'Most Innovative Startup 2020' by RSA - Watch the videoLearn More
The California Privacy Rights Act (CPRA) is a privacy law that was passed in the November 2020 ballot, as 56% of California voters favored it. The law amends and strengthens consumer data privacy rights established initially by the CCPA in 2018. The CPRA also imposes additional consumer privacy protection obligations on organizations. The new law will take effect from January 1, 2023, and enforcement will start six months later (July 1, 2023).
The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, and came into effect on January 1, 2020. Often compared to GDPR, the CCPA protects consumers from mismanagement of their personal data and gives the consumer control over what data is collected, processed, shared, or sold. The CCPA was passed by the California legislature under pressure from rights groups who wished to pass it in the form of a ballot measure.
The CPRA amends and expands the California Consumer Privacy Act (CCPA), creating new requirements, consumer privacy rights, and enforcement mechanisms for applicable organizations. The CPRA will come into effect on January 1, 2023. At that time, the CPRA will effectively replace the CCPA. Till then, CCPA requirements will continue to apply to covered businesses.
The CPRA applies to businesses that buy, sell, or share the Personal information of 100,000+ California consumers or households. Previously, under the CCPA, the threshold was 50,000. This means that some small businesses that might have been subject to the CCPA will be exempt under the CPRA.
Also, The CPRA applies to organizations that derive at least 50% of their revenue from selling or sharing consumer Personal Information. Under the CCPA, this provision only included businesses that “sell” consumer Personal Information.
The CPRA introduces the Sensitive Personal Information (SPI) category, which is subject to more stringent disclosure and purpose limitation requirements. Specifically, the law says security measures should be appropriate to the data type - thus, SPI would need extra protection.
Finally, the CPRA gives consumers the right to ask organizations to limit the use of their SPI.
SPI includes highly sensitive data such as:
The CPRA prohibits selling the personal information of a person under the age of 16 without consent similarly to the CCPA. However under the CPRA, violations involving childrens’ personal information are liable similarly to intentional violations, i.e., fines of $7500 per violation. This amendment has provided extra protection to childrens’ personal information in the CPRA.
The CPRA grants consumers additional rights regarding their personal data.
Right to Restrict Use of Sensitive Personal Information
Data subjects may request to limit the use and disclosure of their sensitive PI for specific secondary purposes, including disclosure to third parties.
Right to Correction
Data subjects can request the correction of any of their PI held by the organization if inaccurate.
Right to Access Information About Automated Decision Making
Data subjects have the right to request information about automated decision-making processes based on their personal information. Data subjects may also request a description of the likely outcomes that will result from these processes.
Right to Opt-Out of Automated Decision-Making Technology
Data subjects may also request to opt-out of the use of automated decision-making technology, which can include “individual profiling.”
The CPRA has also expanded or modified the organization’s obligations in fulfilling consumer rights requests granted by the CCPA.
Right to Delete
Consumers can now request businesses to instruct third-party vendors, service providers, or contractors to delete the personal information that might have been sold/shared to them by the business.
Right to Access
Businesses must provide all PI data specified in the CCPA along with the categories of PI it has shared with third parties as well as the third parties it has shared the PI with.
Right to Opt-Out
Data subjects now have the right to opt-out of both the sale and sharing of their PI with third parties, including for the purposes of cross-context behavioral advertising.
Right to Data Portability
Data subjects have the right to ask organizations to transmit specific pieces of PI to another entity. However, this transmission should be technically feasible for the organization.
Data Retention information at Notification at Point of Collection
Businesses will need to notify customers, employees, job applicants, and other workers at or before the point of data collection similarly as to the CCPA however, businesses must also include details about the retention periods for the collected personal data now.
Businesses are only allowed to retain PI as long as it is ‘reasonably necessary’ for the business/commercial purpose the PI has been collected for.
SPI Collection Notifications
The CPRA mandates organizations to also notify consumers about the categories of SPI being collected, the collection purpose, and the length of time the SPI will remain stored in their databases before or at the point of collection of the SPI.
Opt-in Rights for Minors
Another addition is that businesses must notify minors if they intend to sell or share their personal data. It is also important to note that after a consumer under 16 years of age has declined to provide consent to the business to sell or share their personal information, a business must either wait for another 12 months or wait until the consumer turns 16 before requesting their opt-in consent again.
Changes to Privacy Notices
The CPRA also has additional requirements for Privacy Notices. Starting from January 2023, organizations will be required to modify their privacy notices to include three additional categories of disclosure such as:
Unlike the CCPA, the CPRA creates an exclusive agency for the interpretation and enforcement of the law - the California Privacy Protection Agency (CPPA). Tasked with taking over rule making power from the California Attorney General, the CPPA shall be the first US based regulatory authority exclusively focused towards data privacy issues. It shall not only provide guidance on the enforcement of the CPRA but shall also have powers to investigate violations, conduct hearings and assign liability on covered entities for violations.
Cyber Security audit requirement
The CPRA mandates that organizations that hold personal information that might “present a significant risk to its consumers’ privacy or security” perform an annual cybersecurity audit and submit it to the CPPA. This audit must be independent and thorough according to the law. To determine the risk of PI processing operations, organizations need to consider the following factors:
Risk Assessment Requirement
The CPRA will also require organizations to conduct regular risk assessments to evaluate their processing activities. All assessments must weigh the privacy risks created by the processing activity against the benefits that are provided. One of the factors that can be used to evaluate a processing activity is the use of consumers’ sensitive personal data. This assessment then needs to be submitted to the CPPA.
Organizations need to start identifying higher risk processing activities now and build a robust risk assessment framework to meet this requirement. This process will allow the organization to conduct timely risk assessments and identify problem areas quickly.
Under the CCPA, consumers can bring a civil suit against a business for actual damages or $100 to $750 in statutory damages (whichever is higher) for failing to take reasonable and appropriate security measures to protect their unencrypted or unredacted personal information from being subject to a breach - under the CPRA the categories of PI for which they can sue has been increased to include, email addresses in combination with a password or security question and answer that would permit access to the account. Since most data breaches involve this category of PI, this is a significant change which could increase liabilities for businesses subject to a breach.
Organizations must limit their collection of PI to what is reasonably necessary for its disclosed intended purposes.
Organizations that decide to use PI differently than previously disclosed must notify all data subjects before proceeding.
The CPRA mandates that organizations not retain PI for longer than “reasonably necessary” for each disclosed purpose. In addition, organizations must also inform their retention periods for each category of PI data at the time of collection. However, if that is not possible, the organization must, at least, provide the criteria used to determine the retention period.