
Data Subject Rights under California Privacy Rights Act (CPRA)

Published June 3, 2022
Contributors

Anas Baig

Product Marketing Manager at Securiti

Omer Imran Malik

Data Privacy Legal Manager, Securiti

FIP, CIPT, CIPM, CIPP/US


Data privacy laws have gained increased importance worldwide in the past couple of years. Multiple factors have played a role in this phenomenon, the most important being the necessity to protect users’ data, freedom, and rights to privacy.

Ever since the General Data Protection Regulation (GDPR) came into effect in the EU, a plethora of jurisdictions have been inspired to either pass data privacy laws or are currently in the process of doing so. The US state of California is one of those.

Why? Because, unlike most other developed countries in the world, it does not seem that the United States will pass a comprehensive federal data privacy law any time soon. As a result, several US states are drafting and legislating their own data privacy laws. California’s current legislation on the matter is the California Consumer Privacy Act (CCPA), which came into effect in June 2018. However, it will soon be replaced by the California Privacy Rights Act (CPRA) from January 1st, 2023.

As a piece of legislation, the CPRA has many similarities with both the CCPA and the GDPR. As far as the latter is concerned, the closest parallels are the new category of sensitive personal information, which receives extra protections; the new definition of consent, which closely matches the one in the GDPR; and the requirement for businesses to conduct regular risk assessments, similar to how the GDPR requires data controllers to conduct DPIAs.

What is the CPRA?

For the uninitiated, the CPRA will soon become California’s primary data protection law when it replaces the current CCPA on January 1st, 2023. It was passed via a vote in November 2018. In essence it is largely similar to the CCPA, since it amends and improves upon it; however, it does differ significantly from the CCPA in some areas.

The most notable improvement is the establishment of a separate agency to ensure the implementation, monitoring and enforcement of the CPRA, i.e., the California Privacy Protection Agency (CPPA), as opposed to the office of the Attorney General of California, which is currently in charge of enforcing the CCPA.

Secondly, the CPRA has raised the threshold for its application: it will only apply to for-profit businesses that cater to at least 100,000 unique households or consumers (as opposed to 50,000 under the CCPA), or that make $25 million in annual gross revenue, or that derive 50% of their annual gross revenue from selling/sharing consumers’ personal information with third parties.

Thirdly, the CPRA will require all websites to carry a clearly visible and accessible “Do Not Sell or Share My Personal Information” button across all web pages. The significant difference from the CCPA lies in the inclusion of the word ‘share’ and the definition it has been given in the CPRA: a business “shares” personal information whenever it discloses a consumer’s personal information to a third party for cross-context behavioral advertising, even if there is no exchange of money or any other consideration. This is a significant improvement to the right of consumers to opt out of the excessive use of their personal information by the ad-tech industry for behavioral targeting.

Additionally, the CPRA introduces “sensitive personal information” (SPI). This covers personal information that is highly sensitive in nature and whose use and disclosure by the business can be limited by the consumer. SPI includes the following:

  • Social Security Number;
  • Driver’s license;
  • State identification card;
  • Passport Number;
  • Financial account information and log-in credentials;
  • Debit Card or Credit Card number along with access codes;
  • Precise geolocation data;
  • Religious or philosophical beliefs;
  • Ethnic origin;
  • Contents of communication;
  • Genetic data;
  • Biometric information for identification;
  • Health information;
  • Information about sex or sexual orientation.

Lastly, the CPRA imposes a significant number of additional obligations on businesses compared to the CCPA, such as disclosing retention periods for collected personal information to consumers, implementing reasonable security measures to protect consumers’ personal information from a breach, and conducting regular risk assessments and cybersecurity audits so that privacy and cybersecurity risks threatening consumers’ personal information are promptly identified and mitigated/resolved.

The CPRA also increases the number and scope of rights consumers can exercise over their personal information held by covered businesses.

What are Data Subject Rights?

In a nutshell, data subject rights (or consumer rights requests) are a set of rights that guarantee consumers retain control over how their data is collected, processed or shared/disclosed by data controllers. The purpose of these rights is to give data subjects power over their own personal data/personal information and how it is used by data controllers/businesses, while also ensuring that data controllers and businesses act responsibly.

What are the Data Subject Rights Under CPRA?

Consumer rights requests form the basic skeleton of the CPRA. Like all major data protection laws, these rights ensure that consumers have adequate control over how their personal information is collected, stored, used, protected, or sold to third parties. Under the CPRA, consumers can directly request that a business honor their rights. Businesses must provide a mechanism for consumers to make these requests and must honor them free of cost within 45 days or risk facing a penalty.

The CPRA explicitly states and defines what rights users are guaranteed. These rights intend to ensure users retain control over their data throughout their digital journey.

a. Right to Delete Personal Information

Consumers in California have the right to request any personal information collected on them by businesses be deleted.

Once such a request has been made, the business must not only delete any personal information it has collected on the consumer at that point, but must also direct the service providers and contractors to whom the data was disclosed, and inform any third parties to whom it sold the personal information, to delete the personal information as per the consumer’s request.

A business may maintain a confidential record of all such verifiable consumer requests to ensure that the personal information of a consumer who has submitted a deletion request is not sold, for compliance with laws, or for other purposes.

There are exceptions: a business, or a service provider or contractor processing personal data on behalf of another business, need not delete a consumer’s personal information if retaining it is reasonably necessary to:

  • Fulfill the terms of a written warranty or product recall conducted in accordance with federal law;
  • Debug to identify and repair errors;
  • Exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law;
  • Comply with the California Electronic Communications Privacy Act;
  • Engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws;
  • Enable solely internal uses;
  • Comply with a legal or contractual obligation.

b. Right to Correct Inaccurate Personal Information

In a significant development, the CPRA grants consumers the right to request changes and alterations to personal information collected by the business that has since become outdated, incorrect or obsolete.

It is the business’s responsibility to ensure that any information the consumer requests to amend is updated using “commercially reasonable efforts”.

c. Right to Know What Personal Information is Being Collected. Right to Access Personal Information

A consumer has the right to know explicitly what data is being collected on them as well as for what exact purpose.

It is the business’s responsibility to ensure that consumers are informed of this in its privacy policy as well as at or before the point of collection of personal information. It may link to a central page that holds all the relevant resources for a user who wishes to access this information.

Furthermore, the CPRA requires businesses to categorize the data they collect so that consumers are properly informed about:

  • The types of personal information being collected about them;
  • The business or commercial purpose for which the personal information is being collected;
  • The service providers and contractors it is disclosed to;
  • The categories of third parties with whom the data is shared or sold;
  • The period for which such personal information and sensitive personal information will be retained;
  • The rights consumers have over their personal information and the mechanism for enforcing them.

d. Right to Access Personal Information

Consumers have the right to request access to the specific pieces or categories of personal information collected about them, including the sources from which it was collected, the business or commercial purpose for which it was collected, sold or shared, and the categories of third parties to whom the personal information was disclosed.

e. Right to Opt-Out of Sale or Sharing of Personal Information

Consumers have the right to opt out of having any of their collected data or information sold/shared by a business.

Once such a request is made, no data collected on the consumer may be shared/sold to a third party. It is important that the business has contractual and legal agreements in place to ensure it can follow through on this request. Businesses must provide a prominent link on their website/home page stating “Do Not Sell or Share My Personal Information”.

In the case of selling or sharing the personal information of a minor (a consumer under the age of 13), businesses must obtain opt-in consent from the minor’s guardian. If the minor is aged between 13 and 16, businesses must obtain the opt-in consent of the minor.

f. Right to Limit Use and Disclosure of Sensitive Personal Information

Consumers have the right to restrict the use of the sensitive personal information collected about them.

The business must also ensure that the user has easily visible access, on every webpage, to a link that makes invoking this right convenient. This must be done by placing a prominent “Limit the Use of My Sensitive Personal Information” link on its homepage.

g. Right of No Retaliation Following Opt-Out or Exercise of Other Right

Consumers have the right to exercise any of their data subject rights without suffering any form of retaliation or degradation of their user experience.

In the case of the website selling a product, the consumer’s choice to exercise any of their consumer rights under the CPRA must not result in them receiving an inferior product. Restricting their access to coupons or discounts is also prohibited.

At the same time, this does NOT prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs to consumers in order to obtain their consent to share their data.

Businesses may also offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale or sharing of personal information, or the retention of personal information.

How Can Securiti Help?

California is not the only state with its own data protection law. Several other US states have followed suit since the CPRA was passed in November 2018. This signals just how important data privacy has become and, perhaps more critically, how informed the average user has become about their right to data privacy.

Laws like the CPRA are meant to ensure that businesses amend their data collection and processing practices to guarantee that all personal or sensitive personal data is maintained per the standards prescribed in the official legislation. This requires businesses to reevaluate, and in some cases, rethink their approach to data altogether if they are to achieve CPRA compliance.

This is where Securiti can help. Securiti is a market leader in enterprise solutions for data compliance and data governance, thanks to its state-of-the-art artificial intelligence and machine learning-based algorithms that optimize a business’s data collection practices to comply with the applicable legislation.

Request a demo today to see exactly how Securiti can aid your CPRA compliance efforts.

Get California Privacy Rights Act (CPRA) Readiness Assessment

Securiti’s CPRA assessment evaluates your readiness for the CPRA and reviews how compliant your current practices are. The assessment highlights any deficiencies in your practices and aids your CPRA compliance efforts.

For more information about the California Privacy Rights Act (CPRA) and how to kickstart your CPRA compliance program, see our CPRA Compliance Checklist here and download our white paper on 7 Essential Tips to Prepare for the CPRA.
