Skip to main content

Introducing the CPRA

The CPRA (California Privacy Rights Act) was passed in California on November 3, 2020 and went into effect on the 1st of January, 2023. The CPRA amends the CCPA (California Consumer Protection Act). First, let’s look at what CPRA is for and who it affects. Then, we’ll look at some of its new features. Finally, we’ll give you some CPRA compliance tips for your business and website.

The CPRA provides better protection for personal information

In short, CPRA is data law that expands the existing California Consumer Privacy Act (CCPA), giving additional privacy rights to California residents. The new and improved privacy rights, as described in CPRA, are intended to:  

  • “Place them [consumers] on a more equal footing [with companies] when negotiating with businesses in order to protect their rights.” 
  • “Give consumers the information and tools necessary to limit the use of their information to non-invasive, pro-privacy advertising, where their personal information is not sold to or shared with hundreds of businesses they’ve never heard of, if they choose to do so.” 

California has a population of ~39 million people and its economy ranks #5 in the world. Therefore, its consumer regulations stand to have a significant impact on the world’s economy and business culture. 

Recently, in 2020, California followed the EU’s lead by passing the GDPR-inspired CCPA. Now, CPRA adds even more GDPR-like provisions and thus become one of the most comprehensive privacy laws in the United States. In the future, it is expected to be a model for other states to follow. 

How CPRA differs from CPPA

While CPRA does not replace CCPA, it does add to it significantly. Here are a few notable new features of the CPRA:

  • 4 new consumer rights, along with 5 expanded rights.
  • A new definition of “business”. Now, very small businesses will be excluded. Instead, the focus will be on bigger businesses that generate a large income from collecting, sharing, and selling personal data. 
  • A new definition of “Personal information” (PI).
  • An introduction and definition of the term “sensitive personal information” (SPI). This is a category of personal data you may recognize from GDPR. It was not previously mentioned in the CCPA. 
  • A new “lookback period” to January 1, 2022. All data collected from that date on will be liable for compliance. 
  • New website requirements, including a link titled “Do Not Sell Or Share My Personal Information”, and a link titled “Limit The Use of My Sensitive Personal Information” OR “a single, clearly-labeled link” that easily allows a consumer to simultaneously opt-out of sale or sharing of PI and limit the use or disclosure of the consumer’s SPI. 
  • An expanded requirement for consent to cover more scenarios. 
  • New security requirements, similar to GDPR’s. For example, businesses must “implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorised or illegal access, destruction, use, modification, or disclosure”. 
  • Extra emphasis on protecting children’s personal data. CPRA gives parents the right to make decisions regarding the use of their children’s data.
  • Protections for employees’ and independent contractors’ data.

Start your GDPR cleanup where it is needed the most

Sensitive data can tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.

New and improved privacy rights in the CPRA

The CPRA’s expanded consumer rights include 4 new rights, as well as 5 expanded redefinitions of existing rights.

Here are four new CPRA rights:

  • The right to correct inaccurate personal data. Previously, the CCPA did not mention this right.
  • The right to opt-out of automated decision-making. California residents can now say the do not want your to use their personal information (especially behavioural data) for profiling, targeted advertisements, and more.
  • The right to know about automated decision-making. California residents can request information about how you use automated decision-making and how it might affect them.
  • Right to limit use of sensitive personal information to “use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services”.

Here are five expanded CPRA rights:

  • Updated right to deletion. Businesses must now notify third parties they’ve shared a person’s data with and ask then to delete that data when a California resident sends them a request for deletion.
  • Updated right to know. California residents can now request access to personal information collected beyond the original 12-month limit in the CCPA.
  • Updated right to opt-out from the sale or sharing of personal information. Although the right to opt-out was a staple of the CCPA, it was limited to the sale of data. Now, people can also opt out of other types of data sharing.
  • Updated rights and consents for minors. Businesses that share minors’ behavioural data for advertising purposes must now get the person to opt in first.
  • Updated right to data portability. California residents can now ask for their PI to be transferred to a new service provider or any other organisation they choose.

CPRA extended scope and new business definitions

The CPRA’s new definition of covered businesses includes any website, company or organisation that: 

  • has an annual gross revenue of at least $25 million. 
  • and/or earns at least 50% of its annual revenues from selling or sharing personal information. 
  • and/or buys, sells or shares the personal information of more than 100,000 consumers or households annually. 

Previously, under CCPA rules, many businesses would be exempt from liability unless they sold large amounts of data.  But now, liability extends to businesses that share significant amounts of personal data, not just ones that sell data.

Changes in the CPRA text compared to the CCPA

1. New “Opt out” and “Limit use” link requirements
Your website must now provide a link or button titled, “Do not sell or share my personal Information”, AND a link or button titled, “Limit the use of my sensitive personal information”.
 

Alternatively, you can create a single, clearly-labeled link that easily allows consumers to simultaneously opt-out of sale and sharing of PI and limit the use or disclosure of the consumer’s SPI.

 

2. CPRA and sensitive data
CPRA adds a new definition for “sensitive personal information” or “SPI”. Much like GDPR “sensitive data”, SPI includes data such as: 

  • Race and ethnicity 
  • Religious, political and philosophical convictions 
  • Sex life or sexual orientation 
  • Genetics and biometrics 
  • Health and health history  
  • Geolocation 
  • Social security and driver’s license numbers 
  • Finances 

 

3. New consent requirements
CPRA expands the requirements for consent compared to CCPA. Here are the new CPRA consent requirements:

  • Get new consent to sell or share personal information if a user has opted out 
  • Get consent before selling or sharing minors’ personal information  
  • Get consent before using, selling or sharing sensitive personal information (SPI) after a user has opted out 
  • Get consent for research exemptions 
  • Get consent to opt-in to financial incentive 

CPRA compliance tips

Of course, more consumer rights along with stricter requirements will make CPRA compliance more demanding for companies. So, make sure you take the following steps to get ready for compliance:

  1. Identify personal data (PI) and sensitive personal data (SPI) in your systems.
  2. Sort data by date or date range to comply with the lookback period.
  3. Put limits on the amount of time you store PI in emails and folders.
  4. Monitor your team and systems to make sure you stick to your policies.
  5. Use encryption or pseudonymisation to protect PI at rest and in transit.
  6. Set yourself up to verify and respond to all types of data requests.

Get our Newsletter!

In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.

When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.

A smarter way to comply with the CCPA

At Safe Online, we create solutions that help companies handle personal data and comply with regulations such as CPRA and GDPR.

DataMapper – Find your sensitive data
ShareSimple – Send and receive data securely in Outlook
RequestManager – Process data subject requests easily

Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →

GUIDE

How to handle sensitive personal data

GUIDE

How to find personal data with datamapping tool

GUIDE

How to prepare for a data audit