The California Privacy Rights Act (CPRA) amends the California Consumer Privacy Act (CCPA), substantially expanding the rights of consumers and the obligations of businesses that handle personal information. The substantive provisions of the CPRA took effect on January 1, 2023.
Purpose: CPRA’s purpose is to redefine and expand the existing California Consumer Privacy Act (CCPA) including the addition of new consumer rights.
Publication date: November 3, 2020
Effective date: January 1, 2023
Enforcement date: July 1, 2023
CPRA text: California Privacy Rights Act
What is CPRA?
The California Privacy Rights Act (CPRA) is a state-wide data privacy law that expands the existing CCPA. The CPRA is intended to “further protect consumers’ rights, including the constitutional right of privacy”. It is important to note that CPRA does not repeal or replace CCPA; it strengthens the existing framework in key areas.
Overview of key changes in CPRA
- New categories of covered businesses
- New enforcement agency – California Privacy Protection Agency
- New definitions of sensitive personal information and consent
- Introducing ‘sharing’ personal information
- Expanded consumer rights
CPRA enforcement
The CPRA has been in effect since January 1, 2023, and its expanded right to access applies to information collected on or after January 1, 2022. The statute became enforceable on July 1, 2023; enforcement of the CPPA’s implementing regulations was delayed by a court order (see the FAQ below).
Who needs to comply with CPRA?
The California Privacy Rights Act (CPRA) applies to for-profit entities that:
- Do business in California,
- Collect the personal information of California residents (or have it collected on their behalf) and determine the purposes and means of processing it, and
- Meet one or more of the following criteria:
- Have annual gross revenues over $25 million in the preceding calendar year
- Buy, sell, or share the personal information of 100,000 or more California consumers or households annually, or
- Derive 50% or more of their annual revenue from selling or sharing the personal information of California consumers.
The CPRA keeps most of the CCPA thresholds intact but makes a few significant changes.
| CCPA | CPRA |
|---|---|
| Has annual gross revenue over $25 million. | Has annual gross revenue over $25 million in the preceding calendar year. |
| Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes. | Buys, sells, or shares the personal information of 100,000 or more consumers or households. |
| Derives 50% or more of its annual revenue from selling consumers’ personal information. | Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information. |

CPRA also narrows the “common branding” rule of the CCPA. An entity that controls or is controlled by a covered business and shares common branding with it is now itself covered only if the business also shares California consumers’ personal information with it.
CCPA vs CPRA: What has changed?
New categories of covered businesses in CPRA
CPRA adds two new categories of entity that qualify as a business.
- First, a joint venture or partnership composed of businesses that each have at least a 40% interest. The joint venture and each business within it are each treated as a separate single business.
- Second, an entity that does not meet the thresholds above but voluntarily certifies to the newly created California Privacy Protection Agency that it complies with, and agrees to be bound by, the CPRA.
California Privacy Protection Agency
The biggest change in CPRA is the creation of a distinct enforcement arm, the California Privacy Protection Agency (CPPA). The CPPA has full administrative power, authority and jurisdiction to implement and enforce the CCPA as amended by the CPRA. It is entrusted to investigate possible violations and to initiate action through an administrative process, as opposed to civil actions in state court, which was the enforcement mechanism under the CCPA.
In March 2021, California announced the CPPA’s first board. The agency is governed by a five-member board of experts in privacy, technology, and consumer rights.
New definitions in CPRA
Sensitive personal information in CPRA
The CPRA maintains the CCPA’s definition of personal information but includes a new category of sensitive personal information. It includes:
- Social security, driver’s license, state ID or passport number
- Account log-in, financial account, or debit or credit card number in combination with the password, security code, or access code needed to access the account
- Precise geographic location
- Racial or ethnic origin, religious belief or union membership
- Contents of mail, email or text
- Genetic information
- Biometric information that can identify the consumer
- Medical data
- Sex life or sexual orientation
Under CPRA, consumers have the right to limit a business’s use and disclosure of sensitive information and can direct the business to use it only to perform the necessary service. Businesses have to provide a “clear and conspicuous link” on their website homepage titled “Limit the Use of My Sensitive Personal Information.” This is in addition to the opt-out link required under CCPA.
Consent in CPRA
CPRA explicitly defines what does and does not constitute consent. Consent must be a freely given, specific, informed and unambiguous indication of the consumer’s wishes.
Consent does not include:
- General or broad acceptance of terms of use or similar document
- Hovering over, muting, pausing, or closing a given piece of content or
- Consent obtained through the use of dark patterns
Contractor
The CPRA adds to and amends the CCPA’s definitions of service providers and third parties and introduces a new category: contractors. A contractor is a person to whom the business “makes available a consumer’s personal information for a business purpose pursuant to a written contract”.
CPRA requires contractors to certify that they understand and will comply with the requirements. The contractor will also have to notify the business if they are unable to comply with CPRA.
Third party and service provider
CPRA defines a service provider as a “person that processes personal information on behalf of a business” for a business purpose under a written contract. A third party is anyone other than the business with which the consumer intentionally interacts (and which collects personal information from the consumer), a service provider, or a contractor.
Sharing
The CPRA introduces a new concept — sharing. It is defined as any disclosure of personal information to third parties for cross-context behavioural advertising, whether or not for monetary or other valuable consideration.
If a business engages in sharing, it should post a “Do Not Share My Personal Information” link and provide consumers with an option to opt out of sharing. The new definition of sharing under the CPRA makes clear that any disclosure of personal information for targeted advertising is also subject to consumer opt-out.
Profiling
CPRA defines profiling as any form of “automated processing” of personal information done to evaluate an individual’s personal aspects and make predictions such as “performance at work, economic situation, health, preferences, interests, reliability, behavior, location or movements”.
CPRA compliance checklist to prepare your business
CPRA intends to strengthen the provisions of CCPA. Therefore, if you have a CCPA-compliant mechanism in place, you are already halfway through. But, ensure that you stay up-to-date with the latest amendments to CCPA.
TL;DR CPRA Compliance Checklist
- Create an inventory of all the data you collect and track all data processing activities.
- Limit processing of sensitive personal information and enable consumers to limit their use and disclosure through opt-out mechanisms.
- Add a clear and conspicuous “Do not sell or share” link on your website.
- Implement an opt-out cookie banner so that your visitors can opt out of third-party cookies that sell or share their data.
- Respect user’s universal opt-out preference signal such as GPC (Global Privacy Control).
- Update your privacy policy to include the provisions of CPRA.
- Add a detailed cookie policy within your privacy policy or as a separate document
- Avoid dark patterns in your website and opt-out mechanisms
- Provide accessible methods to make consumer requests.
- Implement basic technical controls and security standards on your website.
Here are the detailed steps that your business should take to effectively build compliance with CPRA requirements.
01 Determine if CPRA applies to your business
- Assess whether your business meets the changed thresholds. Some entities covered under the original CCPA thresholds (for example, those handling the data of between 50,000 and 100,000 consumers) may fall outside CPRA’s thresholds, while others may now be caught by the inclusion of ‘sharing’.
- Also note that CPRA obligations are not limited to companies located in California. A business outside the state that does business in California and meets one of the thresholds is covered, whether or not it has a physical presence there.
02 Perform data inventory
- Conduct data inventory to figure out the type of information you collect, and if you collect sensitive personal information. Identify the businesses you share data with, where it is stored, and how it is transferred.
- Perform annual audits to review and update data mapping efforts including the tracking and security of sensitive personal information.
03 Provide ‘do not sell/share’ links
Opt-out of sale links are already mandated under the CCPA. CPRA expands the right to opt out to include ‘sharing’ of personal information with third parties for cross-context behavioral advertising. So, businesses should update their links to “Do not sell or share my personal information” and display them on the website’s homepage and other pages collecting data.
04 Add an opt-out cookie banner
If your website uses cookies and third-party scripts for cross-context behavioral advertising, implement an opt-out cookie banner on your website, giving users the option to opt out of third-party scripts that engage in the sale or sharing of their data. Ensure that your consent mechanism also respects browser-level opt-out preference signals such as Global Privacy Control (GPC).
The CPRA opt-out banner can be displayed on your website to enable opt-out from sharing data.
05 Respect opt-out signals and global privacy controls
If users signal their choice through a browser setting or extension such as Global Privacy Control (GPC), CPRA requires the website to treat that opt-out preference signal as a valid request to opt out of the sale or sharing of their personal information, without the user having to find and use the site’s own link.
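The following is an added example, not code from the CPRA text, the CPPA regulations, or CookieYes. It shows the server-side decision a site makes for steps 04 and 05 together: read the opt-out preference signal, combine it with any choice the user already made on this site, and decide which third-party tags may load. It assumes the signal arrives as the `Sec-GPC: 1` request header defined by the Global Privacy Control specification, and it stores site-specific choices in a cookie named `privacy_prefs` holding a small JSON object; the cookie name, its shape, and the tag inventory are constructed for this example. The example resolves a conflict between a stored opt-in and an incoming signal in favour of the signal and flags the conflict so the site can tell the user about it.

```javascript
// Added example (not from the CPRA text or from CookieYes): honouring an
// opt-out preference signal such as GPC on the server side.
// Assumptions: the signal is the "Sec-GPC: 1" request header; site-specific
// choices live in a constructed cookie "privacy_prefs" whose value is a JSON
// object like {"optOutOfSaleShare":false,"limitSensitive":false}.

const GPC_HEADER = 'sec-gpc';          // Node's http module lower-cases header names
const PREFS_COOKIE = 'privacy_prefs';  // constructed cookie name for this example

// Parse a Cookie request header ("a=1; b=2") into an object.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of String(cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(raw); } catch { out[name] = raw; }
  }
  return out;
}

// Return the stored site-specific preferences, or null when the consumer has
// made no choice on this site (cookie missing or malformed).
function readStoredPrefs(cookies) {
  if (!(PREFS_COOKIE in cookies)) return null;
  try {
    const p = JSON.parse(cookies[PREFS_COOKIE]);
    return {
      optOutOfSaleShare: p.optOutOfSaleShare === true,
      limitSensitive: p.limitSensitive === true,
    };
  } catch {
    return null;
  }
}

// Resolve the consumer's effective opt-out state for one request.
// `headers` maps lower-cased header names to values.
function resolveOptOut(headers) {
  const gpcSignal = String(headers[GPC_HEADER] || '').trim() === '1';
  const stored = readStoredPrefs(parseCookies(headers.cookie));
  // The signal is itself a valid opt-out request, so it is honoured even when
  // the site holds a stored opt-in. A stored opt-out is never weakened by the
  // absence of the signal (a user without the extension keeps their choice).
  const optOutOfSaleShare = gpcSignal || (stored !== null && stored.optOutOfSaleShare);
  const limitSensitive = gpcSignal || (stored !== null && stored.limitSensitive);
  // A stored opt-in overridden by the signal is a conflict the site may notify
  // the consumer about; having no stored choice is not a conflict.
  const conflict = gpcSignal && stored !== null && !stored.optOutOfSaleShare;
  return { gpcSignal, optOutOfSaleShare, limitSensitive, conflict };
}

// Constructed tag inventory. Tags that disclose personal information to third
// parties for cross-context behavioral advertising are the ones an opt-out must
// suppress; essential and service-provider tags are unaffected by that opt-out.
const TAG_INVENTORY = [
  { id: 'session-manager',   purpose: 'essential',         saleOrShare: false },
  { id: 'first-party-stats', purpose: 'service_provider',  saleOrShare: false },
  { id: 'ad-network-pixel',  purpose: 'cross_context_ads', saleOrShare: true  },
  { id: 'retargeting-sdk',   purpose: 'cross_context_ads', saleOrShare: true  },
];

// Return the ids of the tags allowed to load for this request.
function selectTags(decision, inventory = TAG_INVENTORY) {
  return inventory
    .filter(tag => !(decision.optOutOfSaleShare && tag.saleOrShare))
    .map(tag => tag.id);
}

// Browser-side counterpart: the same signal is exposed to page scripts as
// navigator.globalPrivacyControl, so a banner can read it before any tag fires.
// The navigator object is a parameter so the function also runs outside a browser.
function clientOptOutSignal(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed requests for a quick demonstration.
const signalOverridesOptIn = resolveOptOut({
  'sec-gpc': '1',
  cookie: 'privacy_prefs=' + encodeURIComponent('{"optOutOfSaleShare":false}') + '; session=abc',
});
const storedOptOutOnly = resolveOptOut({ cookie: 'privacy_prefs={"optOutOfSaleShare":true}' });
const noChoice = resolveOptOut({});

console.log(selectTags(signalOverridesOptIn), signalOverridesOptIn.conflict);
console.log(selectTags(storedOptOutOnly), storedOptOutOnly.conflict);
console.log(selectTags(noChoice));
```

In a real deployment `resolveOptOut` runs once per request (for example in Express middleware) and its result drives both the rendered tag list and the “Do not sell or share” control’s displayed state, so the page and the signal never disagree. Header values other than exactly `1` are treated as no signal, which matches the specification’s definition of the header.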
06 Limit the use of sensitive personal data
Businesses are required to offer individuals the right to limit the processing of sensitive personal information. They should also provide a “Limit the use of my sensitive personal information” link on the homepage and other pages collecting data.
07 Avoid dark patterns
Businesses cannot manipulate individuals into sharing their personal data through the use of “dark patterns.” Any consent obtained by these means is invalid. Websites should design opt-out methods that are:
- Easy to understand, avoiding confusing language
- Symmetrical in choice, i.e. the options carry equal weight and effort
- Free of confusing interactive elements, such as toggle buttons whose state is ambiguous
- Easy to execute without unnecessary friction
The finalised CPRA regulation provides multiple examples of dark patterns to avoid such as adding “unnecessary burden or friction” to opt-out, bundling consent or requiring individuals to scroll or search to find an opt-out mechanism or click through multiple screens to confirm choices regarding data use.
08 Renew privacy policy
Update your privacy policy to detail the rights of the consumers and guide them to exercise their rights under CPRA. Ensure that your privacy policy is easily accessible. Other than the information highlighted in the CCPA notices, the privacy policy should include:
- Separate disclosure regarding sensitive personal information
- The methods to request access, change, move, or delete a consumer’s data
- How consumers can opt out of selling or sharing their personal information
- How opt-in consent is obtained from minors aged 13 to 15, and from a parent or guardian for children under 13
You can use the free privacy policy generator from CookieYes to create a compliant privacy policy exclusively for your business.
09 Add consumer request forms
CPRA gives consumers expanded rights and also the right to make certain requests about their data. Create web request forms where consumers can easily submit these requests.
CPRA requires businesses to offer at least two methods for consumers to submit requests. One of them must be a toll-free telephone number, unless the business operates exclusively online and has a direct relationship with the consumer, in which case an email address is enough. Ensure that the phone number or email address is prominently mentioned on your website or privacy page.
10 Implement technical measures to protect data
To ensure the security and integrity of your website, implement basic technical controls and adhere to established security standards. Employ encryption and deidentification measures wherever appropriate, to safeguard sensitive data from unauthorized access.
In line with best practices, conduct routine risk assessments and cybersecurity audits to identify and address potential vulnerabilities within your systems. Additionally, create a robust data breach response plan, outlining the procedures for the prompt detection, reporting, and thorough investigation of any potential breaches.
What are the new consumer rights under the CPRA?
Right to opt out of sharing
CPRA also expands on CCPA’s right to opt out and includes the sale and sharing of personal information, including data that is shared with a third party for “cross-context behavioral advertising.” It refers to targeted advertising to a consumer based on data obtained from the consumer’s activity across websites, apps or services other than the one with which the consumer intentionally interacts.
Similar to the provision in CCPA, the right to opt out of sharing does not extend to sharing personal information with service providers and contractors.
Rights of children
CPRA strengthens opt-in rights for minors. A business must obtain opt-in consent before selling or sharing the personal information of a consumer under 16. CPRA also directs the regulations to “establish technical specifications for an opt-out preference signal that allows the consumer, or the consumer’s parent or guardian, to specify that the consumer is less than 13 years of age or at least 13 years of age and less than 16 years of age”.
Right to delete and correct
Consumers have the right to have their data deleted and, newly under CPRA, corrected. Businesses must notify service providers, contractors and third parties with which they have shared the data about such requests. Businesses also have to inform consumers, at the time of collection, how long they intend to retain each category of personal information.
Right to access
Consumers can now request information collected about them beyond the previous 12-month period preceding the request. Businesses can decline to provide information beyond a 12-month look-back period if it involves a disproportionate effort. This applies to information collected on or after January 1, 2022.
Right to data portability
With CPRA consumers can request businesses to transmit specific pieces of personal information to another entity. CPRA also indicates that data should be provided in a format easily understandable to the average consumer, and a commonly used, machine-readable format.
What is the penalty for non-compliance with CPRA?
Any entity that violates the CPRA can face an injunction and an administrative fine of up to $2,500 for each violation. For intentional violations, and for violations involving the personal information of minors (under the age of 16), the fine can go up to $7,500 for each violation.
The CPRA also eliminates the 30-day cure period after the alleged violation under CCPA. The enforcement agency will now have the discretion to provide a business with time to rectify, by taking into account a lack of intent to violate the CPRA and voluntary efforts taken by the business to cure the alleged violation.
Another notable provision of CPRA is that it expands the scope of consumers’ private right of action for data breaches to include breaches of an email address in combination with a password or security question and answer that would permit access to the account.
CCPA vs CPRA [Infographic]
Other key changes in CPRA
Implement contracts
The CPRA explicitly requires that businesses must have appropriate contractual provisions in place with service providers, contractors and third parties. Such contracts prohibit the retention, use, or disclosure of personal information for purposes other than the services specified. Contracts may also permit businesses to monitor the service providers’ compliance with contractual provisions through manual reviews, automated scans, regular assessments and audits at least once a year.
Minimize data collection and storage
CPRA brings in the concept of data minimization and storage limitation, core principles under GDPR. CPRA mandates that businesses can only collect personal information that is reasonably necessary for the purpose it is collected. Besides, businesses cannot retain personal information for longer than what is necessary for the purpose it was collected.
Conduct risk assessment
While CCPA requires businesses to implement reasonable security procedures and practices, CPRA imposes strengthened auditing requirements. Businesses that may create a “significant risk” to consumers’ privacy have to perform annual cybersecurity audits. They have to submit their regular risk assessment to the California Privacy Protection Agency.
No employee exemption
The CPRA eliminated the CCPA’s exemption for employee personal information. Since January 1, 2023, all of the CPRA’s requirements on processing personal information apply to the data of employees and job applicants.
Looking ahead for businesses
If businesses have already taken steps for CCPA compliance, moving towards CPRA compliance should be easier. Businesses should start by reviewing their databases and implementing a consent mechanism. Here’s where a consent management solution like CookieYes can help you by notifying consumers, taking proactive consent and helping you automate your compliance.
FAQ on California Privacy Rights Act (CPRA)
The CPRA California will be operative from January 1, 2023, and applies to information collected on or after January 1, 2022. The enforcement was set to begin on July 1, 2023.
Enforcement of the CPRA regulations was postponed until March 29, 2024, following a court order issued on June 30, 2023. The decision was made in response to a complaint filed by the California Chamber of Commerce.
The CPRA stands for California Privacy Rights Act (CPRA), a state-wide data privacy law that is an amendment to the California Consumer Privacy Act or CCPA. It expands on the current privacy law CCPA with updated provisions.
January 2020: CCPA comes into effect.
November 2020: California Privacy Rights Act, CPRA was passed during the November 2020 ballot.
January 2021: The CPRA becomes law and the California Privacy Protection Agency (CPPA) is established.
January 2022: The 12-month lookback period for CPRA commences.
July 2022: The CPPA begins the formal rulemaking process.
January 2023: CPRA becomes operative and comes into force.
July 2023: Enforcement of the CPRA begins under the CPPA.
Yes, the CPRA (California Privacy Rights Act) has been finalised. California passed it in November 2020 as Proposition 24, amending and extending the California Consumer Privacy Act of 2018 (CCPA). The CPRA amendments to the CCPA became effective on January 1, 2023.
The CPRA was set to become enforceable on July 1, 2023. However, following a lawsuit by the California Chamber of Commerce, a Superior Court of California judge issued a ruling on June 30, 2023, delaying the enforcement of the CPRA regulations until March 29, 2024.
The CPRA defines “sharing” as:
“communicating orally, in writing, or by electronic or other means, a consumer’s personal information . . . to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.”
Cross-context behavioral advertising involves targeted advertising based on a consumer’s activities across various distinct businesses, websites, applications, or services.
The definition applies whether or not the business receives money or other valuable consideration in return, so a disclosure made only to personalize advertising for the consumer still counts as sharing.
Global Privacy Control (GPC) is an opt-out preference signal that allows users to signal their preferences through a browser extension or setting. The GPC is currently recognized by CPRA regulations as a valid opt-out mechanism and requires businesses to honour the GPC and other similar controls for the sale or sharing of personal information, as well as limiting the use of sensitive personal information.
The California Privacy Protection Agency (CPPA), the new agency established by the CPRA, is tasked with enforcing California’s privacy regulations. Headed by Ashkan Soltani, the CPPA will be responsible for implementing CPRA and holding non-compliant organizations accountable.
The CPRA transfers rulemaking authority from the California Attorney General (CAG) to the CPPA. The Agency began the formal rulemaking process on July 8, 2022, and on March 29, 2023, California’s Office of Administrative Law (OAL) approved the CPPA’s final CPRA Regulations.
Yes, CPRA can apply to businesses outside California that collect personal information from California residents. CPRA applies to any for-profit entity that does business in California and meets at least one of the three thresholds below:
– Has annual gross revenues exceeding $25 million in the preceding calendar year,
– Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information, or
– Buys, sells, or shares the personal information of 100,000 or more consumers or households.
This means that even if a business is not organized under California law or does not have a physical presence in California, CPRA can apply to businesses meeting these criteria.
Under the California Privacy Rights Act (CPRA), personal information refers to any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
This includes identifiers such as:
– Names, addresses, email addresses
– Online identifiers like IP addresses, cookies
– Geolocation data,
– Biometric information
– Commercial information, including records of personal property, products, or services purchased
– Professional and employment-related data
The CPRA also expands the definition of personal information to include a category for sensitive personal information (SPI). This includes:
– Financial Information
– Identification numbers (Social Security number, driver’s license, passport)
– Precise geolocation data
– Health Information
– Genetic Data
– Biometric Information