The California Privacy Rights Act (CPRA) was approved on the November 2020 ballot, with about 56% of California voters in favor. It amends and strengthens the consumer data privacy rights created by the CCPA and imposes additional privacy obligations on the organizations that handle consumer data. The law takes effect on January 1, 2023, and enforcement begins six months later, on July 1, 2023.
The GDPR was adopted in 2016 (and became applicable on May 25, 2018). Its purpose is to grant individuals rights over their personal data through a uniform standard of protection across the EU.
The CPRA requires that an organization's collection, use, and sharing of personal information be reasonably necessary and proportionate to the purposes for which the information is collected.
The GDPR requires that personal data be adequate, relevant, and limited to what is necessary for the purposes for which it is processed (the data minimization principle).
Organizations that wish to use Personal Information differently than previously disclosed must notify consumers before proceeding with the data use.
Organizations can process personal data only for specified, explicit, and legitimate purposes.
Organizations must not retain PI for longer than is “reasonably necessary” for each disclosed purpose. At the time of collection, they must also disclose their retention periods for each category of PI—or, if that is not possible, the criteria used to determine the retention period.
Organizations cannot retain personal data for “longer than is necessary for the purposes for which the personal data are processed.” Also, personal data must be deleted once the legitimate purpose for which it was collected is fulfilled.
Inspired by the GDPR, the CPRA introduces a new sub-category of personal information called Sensitive Personal Information (SPI). SPI covers higher-risk information about a person that could cause significant harm if it were made public or fell into the wrong hands. Examples of SPI under the CPRA include:
Also, organizations must limit their use of sensitive personal information to only that which is necessary to perform the services or provide the goods reasonably expected by an average consumer.
The CPRA also gives consumers the right to limit an organization's use and disclosure of their sensitive personal information, including its disclosure to third parties, for secondary purposes beyond those necessary to provide the requested goods or services.
The GDPR defines a comparable sub-category, formally called "special categories of personal data" (Article 9) and commonly referred to as sensitive personal data. As under the CPRA, this is higher-risk information about a person that could cause significant harm if it were made public or fell into the wrong hands. Examples under the GDPR include data revealing:
Organizations whose processing of consumer personal information presents a significant risk to consumer privacy or security must perform regular risk assessments and annual cybersecurity audits. Risk assessment and audit results must be submitted to the newly created California Privacy Protection Agency (CPPA).
Under the GDPR, organizations must carry out a data protection impact assessment (DPIA) before starting any processing that is likely to result in a high risk to individuals. High-risk processing includes the use of new technologies, systematic and extensive evaluation of personal aspects of individuals based on automated processing (including profiling) where decisions are based on that evaluation, and large-scale processing of special categories of data. These special categories include personal data relating to:
Effective Date: January 1, 2023.
The CPRA applies only to for-profit organizations that do business in California, collect personal information from California residents, and meet at least one of the following criteria:
The CPRA also applies to joint ventures, defined as a "joint venture or partnership composed of businesses in which each business has at least a 40 percent interest."
Effective Date: May 25, 2018.
The GDPR applies to organizations that are processing personal data in any of the following ways:
The GDPR also reaches organizations established outside the EU that offer goods or services to, or monitor the behaviour of, EU data subjects. Every organization should therefore identify any non-EU group entities, processors, or service providers that monitor, track, or target EU data subjects and ensure they comply with the GDPR.
The CPRA allows consumers to request access to the personal information an organization has collected, sold, or shared about them. By default the request covers the 12 months preceding it. Consumers may also request personal information collected before that 12-month window, but the organization can deny that part of the request if fulfilling it would be impossible or involve disproportionate effort. Note also that the extended look-back only reaches personal information collected on or after January 1, 2022.
The information that must be provided in response to an access request is:
Under the GDPR, data subjects have the right to obtain confirmation as to whether personal data concerning them is being processed and, where it is, access to that personal data and a copy of it.
The information that must be provided in response to an access request is:
The CPRA prohibits selling or sharing the personal information of a consumer under the age of 16 without opt-in consent. Consumers aged 13 to 15 can give that consent themselves; for children under 13, a parent or guardian must consent. The CPRA also triples the fine for violations involving the personal information of consumers under 16 (see the penalties section below).
The GDPR requires organizations that rely on consent to offer online services directly to a child under 16 to obtain that consent from the holder of parental responsibility. Member states may set a lower age in their national laws, provided it is not below 13. Moreover, any information addressed specifically to a child must be written in such clear and plain language that the child can easily understand it.
The CPRA requires organizations whose processing of personal information "presents a significant risk to consumers' privacy or security" to perform an annual cybersecurity audit.
The GDPR imposes no standalone cybersecurity audit requirement, although Article 32 does require controllers and processors to regularly test, assess, and evaluate the effectiveness of their security measures.
The newly created California Privacy Protection Agency (CPPA) is given full administrative power, authority, and jurisdiction to implement and enforce the CPRA.
The European Data Protection Board (EDPB) ensures uniform application of the provisions of the GDPR across the EU. The GDPR also requires every EU member state to designate a Supervisory Authority to monitor the application of the GDPR.
Under the CPRA, organizations can be fined up to $2,500 per violation and up to $7,500 per intentional violation. Violations involving the personal information of consumers under the age of 16 carry the higher $7,500 fine per violation where the organization had actual knowledge that the consumer was a minor.
The CPRA also removes the CCPA's mandatory 30-day cure period before fines can be imposed. Whether to grant an organization time to cure a violation is now at the discretion of the CPPA.
Under the GDPR, organizations can be fined up to EUR 20 million or 4% of annual global turnover, whichever is greater. In addition, EU member states may lay down their own penalties for GDPR violations that are not subject to administrative fines.