The California Privacy Rights Act (CPRA) was voted into a state-wide data privacy law in the General Election of November 2020. The CPRA (also referred to as CCPA 2.0) earned popular support with 56% voting in favor of the ballot initiative. The law will amend the California Consumer Protection Act (CCPA) and substantially increase the rights of consumers and regulate businesses that handle personal information.
The CPRA is intended to “further protect consumers’ rights including the constitutional right of privacy”. It is important to note that CPRA does not repeal or replace CCPA but strengthens the existing framework in key areas:
- Enforcement arm – California Privacy Protection Agency (CPPA)
- New definitions
- Expanded consumer rights
The CPRA will be operative from January 1, 2023, and applies to information collected on or after January 1, 2022. The enforcement will begin on July 1, 2023, and until then CCPA will remain the primary governing legislation.
CPRA: What does it change?
Businesses that need to comply
The CPRA keeps most of the CCPA thresholds intact but makes a few significant changes. The table below sets the CCPA threshold beside its CPRA counterpart.
| CCPA threshold | CPRA threshold |
| --- | --- |
| Has annual gross revenues over $25 million | Has annual gross revenues over $25 million in the preceding calendar year |
| Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households or devices for commercial purposes | Buys, sells, or shares the personal information of 100,000 or more consumers or households |
| Gets 50% or more of its annual revenues from selling consumers’ personal information | Gets 50% or more of its annual revenues from selling or sharing consumers’ personal information |
CPRA narrows the common-branding rule that applied under CCPA. Entities that operate under a common brand will now be covered by CPRA if they share California consumers’ personal information with one another.
New categories of covered businesses
CPRA adds two new categories that qualify as a business. First, a joint venture or partnership of businesses in which each business holds at least a 40% interest; each business within such a joint venture is treated as a separate single business. Second, any business that does not meet the thresholds above can self-certify to the newly created California Privacy Protection Agency that it complies with CPRA.
California Privacy Protection Agency
The biggest change in CPRA is the creation of a distinct enforcement arm — the California Privacy Protection Agency (CPPA). CPPA will have full administrative power, authority and jurisdiction to implement and enforce the California Consumer Privacy Act and the California Privacy Rights Act.
In March 2021, California announced the establishment of the first CPPA. The agency consists of a five-member board of experts in privacy, technology, and consumer rights. It is set to take over rulemaking authority from the California Attorney General by July 1, 2021.
CPPA will be entrusted to investigate possible violations of the CPRA and to initiate action through the Administrative Law Court, as opposed to the state court, which has been the mechanism under CCPA.
Sensitive personal information
The CPRA maintains the CCPA’s definition of personal information but includes a new category of sensitive personal information. It includes:
- Social security, driver’s license, state ID or passport number
- Account log-in credentials like password, security or access code
- Precise geographic location
- Racial or ethnic origin, religious belief or union membership
- Contents of mail, email or text
- Genetic information
- Biometric information that can identify the consumer
- Medical data
- Sex life or sexual orientation
Under CPRA, consumers have the right to limit a business’s use and disclosure of sensitive information and can direct the business to use it only to perform the necessary service. Businesses have to provide a “clear and conspicuous link” on their website homepage titled “Limit the Use of My Sensitive Personal Information.” This is in addition to the opt-out link required under CCPA.
CPRA explicitly defines what does and does not constitute consent. Consent must be a freely given, specific, informed and unambiguous indication of the consumer’s intent.
Consent does not include:
- Hovering over, muting, pausing, or closing a given piece of content, or
- Agreement obtained through the use of dark patterns
The CPRA adds to and amends the definitions of service providers, contractors and third parties in CCPA. It introduces a new category — contractors. A contractor is defined as a person to whom the business “makes available a consumer’s personal information for a business purpose pursuant to a written contract”.
CPRA requires contractors to certify that they understand and will comply with the requirements. The contractor will also have to notify the business if they are unable to comply with CPRA.
Third party and service provider
CPRA defines a service provider as a “person that processes personal information on behalf of a business” for business purposes under contract. Third parties are defined as anyone other than the business, contractor or service provider. A third party cannot be a business with whom the consumer intentionally interacts and that collects personal information directly from consumers.
The CPRA introduces a new concept — sharing. It is defined as any disclosure of personal information to third parties for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
If a business engages in sharing, it should post a “Do Not Share My Personal Information” link and provide consumers with an option to opt-out of sharing. The new definition of sharing under the CPRA makes clear that any disclosure of personal information for targeted advertising is also subject to consumer opt-out.
CPRA defines profiling as any form of “automated processing” of personal information done to evaluate personal aspects of an individual and to make predictions such as “performance at work, economic situation, health, preferences, interests, reliability, behavior, location or movements”.
Expanded consumer rights
Right to opt-out of sharing
CPRA also expands CCPA’s right to opt-out to cover both the sale and the sharing of personal information, including data shared with a third party for “cross-context behavioral advertising.” This term refers to targeted advertising directed at a consumer based on data obtained from the consumer’s activity across websites, apps or services other than the one with which the consumer intentionally interacts.
As under CCPA, the right to opt-out of sharing does not extend to disclosures of personal information to service providers and contractors.
Right to opt-out of automated decision making
Similar to the provision in GDPR, consumers will now have the right to know and opt-out of any form of automated decision-making. Businesses will be required to provide information about the “logic involved in automated decision-making processes”, and also inform the consumer about the likely outcome of the process.
Rights of children
CPRA strengthens opt-in rights for minors. A business must obtain opt-in consent before selling or sharing the personal information of a consumer under 16. CPRA also calls to “establish technical specifications for an opt-out preference signal that allows the minor or their parent to specify that the consumer is less than 13 or between 13 and 16 years of age.”
Right to delete and correct
Consumers have the right to have their data deleted or corrected. Businesses also have to inform consumers how long they plan to retain their personal information, and must notify any third parties with whom they have shared the data about the consumer’s request.
Right to access
Consumers can now request information collected about them beyond the 12-month period preceding the request. Businesses can decline to provide information beyond the 12-month look-back period if doing so would involve a disproportionate effort. This applies to information collected on or after January 1, 2022.
Right to data portability
Under CPRA, consumers can request that businesses transmit specific pieces of personal information to another entity. CPRA also indicates that the data should be provided in a format that is easily understandable to the average consumer and in a commonly used, machine-readable format.
Other key changes
The CPRA explicitly requires that businesses must have appropriate contractual provisions in place with service providers, contractors and third parties. Such contracts prohibit the retention, use, or disclosure of personal information for purposes other than the services specified. Contracts may also permit businesses to monitor the service providers’ compliance with contractual provisions through manual reviews, automated scans, regular assessments and audits at least once a year.
CPRA brings in the concepts of data minimization and storage limitation, core principles under GDPR. CPRA mandates that businesses may only collect personal information that is reasonably necessary for the purpose for which it is collected. In addition, businesses cannot retain personal information for longer than is necessary for that purpose.
While CCPA requires businesses to implement reasonable security procedures and practices, CPRA imposes strengthened auditing requirements. Businesses whose processing may present a “significant risk” to consumers’ privacy have to perform annual cybersecurity audits and submit regular risk assessments to the California Privacy Protection Agency. The risk assessment must cover the business’s processing of personal information, including whether the processing involves sensitive data, and weigh the benefits of the processing to the business, the consumer and other stakeholders against the risks.
Extension of employee exemption
CCPA exempted certain employment-related personal information and personal information involved in business-to-business (B2B) communications and transactions. This exemption was set to expire on January 1, 2021. CPRA, however, extends the exemptions for employment and B2B data until January 1, 2023.
Increased penalty for non-compliance with CPRA
The CPRA increases fines for privacy violations involving minors. Businesses that violate the rights of those under the age of 16 can be fined $7,500 for each violation. Under CCPA, this penalty applied only to intentional violations. For all other non-intentional violations involving consumers aged 16 or above, the maximum fine of $2,500 remains the same.
The CPRA also eliminates the 30-day cure period that CCPA granted after an alleged violation. The enforcement agency will now have discretion to give a business time to rectify, taking into account a lack of intent to violate the CPRA and voluntary efforts taken by the business to cure the alleged violation.
Another notable provision of CPRA is that it expands the scope of consumers’ private right of action to include data breaches involving email account credentials.
7 steps to prepare your business for CPRA
The good news for businesses is that the CPRA will be operative only from January 1, 2023. This does not mean that businesses can turn a blind eye to CPRA now. Remember that CPRA applies to all information collected on or after January 1, 2022, so it is in your best interest to start preparing right away.
Also, recall that CPRA is intended to strengthen the provisions of CCPA. Therefore, if you have a CCPA-compliant mechanism in place, you are already halfway there. Still, ensure that you stay up to date with the latest amendments to CCPA.
Here are 7 steps that your business should take to effectively build compliance.
Determine if CPRA applies to your business
- Assess whether your business meets the changed thresholds, as entities that meet the requirements for CCPA may now be exempt from CPRA.
- Also, note that CPRA compliance extends outside of the state of California. If a California resident can access your website, CPRA compliance is necessary.
Perform data inventory
- Conduct data inventory to figure out the type of information you collect, and if you collect sensitive personal information. Identify the businesses you share data with, where it is stored, and how it is transferred.
- Perform annual audits to review and update data mapping efforts including the tracking and security of sensitive personal information.
Review your contracts
- Study the updated contractual provisions in CPRA and be prepared to amend your contracts with service providers, contractors and third parties.
- Review whether your vendors have adequate data privacy provisions as per the latest amendments to CCPA.
Update CCPA notices
Include additional categories of information in your CCPA notices. This includes:
- Disclosure of whether you sell or share personal information, including details of the service providers, contractors and third parties you share the data with
- What categories of personal information (including sensitive personal information) you collect and process, how and why you collect and process this information
- The time frame for which you will retain each category of personal information collected
- Separate disclosure regarding sensitive personal information
- The methods to request access, change, move, or delete a consumer’s data
- How consumers can opt-out of selling or sharing their personal information
- Consent notice for minors aged 13 to 16 and, for children under 13, for their parents
Add opt-out links on website
Opt-out of sale links are already mandated under the CCPA. CPRA expands the right to opt-out to include ‘sharing’ of personal information with third parties for targeted advertising. So, businesses should update their links to “Do Not Sell or Share My Personal Information” and display the link on the website’s homepage.
CPRA also limits the use of consumers’ sensitive data. Therefore, businesses may add a “Limit the Use of My Sensitive Personal Information” link. They may either add a separate link or provide this option within the opt-out link. Use clearly labelled, conspicuous opt-out links with plain, jargon-free language on your website.
Add consumer request forms
CPRA gives consumers expanded rights and also the right to make certain requests about their data. Create web request forms where consumers can easily submit these requests.
CPRA requires businesses to offer at least two methods for consumers to submit requests, so you may also add a toll-free phone number for consumers to make requests. Ensure that the phone number is prominently displayed on your website or privacy page.
Moving forward with CCPA Compliance
If businesses have already taken steps for CCPA compliance, moving towards CPRA compliance should be easier. Here’s where CookieYes can help you. With CookieYes, you can automatically scan your website for cookies and add them to your site’s list of cookies.
For proof of consent, you can use the consent log feature where you can record user consent and their cookie preferences.
What are you waiting for? Start complying with CCPA right away!