The California Privacy Rights Act (CPRA) is a newly passed data privacy bill that will modify and expand the existing privacy law, California Consumer Privacy Act. CPRA is proposed to strengthen consumer privacy by enhancing the rights and responsibilities of the business towards them.
You must be wondering what all this means for your business and privacy regulation in California and beyond. This guide will talk about everything you should know about CPRA and how you can comply with it.
Table of contents
What new regulations will be introduced under the CPRA?
- Introduction of three new rights
- Modification of CCPA's existing five rights
- CPRA introduces new consent standard
- CPRA regulates behavioral advertising
- Establishment of the California Privacy Protection Agency
- CPRA introduces GDPR-like requirements
- CPRA requires businesses to add a link on their website for registering data sharing preferences
What is the California Privacy Rights Act?
California Privacy Rights Act, also known as Proposition 24, is a new data privacy bill approved by most voters during the general election on November 3, 2020. The act aims to:
- Strengthen the rights of Californian citizens.
- Tightening business regulations on using users’ personal information (PI).
- Establishing California Privacy Protection Agency (CPPA), a new government agency for state-wide data privacy enforcement, and more.
The act will be enforced on July 21, 2023, and will be applied to all the consumer data businesses collect on or after January 1, 2022.
Get the State of Email 2023 Report
150+ email experts share their email tips and secrets
History of CPRA
CPRA was proposed by Alastair Mactaggart, a real estate developer turned founder of the advocacy group Californians for Consumer Privacy. He made efforts via his advocacy group and put forth a ballot initiative known as the California Privacy Rights Act.
Alastair’s viewpoint is that “We’ve laid a historical foundation for consumer rights in California with the passage of the California Consumer Privacy Act, and now it’s time to seize that momentum and take the next step in enforcing and expanding the law to keep pace with an industry that is changing at a break-neck pace,” and “that’s why we’ve introduced a new initiative that will further protect our most personal information, increase fines for violating kids’ privacy, create more transparency and most importantly, establish an enforcement arm that truly looks out for consumers.”
As provided by state law, Attorney General Xavier Becerra released the title and summary for the CPRA.
Why was CPRA passed?
CPRA was passed to enhance California’s citizens’ privacy and create a transparent exchange of information between your business and consumers. CPRA will give Californian’s citizens the right to:
Control and limit the use of their personal information and sensitive personal information by businesses.
Correct, delete and transfer their personal information.
Know for how long the business will use their data.
Hold businesses accountable in case they fail to comply with CPRA regulations.
Have their privacy interests protected even as employees and independent contractors.
You must be thinking CPRA will be implemented in 2023, but the one-year lookback provision beginning from January 1, 2022, changes everything.
What does it mean?
As per CPRA, consumers will have the right to access all of the data you’ve ever collected about them going back to January 1, 2022. You must give all their data if they request, including those categories of vendors and service providers with whom you’ve shared data, starting on January 1, 2023.
That means you need to start collecting data in the right way from January 1, 2022, even if the CPRA doesn’t apply to your business until 2023.
For example, if someone asks for their data in 2028, you must produce everything you’ve collected about them beginning from January 1, 2022.
Who needs to comply with the CPRA?
CPRA will be more targeted towards the large businesses which meet the following criteria:
Has annual gross revenue of more than $25 million.
Generates 50% or more of its annual revenues from selling or sharing consumers’ personal information.
Purchases, sell or share the personal information of more than 100,000 consumers or households per year.
Important note: Even if your business isn’t physically or legally located in California, it is still subject to CPRA if you have users or conduct business in the state.
What new regulations will be introduced under the CPRA?
CPRA will bring in many new and modified regulations to protect Californians’ privacy from businesses. Major regulations are as follow:
Introduction of three new rights
CPRA will introduce three new rights for California residents, which are as follows:
1. Right to correct inaccurate information.
It means that users can request their PI and SPI corrected if they find them incorrect.
2. Right to opt-out and know of automated decision making.
It means that California residents will have the right to opt-out of the use of automated decision-making technology, including profiling. Profiling includes data related to a consumer’s economic situation, health status, personal preferences, interests, work preferences, behavior, location, movements, etc.
3. Right to limit the sensitive personal information
It means that California residents can make businesses restrict their use of this separate category of personal data, particularly third-party sharing. Sensitive information includes:
Data on race and ethnicity.
Religious beliefs, political and philosophical beliefs, or union membership.
Data on sex life or sexual orientation.
Health data, sex life, or sexual orientation.
Social security number and driver’s license, state ID card, or passport number.
Account log-in, financial account, debit or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.
Contents of a consumer’s mail, email, and text messages, if the business is not the intended recipient of the communication.
The processing of biometric information to uniquely identify a consumer.
Modification of CCPA's existing five rights
CPRA will modify the following rights:
1. Right to delete
The CPRA extends California’s residents’ right to demand the deletion of Personal Information, and businesses now have to notify their third parties to delete that information as well.
However, the right to delete does not require a company to delete personal data in case of the following:
If the business/service provider needs that information to complete a sale.
Regarding data security incidents.
To protect against malicious, deceptive, fraudulent, or illegal activity.
To exercise free speech.
2. Right to know
Under CCPA, consumers can request details relating to personal information collected in the previous year, but CPRA extends this window beyond 12 months in certain circumstances.
3. Right to opt-out
Under the CCPA, consumers could only opt out of businesses selling their data. But, under CPRA, California residents can now opt-out of companies sharing their PI specifically with third parties for behavioral advertisement.
4. Right of minors
The CCPA dictates that organizations ask for opt-in consent to sell data owned by people under 16. However, the CPRA now demands that businesses wait for 12 months after an opt-in request has been declined before requesting permission again.
5. Right to data transferability
Under the CCPA, citizens have a right to demand a copy of their personal information from the company. But, CPRA extends this right to allow consumers to claim a copy of their data in commonly used, machine-readable format to provide easy transferability to another organization.
CPRA introduces new consent standard
CPRA expands the CCPA’s current consent requirements by including the following:
- Consent for the selling or sharing PI and SPI after a user has opted out, including minors.
- Consent for using consumer's data for research purposes.
- Consent to opt-in to a financial incentive.
CPRA regulates behavioral advertising
The CCPA gave users the right to opt-out of selling and sharing personal information for advertising purposes in exchange for money.
But, the CPRA divided advertising into two different types: cross-context advertising and non-personalized advertising.
● Cross-context advertising
It involves targeting consumers based on their personal information with which they didn’t intentionally interact.
Users have the right to opt-out of such advertising.
Users can ask businesses to stop sharing their PI with third parties to avoid advertisements based on their behavior-related data such as search, browser, purchase history, device settings, etc.
● Non-personalized advertisement
It involves advertising based solely on a consumer’s PI derived from their current interaction with the business, except their precise geolocation.
CPRA doesn’t allow users to opt-out of such advertising as it is considered important for running the business.
Establishment of the California Privacy Protection Agency
The act will create a new dedicated privacy agency, the California Privacy Protection Agency (CPPA), to supervise and handle all the enforcement.
Governing members: CPPA will be governed by a five-member board appointed by the Governor, the Attorney General, the Senate Rules Committee, and the Speaker of the Assembly.
All these appointees must have expertise in customer rights, privacy, technology, and (with some restrictions to help ensure that they remain free from external influence).
Role of CPPA: It will regulate and supervise both CCPA and CPRA. The CPPA will have the right to investigate and find any violations.
CPRA introduces GDPR-like requirements
CPRA introduces three additional requirements for business that are closely formed after the EU’s GDPR regime:
Under the CPRA, a website or business can only collect, use, and share Californians’ PI only for the stated collection goal.
An organization isn’t allowed to collect, use or share Californians’ PI for a different or new purpose without reporting it first. Furthermore, an organization cannot use, manage, or share information without declaring its intention.
A website or business will be required to inform (at the point of collection) California residents about the retention time of their collected personal information. It gives the users a right to know for how long their data will be stored after collection.
CPRA requires businesses to add a link on their website for registering data sharing preferences
CPRA provides guidelines for businesses to ensure that consumers can opt-out of having their personal information sold or shared and limit the use of their Sensitive personal information. For that, businesses must add a link titled “Limit The Use Of My Sensitive Personal Information” on their websites to enable California residents to limit the use and disclosure.
|Consumer privacy rights||CCPA gave the following rights to California’s citizens:
||CPRA will introduce new and expand the existing rights, which are as follows:
|Sensitive personal information (SPI)||CCPA includes SPI in the broader regulated dataset but doesn’t enforce separate requirements and prohibitions for sensitive PI (other than increased verification requirements).||CPRA imposes different requirements and restrictions on user’s sensitive PI, which are:
|Sharing of personal information (PI)||If users opt-out of sharing their PI, businesses can use their PI only for advertising purposes for money or other valuable consideration.||Under CPRA, opt-out rights restrict the use of PI for behavioral advertising, which may or may not involve an exchange for money or other valuable consideration.|
|Changes in the link title||Under CCPA, businesses had a “Do not sell button” on their website.||Under CPRA, businesses need to provide a link titled “Do Not Sell or Share My Personal Information.”|
|Grace period and fine on violation||Businesses were given a grace period of 30 days after being notified of an alleged breach or violation to cure the violation.||CPRA cancels that grace period of 30 days and raises the maximum on fines for violations.|
What happens if you don’t comply with CPRA?
If you violate the CPRA regulations, then you’ll be liable for the following penalties:
- An administrative fine of no more than $2,500 for each violation.
- For each intentional violation involving the PI of a consumer under 16 years of age, the fine will be $7500.
Get a sample AMP email in your inbox
Experience the power of interactivity right now
How can you comply with CPRA?
To comply with CPRA we highly suggest you do the following:
• Organize third-party data
CPRA broadens third-party data protection. You will need to audit your vendor and partner and ensure that all data is securely shared, managed, and stored. In addition, have streamlined processes in place to handle users’ requests for correction, deletion, or transfer.
• Create an inventory of user’s data
Since CPRA lays great importance on a consumer’s SPI, you must ensure that every piece of data like demographics, geolocation, employment data, etc., is accounted for beginning from January 1, 2022. So, having all that information organized and attached to the right user will be critical under CPRA.
• Label and distinguish your data
You should label the SPI to distinguish them from non-sensitive personal information. It will help you decide whether to use an opt-out request or a request to limit the use of sensitive data.
If you have already labeled out personal information, you can distinguish the SPI from the rest of the bunch. In addition, if you are already complying with the GDPR, then most likely, you have already identified most of the SPI.
• Update consent and opt-in forms
Use consent and opt-in form to confirm that consumers allow their data to be used, stored, or shared. In addition, improve opt-in and consent forms on your websites, emails, and other digital channels.
• Execute robust data processing system
With the implementation of CPRA, there will undoubtedly be more consumers' requests for deletion, transmission, or update of their data. Hence, you will need robust processes, personnel, and technologies to handle these requests smoothly.
• Change your data retention timeline
Change your data retention privacy policies so that “keep everything for 12 months” is changed to “keep everything going back forever as long as you’re still using it.”
With digitization, laws like CPRA play a crucial role in ensuring consumers’ personal data safety and security and that businesses use the data most transparently and rationally.
CPRA will bring changes in how you conduct your business operation, and by following the guidelines mentioned above, you can ensure that you don’t violate these regulations and maintain a healthy relationship with your users.