
The Complete Guide to California Privacy Rights Act (CPRA)

Last updated on July 30, 2021|Published on May 4, 2021

The California Privacy Rights Act (CPRA) was approved as a state-wide data privacy law in the General Election of November 2020. The CPRA (also referred to as CCPA 2.0) earned popular support, with 56% voting in favor of the ballot initiative. The law amends the California Consumer Privacy Act (CCPA), substantially expands the rights of consumers and regulates businesses that handle personal information.

The CPRA is intended to “further protect consumers’ rights, including the constitutional right of privacy”. It is important to note that CPRA does not repeal or replace CCPA but strengthens the existing framework in key areas:

  • Enforcement arm – California Privacy Protection Agency (CPPA)
  • New definitions
  • Expanded consumer rights

The CPRA will be operative from January 1, 2023, and applies to information collected on or after January 1, 2022. Enforcement will begin on July 1, 2023; until then CCPA will remain the primary governing legislation.

CPRA: What does it change?

Businesses who need to comply

The CPRA keeps most of the CCPA thresholds intact but makes a few significant changes.

Threshold comparison (CCPA vs CPRA):

  • Annual gross revenue
    CCPA: over $25 million
    CPRA: over $25 million in the preceding calendar year
  • Volume of personal information handled
    CCPA: buys, receives, sells, or shares the personal information of 50,000 or more consumers, households or devices for commercial purposes
    CPRA: buys, sells, or shares the personal information of 100,000 or more consumers or households
  • Revenue derived from personal information
    CCPA: 50% or more of annual revenue comes from selling consumers’ personal information
    CPRA: 50% or more of annual revenue comes from selling or sharing consumers’ personal information

CPRA narrows the common-branding test that applied under CCPA. Businesses under common branding will now be covered by CPRA only if they share California consumers’ personal information.

New categories of covered businesses

CPRA adds two new categories that qualify as a business. First, a joint venture or partnership of businesses in which each business has at least a 40% interest; each business within this joint venture is considered a separate single business. Second, any business that does not meet the given thresholds can self-certify to the newly created California Privacy Protection Agency that it complies with CPRA.

California Privacy Protection Agency 

The biggest change in CPRA is the creation of a distinct enforcement arm — the California Privacy Protection Agency (CPPA). CPPA will have full administrative power, authority and jurisdiction to implement and enforce the California Consumer Privacy Act and the California Privacy Rights Act.

In March 2021, California announced the establishment of the first CPPA. The agency consists of a five-member board of experts in privacy, technology, and consumer rights. It is set to take over rulemaking authority from the California Attorney General by July 1, 2021.

CPPA will be entrusted to investigate possible violations of the CPRA and to initiate action through the Administrative Law Court, as opposed to the state court, which has been the mechanism under CCPA.

New definitions

Sensitive personal information

The CPRA maintains the CCPA’s definition of personal information but includes a new category of sensitive personal information. It includes:

  • Social security, driver’s license, state ID or passport number 
  • Account log-in credentials like password, security or access code
  • Precise geographic location
  • Racial or ethnic origin, religious belief or union membership
  • Contents of mail, email or text
  • Genetic information
  • Biometric information that can identify the consumer 
  • Medical data
  • Sex life or sexual orientation

Under CPRA, consumers have the right to limit a business’s use and disclosure of sensitive information and can direct the business to use it only to perform the necessary service. Businesses have to provide a “clear and conspicuous link” on their website homepage titled “Limit the Use of My Sensitive Personal Information.” This is in addition to the opt-out link required under CCPA.

CPRA explicitly defines what does and does not constitute consent. Consent must be a freely given, specific, informed and unambiguous indication of the consumer’s intent.

Consent does not include:

  • General or broad acceptance of terms of use or a similar document
  • Hovering over, muting, pausing, or closing a given piece of content
  • Consent obtained through the use of dark patterns

To know what dark patterns in consent are and how to adopt best practices, refer here.

Contractor

The CPRA adds to and amends the CCPA definitions of service providers, contractors and third parties. It introduces a new category: contractors. A contractor is defined as a person to whom the business “makes available a consumer’s personal information for a business purpose pursuant to a written contract”.

CPRA requires contractors to certify that they understand and will comply with its requirements. A contractor must also notify the business if it is unable to comply with CPRA.

Third party and service provider

CPRA defines a service provider as a “person that processes personal information on behalf of a business” for business purposes under contract. Third parties are defined as anyone other than the business, a contractor or a service provider. A third party cannot be a business with which the consumer intentionally interacts and that collects personal information directly from consumers.

Sharing

The CPRA introduces a new concept: sharing. It is defined as any disclosure of personal information to third parties for cross-context behavioural advertising, whether or not for monetary or other valuable consideration.

If a business engages in sharing, it should post a “Do Not Share My Personal Information” link and provide consumers with an option to opt-out of sharing. The new definition of sharing under the CPRA makes clear that any disclosure of personal information for targeted advertising is also subject to consumer opt-out. 

Profiling

CPRA defines profiling as any form of “automated processing” of personal information done to evaluate personal aspects of an individual and to make predictions such as “performance at work, economic situation, health, preferences, interests, reliability, behavior, location or movements”.

Expanded consumer rights 

Right to opt-out of sharing 

CPRA also expands on CCPA’s right to opt-out and includes the sale and sharing of personal information, including data that is shared with a third party for “cross-context behavioral advertising.” It refers to targeted advertising to a consumer based on data obtained from the consumer’s activity across websites, apps or services other than the one with which the consumer intentionally interacts. 

Similar to the provision in CCPA, the right to opt-out of sharing does not extend to sharing personal information with service providers and contractors. (To learn more about the difference between opt-in and opt-out, refer to this guide.)

Right to opt-out of automated decision making

Similar to the provision in GDPR, consumers will now have the right to know and opt-out of any form of automated decision-making. Businesses will be required to provide information about the “logic involved in automated decision-making processes”, and also inform the consumer about the likely outcome of the process. 

Rights of children

CPRA strengthens opt-in rights for minors. A business must obtain opt-in consent before selling or sharing the personal information of a consumer under 16. CPRA also calls for the agency to “establish technical specifications for an opt-out preference signal that allows the minor or their parent to specify that the consumer is less than 13 or between 13 and 16 years of age.”

Right to delete and correct

Consumers have the right to have their data deleted or corrected, and businesses have to inform consumers how long they plan to retain their personal information. Businesses also have to notify any third parties with which they have shared the data about the consumer’s request.

Right to access

Consumers can now request information collected about them beyond the 12-month period preceding the request. Businesses can decline to provide information beyond the 12-month look-back period if doing so would involve a disproportionate effort. This applies to information collected on or after January 1, 2022.

Right to data portability

Under CPRA, consumers can request that businesses transmit specific pieces of personal information to another entity. CPRA also indicates that the data should be provided in a format that is easily understandable to the average consumer and in a commonly used, machine-readable format.


Other key changes

Contractual requirements

The CPRA explicitly requires businesses to have appropriate contractual provisions in place with service providers, contractors and third parties. Such contracts must prohibit the retention, use, or disclosure of personal information for purposes other than the services specified. Contracts may also permit businesses to monitor the service provider’s compliance with the contractual provisions through manual reviews, automated scans, regular assessments and audits at least once a year.

Data minimization

CPRA brings in the concepts of data minimization and storage limitation, both core principles under GDPR. CPRA mandates that businesses may only collect personal information that is reasonably necessary for the purpose for which it is collected. Businesses also cannot retain personal information for longer than is necessary for that purpose.

Risk assessment

While CCPA requires businesses to implement reasonable security procedures and practices, CPRA imposes strengthened auditing requirements. Businesses whose processing may create a “significant risk” to consumers’ privacy have to perform annual cybersecurity audits and submit regular risk assessments to the California Privacy Protection Agency. The risk assessment must cover their processing of personal information, including whether the processing involves sensitive data, and weigh the benefits of the processing to the business, the consumer and other stakeholders against the risks.

Extension of employee exemption

CCPA exempted certain employment-related personal information and personal information involved in business-to-business (B2B) communications and transactions. This exemption was set to expire on January 1, 2021, but CPRA extended the employment and B2B exemptions until January 1, 2023.

Increased penalty for non-compliance with CPRA

The CPRA increases fines for privacy violations involving minors. Businesses that violate the rights of consumers under the age of 16 can be fined $7,500 for each violation; under CCPA, this penalty applied only to intentional violations. For all other non-intentional violations involving consumers aged 16 or above, the maximum fine of $2,500 remains the same.

The CPRA also eliminates the 30-day cure period that CCPA granted after an alleged violation. The enforcement agency will instead have the discretion to give a business time to rectify, taking into account a lack of intent to violate the CPRA and voluntary efforts taken by the business to cure the alleged violation.

Another notable provision of CPRA is that it expands the scope of consumers’ private right of action to include data breaches involving email account credentials.

7 steps to prepare your business for CPRA

The good news for businesses is that the CPRA will not be operative until January 1, 2023. This does not mean that businesses can turn a blind eye to CPRA now: remember that CPRA applies to all information collected on or after January 1, 2022. So it is in your best interest to start preparing right away.

Also, recall that CPRA is intended to strengthen the provisions of CCPA. Therefore, if you already have a CCPA-compliant mechanism in place, you are halfway there. But make sure you stay up to date with the latest amendments to CCPA.

Here are 7 steps that your business should take to effectively build compliance.

Determine if CPRA applies to your business

  • Assess whether your business meets the changed thresholds, as entities that met the requirements for CCPA may now be exempt from CPRA, and vice versa.
  • Also note that CPRA compliance extends beyond the state of California: if California residents can access your website, CPRA compliance is necessary.

Perform data inventory

  • Conduct a data inventory to determine the types of information you collect and whether you collect sensitive personal information. Identify the businesses you share data with, where it is stored, and how it is transferred.
  • Perform annual audits to review and update your data-mapping efforts, including the tracking and security of sensitive personal information.

Review your contracts 

  • Study the updated contractual provisions in CPRA and be prepared to amend your contracts with service providers, contractors and third parties.
  • Verify that your vendors have adequate data privacy provisions in line with the latest amendments to CCPA.

Update CCPA notices 

Include additional categories of information in your CCPA notices. This includes:

  • Disclosure of whether you sell or share personal information, including details of the service providers, contractors and third parties you share the data with
  • The categories of personal information (including sensitive personal information) you collect and process, and how and why you collect and process this information
  • The time frame for which you will retain each category of personal information collected

Renew privacy policy

Update your privacy policy to detail the rights of the consumers and guide them to exercise their rights under CPRA. Ensure that your privacy policy is easily accessible and compatible on all devices.

Other than the information highlighted in the CCPA notices, the privacy policy should include:

  • Separate disclosure regarding sensitive personal information
  • The methods to request access, change, move, or delete a consumer’s data
  • How consumers can opt-out of selling or sharing their personal information
  • Consent notice for minors aged 13 to 16 and for parents of children under 13

You can use a free tool like the privacy policy generator from CookieYes to create a compliant privacy policy exclusively for your business. 

Add opt-out links on website 

Opt-out of sale links are already mandated under the CCPA. CPRA expands the right to opt-out to include ‘sharing’ of personal information with third parties for targeted advertising. So, businesses should update their links to ”Do not sell or share my personal information” and display it on the website’s homepage.

CPRA also limits the use of consumers’ sensitive data. Therefore, businesses may need to add a “Limit the use of my sensitive personal information” link, either as a separate link or as an option within the opt-out link. Use clearly labelled, conspicuous opt-out links with plain, jargon-free language on your website.

Take a look at a CCPA notice created with CookieYes. You can link your notice at collection and privacy policy all in the same banner, and customize the text and links at any time to meet the changing requirements under CPRA.

With CookieYes, you can create custom GDPR and CCPA compliant cookie consent banners, CCPA notices, as well as privacy policy all under one roof. 

Add consumer request forms

CPRA gives consumers expanded rights and also the right to make certain requests about their data. Create web request forms where consumers can easily submit these requests.

CPRA requires businesses to offer at least two methods for consumers to submit requests, so you may also add a toll-free phone number for consumers to make requests. Ensure that the phone number is prominently displayed on your website or privacy page.

Moving forward with CCPA Compliance

If businesses have already taken steps for CCPA compliance, moving towards CPRA compliance should be easier. Here’s where CookieYes can help you. With CookieYes, you can automatically scan your website for cookies and add them to your site’s list of cookies.

You can also add a fully customizable cookie consent banner or CCPA notice as well as an exclusive privacy policy for your business. 

For proof of consent, you can use the consent log feature where you can record user consent and their cookie preferences. 

What are you waiting for? Start complying with CCPA right away!
