The Complete Guide to California Privacy Rights Act (CPRA) [with Infographics]

The California Privacy Rights Act (CPRA) amends the California Consumer Privacy Act (CCPA) and substantially increases the rights of consumers and regulates businesses that handle personal information. On January 1, 2023, the substantive provisions of the California Privacy Rights Act (CPRA) took effect, amending the CCPA.

On March 30, 2023, the California Office of Administrative Law (OAL) formally approved regulations that will govern the application and enforcement of the California Privacy Rights Act (CPRA).

The California Privacy Rights Act (CPRA) is a state-wide data privacy bill that expands the existing CCPA. The CPRA is intended to “further protect consumers” rights including the constitutional right of privacy”. It is important to note that CPRA does not repeal or replace CCPA but strengthens the existing framework in key areas.

The CPRA is in effect from January 1, 2023, and applies to information collected on or after January 1, 2022. The full enforcement will begin on July 1, 2023.

The California Privacy Rights Act (CPRA) applies to for-profit entities that:

• Does business in California or
• Collect or determine the purposes and means of processing personal information of California residents, and
• Meet one or more of the following criteria:
  • Have annual gross revenues in excess of $25 million
  • Buy, sell, or share the personal information of 100,000 or more California residents or households annually,
  • Derive 50% or more of their annual revenue from selling or sharing the personal information of California residents.

The CPRA keeps most of the CCPA thresholds intact but makes a few significant changes.

CCPA	CPRA
Has annual gross revenue over $25 million.	Has annual gross revenue over $25 million in the preceding calendar year.
Buys, or receives, or sells, or shares personal information of 50,000 or more consumers, households or devices for commercial purposes.	Buys, or sells, or shares the personal information of 100,000 or more consumers or households.
Gets 50% or more of its annual revenues from consumer’s selling personal information.	Gets 50% or more of its annual revenues from selling, or sharing consumer’s personal information.

CPRA narrows the applicability of common branding that was applicable under CCPA. Businesses that have a common branding will now be covered under CPRA if they share California consumers’ personal information.

New categories of covered businesses in CPRA

CPRA adds two new categories that will be qualified as a business.

• First, a joint venture or partnership of businesses where each business has at least 40% interest and each business within this joint venture will be considered as a separate single business.
• Second, any business that does not fall under the given thresholds can self-certify to the newly-created California Privacy Protection Agency that it complies with CPRA.

California Privacy Protection Agency 

The biggest change in CPRA is the creation of a distinct enforcement arm — the California Privacy Protection Agency (CPPA). CPPA will have full administrative power, authority and jurisdiction to implement and enforce the California Consumer Privacy Act and the California Privacy Rights Act. CPPA will be entrusted to investigate possible violations of the CPRA and to initiate action through the Administrative Law Court, as opposed to the state court, which has been the mechanism under CCPA.  

In March 2021, California announced the establishment of the first CPPA. The agency consists of a five-member board of experts in privacy, technology, and consumer rights. CPPA is entrusted to investigate possible violations of the CPRA and to initiate action through the Administrative Law Court, as opposed to the state court, which has been the mechanism under CCPA.  

New definitions in CPRA

Sensitive personal information

The CPRA maintains the CCPA’s definition of personal information but includes a new category of sensitive personal information. It includes:

• Social security, driver’s license, state ID or passport number 
• Account log-in credentials like password, security or access code
• Precise geographic location
• Racial or ethnic origin, religious belief or union membership
• Contents of mail, email or text
• Genetic information
• Biometric information that can identify the consumer 
• Medical data
• Sex life or sexual orientation

Under CPRA, consumers have the right to limit a business’s use and disclosure of sensitive information and can direct the business to use it only to perform the necessary service. Businesses have to provide a “clear and conspicuous link” on their website homepage titled “Limit the Use of My Sensitive Personal Information.” This is in addition to the opt-out link required under CCPA.

Consent

CPRA explicitly defines what does and does not constitute consent. It defines that consent should be a specific, freely given, specific, informed and unambiguous indication of the consumer’s intent.

Consent does not include:

• General or broad acceptance of terms of use or similar document
• Hovering over, muting, pausing, or closing a given piece of content or
• Consent obtained through the use of dark patterns

Contractor

The CPRA adds and amends the definition of service providers, contractors and third parties in CCPA. It introduces a new category — contractors. The contractor is defined as a person with who the business “makes available a consumer’s personal information for a business purpose pursuant to a written contract”. 

CPRA requires contractors to certify that they understand and will comply with the requirements. The contractor will also have to notify the business if they are unable to comply with CPRA.

Third party and service provider

CPRA defines a service provider as a “person that processes personal information on behalf of a business” for business purposes under contract. Third parties are defined as anyone other than the business, contractor or service provider. A third party cannot be a business with whom the consumer intentionally interacts and that collects personal information directly from consumers. 

Sharing

The CPRA introduces a new concept — sharing. It is defined as any disclosure of personal information to third parties for cross-context behavioural advertising, whether or not for monetary or other valuable consideration. 

If a business engages in sharing, it should post a “Do Not Share My Personal Information” link and provide consumers with an option to opt-out of sharing. The new definition of sharing under the CPRA makes clear that any disclosure of personal information for targeted advertising is also subject to consumer opt-out. 

Profiling

CPRA defines profiling as any form of “automated processing” of personal information done to evaluate an individual’s personal aspects and make predictions such as “performance at work, economic situation, health, preferences, interests, reliability, behavior, location or movements”.

CPRA intends to strengthen the provisions of CCPA. Therefore, if you have a CCPA-compliant mechanism in place, you are already halfway through. But, ensure that you stay up-to-date with the latest amendments to CCPA. 

Here are 8 steps that your business should take to effectively build compliance with CPRA requirements.

01 Determine if CPRA applies to your business

• Assess if your business meets the changed thresholds, as entities who meet the requirements for CCPA may now be exempt from CPRA. 
• Also, note that CPRA compliance extends outside of the state of California. If a California resident can access your website, CPRA compliance is necessary. 

02 Perform data inventory

• Conduct data inventory to figure out the type of information you collect, and if you collect sensitive personal information. Identify the businesses you share data with,  where it is stored, and how it is transferred. 
• Perform annual audits to review and update data mapping efforts including the tracking and security of sensitive personal information.

03 Provide ‘do not sell/share’ links

Opt-out of sale links are already mandated under the CCPA. CPRA expands the right to opt-out to include ‘sharing’ of personal information with third parties for targeted advertising. So, businesses should update their links to ”Do not sell or share my personal information” and display them on the website’s homepage and other pages collecting data.

The CPRA opt-out banner can be displayed on your website to enable opt-out from sharing data.

04 Respect opt-out signals and global privacy controls

If users choose to opt-out of sharing their personal data through browser settings such as Global Privacy Controls (GPC), CPRA requires that website treat these preference signals as valid requests by individuals to opt-out of sharing of data.

05 Limit the use of sensitive personal data

Businesses are required to offer individuals the right to limit the processing of sensitive data. They should also provide a ‘Limit the use of my sensitive personal information” link on the homepage and other pages collecting data.

06 Avoid dark patterns

Businesses cannot manipulate individuals into sharing their personal data through the use of “dark patterns.” Any consent obtained by these means will be considered invalid. Websites should design opt-out methods that are:

• Easy to understand and avoids confusing language
• Has symmetrical choice i.e. choices that have equal weight
• Avoid confusing interactive elements like toggle buttons
• Easy to execute without unnecessary friction

The finalised CPRA regulation provides multiple examples of dark patterns to avoid such as adding “unnecessary burden or friction” to opt-out, bundling consent or requiring individuals to scroll or search to find an opt-out mechanism or click through multiple screens to confirm choices regarding data use.

07 Renew Privacy Policy

Update your privacy policy to detail the rights of the consumers and guide them to exercise their rights under CPRA. Ensure that your privacy policy is easily accessible and compatible with all devices. Other than the information highlighted in the CCPA notices, the privacy policy should include:

• Separate disclosure regarding sensitive personal information

• The methods to request access, change, move, or delete a consumer’s data
• How consumers can opt-out of selling or sharing their personal information
• Consent notice for minors (13-16 years) and parents (under 13 years)

You can use the free privacy policy generator from CookieYes to create a compliant privacy policy exclusively for your business. 

08 Add consumer request forms

CPRA gives consumers expanded rights and also the right to make certain requests about their data. Create web request forms where consumers can easily submit these requests.

As CPRA requires businesses to have at least two methods for consumers to submit requests. You may also add a toll-free phone number for the consumer to make requests. Ensure that your phone number is prominently mentioned on your website or privacy page.

What are the new consumer rights under CPRA?

Right to opt-out of sharing 

CPRA also expands on CCPA’s right to opt-out and includes the sale and sharing of personal information, including data that is shared with a third party for “cross-context behavioral advertising.” It refers to targeted advertising to a consumer based on data obtained from the consumer’s activity across websites, apps or services other than the one with which the consumer intentionally interacts. 

Similar to the provision in CCPA, the right to opt-out of sharing does not extend to sharing personal information with service providers and contractors.

Rights of children

CPRA strengthens opt-in rights for minors. A business must obtain opt-in consent before selling or sharing personal information of a consumer under 16. CPRA also calls to “establish technical specifications for an opt-out preference signal that allows the minor or their parent to specify that the consumer is less than 13 or between 13 and 16 years of age. 

Right to delete and correct

Additionally, businesses have to inform consumers about how long they plan to retain their personal information. Consumers also have the right to have their data deleted or corrected. Businesses also have to notify third parties they have shared any data with, about the consumer requests. 

Right to access

Consumers can now request information collected about them beyond the previous 12-month period preceding the request. Businesses can decline to provide information beyond a 12-month look-back period if it involves a disproportionate effort. This applies to information collected on or after January 1, 2022.  

Right to data portability

With CPRA consumers can request businesses to transmit specific pieces of personal information to another entity. CPRA also indicates that data should be provided in a format easily understandable to the average consumer, and a commonly used, machine-readable format.

Any entity that violates the CPRA can face an injunction and an administrative fine of up to $2,500 for each violation. For violation of the rights of minors (under the age of 16), the fine can go up to $7,500 for each violation.

The CPRA also eliminates the 30-day cure period after the alleged violation under CCPA. The enforcement agency will now have the discretion to provide a business with time to rectify, by taking into account a lack of intent to violate the CPRA and voluntary efforts taken by the business to cure the alleged violation.

Another notable provision of CPRA is that it expands the scope of consumers’ private right of action to include data breaches involving email account credentials.

Implement contracts

The CPRA explicitly requires that businesses must have appropriate contractual provisions in place with service providers, contractors and third parties. Such contracts prohibit the retention, use, or disclosure of personal information for purposes other than the services specified. Contracts may also permit businesses to monitor the service providers’ compliance with contractual provisions through manual reviews, automated scans, regular assessments and audits at least once a year.

Minimize data collection and storage

CPRA brings in the concept of data minimization and storage limitation, core principles under GDPR. CPRA mandates that businesses can only collect personal information that is reasonably necessary for the purpose it is collected. Besides, businesses cannot retain personal information for longer than what is necessary for the purpose it was collected. 

Conduct risk assessment

While CCPA requires businesses to implement reasonable security procedures and practices, CPRA imposes strengthened auditing requirements. Businesses that may create a “significant risk” to consumers’ privacy have to perform annual cybersecurity audits. They have to submit their regular risk assessment to the California Privacy Protection Agency. 

No employee exemption

The CPRA will eliminate the CCPA’s exemption for employee personal information. Since the CPRA came into effect, all the CPRA’s requirements on processing personal information will apply to employees and job applicants. 

If businesses have already taken steps for CCPA compliance, moving towards CPRA compliance should be easier. Businesses should start by reviewing their databases and implementing a consent mechanism. Here’s where a consent management solution like CookieYes can help you by notifying consumers, taking proactive consent and helping you automate your compliance.

When does CPRA go into effect?

The CPRA will be operative from January 1, 2023, and applies to information collected on or after January 1, 2022. The enforcement will begin on July 1, 2023, and until then CCPA will remain the primary governing legislation. 

What does CPRA stand for?

The CPRA stands for California Privacy Rights Act (CPRA), a state-wide data privacy law that is an amendment to the California Consumer Privacy Act or CCPA. It expands on the current privacy law CCPA with updated provisions.

What is the timeline for CPRA?

January, 2020: CCPA comes into effect.

November 2020: California Privacy Rights Act, CPRA was passed during the November 2020 ballot.

January 2021: The CPRA becomes law and the California Privacy Protection Agency (CCPA) is established.

January 2022: 12-month lookback period for CPRA commences.

July 2022: The CPPA begins formal rulemaking process.

January, 2023: CPRA becomes operative and comes into force.

July, 2023: Enforcement of the CPRA begins under the CPPA.

What does the CCPA define as ‘Sharing’ of data?

The CPRA defines “sharing” as:

“communicating orally, in writing, or by electronic or other means, a consumer’s personal information . . . to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration”

Cross-context behavioral advertising involves targeted advertising based on a consumer’s activities across various distinct businesses, websites, applications, or services. 

Under CPRA, the purpose of sharing personal information can be for monetary benefits or any other enhanced personalization of services for the consumer.

What is Global Privacy Control (GPC)?

Global Privacy Control (GPC) is opt-out preference signal that allows users to signal their preferences through a browser extension or setting. The GPC is currently recognized by CPRA regulations as a valid opt-out mechanism and requires businesses to honour the GPC and other similar controls for the sale or sharing of personal information, as well as limiting the use of sensitive personal information. 

Who enforces CPRA?

The California Privacy Protection Agency (CPPA), the new agency established by the CPRA, is tasked with enforcing California’s privacy regulations. Headed by Ashkan Soltani, the CPPA will be responsible for implementing CPRA and holding non-compliant organizations accountable.

The CPRA transfers rulemaking authority from the California Attorney General (CAG) to the CPPA. The Agency began the formal rulemaking process on July 8, 2022. The Agency began the formal rulemaking process on July 8, 2022, and on March 29, 2023, California’s Office of Administrative Law (OAL) approved the CPPA’s final CPRA Regulations.