California is one of the strictest states regarding data breaches, data deletion requests, and maintaining correct personal information as there are multiple laws and regulations that cater to California consumers.
The latest law to hit the state is the California Privacy Rights Act (CPRA), an expansion of the earlier CCPA act, a state statute meant to protect consumers and their privacy rights, and cater to things like deletion requests, financial account data, and limit the amount of personal information businesses collect.
Even if your business is not incorporated in California, it could be liable under the California Privacy Protection Agency's regulations. Simply doing business in the state means you collect personal information from California residents, and you are therefore subject to California privacy law.
In this article, we'll answer questions such as: What is the CPRA? Is your business required to comply with the CPRA? What happens if you don't comply with the CPRA? Read on to understand more about this critical California privacy law and how you can stay compliant with CPRA regulations.
What is the CPRA?
The California Privacy Rights Act is a 2020 California proposition meant to expand and amend the previously passed California Consumer Privacy Act of 2018. In short, the CPRA limits and prevents businesses from wrongfully using and abusing private data. To help implement the laws created by the amendment, the CPRA also created the California Privacy Protection Agency which serves as the state regulator.
What does the CPRA stand for?
The CPRA stands for the California Privacy Rights Act, a California ballot proposition that expands upon the California Consumer Privacy Act of 2018 by protecting consumers' personal information and compelling businesses to implement reasonable security procedures.
When did the CPRA go into effect?
While it was passed in 2020, the CPRA didn’t go into effect until January 1, 2023. Also, the CPRA applies only to personal data collected by businesses on or after January 1, 2022, though some older data still falls under the jurisdiction of the CCPA.
While the CPRA is California legislation, it is a law that has impacted businesses nationwide and, in some cases, worldwide. The CPRA applies to anyone who does business with California residents, which effectively includes businesses in Europe and Canada if they advertise to consumers in California.
To summarize the overall aims of the CPRA, the consumer rights protected by the act are outlined exactly in the text as follows:
1. Consumers should know who is collecting their personal information and that of their children, how it is being used, and to whom it is disclosed so that they have the information necessary to exercise meaningful control over businesses’ use of their personal information and that of their children.
2. Consumers should be able to control the use of their personal information, including limiting the use of their sensitive personal information, the unauthorized use or disclosure of which creates a heightened risk of harm to the consumer, and they should have meaningful options over how it is collected, used, and disclosed.
3. Consumers should have access to their personal information and should be able to correct it, delete it, and take it with them from one business to another.
4. Consumers or their authorized agents should be able to exercise these options through easily accessible self-serve tools.
5. Consumers should be able to exercise these rights without being penalized for doing so.
6. Consumers should be able to hold businesses accountable for failing to take reasonable precautions to protect their most sensitive personal information from hackers and security breaches.
7. Consumers should benefit from businesses’ use of their personal information.
8. The privacy interests of employees and independent contractors should also be protected, taking into account the differences in the relationship between employees or independent contractors and businesses as compared to the relationship between consumers and businesses. In addition, this law is not intended to interfere with the right to organize and collective bargaining under the National Labor Relations Act.
Responsibilities of businesses under the CPRA
The responsibilities of businesses according to the act are outlined exactly as follows:
Businesses should specifically and clearly inform consumers about how they collect and use personal information and how they can exercise their rights and choice.
Businesses should collect consumers’ personal information only for specific, explicit, and legitimate disclosed purposes and should not further collect, use, or disclose consumers’ personal information for reasons incompatible with those purposes.
Businesses should collect consumers’ personal information only to the extent that it is relevant and limited to what is necessary in relation to the purposes for which it is being collected, used, and shared.
Businesses should provide consumers or their authorized agents with easily accessible means to allow consumers and their children to obtain their personal information, to delete it or correct it, to opt out of its sale and sharing across business platforms, services, businesses, and devices, and to limit the use of their sensitive personal information.
Businesses should not penalize consumers for exercising these rights.
Businesses should take reasonable precautions to protect consumers’ personal information from a security breach.
Businesses should be held accountable when they violate consumers’ privacy rights, and the penalties should be higher when the violation affects children.
The CPRA is an extensive set of regulations, and one that has seen additional amendments since it was approved by the residents of California in 2020. Read on to find out more key details of the CPRA and CCPA in the sections below.
Who does the CPRA apply to?
While the CPRA does introduce additional restrictions and requirements on businesses that interact with California residents, the CPRA is narrower than the CCPA. A business does not have to comply with the CPRA unless it meets one of the following conditions:
It collects the private information of at least 100,000 California residents. This is an update from the 50,000 California resident requirement, a change implemented to ensure small businesses aren’t required to follow the CPRA.
It has annual global revenue in excess of $25 million US dollars. This revenue does not have to come exclusively from California residents for a business to fall under CPRA jurisdiction.
It earns more than half of its global annual gross revenue from the collection and selling of consumer personal data. Once again, this revenue does not have to come exclusively from California residents for a business to fall under CPRA jurisdiction.
It is important to note that if a business meets the revenue or data collection requirements but does not collect any personal data from California residents, it does not have to be CPRA or CCPA compliant. However, as it can be difficult to determine where each individual visitor is from, most large businesses simply opt to make their companies CPRA compliant.
In a nutshell, we strongly recommend seeking out CPRA compliance if your business processes personal information such as a consumer's social security number, driver's license number, racial or ethnic origin, financial account information, health insurance information, and more.
CCPA vs CPRA
The CPRA is an expansion of the CCPA, and it’s meant to provide additional protections for consumers and privacy rights obligations for businesses. In general, complying with the CPRA will ensure a business is compliant with the CCPA.
However, there are a few key differences worth noting to ensure total compliance and understanding of these acts. They are as follows:
Size of Business: The CCPA applies to all businesses that collect consumer data from 50,000 or more California households. The CPRA doubles the threshold and is enforced only after collecting data from over 100,000 Californian households and consumers.
SPI: The CCPA is broad in its coverage of consumer private data. The CPRA expands its protection by introducing the Sensitive Personal Information (SPI) category. This includes extra personal data such as social security numbers, religion, ethnicity, etc.
Enhanced Child Protection: The CCPA introduced regulations that prevent a business from selling the personal information of children 16 years and younger without their consent. The CPRA imposed additional private data protection for children.
Additional Fines: Along with the additional protections, new fines have been introduced with the CPRA on top of those for violating the CCPA. For example, violating rules protecting children's private data will now result in an additional $7,500 fine per violation.
The CPPA: Previously, rule-making and enforcement of the CCPA were handled by the California Attorney General's office. The CCPA and CPRA are now implemented by a dedicated agency, the California Privacy Protection Agency. This is the first US-based regulatory agency dedicated exclusively to data privacy protection.
Private Civil Suits: Lastly, the final major difference is that the CPRA has increased the categories and damages for which private individuals and consumers can sue a business in a civil lawsuit for private data violations.
For businesses that are required to comply with CPRA regulations, it is highly recommended that they reach out to a lawyer who specializes in private data legislation to understand exactly how their business is affected. As every business collects different data from different categories of people, compliance for one company will look different than compliance for another.
With that in mind, here is a broad overview of the new, changed, and key CPRA rights and restrictions that a business should be aware of:
New CPRA rights
Brand new rights introduced by the CPRA include:
Right to Restrict Use of SPI: Consumers can request businesses to limit and prevent disclosure of sensitive personal information.
Right to Change and Correct SPI: Consumers can request changes and updates to the SPI held by businesses.
Right to Access Information and Opt Out of Automated Decision Making: Consumers may request to learn more or opt out of any automated decision-making or individual profiling technology. This can include requesting the predictions and outcomes that automated decision technology would make from their private data profile.
Right to Know of Personal Data Collection: The CCPA requires businesses to inform consumers of all personal data collected within the past 12 months upon request. The CPRA expands this by requiring businesses to share additional and sensitive personal information collected beyond the initial 12-month restriction.
Modified CPRA rights
Rights in the CCPA that have been modified and expanded upon include:
Right to Share PI: Consumers can request a business to transmit their personal information to another company if it is technically feasible for the business to do so.
Right to Partially or Completely Opt Out of Third-Party Data Sharing: Consumers can selectively or totally request a business to stop selling and sharing their private information with third-party organizations and companies.
Right to Access All Private Information: Consumers can request that a business provide all of their personal information, especially sensitive personal information, that it has shared with third-party businesses and organizations.
Right to Delete Private Information: Consumers can request businesses to delete their personal information if the business no longer actively needs it. Additionally, a consumer can also request a business to reach out to third parties that have acquired the personal information to pass along the request for data deletion.
Advertising is one of the more nebulous areas of the CPRA that is still being discussed and modified by the California legislature. Currently, the CPRA enforces regulations based on Cross Context Behavioral Advertising, which is defined as advertising based on personal information obtained by a business through means other than direct interaction with the business.
Under the CPRA, consumers may withdraw their consent to businesses to sell or share their personal information for the purposes of targeted advertising, also known as cross context behavioral advertising.
There are several ways to comply with this requirement. A business may provide a “Do Not Sell or Share My Personal Information” link on its website and record individual visitor preferences to block personal data collection. The best way to guard consumers' personal information is via a DSAR form.
Advertising is not affected by the CPRA if the advertisement is based on one of the following:
Advertisements based on consumer interaction with a website or service owned primarily by the business.
Advertisements based on consumer searches or page exploration patterns on a website or service owned primarily by a business.
Advertisements based on consumer requests for the types of advertisements they would like to see.
Advertisements generated in response to the performance and reach of prior compliant advertising.
CPRA & data processing
Under new CPRA regulations, businesses that hold sensitive personal information that would put a consumer’s privacy at risk are now required to present an annual cybersecurity data processing audit to the CPRA.
This cybersecurity audit will consist of a risk assessment of all data processing activities as evaluated by an independent organization that follows the legal audit procedures outlined by the CPRA.
The CPRA cybersecurity audit will focus on the following data processing activities:
Types of data collected
Complexity and detail of data collected
Purpose of data
How data is stored
Ease of accessing and modifying data
Risk of data corruption and theft
Benefits provided by data collection
For businesses to successfully pass the new CPRA security audits, it is in their best interests to:
Minimize the data collected
Delete personal information collected when no longer needed
Control where consumer data is stored
Clearly outline the purpose of data collection
Introduce additional security to protect consumer data and correct inaccurate personal information
Maintain reasonable security procedures to prevent unauthorized or illegal access
Offer an easy way to process deletion requests
The California Privacy Protection Agency
As detailed above, the passing of the CPRA ballot also led to the creation of the California Privacy Protection Agency, the first regulatory agency in the United States dedicated to the protection of consumer private data.
The creation of a dedicated agency allows for more effective enforcement of both the CPRA and the CCPA. The CPPA is governed by a five-member board, supported by agency staff, that carries out the following responsibilities as outlined on the CPPA website:
Promoting public awareness of consumers’ rights and businesses’ responsibilities under the CCPA.
Adopting regulations in furtherance of the CCPA. The Agency may issue regulations to achieve the CCPA’s goals, including rules that operationalize the CCPA’s requirements, update existing regulations, and consolidate requirements to make the regulations easier to follow and understand.
Enforcement of the CCPA. The Agency is tasked with enforcing the CCPA through administrative enforcement actions. It has the ability to investigate possible violations, provide businesses with an opportunity to cure, and take enforcement actions.
Fines for noncompliance with CPRA
Under the CCPA, every unintentional violation would result in a $2,500 fine while every intentional violation would result in a $7,500 fine. The biggest change with the implementation of the CPRA is that any violation involving a child who is 15 or younger will result in a $7,500 fine, whether or not it was intentional.
It is important to note that each fine is charged per individual violation. As a result, intentionally violating the rights of 1,000 Californian consumers protected by the CPRA would result in a $7,500,000 fine. Large businesses that fall under the jurisdiction of the CPRA or CCPA should make their companies compliant as soon as possible to avoid massive fines from the CCPA.
The CPRA is in effect from the start of 2023 onwards. While it is an act designed to protect consumers in California, it will have an impact on businesses beyond those in the Golden State. The CPRA creates conditions that make it extremely hard to engage in activities like selling personal information or sharing consumers' personal information.
Hence, it is in a business's best interests to be aware of CPRA rules and take steps to ensure CPRA compliance.
In just a couple of years, the CCPA went from a singular statute in California to an expanded legislation that now has its own dedicated agency enforcing the CPRA, i.e. the California Privacy Protection Agency. Even online advertising is now affected by the rapidly changing CPRA.
Tips to stay compliant with CPRA
Just like the internet and the wider world of technology, what is accepted and covered by the CPRA today will likely change in the coming weeks and years. The better understanding one has of the CPRA now, the better prepared a business will be to protect itself against fines and adapt to the changes that come in the future.
Does your company need help ensuring CPRA compliance? Do you have any questions about the rules and regulations regarding CCPA, CPRA, or other private data collection legislation around the world like the GDPR? We at Enzuzo would be happy to help you with your private data collection concerns.
Enzuzo is an easy-to-use privacy management platform designed for businesses large and small. Enzuzo is designed with a collection of features that will ensure compliance with constantly changing personal information collection laws around the world without negatively impacting the customer experience.
If you would like to learn more or think that Enzuzo is a good fit for your business, contact us today! Whether you want to book a demo or just need a consultation to make your company CPRA compliant, Enzuzo is here to help.
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.