if there is no exchange of money or any other consideration. This is a significant improvement of the right of consumers to opt-out of the excessive use of their personal information by the ad-tech industry for behavioral targeting.

Additionally, the CPRA introduced “sensitive personal information” (SPI). This includes all personal information from users that is highly sensitive in nature and its disclosure by the business can be limited by the consumer. SPI includes the following:

• Social Security Number;
• Driver’s license;
• State identification card;
• Passport Number;
• Financial account information and log-in credentials;
• Debit Card or Credit Card number along with access codes;
• Precise geolocation data;
• Religious or philosophical beliefs;
• Ethnic origin;
• Contents of communication;
• Genetic data;
• Biometric information for identification;
• Health information;
• Information about sex or sexual orientation.

Lastly, the CPRA requires businesses to undertake a significant amount of additional obligations as compared to the CCPA, such as to provide retention times for collected personal information to consumers, undertake reasonable security measures to protect consumers’ personal information from a breach and to conduct regular risk assessments and cybersecurity audits to ensure privacy and cybersecurity risks which threaten consumers’ personal information are immediately identified and mitigated/resolved.

CPRA also increases the number and scope of rights consumers can exercise over their personal information held by covered businesses.

What are Data Subject Rights?

In a nutshell, data subject rights (or consumer rights requests) are a set of rights users have that guarantee consumers retain control over how their data is collected, processed or shared/disclosed by data controllers. The purpose of these rights is to provide data subjects power over their own personal data/personal information and how it is used by data controllers/businesses while also ensuring data controllers and businesses act in a responsible manner.

What are the Data Subject Rights Under CPRA?

Consumer rights requests formulate the basic skeleton of the CPRA legislation. Like all major data protection laws, these rights ensure that consumers have adequate rights over how their personal information is collected, stored, used, protected, or sold to third parties. As per the CPRA, consumers can directly request a business to enforce their rights. Businesses must provide a mechanism to consumers to make these requests and it must honor them free of cost within 45 days or risk facing a penalty.

The CPRA explicitly states and defines what rights users are guaranteed. These rights intend to ensure users retain control over their data throughout their digital journey.

a. Right to Delete Personal Information

Consumers in California have the right to request any personal information collected on them by businesses be deleted.

Once such a request has been made, not only does the business have the responsibility to delete any personal information they may have collected on the consumer at that point but they must also direct their service providers, contractors to whom the data was disclosed to and inform third parties to whom they may have sold the personal information to, to delete the personal information as per the request of the consumer.

A business may maintain a confidential record of all such verifiable consumer requests to ensure the personal information of a consumer who has submitted a deletion request from being sold, for compliance with laws, or for other purposes.

There are exceptions for businesses and for service providers or contractors processing the personal data on behalf of another business from having to delete a consumer’s personal information if it is reasonably necessary to:

• Fulfill the terms of a written warranty or product recall conducted in accordance with federal law;
• Debug to identify and repair errors;
• Exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law;
• Comply with the California Electronic Communications Privacy Act;
• Engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws;
• To enable solely internal uses;
• Comply with a legal or contractual obligation.

b. Right to Correct Inaccurate Personal Information

In a significant development, CPRA has granted consumers the right to request changes and alterations to the personal information collected by the business that has since become outdated/incorrect/obsolete.

It is the business’s responsibility to ensure that any information that the customer requests to amend must be updated using “commercially reasonable efforts”.

c. Right to Know What Personal Information is Being Collected. Right to Access Personal Information

A consumer has the right to know explicitly what data is being collected on them as well as for what exact purpose.

It is the business’s responsibility to ensure that consumers know about this information on its privacy policy as well as just before collection of personal information. They may link it to a central page that has all the relevant resources for a user that wishes to access this information.

Furthermore, the CPRA requires businesses to categorize the data they collect to ensure the consumers are properly informed about the types of personal information being collected about them, the business or commercial purpose for which the personal information is being collected, the service providers and contractors it is disclosed to and the categories of third parties with whom the data is shared or sold to, the time period for which such personal information and sensitive personal information shall be retained and the rights consumers have over their personal information and the mechanism for them to enforce it.

d. Right to Access Personal Information

Consumers have the right to request access to specific pieces of personal information or categories of personal information collected about them including the sources from where it was collected, the business or commercial purpose for which it was collected, sold or shared and the categories of third parties with whom the personal information was disclosed to.

e. Right to Opt-Out of Sale or Sharing of Personal Information

The consumers have the right to opt out of having any of their collected data or information being sold/shared by a business.

Once such a request is made, no data that is collected on the consumer may be shared/sold to a third party. It is important that the business have contractual and legal agreements in place to ensure it can follow through with this request. Business must provide a prominent link on its website/home page stating “Do Not Sell or Share My Personal Information".

In case of the selling or sharing of personal information of a minor (consumer under the age of 13), businesses must provide an opt-in consent to the guardian of a minor. If the minor is aged between 13 and 16, businesses must need the opt-in consent of the minor.

f. Right to Limit Use and Disclosure of Sensitive Personal Information

Consumers have the right to restrict the usage of their sensitive personal information collected.

The business must also ensure the user has easily visible access to a link on every webpage that makes the invocation of this right more convenient. This must be done by having a prominent “Limit the Use of My Sensitive Personal Information” link on their homepage.

g. Right of No Retaliation Following Opt-Out or Exercise of Other Right

Consumers have the right to exercise any of their data subject rights without having to endure any form of retaliation or loss in their user experience.

In the case of the website selling a product, the consumer’s choice to exercise any of their consumer rights under the CPRA must not result in them receiving an inferior product. Restricting their access to coupons or discounts is also prohibited.

At the same time, this does NOT prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs to consumers in order to get them to consent to share their data.

Businesses may also offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale or sharing of personal information, or the retention of personal information.

How Can Securiti Help?

California is not the only state that has its own data protection laws. Several other US states have followed suit since the CPRA was passed in November 2018. It signals just how important data privacy has become, and perhaps more critically, just how informed the average user has become of their right to data privacy.

Laws like the CPRA are meant to ensure that businesses amend their data collection and processing practices to guarantee that all personal or sensitive personal data is maintained per the standards prescribed in the official legislation. This requires businesses to reevaluate, and in some cases, rethink their approach to data altogether if they are to achieve CPRA compliance.

This is where Securiti can help. Securiti is a market leader in providing enterprise solutions in data compliance and data governance thanks to its state-of-the-art artificial intelligence and machine learning-based algorithms that optimize a business’ data collection practices to comply with the appropriate legislation.

Request a demo today to see how exactly can Securiti aid your CPRA compliance efforts.