The California Privacy Rights Act, also known as the California Privacy Rights and Enforcement Act, was enacted by California voters on November 3, 2020 through Proposition 24. Following previously established rules about privacy rights in California, the CPRA develops parts of the preexisting California Consumer Privacy Act.
The CPRA establishes an organization called the California Privacy Protection Agency, which is dedicated to regulating and enforcing data privacy rules. This agency is the first of its kind in the United States and is responsible for relevant policymaking and for enforcing privacy laws.
Additionally, the CPRA increases consumer rights and business obligations. Businesses must now improve consumer accessibility to data so that consumers can correct or delete their data, or even opt-out, more easily. The act also expands the definition of sensitive personal information to include things like location, race, genetics, etc.
Before becoming a law, the CPRA was a ballot initiative supported by a data privacy advocacy group known as Californians for Consumer Privacy. However, before a vote could take place, the state legislature and the Californians for Consumer Privacy group made a deal passing the CCPA in 2018, the very first consumer privacy law.
The regulations established by CCPA were not satisfactory for the Californians for Consumer Privacy. Since its initial proposal on the ballot, the CCPA had become far less effective. Consequently, the group advocated for the CPRA in 2020. California residents voted to pass the CPRA and it has since gone into effect.
However, despite already being an established law, the CPRA was not enforced until January 1, 2023. The CPRA was equipped with a two-year compliance timeline that includes the establishment of the California Privacy Protection Agency in 2020. This timeline allows the state, businesses, and consumers to prepare for the coming changes.
Changes effected by the CPRA in 2023 will still apply to personal information (PI) collected on or after January 1, 2022, and will be officially enforced on July 1, 2023.
There have been several notable impacts of the CPRA. As previously mentioned, it established the California Privacy Protection Agency (PPA). All funding, policymaking, and enforcement was in turn transferred from the California Attorney General to the PPA.
Another major impact is that the CPRA increases the penalties for compliance failures and cybersecurity violations. In fact, the fines for violations related to children’s data have increased threefold, reaching a maximum of $7,500 per violation. Additionally, the CPRA erases the previously implemented 30-day grace period granted for organizations to resolve violations before facing penalties.
Effect on Businesses
The CPRA simultaneously increases oversight of larger businesses and reduces the burden of data privacy regulations on small and mid-sized businesses. First, it expands scrutiny to businesses that earn revenue from sharing PI, not only from selling it. Second, the act doubles the threshold for the number of consumers or households whose personal information a business handles, from 50,000 to 100,000.
Sensitive Personal Information
The CPRA also designates certain information as “sensitive personal information”. This includes driver’s licenses, social security numbers, financial account and login information, email addresses, geolocation, race, ethnicity, religion, personal messages, health/genetic data, and information about sexual life/orientation. Sensitive personal information is subject to new, distinct data requirements and restrictions.
Rights and Amendments
The California Privacy Rights Act seeks to strengthen the rights of consumers by providing them with better control over their data. Consumers’ rights to correct inaccurate information, opt-out of automated decision-making technology, and access information about automated decision making are all part of CPRA provisions that enable consumers to take control over their data and privacy. Similarly, the CPRA also restricts third parties’ abilities to access sensitive personal information and uses new audit obligations to guarantee that personally identifiable data is handled, stored, and utilized compliantly.
The CPRA borrows several provisions from the General Data Protection Regulation (GDPR) in force in Europe. These provisions, such as purpose limitation, data minimization, and storage limitation, aim to prevent businesses from collecting, using, keeping, and/or sharing PI that is not integral to business purposes. The CPRA also aligns California’s standard of data “consent” with that of the GDPR.
CPRA vs CCPA
The CPRA does not explicitly alter the laws set forth by the CCPA, but rather expands and strengthens them to tighten oversight of data privacy. The following list catalogues the rights established by the CCPA upon which the CPRA expands:
- Right to Delete: Businesses are now required to inform third parties to delete any shared or purchased consumer PI (barring specific exceptions).
- Right to Know: The CPRA expands this CCPA provision to include requests for PI collected beyond the previous 12 months (however, it only applies to data collected after January 1, 2022).
- Right to Opt-Out: The CPRA expands the CCPA-established right of consumers to opt out of the sale of their data to also cover cross-context behavioral advertising, including targeted ads.
- Opt-in Rights for Minors: This has been revised to include the sharing of PI for behavioral advertising.
- Right to Data Portability: Consumers may request that businesses provide specific pieces of PI to other organizations.
The CPRA aims to improve transparency in the process of data collection and processing. Consequently, companies must be aware of how much data they possess. Therefore, businesses must execute a thorough audit identifying the data collected, its use, and how to sort it according to requirements, before attempting CPRA compliance.
Once the CPRA is enforced, additional security measures related to sensitive personal information will be enacted. Most notably, users will have the right to request the removal of sensitive data. Thus, businesses must be able to differentiate between sensitive and non-sensitive information. The most efficient way to do so is to prepare ahead of time by implementing data separation strategies.
B2B and HR Data
The deadline for the approved exemption of B2B and HR communications from data privacy regulations has been extended to 2023. B2B and HR communications may face challenges in becoming compliant, so it is best to prepare in advance.
Steps for Compliance
- Clearly map out data to determine what data you have and how it is being used. Identify and mark personal information data that may need to be deleted.
- Update all collection and management processes to meet CPRA requirements.
- Ensure that your privacy notice is also in line with CPRA disclosure requirements.
- Reach out to contractors and providers to ensure that they are also compliant.
- Execute a risk assessment and prepare to address any compliance failure situations.