Securiti’s CPRA assessment evaluates your readiness for CPRA and reviews how compliant your current practices are. This assessment highlights any deficiencies in your practices and aids in your CPRA compliance efforts.
The California Privacy Rights Act (CPRA) is California’s state legislation that deals with protecting the digital privacy of its residents. Going into effect on January 1, 2023, it mandates that all businesses audit their data collection, storage, processing, and sharing mechanisms to ensure they are in compliance with the law.
The CPRA builds on an earlier piece of legislation known as the California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020. The CPRA will be enforced by the first dedicated data protection authority in the United States: the California Privacy Protection Agency (CPPA).
When the General Data Protection Regulation (GDPR) came into effect in 2018, it was meant to ensure that any organization dealing with personal data collected within the EU would have to take concrete steps to protect that data and the privacy of the data subjects it concerns. It did not matter whether the organization operated from inside the EU or was based elsewhere: the GDPR applied to any company that dealt with the personal data of EU residents.
The California Privacy Rights Act (CPRA) is similar in scope, as it applies to ‘for profit’ entities dealing with the personal information of California residents that meet one of three criteria. The three criteria for a business to fall under the CPRA’s jurisdiction are:
Firstly, businesses that share the personal information (PI) of at least 100,000 consumers or households will be subject to the CPRA. This is an update on the CCPA’s earlier threshold of 50,000 consumers, making it a friendlier piece of legislation for small-to-medium enterprises.
Secondly, a business that makes $25 million in gross revenue by January 1 of the preceding year will find itself subject to the California Privacy Rights Act regulations as well.
Lastly, businesses that receive 50% or more of their gross revenues from sharing or selling personal information collected on users also come under CPRA’s jurisdiction.
After the CPRA was passed, it established the California Privacy Protection Agency (CPPA) as the primary body responsible for safeguarding all Californians’ digital privacy. The CPRA gives the CPPA full legal, administrative, and enforcement rights when it comes to matters related to the CPRA. The CPPA’s board comprises 5 members in addition to a chairperson and an executive director.
The CPPA has 4 primary responsibilities in relation to the CPRA: education, rulemaking, enforcement, and certifications. The CPPA has an annual budget of $10 million to aid it in its efforts to carry out these responsibilities.
The CPPA has the power to certify businesses that are CPRA compliant. This certification can be used by businesses and entities that do not have to conform to CPRA regulations but want to voluntarily illustrate that their data protection practices are of the highest standards possible.
Moreover, considering that California is one of the most lucrative business locations in the world, companies might find that a CPPA certification gives them an additional competitive edge in a more privacy-aware consumer market.
Businesses operating in California that fall under the CPRA have until January 1, 2023, to comply with this new regulation.
However, businesses will only be fined for offenses or violations of the CPRA from July 1, 2023, onwards.
For a business in California, it is natural to wonder, “does the CPRA replace the CCPA?” and whether the CCPA still applies. While the CPRA aims to replace the CCPA, it is important to note that the CPRA amends the CCPA and therefore acts as more of an “upgrade” than a replacement. Thus, until the CPRA’s date of application arrives, businesses covered under the CCPA must continue to comply with that law and its associated regulations.
The CPRA does not come into effect until January 1, 2023. This means that businesses now have a year left to modify their data collection practices and become CPRA compliant. Most of these businesses are likely to already be CCPA compliant. Hence, it would help to know the key differences between the CCPA and CPRA and what practices they’ll need to amend.
The California Privacy Rights Act (CPRA) introduced new requirements related to the protection and management of personal information of consumers. Here’s what you should know:
The CPRA creates a new category of personal information called Sensitive Personal Information (SPI), which is subject to stricter disclosure and purpose limitation requirements. Since the CPRA also specifies that security measures for data must be appropriate for the data type, it is reasonable to assume that SPI will require additional safeguards and protections.
Most importantly, the CPRA offers consumers the ability to request that businesses limit the use of their SPI. SPI contains very sensitive information sets such as:
The CPRA revises the standards for how a website enables users to exercise their right to limit the use of their SPI and adds a requirement for how a website enables users to opt-out of having their PI sold or shared.
The CPRA modifies the CCPA’s Do Not Sell button, requiring a website to have a link that says “Do Not Sell Or Share My Personal Information.”
The CPRA also adds a new obligation for a website to have a link labeled "Limit The Use Of My Sensitive Personal Information," enabling Californians to control how their SPI is used and disclosed.
Furthermore, the CPRA recommends that enterprises create “a single, clearly labeled link” that allows consumers to opt out of the sale or sharing of PI while also limiting the use or disclosure of their SPI.
The California Privacy Rights Act (CPRA) modifies the CCPA to govern behavioral advertising that uses personal information to profile California citizens and promote advertisements.
As mentioned before, the California Privacy Protection Agency (CPPA) is designated as the principal enforcer and supervisor of the CPRA data privacy regime. It is the first dedicated data protection authority created within the USA.
The CPRA adds GDPR-like provisions to the CCPA, such as data minimization and retention requirements, as well as mandating that businesses which undertake ‘risky processing’ conduct and publish risk assessments.
When the new California Privacy Rights Act (CPRA) takes effect in January 2023, it will have an impact on how companies ensure that customers know what data is being collected on them. Here are the key areas where the most noticeable impact will take place:
Under the CCPA, websites are already required to make sure customers know exactly when their data is being collected. However, under the California Privacy Rights Act (CPRA), organizations will be required to go into additional detail about how and why they need to collect a user’s data. The three main additional notices are the obligations to disclose whether the organization shares users’ personal information (PI), whether it collects any of their sensitive personal information (SPI), and how long it will retain the data being collected.
It is natural that the new CPRA regulation will require companies to alter their existing privacy policies. The most notable changes include letting the user know if they plan to “share” their data in addition to “selling” their data. Under the CCPA, companies only needed to let users know if they planned on selling their data.
The new CPRA guarantees all residents of California certain rights. It is the responsibility of all businesses that fall under the CPRA’s jurisdiction to ensure these rights are fulfilled. An exhaustive list of CPRA rights includes:
It is no surprise that this new law will change the ways websites collect information on their customers. However, the quicker companies can understand and comply with CPRA, the better their chances will be to tighten data protection, meet compliance, and gain the trust of their customers. This is where Securiti can help.
Securiti is a global leader in privacy compliance software that uses robotic automation, machine learning, artificial intelligence, AI-driven PI data discovery, cookie consent management, and documented accountability to ensure privacy compliance for your business. Not only does this achieve CPRA compliance for a business, but it also does so in the most hassle-free manner possible. To see Securiti’s tools in action, request a demo today.