Last updated on 12 August 2022 by William Blesch (Legal and data protection research writer at TermsFeed)
On July 1, 2020, California's CCPA became enforceable. A few days earlier, the privacy advocacy group Californians for Consumer Privacy (CFCP) announced that it had collected almost a million signatures to place the California Privacy Rights Act (CPRA) on the November 2020 ballot.
The CPRA expands upon and amends the CCPA, which has led to it being known as CCPA 2.0. However, it was on the ballot officially as Prop 24.
According to a poll of 605 Californians by Goodwin/Simon Research, up to 81% supported the legislation, which passed in November 2020.
Whether your business is in California or not, you should be observing this bill closely as it could have substantial consequences for how you operate.
As noted by the CFCP, the CPRA is designed to make it much harder to weaken privacy. As it says on the CFCP website, the CPRA will:
"MAKE IT MUCH HARDER TO WEAKEN PRIVACY in California in the future, by preventing special interests and politicians from undermining Californians' privacy rights, while allowing the Legislature to amend the law to further the primary goal of strengthening consumer privacy to better protect you and your children, such as opt-in for use of data, further protections for uniquely vulnerable minors, and greater power for individuals to hold violators accountable."
The CCPA is greatly expanded upon by the CPRA. It will grant consumers new rights and impose unique obligations on businesses, as well as change enforcement provisions within the CCPA.
According to the new measure, the CCPA will be integrated into the CPRA. Anything added to the CCPA by the CPRA will take effect on January 1, 2023, although enforcement of added obligations won't start until July 1, 2023.
There are many changes to the CCPA made by the CPRA. These changes range from new and potentially burdensome obligations, to helpful clarifications of the original law's language.
The CPRA, like the CCPA, applies to any for-profit organization that does business in the State of California and meets a few criteria.
The CPRA applies to businesses that:
In general, the CPRA keeps the same exemptions as the CCPA, although it improves upon some of them.
The CCPA already provides exemptions for data related to job applicants, employees, and business-to-business (B2B) contacts. However, the CPRA extends these exemptions.
Some of the CPRA's improvements on the CCPA include clarifications of the clinical trial exemptions. For instance, if biomedical research or a clinical trial is conducted in keeping with the Common Rule, an exemption applies.
The CPRA also provides exemptions for healthcare providers and for medical data that is protected by the Confidentiality of Medical Information Act.
The following is also exempt:
"Personal Information collected as part of a clinical trial or other biomedical research study subject to or conducted in accordance with the Federal Policy for the Protection of Human Subjects...."
The CPRA also allows consumers to specifically:
When it comes to CPRA compliance, businesses should be prepared to respond to all regulatory requirements swiftly. Companies must be able to satisfy data requests at scale, supported by advanced reporting, which may include executive reports, trend reports, and native reporting.
Additionally, businesses need to automatically discover, identify, and classify all sensitive personal information (SPI) no matter where it is stored. According to the CPRA, this data includes such things as:
With the above in mind, organizations doing business in California must be able to make an inventory of all personal and sensitive information that belongs to an identity. This information can be either direct or inferred.
You should inventory all that data to gain a complete picture of exactly what consumer information your business is collecting.
That's because the CPRA stipulates that businesses have to provide consumers with the means to correct and update any information the company has, which the consumer deems incorrect.
Your business should also try to strengthen any privacy management program it has by recording data flows and automating the "right to know" fulfillment process.
According to the CPRA, a consumer's "right to know" includes personal information that is not just collected, but that is also shared or sold. Your company must now reveal what data categories it collects, shares, or sells to any third party. Moreover, you should keep in mind that the right to know extends past the CCPA's current 12-month lookback provision.
Your company should add context to the information it collects by inferring new attributes, uncovering relationships, and viewing information according to its end-use.
This is because the CPRA stipulates that consumers will now be allowed to limit the collection and processing of their sensitive personal data to only those uses that are "necessary" to provide the goods or services they have asked for.
Your business must be able to determine where information is located, what ought to be deleted, and then ensure that ongoing deletion validation is automatic.
This is because the CPRA demands that businesses inform service providers, contractors, and third parties of deletion requests made by consumers. The important part to remember here is that if your company receives that deletion request, you are now responsible for ensuring that all third parties work together to continue deleting the consumer's data down the line.
To comply with the CPRA, you'll want to focus on:
Additionally, keep in mind that your business will be required to prominently display a "Limit the Use of My Sensitive Information" link or button on its website. The only exception to this is if you provide consumers with the ability to limit information use through a preference signal (as in from a browser).
The CPRA updates the CCPA's penalties to include administrative fines for intentional violations involving the sensitive personal information of people under the age of 16. These fines can reach up to $7,500 (USD) per violation.
The CPRA updates and expands upon the CCPA. It creates new privacy rights for consumers, allowing them to prevent businesses from using sensitive personal data, which may include financial or health information. It also prevents businesses from selling or knowing a consumer's location without the consent or knowledge of that consumer.
Additionally, the CPRA establishes a new agency to protect the rights of the consumer by giving them back control over data that belongs to them and by increasing overall transparency.
The CPRA gives consumers the following major rights:
Finally, the CPRA triples fines for collecting and selling the private information of anyone under the age of 16, and requires businesses to acquire opt-in consent before selling the personal information of anyone 16 years old or younger.