The California Privacy Rights Act (CPRA) is a newly passed data privacy bill that will modify and expand California’s existing privacy law, the California Consumer Privacy Act (CCPA). CPRA is intended to strengthen consumer privacy by enhancing consumers’ rights and the responsibilities businesses have towards them.
You must be wondering what all this means for your business and privacy regulation in California and beyond. This guide will talk about everything you should know about CPRA and how you can comply with it.
The California Privacy Rights Act, also known as Proposition 24, is a new data privacy bill approved by a majority of voters in the general election on November 3, 2020. The act aims to:
Strengthen the rights of California residents.
Tighten the regulation of businesses’ use of users’ personal information (PI).
Establish the California Privacy Protection Agency (CPPA), a new government agency for state-wide data privacy enforcement, and more.
The act will be enforced from July 21, 2023, and will apply to all data that businesses collect on or after January 1, 2022.
CPRA was proposed by Alastair Mactaggart, a real estate developer turned founder of the advocacy group Californians for Consumer Privacy. Through that group he put forward a ballot initiative known as the California Privacy Rights Act.
Mactaggart’s view is that “We’ve laid a historical foundation for consumer rights in California with the passage of the California Consumer Privacy Act, and now it’s time to seize that momentum and take the next step in enforcing and expanding the law to keep pace with an industry that is changing at a break-neck pace,” and “that’s why we’ve introduced a new initiative that will further protect our most personal information, increase fines for violating kids’ privacy, create more transparency and most importantly, establish an enforcement arm that truly looks out for consumers.”
As provided by state law, Attorney General Xavier Becerra released the title and summary for the California Privacy Rights Act.
CPRA was passed to enhance the privacy of California’s residents and to create a transparent exchange of information between your business and consumers. CPRA will give California residents the right to:
You may assume that CPRA only matters once it is implemented in 2023, but the one-year lookback provision, which begins on January 1, 2022, changes that.
Under CPRA, consumers have the right to access all of the data you have collected about them going back to January 1, 2022. Starting on January 1, 2023, you must provide all of that data on request, including the categories of vendors and service providers with whom you have shared it.
That means you need to start collecting and recording data in the right way on January 1, 2022, even if CPRA does not apply to your business until 2023.
For example, if someone requests their data in 2028, you must produce everything you have collected about them since January 1, 2022.
CPRA is targeted more at large businesses, specifically those that meet the following criteria:
Important note: Even if your business is not physically or legally located in California, it is still subject to CPRA if you have users or conduct business in the state.
CPRA introduces many new and modified regulations to protect Californians’ privacy. The major regulations are as follows:
CPRA introduces three new rights for California residents:
This means that users can request that their PI and SPI be corrected if they find it to be inaccurate.
This means that California residents will have the right to opt out of the use of automated decision-making technology, including profiling. Profiling covers data related to a consumer’s economic situation, health status, personal preferences, interests, work preferences, behavior, location, movements, and similar attributes.
This means that California residents can require businesses to restrict their use of this separate category of personal data, particularly sharing it with third parties. Sensitive information includes:
CPRA will modify the following rights:
CPRA extends California residents’ right to demand the deletion of personal information, and businesses now have to notify their third parties to delete that information as well.
However, the right to delete does not require a company to delete personal data in the following cases:
Under CCPA, consumers can request details about personal information collected in the previous 12 months, but CPRA extends this window beyond 12 months in certain circumstances.
Under CCPA, consumers could only opt out of businesses selling their data. Under CPRA, California residents can also opt out of companies sharing their PI with third parties for behavioral advertising.
CCPA requires organizations to obtain opt-in consent before selling the personal information of consumers under 16. CPRA additionally requires businesses to wait 12 months after an opt-in request has been declined before asking for permission again.
Under CCPA, residents have the right to request a copy of their personal information from a company. CPRA extends this right so that consumers can obtain a copy of their data in a commonly used, machine-readable format, making it easy to transfer to another organization.
CPRA provides guidelines for businesses to ensure that consumers can opt out of having their personal information sold or shared and can limit the use of their sensitive personal information. To that end, businesses must add a link titled “Limit The Use Of My Sensitive Personal Information” to their websites so that California residents can limit its use and disclosure.
CPRA expands the CCPA’s current consent requirements by including the following:
CCPA gave users the right to opt out of their personal information being sold or shared for advertising purposes in exchange for money.
CPRA, however, divides advertising into two types: cross-context behavioral advertising and non-personalized advertising.
Cross-context behavioral advertising targets consumers based on personal information collected from contexts they did not intentionally interact with.
Non-personalized advertising is based solely on a consumer’s PI derived from their current interaction with the business, excluding their precise geolocation.
CPRA does not allow users to opt out of non-personalized advertising, as it is considered necessary for running the business.
The act creates a new dedicated privacy agency, the California Privacy Protection Agency (CPPA), to supervise and handle all enforcement.
Governing members: CPPA will be governed by a five-member board appointed by the Governor, the Attorney General, the Senate Rules Committee, and the Speaker of the Assembly.
All appointees must have expertise in consumer rights, privacy, and technology, and are subject to some restrictions to help ensure that they remain free from external influence.
Role of CPPA: The California Privacy Protection Agency will regulate and supervise both CCPA and CPRA. The CPPA will have the authority to investigate and identify violations of any kind.
CPRA introduces three additional requirements for businesses that are modeled closely on the EU’s GDPR regime:
Under CPRA, a website or business may collect, use, and share Californians’ PI only for the stated purpose of collection.
An organization is not allowed to collect, use, or share Californians’ PI for a different or new purpose without disclosing it first. Furthermore, an organization cannot use, manage, or share information without declaring its intention.
A website or business will be required to inform California residents, at the point of collection, how long their collected personal information will be retained. This gives users the right to know how long their data will be stored after collection.
The two laws are not entirely distinct from each other. CCPA is California’s foundational data privacy law and went into effect on January 1, 2020. CPRA is not a new law but an amended and expanded version of CCPA that will be enforced from July 1, 2023.
The table below summarizes the fundamental changes that will be made under CPRA:
| Area | CCPA | CPRA |
| --- | --- | --- |
| Consumer privacy rights | CCPA gave California’s residents the following rights: Right to Know; Right to Delete; Right to Opt-Out of third-party sales; Right to Non-discrimination. | CPRA introduces new rights and expands existing ones: Right to Know; Right to Delete; Right to Opt-Out of selling or sharing data with third parties; Right to Limit Use and Disclosure of Sensitive PI; Right to Correction; Right to Access Information About Automated Decision-Making; Right to Opt-Out of Automated Decision-Making Technology; Audit Obligations; Right to Non-discrimination. |
| Sensitive personal information | CCPA includes SPI in the broader regulated dataset but does not impose separate requirements and prohibitions for sensitive PI (other than increased verification requirements). | CPRA imposes distinct requirements and restrictions on users’ sensitive PI: businesses must disclose what kinds of SPI they use; opt-out requirements apply to use and disclosure; opt-in consent is required for use and disclosure; businesses must state the purpose for using SPI. |
| Sharing of PI | If users opt out of sharing their PI, businesses can use it only for advertising purposes in exchange for money or other valuable consideration. | Under CPRA, opt-out rights restrict the use of PI for behavioral advertising, whether or not money or other valuable consideration is exchanged. |
| Changes in the link title | Under CCPA, businesses had a “Do Not Sell” button on their website. | Under CPRA, businesses must provide a link titled “Do Not Sell or Share My Personal Information.” |
| Grace period and fines for violations | Businesses were given a 30-day grace period after being notified of an alleged breach or violation in which to cure it. | CPRA removes the 30-day grace period and raises the maximum fines for violations. |
If you violate the CPRA regulations, you will be liable for the following penalties:
To comply with CPRA, we strongly suggest that you do the following:
CPRA extends protection to data shared with third parties. You will need to audit your vendors and partners and ensure that all data is securely shared, managed, and stored. In addition, have streamlined processes in place to handle users’ requests for correction, deletion, or transfer.
Since CPRA places great importance on a consumer’s SPI, you must ensure that every piece of data such as demographics, geolocation, and employment data is accounted for from January 1, 2022 onwards. Having all that information organized and attached to the right user will be critical under CPRA.
You should label SPI to distinguish it from non-sensitive personal information. This will help you decide whether a given request should be handled as an opt-out request or as a request to limit the use of sensitive personal information.
If you have already labeled personal information, you can distinguish SPI from the rest of the data. In addition, if you already comply with GDPR, you have most likely already identified most of your SPI.
Use consent and opt-in forms to confirm that consumers allow their data to be used, stored, or shared. In addition, improve the opt-in and consent forms on your websites, emails, and other digital channels.
With the implementation of CPRA, there will undoubtedly be more consumer data privacy requests for deletion, transmission, or correction. You will therefore need robust processes, personnel, and technologies to handle these requests smoothly.
Change your data retention policies so that “keep everything for 12 months” is changed to “keep everything going back forever as long as you’re still using it.”
As more of daily life is digitized, laws like CPRA play a crucial role in ensuring the safety and security of consumers’ personal data and in ensuring that businesses use that data transparently and reasonably.
CPRA will change how you conduct your business operations. By following the guidelines above, you can ensure that you do not violate these regulations and can maintain a healthy relationship with your users.