Table of Content
Data minimization
Purpose limitation
Storage limitation
Contractual requirements
Risk assessment
Extension of employee exemption
How are service providers defined under the CPRA?
What's a contractor?
How do third parties fit in?
Civil Penalties
Damages
Non-Monetary Relief
If you're a business owner in California, you should be aware of sweeping changes to the data privacy landscape that will affect your business for a long time.
As the first significant consumer privacy legislation in the United States, California's Consumer Privacy Act (CCPA) is a model for other states to change how companies conduct business.
Though enacted in January 2020, CCPA fell short of competing with its European counterpart, GDPR, which is still the world's most stringent data privacy law.
Therefore, the new amendment, California's Privacy Rights Act, expands on the current California Privacy Law and provides more rights and control to Californians.
This article discusses critical differences between CCPA and CPRA, what rights they provide, and how it affects your business.
What is CPRA?
California's Privacy Rights Act (CPRA) is an addendum to the existing California Consumer Privacy Act (CCPA) that expands upon the legislation providing more data control and privacy to the citizens of California.
CPRA brings significant changes and modifications in the current regulations focusing heavily on larger businesses and tracking data practices of smaller organizations.
When will the CPRA take effect?
California's Privacy Rights Act (CPRA) will be enacted on July 1, 2023. However, it has a look back period of January 1, 2022. This means businesses collecting data after December 31, 2021, must be accountable and compliant under the CPRA Regulations.
CPRA vs CCPA: Will it Affect your Business?
Californian consumers signed the ballot Proposition 24, which created California's Privacy Rights Act (CPRA) and significantly built on the CCPA. So much so that some refer to it as "CCPA 2.0."
It establishes new regulations on how businesses collect and handle personal information, especially sensitive personal information (SPI).
In other words, CPRA is more aggressive, unified, and complex privacy laws of all the passed and proposed privacy legislation in all the United States.
Let's take a detailed look into the key differences and potential impacts that you must be aware of as a business owner.
Updated CPRA Threshold
Any legal entity that operates for profit, such as Businesses, services, third parties, and contractors, is subject to the CPRA.
The CPRA defines a business as a for-profit entity that collects personal information as part of its operation. Additionally, this business must do business in California and meet one of the following requirements:
has annual gross revenues over $25 million or;
annually buys, receives, sells, or shares the personal information of 100,000 or more consumers, households, and devices or;
Derives 50% or more of its annual revenues from selling or sharing consumers' personal information.
If a business meets those requirements, it must:
Supply notice of consumer rights.
Comply with consumer rights.
Meet disclosure and retention requirements.
Respond to consumer requests.
Act on security safeguards.
Key Changes
Increase in the threshold from 50,000 to 100,000 for Californian consumers and households.
Includes sharing of data as a part of annual revenues.
Impact on Businesses
More aggressive toward large businesses due to the increase in threshold, giving a breather to SMBs.
SMBs may include sharing personal data, deriving at least 50% of the annual revenue of businesses.
Sensitive Personal Information (SPI)
Sensitive personal information, or SPI, is a new form of personal information the CRPA plans to enforce.
This is very similar to GDPR's Article 9, the "processing of special category of personal data," which forces businesses to practice more restraint and data governance when dealing with a high level of sensitive data.
SPI is personal information that shows:
Driver's license, social security number, and other forms of identification.
Any financial information such as debit/credit card numbers, bank credentials, logins, or passwords.
A consumer's exact location.
A consumer's demographic information, such as race, ethnicity, or beliefs, is the contents of a consumer's postal mail, email, or text messages unless given prior consent.
What's considered "selling" sensitive personal information?
According to the CCPA, selling personal information also includes releasing, disclosing, renting, or transferring personal information to another business or third party for monetary gain.
Key Difference
Updated disclosure requirements.
Purpose limitation requirements.
Opt-out requirements for use and disclosure.
Opt-in consent requirements after a previously selected opt-out.
Impact on Businesses
CPRA introduces "Sensitive Personal Information" (SPI), requiring businesses to protect and respond to consumer opt-out requests.
Businesses processing SPI must fulfill additional requirements.
Businesses storing SPI must include a website link titled "Limit the Use of My Sensitive Personal Information."
This link allows consumers to restrict the processing of their SPI.
SPI emphasizes the importance of safeguarding sensitive data and respecting consumer choices.
Consumer Privacy Rights
CCPA (Previous)
Right to Opt-Out of Third-Party Sales: Consumers can exercise this right to opt-out of businesses that sells their data to third-party.
Right to Know: Businesses must respond to consumer requests for personal information collected within the prior 12 months.
Right to Delete: Consumers can request the deletion of their personal information, with certain exceptions.
Right to Data Portability: Consumers have the right to receive a copy of their personal information.
Opt-In Rights for Minors: Businesses need opt-in consent to sell consumers' personal information under 16 years of age.
CPRA (Current)
Expanded Right to Opt-Out: Consumers can opt out of selling and sharing their personal information.
Extended Right to Know: Under certain circumstances, consumers can request personal information collected beyond the prior 12-month window.
Enhanced Right to Delete: Businesses must send delete requests to third parties that received the consumer's personal information.
Strengthened Right to Data Portability: Consumers can request the transfer of specific personal information to another entity in a machine-readable format.
5. Opt-In Rights for Minors: Businesses must wait 12 months before asking a minor consumer for consent to sell or share their personal information after the minor has declined, including data sharing for cross-context behavioral advertising.
CCPA Privacy Rights (Previous)
1. Right to know and request personal information collected by the business.
2. Right to request deletion of personal information
3. Right to opt out of the sale of personal information
4. Right to opt-in to the sale of personal information for consumers 15 and under
5. Right to avoid discrimination for exercising any rights; and
6. Right to take private action for data breaches.
CPRA Additional Privacy Rights (Current)
Right to correct false personal information.
Right, to eliminate the use of sensitive personal information.
Right to Access Information About Automated Decision Making
4. Right to Opt-Out of Automated Decision-Making Technology
Impact on Businesses
Compulsory CPRA Compliance is needed as the added privacy rights will need manual and technical expertise involving legal complexities.
Due to additional privacy rights, businesses must prepare to respond to the influx of privacy requests. DSAR Management will be the right fit for you.
Need in-house or outside third-party compliance platforms like Adzapier to navigate CPRA Compliance easily.
Learn more about CPRA Compliance
Replicating GDPR Principles
GDPR is the mother of all privacy laws and is the strictest data privacy legislation.
GDPR significantly emphasizes data minimization, purpose limitations, and storage limitations.
As CCPA didn't have any provisions for this, CPRA closed the gap by introducing concepts and data practices for businesses.
Data minimization
Businesses' collection, processing, retention, and sharing of personal data should be reasonable. Also, data usage shall be appropriately aligned with the purpose for which the personal data was collected.
Purpose limitation
Businesses must only collect and process personal data for precise, explicit, and lawful purposes.
Anything that intentionally or unintentionally contradicts the purpose of private data collection must be strictly avoided and should not be further engaged.
Storage limitation
Businesses should determine the criteria of the length of time the business intends to retain personal data, including sensitive personal data (SPI).
It should prohibit keeping data collected for a more extended period than is reasonably required for a specific purpose.
Key Changes
It introduces three new concepts and data practices that will narrow the scope for businesses to use personal data irresponsibly.
Impact on Business
The CPRA (California Privacy Rights Act) has codified principles regarding collecting and retaining personal information.
California has authorized its state regulator to enforce and penalize businesses that fail to adhere to these principles.
The first principle is to reasonably limit the collection of personal information to what is necessary for the intended purpose.
The second principle is to limit the retention of personal information to the minimum amount of time required to fulfill the intended purpose.
Lawsuits on Data Breach
Data breaches are the biggest problem for businesses, especially SMBs.
According to IBM, the average cost of data breaches from 2020 to 2022 has seen a 12.7% hike from $3.86 million to $4.35 million.
With data breaches, hackers extract highly sensitive data putting businesses and consumers at risk.
Previously under CCPA, the user could take the private right to take legal action against the company if it failed to establish appropriate data privacy and security measures.
Key Changes
Consumer login credentials are now included in the list of personal information categories subject to legal action, even if the CPRA does not expressly modify this right.
Impact on Business
Data breaches pose a significant risk to organizations, and the California Privacy Rights Act (CPRA) now considers login credentials as legally actionable personal information in case of a security breach.
To enhance data security, businesses should implement more advanced data encryption and consider using multi-factor authentication (MFA) as an additional security layer.
MFA requires users to provide multiple pieces of evidence to verify their identity, reducing the likelihood of unauthorized access even if login credentials are compromised, thus providing extra protection against data breaches.
California's Privacy Protection Agency
Previously, CCPA legislation was enforced on businesses by California's Attorney General. However, CPRA has established California's Privacy Protection Agency (CPPA), giving full authority to investigate, execute, and grant rulemaking powers.
Key Changes
CPRA establishes California's Privacy Protection Agency to enforce privacy legislation in the state.
Impact on Business
CPRA establishes CPPA, a new agency responsible for enforcing the CPRA, replacing the CCPA.
CPPA has a five-member board appointed by the Governor, Attorney General, Senate Rules Committee, and Speaker of the Assembly.
CPPA members require expertise in privacy, technology, and consumer rights. The impact on investigations and enforcement is uncertain, but increased activities are anticipated.
Other Significant CPRA Modifications
Contractual requirements
Maintaining contractual provisions and agreements with your third-party service providers under CPRA will be mandatory.
With a little slip on data privacy compliance from your third-party service provider, the contractor, i.e., you and your business, will be liable for CPRA non-compliance consequences.
The contract shall mention the purpose of data collection and how long it intends to use and retain personal data for specific purposes.
The contract may also allow businesses to monitor data privacy practices of the third-party service provider, such as manual review, risk assessment, automated scanning, audits, and much more, at least once every year.
Risk assessment
CCPA requires a business to implement appropriate data privacy and security solutions that help avoid data breaches, non-compliance violations, and other regulatory risks.
But CPRA wants the business to incorporate data auditing in their operations strictly.
It gives full autonomy to California's Privacy Protection Agency to force businesses to implement data privacy and security solutions that pose a "significant risk" to consumer privacy.
When conducting audits and risk assessments, it is crucial to understand the advantages and disadvantages by involving significant stakeholders:
User's Sensitive Personal Information
The Business
The Consumer
Other Stakeholders
Extension of employee exemption
The CPRA extended the exclusions for business-to-business and employment data until January 1, 2023.
How are service providers defined under the CPRA?
A "service provider" is an entity that collects personal information on behalf of a business per a written contract that forbids any retention, use, or disclosure of personal information other than what's in the contract.
A service provider must:
Only use personal information needed to perform services on behalf of a business as specified in a contract
follow the terms in the contract
Act on security safeguards
What's a contractor?
The new addition to the CPRA, a contractor is similar to a service provider in that personal information is limited to what's in the contract.
Unlike a service provider, a contractor must have a "certification" acknowledging that they understand the restrictions and will comply.
How do third parties fit in?
The CCPA defines a third party as an entity that doesn't qualify as a service provider but still receives personal information from the business.
A third party must:
Use personal information consistent with promises made at receipt.
Supply consumers notice of any new or changed practices.
3. Provide consumers with explicit notice of added sales of personal information and provide consumers with the opportunity to opt-out.
CPRA vs. CCPA: Fines and Penalties
The CCPA has three levels of punishment for non-compliance:
Civil Penalties: Businesses can incur fees of up to $7,500 per intentional violation or $2,500 per unintentional violation
Damages: If a security breach is discovered, consumers may recover statutory damages ranging from $100-$750 per incident or actual damages. In this case, consumers must provide written notice to the business first.
Non-Monetary Relief: In situations that deal with security breaches, consumers may receive non-monetary relief as the court deems appropriate.
Conclusion :
California is setting the standard for data privacy, and other states will soon follow. To avoid any issues down the road, it's best to take steps to compliance today. With Adzapier's CMP, you can collect and manage your online consumers' consent and preferences in one place. Try it free for 30 days.
FAQs
Does the CPRA replace the CCPA?
Not really. Considering the CPRA as an addition to the CCPA is more accurate. The CPRA states that it "amends" current provisions of the CCPA and "adds" new requirements (related to the establishment California Privacy Protection Agency).
However, we're still determining if it will continue to be known as the CCPA or transition to CPRA next year.
Who enforces the CCPA and CPRA?
The California Attorney General has authority under the CCPA, while the CPRA grants administrative power to the California Privacy Protection Agency. However, the California Attorney General still has the final say under both pieces of legislation.
When will enforcement of the CPRA begin?
Not until July 1, 2023. And the enforcement will only apply to violations after that date. No retroactive violations will be enforceable. However, the CCPA's provisions are still active and enforceable.
What rights are granted to consumers?
First, let's establish who is considered a "consumer."
A consumer is a California resident as defined by California's tax regulations.