Introducing the CPRA
The California Privacy Rights Act (CPRA) was passed in California on November 3, 2020 and goes into effect on the 1st of January, 2023. Enforcement is scheduled to begin on the 1st of July, 2023.
That leaves several months to prepare, if you haven’t started yet!
Let’s look at what CPRA is for and who it affects, and how your business and website can comply with it.
Even if you don’t think California’s laws will affect your company, keeping up with what’s new in global privacy regulations will give you a good touchstone for what data regulators will be focusing on in 2023 and beyond.
More privacy protection for consumers
CPRA expands on the existing California Consumer Privacy Act (CCPA), giving additional privacy rights to California residents. This is intended to:
- “Place them [consumers] on a more equal footing [with companies] when negotiating with businesses in order to protect their rights.”
- “Give consumers the information and tools necessary to limit the use of their information to non-invasive, pro-privacy advertising, where their personal information is not sold to or shared with hundreds of businesses they’ve never heard of, if they choose to do so.”
The new act also includes protections for employees’ and independent contractors’ data. It will add GDPR-like provisions and become one of the most comprehensive privacy laws in the United States. It is expected to be a model for other states to follow.
Key CPRA changes
Here are a few notable features of the CPRA:
- A new definition of “business” to exclude smaller businesses and focus on bigger businesses that generate a large income from collection, sharing and selling of Californians’ personal information.
- New definitions for “Personal information” or “PI”.
- An introduction and definition of the term “sensitive personal information” or “SPI”. This is a special category of personal data which may already be familiar to you from the GDPR, but was not mentioned in the CCPA.
- A “lookback period” back to January 1, 2022. All data collected from that date on is subject to the act’s requirements.
- New website requirements, including a link titled “Do Not Sell Or Share My Personal Information”, and a link titled “Limit The Use of My Sensitive Personal Information” OR “a single, clearly-labeled link” that easily allows a consumer to simultaneously opt-out of sale or sharing of PI and limit the use or disclosure of the consumer’s SPI.
- CPRA expands the requirement for consent to cover more scenarios.
- New security requirements, similar to GDPR’s. Businesses must “implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure”.
- Extra emphasis on protecting children’s personal data. CPRA gives parents the right to make decisions regarding the use of their children’s data.
New and improved privacy rights in the CPRA
The CPRA’s expanded consumer rights include 4 new rights and 5 expanded redefinitions of existing rights.
Here are four new CPRA rights:
- The right to correct inaccurate personal data. The CCPA did not mention this right.
- The right to opt out of automated decision making. California residents can now say they do not want you to use their personal information (especially behavioral data) for profiling, targeted advertisements, and more.
- The right to know about automated decision making. California residents can request information about how you use automated decision making and how it might affect them.
- Right to limit use of sensitive personal information to “use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services”.
Here are five expanded CPRA rights:
- Updated right to deletion. When a California resident sends a request for deletion, businesses must now notify the third parties they’ve shared that person’s data with and ask them to delete it as well.
- Updated right to know. California residents can now request access to personal information collected beyond the original 12-month limit in the CCPA.
- Updated right to opt-out from the sale or sharing of personal information. The right to opt out of data sales was a staple of the CCPA. Now people can also opt out of other types of data sharing.
- Updated rights and consents for minors. Businesses that share minors’ behavioral data for advertising purposes must now get the person to opt-in first.
- Updated right to data portability. California residents can ask for their PI to be transferred to a new service provider or any other organization they choose.
CPRA extended scope and new business definitions
New definition of covered “businesses”.
The CPRA’s new definition of covered businesses includes any website, company or organization that:
- has an annual gross revenue of at least $25 million.
- and/or earns at least 50% of its annual revenues from selling or sharing personal information.
- and/or buys, sells or shares the personal information of more than 100,000 consumers or households annually.
This puts more liability on businesses that depend on the collection and sharing of personal information.
Notice that the CPRA now extends liability to businesses that share significant amounts of personal data, as well as to ones that sell it.
New “Opt out” and “Limit use” link requirements
Your website must now provide a link or button titled “Do Not Sell Or Share My Personal Information” AND a link or button titled “Limit The Use of My Sensitive Personal Information”.
You can also create a single, clearly-labeled link that easily allows a consumer to simultaneously opt-out of sale or sharing of PI and limit the use or disclosure of the consumer’s SPI.
CPRA and sensitive data
Under the CPRA, “sensitive personal information” (SPI) is defined, and like “sensitive data” under other global regulations, SPI includes data related to:
- Race and ethnicity
- Religious, political and philosophical convictions
- Sex life or sexual orientation
- Genetics and biometrics
- Health and health history
- Social security and driver’s license numbers
New consent requirements
- Get new consent to sell or share personal information if a user has opted out
- Get consent before selling or sharing minors’ personal information
- Get consent before using, selling or sharing sensitive personal information (SPI) after a user has opted out
- Get consent for research exemptions
- Get consent to opt in to a financial incentive
CPRA compliance tips
- Identify personal data and sensitive personal data in your systems.
- Use systems that let you sort data by date or date range to comply with the lookback period.
- Put limits on the amount of time you store PI in emails and folders.
- Monitor your team and systems to make sure you stick to your policies.
- Use encryption or pseudonymization to protect PI at rest and in transit.
- Set yourself up to verify and respond to all types of data requests.
Privacy regulations are here to stay
Strict privacy regulations are here to stay. No matter where your business is located in the world, the tips above are best practices to become compliant and keep the trust of your customers.