Privacy-proof consumer data and stay ahead of CPRA compliance

No, the California Privacy Rights Act (CPRA) does not replace the CCPA but amends it. The CPRA is an expansion of the CCPA, as it modifies existing provisions and introduces additional requirements for businesses and new rights for California consumers. The CPRA came into effect on January 1, 2023. Businesses that are subject to the CCPA will need to comply with the new requirements of the CPRA now.

Under the California Privacy Rights Act (CPRA), “personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household. The CPRA expands the definition of personal information of CCPA to include information such as geolocation data, race, ethnicity, religious or philosophical beliefs, and biometric information.

In addition, the CPRA introduces “sensitive personal information” that includes specific categories of personal information, such as financial information, identification numbers like social security number, driver’s licence and passport and personal information that reveals a consumer’s precise geolocation data health, genetic data, and biometric information.

The California Privacy Protection Agency (CPPA), the new enforcement agency created under the new provisions of CPRA, is the enforcement authority for CPRA. The CPPA is a first-of-its-kind state agency in California and will be taking over the enforcement and rulemaking responsibilities of the California Attorney General (CAG), who has been the regulatory authority for the CCPA.

CPRA enforcement:

The CPPA and the CAG were expected to begin CPRA enforcement on July 1, 2023. However, a California state court ruling delayed the enforcement of the new CPRA regulations, issued in March 2023, until March 29, 2024. However, this ruling does not limit the CPPA or CAG to enforce the amendments to the CCPA that became effective on January 1, 2023.

The California Privacy Rights Act (CPRA) applies to any for-profit entity or business that operates in California or collects personal information from California residents. The CPRA can apply to an entity that:

• Does business in California
• Collects the personal information of California residents, and
• Meets certain revenue requirements or data processing thresholds

If a business meets any of these criteria, it will be subject to the CPRA’s requirements, even if it is not physically located in California.

The CPRA includes several new provisions and changes to the CCPA, including:

• Creation of a new enforcement agency: The CPRA created a new agency called the California Privacy Protection Agency (CPPA), which will be responsible for enforcing privacy laws in California.
• Introduces sensitive personal information: The CPRA expands the definition of sensitive personal information to include new categories, such as financial information, precise geolocation, race, ethnicity, and health information.
• Introduces ‘sharing’ of personal information and opt-out rights: Sharing is defined as any disclosure of personal information to third parties for cross-context behavioural advertising, whether or not for monetary or other valuable consideration. 
• New consumer rights: The CPRA grants consumers the right to correct inaccurate personal information held by businesses.
• Increased fines for violations: The CPRA increases the fines for violations of privacy laws, with fines ranging from $2,500 to $7,500 per violation.

CPRA compliance refers to your businesses’ obligation to comply with the California Privacy Rights Act (CPRA), a comprehensive data protection law enacted in California. CPRA amends the existing California Consumer Privacy Act (CCPA) and introduces new requirements for businesses that collect and process the personal information of California residents. CPRA compliance is essential for organizations operating in California or handling the personal data of California residents.

The California Privacy Rights Act (CPRA) applies to the state of California and focuses on the data privacy rights of residents of the state. The General Data Protection Regulation (GDPR) applies to all European Union member states and aims to protect the personal data of individuals in the EU. Some of the key differences include:

• Applicability: The CPRA applies to businesses that meet certain threshold requirements, such as annual gross revenue of $25 million or more and businesses that sell or share personal information to generate 50 per cent of their revenue. The GDPR applies to any organization that processes the personal data of individuals in the EU, regardless of the organisation’s location or revenue.
• Consent: The GDPR has stricter requirements for obtaining consent from individuals for data processing. It requires opt-in consent, while the CPRA requires an opt-out consent framework.
• Penalties: CPRA imposes a penalty of $7,500 per intentional violation or up to $2,500 for unintentional violation. For GDPR, the penalty can go up to a maximum of €20 million or 4% of global annual turnover, whichever is higher.

Refer: CCPA vs GDPR: What’s the Difference, for a detailed explanation.

The CPRA amended the California Consumer Privacy Act (CCPA) and introduced new provisions, including an updated applicability threshold.  Here are some key threshold requirements under the CPRA:

• Business size: The CPRA applies to businesses with an annual gross revenue of over $25 million in the preceding calendar year.

• Data processing: It applies to businesses that alone or in combination, annually buy, sell, or share the personal information of, 100,000 or more consumers or households.

• Revenue from data sale/sharing: Businesses that derive 50 per cent or more of their annual revenues from selling or sharing consumers’ personal information.

The California Privacy Rights Act (CPRA) requires that businesses follow certain obligations for collecting personal information from California residents. Some of the key CPRA obligations include: 

• Provide a privacy notice: Businesses are required to provide a clear and transparent notice informing consumers about the types of personal information collected, the purposes for which it is used, their data privacy rights and how to exercise them. 
• Offer opt-out of sale/sharing of data: Businesses must present a conspicuous and easily accessible mechanism for consumers to opt out of the sale/sharing of their personal information.
• Honour consumer requests: Businesses are required to address consumer requests to access, correct, delete, or limit the processing of their personal information within a reasonable timeframe.
• Limit data retention: Businesses must refrain from retaining personal information beyond what is reasonably necessary for the purpose it was collected.

Refer: The Complete Guide to CPRA, for an in-depth understanding of CPRA regulations. 

Here are the key requirements you need to implement on your website to become CPRA compliant:

• Implement a  clear and conspicuous “Do not sell or share” link on your website so consumers can easily opt out of the sale or sharing of their personal information. 
• Add an opt-out cookie banner so that your site visitors can opt out of third-party cookies that sell or share their data.
• Respect universal opt-out preference signals such as GPC (Global Privacy Control).
• Update your privacy policy to include the provisions of CPRA.
• Add a detailed cookie policy within your privacy policy or as a separate document.
• Avoid dark patterns in your website and opt-out mechanisms.
• Provide accessible methods to make consumer requests.
• Implement basic technical controls and security standards on your website. 

Here are some links you can refer to for additional reading:

• Simplified Guide to CPRA California
• CCPA vs GDPR: What’s the Difference