The California Privacy Rights Act (CPRA) will go into effect on January 1, 2023. The CPRA will amend existing provisions by creating new and expanded rights for California consumers and increasing obligations on businesses. It also establishes the California Privacy Protection Agency to implement and enforce the law. Read more details about the CPRA in this article.
What Is CPRA?
The California Consumer Privacy Act (CCPA), the first data privacy law in the US took effect on January 1, 2020. The California Privacy Rights Act (CPRA) was approved by a majority of voters after appearing on the ballot for the general election on November 3, 2020, and will take effect on January 1, 2023, and applies to information collected on or after January 1, 2022.
The CPRA will not replace CCPA but strengthens the existing framework by including additional privacy protections for consumers. Read the full document of the proposed CPRA on the California Legislative Information website.
The key changes of CPRA vs CCPA are in the following fields:
- Expanded consumer rights
- Increased obligations on businesses
- New definitions
- Enforcement of the law: California Privacy Protection Agency.
Differences Between CCPA and CPRA
The new California state privacy law clarifies and amends existing provisions of the CCPA, includes additional privacy protections for consumers, creates additional obligations on businesses that collect California consumers' personal data, and creates a new enforcement agency called the California Privacy Protection Agency.
Expanded rights for California Consumers
The new rights under the CPRA are the following:
Right to correction. California consumers can request correction of their personal data held by a business if that data is inaccurate.
Right to opt-out of automated decision-making technology. California consumers could request to opt-out of the use of automated decision-making technology in connection with decisions related to the economic situation, health, personal preferences, interests, behavior, geo-location, racial or ethnic origin, religious or philosophical beliefs, etc.
Right to access information about automated decision-making. California consumers could requests access to information about how the automated decision-making processes are performed and access to a description of the likely outcome based on that process.
Right to opt-out of sharing sensitive personal information. California consumers may restrict the use and disclosure of sensitive personal information for certain secondary purposes to third-parties for cross-context behavioral advertising, which essentially refers to interest-based advertising.
Right to opt-out of certain uses and disclosures of sensitive personal information. Sensitive personal information could refer to the following information: consumer’s account log-in details; financial account, debit card, or credit card number in combination with a security or access code, password, or credentials; social security number, driver’s license, state ID card, or passport number; precise geo-location; racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a consumer’s email and text messages unless the business is the intended recipient of the communications; genetic data and biometric data; health, sex life or sexual orientation.
Rights for children. A company must obtain implied opt-in consent before selling or sharing the personal information of a consumer under 16. The consent should be specific, freely given, informed, and unambiguous.
Right to data portability. California consumers can request businesses to transmit their personal information or a part of it to another company. CPRA also points out that the data should be provided in a format easily understandable and in a commonly used, machine-readable format.
Right to know, right to delete, and right to opt-out remain the same in both the CCPA and the CPRA. California consumers have the right to access and delete their personal information and to opt-out of the sale or sharing of their personal data.
Increased obligations on businesses
Like the CCPA, the CPRA applies to businesses that act in California, collect personal information from California consumers, and meet certain criteria. The businesses must satisfy these new criteria to apply the CPRA to their business:
- The company exceeds $25 million in the annual gross revenues in the preceding calendar year. In comparison, the CCPA applies to a company, which has annual gross revenues over $25 million, without stating anything about the preceding calendar year.
- The company buys, sells, or shares the personal information of 100,000 or more consumers or households. In comparison, the CCPA applies to a company, which buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes.
- The company gets 50% or more of its annual revenue from selling or sharing consumers' personal information. In comparison, the CCPA applies to a company, which gets 50% or more of its annual revenues from selling consumers' personal information.
The CPRA imposes new obligations on businesses for the minimization of personal data collection and the use just for a needed purpose.
The CPRA also imposes new requirements regarding contractors and third-parties to which the businesses sell or share information. The law mandates additional provisions regarding the collection and the use of personal information that businesses must include in their contracts with service providers, contractors, and other third-parties. Upon data deletion request from a consumer, a business must pass the deletion request not only to service providers but also to contractors and third parties to which the businesses have sold or shared information.
New obligations for websites
There are also new requirements for websites:
- Under the CPRA, websites will have to provide a link titled “Do Not Sell Or Share My Personal Information”, instead of “Do Not Sell”, which was required under the CCPA.
- Under the CPRA, websites will have a new requirement to provide a link titled “Limit The Use Of My Sensitive Personal Information”.
The CPRA also encourages businesses to create “a single, clearly-labeled link” that combines both above-mentioned links.
California Privacy Protection Agency (CPPA)
While the CCPA is presently enforced by the California Office of the Attorney General, the CPRA establishes a new enforcement agency, the California Privacy Protection Agency (CPPA). The CPPA will have investigative, enforcement, and rule-making powers. CPPA will have full administrative power, authority, and jurisdiction to implement and enforce both the CCPA and the CPRA laws.
In March 2021, California announced the establishment of the CPPA, which will consist of a five-member board of experts in the fields of privacy, technology, and consumer rights. It is supposed to take over rule-making power from the California Attorney General by July 1, 2021.
New Definitions of The CPRA vs The CCPA
The CPRA provides these new definitions or expands the previous ones:
Sensitive personal information. The CPRA expands the sensitive personal information, which now includes:
- Social security, driver’s license, state ID, or passport number
- Account log-in credentials like password, security, or access code
- Precise geographic location
- Racial or ethnic origin, religious belief, or union membership
- Contents of mail, email, or text
- Genetic information
- Biometric information
- Health status and medical data
- Sex life or sexual orientation
Contractor. The CPRA introduces a new term — a contractor. The contractor is defined as a person with who the business “makes available a consumer’s personal information for a business purpose pursuant to a written contract”. Under the CPRA, contractors must ensure that they understand and will comply with the CPRA regulations. When the contractor is unable to comply with CPRA, he should immediately notify the business.
Third-party and service provider. A service provider is “a person that processes personal information on behalf of a business” for business purposes under contract. Third-parties are defined as anyone other than the business, contractor, or service provider. A third party cannot be a business with whom the consumer intentionally interacts and shares his personal information.
Sharing. Under the CPRA, sharing is defined as any disclosure of personal information to third parties for cross-context advertising, independently for monetary or not monetary actions.
Profiling. Profiling is defined as any form of “automated processing” of personal information with the help of an automated decision-making technology, which is used to make predictions on “performance at work, economic situation, health, preferences, interests, reliability, behavior, location or movements”.
Fines For Non-compliance With The CPRA
Under CCPA, the penalties for non-compliance with the law were charged only for intentional violations.
The CPRA imposes stricter fines than the CCPA. The CPRA increases fines for privacy violations of minors. Violations for consumers under 16 years of age can be fined up to $7,500 per case. Violations for non-intentional adult consumers of 16 years or older could lead to a maximum fine of $2,500 per case, as it was in the case of CCPA.
The CPRA also eliminates the 30-day cure period after the violation under CCPA. The CPPA, the enforcement agency, will provide a business with a time to rectify the violation by taking into account a lack of motivation to violate the CPRA and voluntary efforts taken by the company to cure the alleged violation.
In addition to avoiding fines, compliance with the CPRA shows that your website takes seriously consumers' privacy rights and encourages consumers' trust in your website, which increases the usage of your services or goods.
How to Comply With CPRA?
To comply with the CPRA, you should follow both the above-mentioned CCPA and CPRA requirements. In particular, you should keep in mind the following aspects:
Perform personal data inventory to find out the type of information you collect, and if you collect sensitive personal information. Figure out the businesses you share data with, and what data is transferred to them.
Review your agreements with service providers, contractors, and third parties and ensure that they have adequate data privacy provisions according to the latest privacy requirements under the CPRA.
Update your Cookie Banner notices. You should disclose if you sell or share personal information, and provide the details of the service providers, contractors, and third-parties you share the data with. Disclose if you collect and process sensitive personal information, how and for what reasons you collect and process this information. Indicate how long you will keep each category of the personal information collected.
Add new opt-out links on your website. Add links ”Do not sell or share my personal information” and “Limit the use of my sensitive personal information” and display them on the website’s homepage. It is also recommended to add “a single, clearly-labeled link” that combines both above-mentioned links.
- Disclosures regarding personal information and sensitive personal information
- Disclosure of how to access, change, or delete personal information
- Method how to opt-out of selling or sharing personal information
- Consent notice for minors (13-16 years) and children under 13 years (consent from parents).
Provide a method to get consumers' requests. Under the CPRA, consumers have the right to be informed about their personal information collected. The CPRA requires businesses to have at least two methods for consumers to submit such requests. You can create web request forms, provide a phone number, or e-mail for the consumer to make requests. Ensure that these request methods are easily accessible and displayed on your website or privacy page.
Frequently Asked Questions
What is the CPRA?
The California Privacy Rights Act (CPRA) is a California data privacy bill that amends and expands the existing California Consumer Privacy Act (CCPA) by strengthening data privacy rights for California residents, increasing requirements for businesses, and establishing the California Privacy Protection Agency (CPPA) as an investigative, enforcement and rule-making power. The CPRA will take effect on January 1, 2023, and applies to information collected on or after January 1, 2022. Try CookieScript Consent Management Platform to be CPRA and CCPA compliant.
Does the CPRA replace the CCPA?
When will the CPRA take effect?
The California Privacy Rights Act (CPRA) was approved by a majority of voters after appearing on the ballot for the general election on November 3, 2020, and will take effect on January 1, 2023. The CPRA will apply to information collected on or after January 1, 2022. Try CookieScript Consent Management Platform to be CPRA and CCPA compliant.
What is the California Privacy Protection Agency?
The California Privacy Rights Act (CPRA) establishes a new enforcement agency, the California Privacy Protection Agency (CPPA), which will have investigative, enforcement, and rule-making powers. The CPPA will have full administrative power, authority, and jurisdiction to implement and enforce both the CCPA and the CPRA laws. CookieScript can help you to be CPRA and CCPA compliant.
What does "sharing" personal information mean under the CPRA?