Introducing the CPRA
The California Privacy Rights Act (CPRA) was passed in California on November 3, 2020 and went into effect on the 1st of January, 2023. The CPRA amends the California Consumer Protection Act (CCPA).*
First, let’s look at what CPRA is for and who it affects. Then, we’ll look at some of its new features. Finally, we’ll give you some CPRA compliance tips for your business and website.
*Read more about CCPA here.
CPRA = more privacy protection for consumers
In short, CPRA expands on the existing California Consumer Privacy Act (CCPA), giving additional privacy rights to California residents.
The new and improved privacy rights, as described in CPRA, are intended to:
- “Place them [consumers] on a more equal footing [with companies] when negotiating with businesses in order to protect their rights.”
- “Give consumers the information and tools necessary to limit the use of their information to non-invasive, pro-privacy advertising, where their personal information is not sold to or shared with hundreds of businesses they’ve never heard of, if they choose to do so.”
California has a population of ~39 million people and its economy ranks #5 in the world. Therefore, its consumer regulations stand to have a significant impact on the world’s economy and business culture.
Recently, in 2020, California followed the EU’s lead by passing the GDPR-inspired CCPA. Now, CPRA adds even more GDPR-like provisions and thus become one of the most comprehensive privacy laws in the United States. In the future, it is expected to be a model for other states to follow.
How CPRA differs from CPPA
While CPRA does not replace CCPA, it does add to it significantly. Here are a few notable new features of the CPRA:
- 4 new consumer rights, along with 5 expanded rights.
- A new definition of “business”. Now, very small businesses will be excluded. Instead, the focus will be on bigger businesses that generate a large income from collecting, sharing, and selling personal data.
- A new definition of “Personal information” (PI).
- An introduction and definition of the term “sensitive personal information” (SPI). This is a category of personal data you may recognize from GDPR. It was not previously mentioned in the CCPA.
- A new “lookback period” to January 1, 2022. All data collected from that date on will be liable for compliance.
- New website requirements, including a link titled “Do Not Sell Or Share My Personal Information”, and a link titled “Limit The Use of My Sensitive Personal Information” OR “a single, clearly-labeled link” that easily allows a consumer to simultaneously opt-out of sale or sharing of PI and limit the use or disclosure of the consumer’s SPI.
- An expanded requirement for consent to cover more scenarios.
- New security requirements, similar to GDPR’s. For example, businesses must “implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure”.
- Extra emphasis on protecting children’s personal data. CPRA gives parents the right to make decisions regarding the use of their children’s data.
- Protections for employees’ and independent contractors’ data.
New and improved privacy rights in the CPRA
The CPRA’s expanded consumer rights include 4 new rights, as well as 5 expanded redefinitions of existing rights.
Here are four new CPRA rights:
- The right to correct inaccurate personal data. Previously, the CCPA did not mention this right.
- The right to opt-out of automated decision making. California residents can now say the do not want your to use their personal information (especially behavioral data) for profiling, targeted advertisements, and more.
- The right to know about automated decision making. California residents can request information about how you use automated decision making and how it might affect them.
- Right to limit use of sensitive personal information to “use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services”.
Here are five expanded CPRA rights:
- Updated right to deletion. Businesses must now notify third parties they’ve shared a person’s data with and ask then to delete that data when a California resident sends them a request for deletion.
- Updated right to know. California residents can now request access to personal information collected beyond the original 12-month limit in the CCPA.
- Updated right to opt-out from the sale or sharing of personal information. Although the right to opt-out was a staple of the CCPA, it was limited to the sale of data. Now, people can also opt out of other types of data sharing.
- Updated rights and consents for minors. Businesses that share minors’ behavioral data for advertising purposes must now get the person to opt-in first.
- Updated right to data portability. California residents can now ask for their PI to be transferred to a new service provider or any other organization they choose.
CPRA extended scope and new business definitions
The CPRA’s new definition of covered businesses includes any website, company or organization that:
- has an annual gross revenue of at least $25 million.
- and/or earns at least 50% of its annual revenues from selling or sharing personal information.
- and/or buys, sells or shares the personal information of more than 100,000 consumers or households annually.
Previously, under CCPA rules, many businesses would be exempt from liability unless they sold large amounts of data. But now, liability extends to businesses that share significant amounts of personal data, not just ones that sell data.
New “Opt out” and “Limit use” link requirements
Your website must now provide a link or button titled, “Do not sell or share my personal Information”, AND a link or button titled, “Limit the use of my sensitive personal information”.
Alternatively, you can create a single, clearly-labeled link that easily allows consumers to simultaneously opt-out of sale and sharing of PI and limit the use or disclosure of the consumer’s SPI.
CPRA and sensitive data
CPRA adds a new definition for “sensitive personal information” or “SPI”. Much like GDPR “sensitive data”, SPI includes data such as:
- Race and ethnicity
- Religious, political and philosophical convictions
- Sex life or sexual orientation
- Genetics and biometrics
- Health and health history
- Social security and driver’s license numbers
New consent requirements
CPRA expands the requirements for consent compared to CCPA. Here are the new CPRA consent requirements:
- Get new consent to sell or share personal information if a user has opted out
- Get consent before selling or sharing minors’ personal information
- Get consent before using, selling or sharing sensitive personal information (SPI) after a user has opted out
- Get consent for research exemptions
- Get consent to opt-in to financial incentive
CPRA compliance tips
Of course, more consumer rights along with stricter requirements will make CPRA compliance more demanding for companies. So, make sure you take the following steps to get ready for compliance:
- Identify personal data (PI) and sensitive personal data (SPI) in your systems.
- Sort data by date or date range to comply with the lookback period.
- Put limits on the amount of time you store PI in emails and folders.
- Monitor your team and systems to make sure you stick to your policies.
- Use encryption or pseudonymization to protect PI at rest and in transit.
- Set yourself up to verify and respond to all types of data requests.
A smarter way to comply with the CCPA
Clearly, good privacy management has become a pillar of good business, no matter where you and your customers are in the world.
With this in mind, here at Safe Online, we’ve created a suite of solutions that make privacy management easy.
Read about how our products can help you handle personal and sensitive data (i.e., PI and SPI) and comply with regulations.