What is the California Privacy Rights Act (CPRA)?
The California Privacy Rights Act (CPRA) is an extension of the 2018 California Consumer Privacy Act (CCPA). The goal of both laws is to enhance the privacy rights of California residents with regards to the personal information that companies collect about them, giving them the right to see, delete and limit the sale of that data. The CPRA will be fully implemented in mid-2023.
In this article, we will take a close look at the provisions of CPRA and how it amends the CCPA. We also provide answers to common questions about these privacy laws in the FAQ section at the end of the post.
The CPRA imposes the following key new obligations:
- Consumers have the right to access and delete their own personal information.
- Consumers can opt out of having their information sold.
- Businesses must get authorization from a parent before selling a child’s sensitive personal information (teenagers can provide their own consent).
- Businesses may utilize a customer’s information only for the purposes specified at the time of its collection.
- Companies may preserve a customer’s information only for as long as the company has indicated publicly.
- Businesses must not collect any more information about customers than absolutely necessary (data minimization).
- All subsequent transferees must provide the same level of cybersecurity (chain of custody).
- Companies must be able to inform businesses to which they’ve sold or exchanged personal information that a deletion request has been received.
- Businesses must allow customers to make changes to their personal information.
- Consumers have the right to stop the use of a new category of data: sensitive personal information (SPI), which includes race, precise geolocation, religion, union membership, genetics, biometrics, sexual orientation, contents of communications, and other data that can be used for cross-context behavioral advertising.
- Consumers have the right to object to automated decision-making and gain valuable insight into the reasoning involved.
- The CPRA eliminates the 30-day right to cure an infraction.
Who is subject to the CPRA?
The CPRA applies to any company that does business in California, no matter where it is based, if it meets any of the following criteria:
- It has an annual revenue of $25 million or higher.
- It shares, sells or acquires the personal data of 100,000 or more customers or households.
- It makes at least half of its yearly income from selling or exchanging personal information about customers (regardless of total revenue).
Who enforces the CPRA?
The CPRA is enforced by the California Privacy Protection Agency (CPPA), a new agency created under the CPRA. The agency’s only mission is to enforce the CPRA, respond to complaints and hold non-compliant firms accountable.
The CPRA can also be enforced by consumers through litigation.
What is the timeline for CPRA rollout?
January 2020 — CCPA takes effect.
November 2020 — The CPRA was passed by California voters via the Proposition 24 initiative on the November 2020 ballot.
January 2021 — The California Privacy Rights Act becomes law and the California Privacy Protection Agency is established.
July 2021 — The process for formulating and adopting CPRA regulations begins.
July 2022 — CPRA implementation rules, including risk assessment standards, must be in place by July 1, 2022. They will likely provide guidance on the scope of risk assessments as well as the procedure for conducting and recording them. To prepare, businesses may find the GDPR useful in the interim, because the CCPA and CPRA are heavily influenced by it.
January 2023 — CPRA is in full force.
July 2023 — Enforcement of the CPRA begins under the CPPA.
What’s new with the CPRA?
The CPRA enhances the protection regulations set down by the CCPA, addressing some loopholes and reinforcing some weak spots. Here are the primary changes:
- Personal information is divided into two types: standard and sensitive.
Because some personal data, such as a Social Security number, is more valuable and sensitive than other personal data, such as an email address, the CPRA has different rules and potential sanctions for standard and sensitive personal information. For example, sensitive data has more stringent disclosure requirements and more restrictions on how the data can be utilized.
- Employees must be protected regardless of where they live.
The CPRA broadened the scope of the CCPA to include not just California residents but all workers and contractors working for California businesses, regardless of location.
- Businesses must have opt-out links on their website.
The California Privacy Rights Act requires businesses to enable users to opt out of having their personal information sold or shared by including on their websites a link named “Do Not Sell Or Share My Personal Information”.
The CPRA also adds a new obligation for your website to have a link labeled “Limit the Use of My Sensitive Personal Information” that allows Californians to choose how their SPI is used and disclosed.
- The CPRA established new consumer rights and modified existing ones in the CCPA.
The CPRA introduces two new rights. Customers have the right to have inaccurate information corrected, and the right to limit use of their personal information by businesses. The CPRA also increased data portability, data exclusivity and other rights.
- Increased penalties for violations involving the data of minors.
The CPRA expands the CCPA’s protection of children’s private rights by tripling penalties for violations involving a minor’s data. The CPRA also gives parents more control over the personal data of their children.
- Changed rules for third parties
Under the CPRA, the definition of the term “third party” specifically excludes both contractors and service providers. Significantly, the CPRA requires a company that distributes or sells personal information to a third party to have a contract in place with the third party that imposes the same limits as a service provider agreement. The agreement would stipulate, among other things, that personal information is sold or divulged by the company “only for restricted and stated reasons.”
- Removed the “cure” period
The CPRA removes the 30-day cure period that businesses were given under the CCPA to address a violation after being formally notified of it by the Office of the Attorney General (OAG).
More generally, the law requires businesses to:
- Inform consumers of the categories of personal information being collected (such as sensitive personal information) and the purposes of that data collection.
- Inform consumers for how long they will retain their personal data.
- Be able to justify that the collection, use, retention and sharing of a consumer’s personal information are reasonably necessary and proportionate.
- Put in place reasonable security policies and practices that are appropriate for the nature of the personal information to safeguard it against unauthorized or unlawful access, destruction, use, alteration or disclosure.
The full list of duties and responsibilities is listed here.
What are the penalties for CPRA violations?
Any business, service provider, contractor or other entity that violates the CPRA can face an injunction and an administrative fine of not more than $2,500 for each violation; that fine triples to $7,500 for each violation involving the personal information of minors under 16 years of age.
How can Netwrix help?
With Netwrix solutions, you can achieve, maintain and prove CPRA compliance with less effort and expense. They automate processes like change, access and configuration auditing; ensure accurate discovery and classification of sensitive data; and provide actionable insight into your data and infrastructure security. Netwrix solutions also streamline data subject requests by automating the data collection process — a crucial and resource-intensive step.
Summary
The CCPA and CPRA are designed to help protect consumers and their personal information.
The table below shows how the CPRA differs from its predecessor, the CCPA, in terms of the most significant modifications.
| | CCPA | CPRA |
| --- | --- | --- |
| Enforcement entity | California Attorney General’s Office | California Privacy Protection Agency |
| Sensitive data | – | + |
| Data minimization | – | + |
| Purpose limitation | – | + |
| Storage limitation | – | + |
| Data protection impact assessments | – | + |
| Control of third parties | – | + |
| Deletion of PI | + | + * |
| Opt-out links | + | + |
| Fines | Intentional violation: $7,500; Unintentional: $2,500 | Violations involving the data of minors: $7,500 |

* Third parties included
FAQ
Does the CPRA replace the CCPA?
The California Consumer Privacy Act (CCPA) was updated by the California Privacy Rights Act (CPRA), which takes effect on January 1, 2023. The CPRA is not a replacement for the CCPA; rather, it extends it with new requirements, such as requiring firms to perform risk assessments.
How can a business comply with the CPRA?
CPRA compliance involves multiple steps. One is a continuous process of data classification so that regulated data can be properly handled. Businesses must also provide users with options to opt out of data gathering, make it simple for users to move or update their data, and be vigilant about user privacy. The more thorough you are with these processes, the less likely you are to be fined for intentional violations of the California Privacy Rights Act.
How is the CPRA different from the CCPA?
The basic answer is that California has a single overarching legal data privacy framework, which was created by the CCPA on January 1, 2020, and to which the CPRA is more of an overlay than a separate statute. The CPRA is a renovation of the CCPA that clears up ambiguities and introduces additional requirements to protect consumers.