LISTEN NOW: Evolution of Data Controls in the Era of Generative AI

View

What is CPRA? Understanding California Privacy Rights Act

Download: CPRA Decision-Making Guide
By Anas Baig | Reviewed By Omer Imran Malik
Publicada marzo 1, 2022

California Privacy Rights Act (CPRA), the state-wide data privacy law, is one of the most comprehensive and strictest privacy regulations in California. If you are operating in California, or offering products or services to California residents, you may want to consider assessing if you meet the CPRA threshold requirements and how compliant you are with the new data privacy law.

What is CPRA?

The CPRA is California’s state legislation that deals with protecting the digital privacy of its residents. The CPRA came into effect on January 1, 2023, it mandates all businesses to audit their data collection, storage, processing, and sharing mechanisms to ensure they are in compliance with the law. Its enforcement has been started from July 01, 2023.

The CPRA builds on an earlier piece of legislation known as the California Consumers Privacy Act (CCPA), which came into effect on January 1, 2020. The CPRA will be enforced by the first dedicated data protection authority in the United States: the California Privacy Protection Agency (CPPA).

What is the Purpose of CPRA?

When the General Data Protection Regulation (GDPR) came into effect in 2018, it was meant to ensure that any organization dealing with the personal data collected within the EU would have to make concrete efforts to protect it and the privacy of the data subjects whom it concerns. It didn’t matter if the organization operated from inside the EU or based elsewhere as it applied to any company that dealt with the personal data of data subjects who were residents of the EU.

The California Privacy Rights Act (CPRA) is similar in its scope as it applies to ‘for profit’ entities dealing with the personal information of California residents, which meets one of three criteria. The three criteria for a business to fall under the CPRA’s jurisdiction are:

  • Firstly, businesses that buy, sell, or share the personal information (PI) of at least 100,000 consumers or households will be subject to the CPRA. This is an update on the CCPA’s earlier threshold of 50,000 consumers, making it a friendlier piece of legislation for small-to-medium enterprises.
  • Secondly, a business that makes $25 million in gross revenue by January 1 of the calendar year will find itself subject to the California Privacy Rights Act regulations as well.
  • Lastly, businesses that receive 50% or more of their gross revenues from sharing or selling personal information collected on users also come under CPRA’s jurisdiction.

What is CPPA?

After the CPRA was passed, it established the California Privacy Protection Agency (CPPA) as the primary body responsible for safeguarding all Californian’s digital privacy. The CPRA gives the CPPA full legal, administrative, and enforcement rights when it comes to matters related to CPRA. The CPPA’s board comprises 5 members in addition to a chairperson and an executive director.

The CPPA has 4 primary responsibilities in relation to the CPRA: education, rulemaking, enforcement, and certifications. The CPPA has an annual budget of $10 million to aid it in its efforts to carry out these responsibilities.

The CPPA has the power to certify businesses that are CPRA-compliant. This certification can be used by businesses and entities that do not have to conform to CPRA regulations but want to voluntarily illustrate that their data protection practices are of the highest standards possible.

Moreover, considering California is one of the most lucrative business locations in the world, companies might find that a CPPA certification gives them an additional competitive edge in a more privacy-aware consumer market.

When Do You Need to Comply with California Privacy Rights Act (CPRA)?

Businesses doing business in California and which fall under the CPRA have until January 1, 2023, to comply with this new regulation.

However, businesses will only be fined for offenses or violations of the CPRA from July 1, 2023, onwards.

Get California Privacy Rights Act (CPRA) Readiness Assessment

Securiti’s CPRA assessment evaluates your readiness for CPRA and reviews how compliant your current practices are. This assessment highlights any deficiencies in your practices & aid in your CPRA compliance efforts.

For more information about the California Privacy Rights Act (CPRA) and how to kickstart your CPRA compliance program, see our CPRA Compliance Checklist here and download our white paper on 7 Essential Tips to Prepare for the CPRA.

CCPA vs. CPRA

For a business in California, it is natural to wonder, “Does the CPRA replace the CCPA?” and whether the CCPA still applies. While the CPRA aims to replace the CCPA, it is important to note that the CPRA amends the CCPA and, therefore, acts as more of an “upgrade” rather than a replacement.

The CPRA came into effect on January 1, 2023. This means that businesses now have to modify their data collection practices and become CPRA compliant. Most of these businesses are likely to already be CCPA compliant. Hence, it would help to know the key differences between the CCPA and CPRA and what practices they’ll need to amend.

CPRA Requirements

There are a number of CPRA requirements related to the protection and management of the personal information of consumers. Here’s what you should know:

CPRA Creates a New Category of Sensitive Personal Information (SPI)

The CPRA creates a new category of personal information called Sensitive Personal Information (SPI), which is subject to stricter disclosure and purpose limitation requirements. Since the CPRA also specifies that security measures for data must be appropriate for the data type; it would be reasonable to assume that SPI would require additional safeguards and protections.

Most importantly, the CPRA offers customers the ability to request that businesses limit the usage of consumer’s SPI. SPI contains very sensitive information sets such as:

  • Social Security Number;
  • Driver’s license;
  • State identification card;
  • Passport Number;
  • Financial account information and log-in credentials;
  • Debit Card or Credit Card number along with access codes;
  • Precise geolocation data;
  • Religious or philosophical beliefs;
  • Ethnic origin;
  • Contents of communication;
  • Genetic data;
  • Biometric information for identification;
  • Health information;
  • Information about sex or sexual orientation.

The CPRA revises the standards for how a website enables users to exercise their right to limit the use of their SPI and adds a requirement for how a website enables users to opt out of having their Personal Information sold or shared.

The CPRA modifies the CCPA's Do Not Sell button, requiring a website to have a link that says "Do Not Sell Or Share My Personal Information” to enable consumers to opt out of the sale and sharing of the consumer’s personal information.

The CPRA also adds a new obligation for a website to have a link labeled "Limit The Use Of My Sensitive Personal Information," enabling Californians to control how their SPI is used and disclosed.

Furthermore, the CPRA recommends enterprises to create "a single, clearly labeled link" that allows consumers to opt out of the sale or sharing of Personal Information while also limiting the use or disclosure of their SPI.

CPRA Creates New Data Subject Rights and Amends Existing CCPA Rights

The CPRA grants consumers additional rights regarding their personal data. These rights include:

  • Right to correction - Consumers have the right to request that their PI and SPI be changed if they discover that it is incorrect.
  • Right to opt-out of automated decision making - Data Subjects can refuse to have their PI and SPI used to make automated conclusions, such as profiling for targeted behavioral advertising.
  • Right to know about automated decision making - Data Subjects can ask for information on how automated decision technologies work and their likely outcomes.
  • Right to limit the use of sensitive personal information - Californians can compel corporations to limit the use of special categories of personal data, particularly when it comes to third-party sharing.

The CPRA has also amended the obligations of the covered entities while fulfilling the data subject requests granted by the CCPA.

  • Right to Delete - Consumers can now request that businesses direct third-party suppliers, service providers, or contractors to erase personal information that the company may have sold or shared with them.
  • Right to Access - Businesses are now required to also provide all PI data they have shared with third parties and the third parties with whom they have shared the PI.
  • Right to Opt-Out - Data subjects now have the option to opt out of having their personal information sold or shared with third parties, including for cross-context behavioral advertising.
  • Right to Data Portability - Data subjects have the right to request that organizations send certain pieces of personal information to another entity. This transmission, however, must be technically feasible for the company.
  • Right of Minors - Businesses must now notify minors if they intend to sell or share their personal information. It's also worth noting that if a consumer under the age of 16 refuses to give their approval for a business to sell or share their personal information, the business must either wait another 12 months or wait until the consumer becomes 16 before asking for their opt-in consent again.

CPRA Governs Behavioral Advertising

The California Privacy Rights Act (CPRA) modifies the CCPA to govern behavioral advertising that uses personal information to profile California citizens and promote advertisements.

CPRA introduces the California Privacy Protection Agency (CPPA)

As mentioned before, the California Privacy Protection Agency (CPPA) is designated as the principal enforcer and supervisor of the CPRA data privacy regime. It is the first dedicated data protection authority created within the United States.

CPRA takes inspiration from EU’s GPDR

CPRA adds GDPR-like provisions to the CCPA, such as data minimization and retention requirements as long as mandating businesses which undertake ‘risky processing’ to conduct and publish risk assessments.

How CPRA Affects an Organizations’ Data Privacy Policy

With  the CPRA in effect since January 01, 2023, it is significantly influencing how companies ensure that customers know what data is being collected on them. Here are the key areas where the most noticeable impact is taking place:

Collection Notice

Under the CCPA, websites are already required to make sure customers know exactly when their data is being collected. However, under the CPRA, organizations will be required to go into additional detail about how and why they need to collect a user’s data. The three main additional notices include the responsibility to disclose if the organizations share their personal information, collect any of their sensitive personal information (SPI), and how long will they retain the data being collected.

Privacy Policy

It is natural that the new CPRA regulation will require companies to alter their existing privacy policies. The most notable changes include letting the user know if they plan to “share” their data in addition to “selling” their data. Under the CCPA, companies only needed to let users know if they planned on selling their data.

CPRA Penalty for Non-Compliance

The CPPA is mandated to investigate possible violations of the CPRA, conduct administrative hearings, impose fines for violations and go to court in a civil action to recover unpaid fines.

It is important to note that the California Attorney General retains the power to enforce the CPRA through civil penalties and will be required to coordinate its actions with the CPPA. Violations under the CPRA may occur if a business:

  • Fails to fulfill consumers’ rights in a timely fashion.
  • Fails to create and maintain an up-to-date privacy policy or privacy notice.
  • Fails to provide opt-out when planning to share or sell consumers’ sensitive personal information.
  • Fails to assure non-discrimination when a consumer exercises their privacy rights.

If a business is deemed liable for a civil penalty, it will be fined for up to $2,500 per unintentional violation and $7,500 per intentional violation.

How to Comply with CPRA?

It is no surprise that this new law will change the ways websites collect information on their customers. However, the quicker companies can understand and comply with CPRA requirements, the better their chances will be to tighten data protection, meet compliance, and gain the trust of their customers. This is where Securiti can help.

Securiti is a global leader in privacy compliance software that uses robotic automation, machine learning, artificial intelligence, AI-driven PI data discovery, cookie consent management, and documented accountability to ensure privacy compliance for your business. Not only does this achieve CPRA compliance for a business, but it also does so in the most hassle-free manner possible. To see Securiti’s tools in action, request a demo today.


Frequently Asked Questions (FAQs) related to California Privacy Rights Act (CPRA)

Here are commonly asked questions related to the CPRA:

The CPRA came into effect on January 1, 2023. It amended the existing CCPA and brought many changes for businesses. The most immediate change is about the covered entities. Any business with $25 million annual gross revenue in the previous calendar year or buys/sells/shares personal information of 100,000 consumers or households or derives 50% or more of its revenue from selling/sharing personal information.

Other than that, the CCPA's exception for employee personal information will end, and businesses will need to implement a CPRA compliance program that includes their own employees' information. Other major changes include the requirement to respect a consumer's opt-out preference signal, such as the GPC and expand the "Do Not Sell" opt-out requirement to "Do Not Sell or Share" as well as revising their current vendor contracts to ensure they fulfill the requirements laid down in the CPRA for such arrangements.

Under the CPRA, sensitive personal information is any information that reveals a consumer's social security number, driver's license, passport, state ID, credit/debit card numbers as well as relevant passwords, geolocation, racial origin, sexual orientation, union membership, religious or political beliefs, as well as the consumer's biometric data.

One of the most important changes the CPRA brings compared to the CCPA is the consumers' right to correct information collected on them by organizations online. This can include any information that may have become inaccurate, incomplete, or obsolete since it was collected.

The purpose limitation introduced by the CPRA is, at its core, a lot like the data minimization of the GDPR. Purpose limitation puts a requirement on organizations collecting users' information to have a specific and explicit reason for doing so.

Much like the CCPA, the CPRA ensures that organizations cannot sell or share a child's personal information unless the child (at least 13 years old) or the child's parents (less than 13 years old) explicitly authorize the selling or sharing of such information. If, in such cases, consent is not provided, then the organization must wait at least 12 months before requesting consent again or wait until the child turns 16.

However, these obligations apply only if the organization has "actual knowledge" of the child's age. In any case, the organization must comply with all its relevant obligations under the federal Children's Online Privacy Protection Act regarding the personal information of children under the age of 13.

The CPRA will be enforced primarily by the newly created California Privacy Protection Agency.

Presently, the CCPA requires businesses to inform users of all categories of personal information to be collected and the purpose behind their collection. The CPRA expands these requirements with the organizations collecting the data now required to inform the users if their data will be sold or shared, how long their data will be retained, and more detailed information related to the collection of sensitive personal information.

The CPRA expands the applicability scope under the CCPA by altering the definition of "businesses". There are four categories under the CPRA. Directors of Processing, Common Branding, Joint Ventures, and Certified Businesses.

The CPRA introduces several modifications, clarifications, and changes to the exceptions made in the CCPA. These include the Trade Secret Exemption, Household Data Exemption, Student Information, and Assessments Exemption, Physical Item Exemption, Commercial Credit Reporting Agency Exemption, Public Information Exemption, De Identified Information Exemption, Fair Credit Reporting Act Information Exemption, Car Dealer-Manufacturer Exemption, Financial Information Exemption, Aggregate Information Exemption, Medical Information Exemption, Healthcare Providers and Covered Entities Exemption, Clinical Trial Exemption, Driver's Privacy Protection Act of 1994 Exemption, Evidentiary Privilege Exemption, and Legal Compliance and Law Enforcement Cooperation Exemption.

Yes, the CPRA introduces a new information security auditing requirement for businesses that requires an annual cybersecurity audit of companies that process personal information that poses a significant risk to consumers' privacy. The results of such assessments will need to be provided to the CPPA to ensure an organization complies with its security responsibilities per the CPRA guidelines.

Similar to CCPA, the CPRA only applies to “for-profit” organizations. This further means that the CPRA provisions do not apply to government agencies or non-profit organizations.

California Privacy Rights Act (CPRA) has outlined fines with regard to violations in section 1798.155, Administrative Enforcement. The legislation states that any covered businesses, service providers, or contractors that violate CPRA provisions will be fined up to $2,500 for each violation. However, when it comes to the violation of the personal information of minors, CPRA increases the fine to up to $7,500 for each intentional violation.

The legislation further clarifies that the money received from the administrative fine and settlements will be deposited to the Consumer Privacy Fund. These funds will then be used to counterbalance the costs incurred by the regulatory authority (CPPA), state court, or any attorney general.

The CPRA came into effect on July 01, 2023. The CPRA introduces a rather sneaky provision, i.e., the “look back” period. The provision enables consumers to request access to their data that even goes back to January 1, 2022. This means that some exemptions that were provided in the CCPA but removed in the CPRA will come back to haunt businesses if they aren’t prepared beforehand. For instance, businesses must be able to give access to personal information to verified requests if an employee exercises his/her right to access personal information dating back to Jan 1, 2022.

Yes, CPRA requires businesses to conduct and provide privacy training to all their personnel that are responsible for handling consumers’ or employees’ personal information. The CPRA introduces the training requirements in section 1798.130(a)(6), which further covers 7 important sections that must be a part of the training, such as sections 1798.105, 1798.106, 1798.110, 1798.115, 1798.125, and 1798.130.

Compartir

Suscríbase a nuestro boletín

Obtenga toda la información más reciente, actualizaciones de leyes y más en su bandeja de entrada

What's
New