On July 1, 2020, California's CCPA became enforceable. A few days prior, privacy advocacy group, "California for Consumer Privacy" (CFCP) declared it collected almost a million signatures to have the California Privacy Rights Act (CPRA) placed on the November 2020 ballot.

Whether your business is in California or not, you should be observing this bill closely as it could have substantial consequences for how you operate.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



What is the California Privacy Rights Act (CPRA)?

The California Privacy Rights Act (CPRA) expands upon and amends the California CCPA, which has led to it being known informally as CCPA 2.0.

What Does the California Privacy Rights Act (CPRA) Do?

As noted by the CFCP, the California Privacy Rights Act (CPRA) is designed to make it much harder to weaken privacy. As it says on the CFCP website, the California CPRA will:

"MAKE IT MUCH HARDER TO WEAKEN PRIVACY in California in the future, by preventing special interests and politicians from undermining Californians' privacy rights, while allowing the Legislature to amend the law to further the primary goal of strengthening consumer privacy to better protect you and your children, such as opt-in for use of data, further protections for uniquely vulnerable minors, and greater power for individuals to hold violators accountable."

The California CCPA is greatly expanded upon by the CPRA. It will grant consumers new rights and impose unique obligations on businesses, as well as change enforcement provisions within the California CCPA.

According to the new measure, the California CPRA will be integrated into the CCPA. Anything added to the CCPA by the CPRA will take effect on January 1, 2023, although enforcement of added obligations won't start until July 1, 2023.

Who Does the California Privacy Rights Act (CPRA) Apply to?

There are many changes to the California CCPA made by the California Privacy Rights Act (CPRA). These changes range from new and potentially burdensome obligations, to helpful clarifications of the original law's language.

The California CPRA essentially applies (just as the CCPA does) to any for-profit organization, which may do business in the State of California, and which meets a few criteria.

The California Privacy Rights Act (CPRA) applies to businesses that:

  • Have a gross annual revenue of over $25 million in the preceding calendar year, or
  • Buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices, or
  • Derive 50% or more of their annual revenue from selling or sharing California residents' personal information

Exemptions from California Privacy Rights Act (CPRA) Provisions

In general, the California CPRA keeps the same exemptions as the CCPA, although it improves upon some of them.

The California CCPA already provides exemptions for data related to job applicants, employees, and business-to-business (B2B) contacts. However, the CPRA extends these exemptions.

Some of the improvements upon the CCPA made by the CPRA include clarifications on clinical trial exemptions. For instance, if biomedical research or clinical trial is conducted in keeping with the Common Rule, an exemption applies.

The CPRA also provides exemptions on healthcare providers and medical data that's protected by the Confidentiality of Medical information Act.

Additionally, the following is also exempt:

"Personal Information collected as part of a clinical trial or other biomedical research study subject to or conducted in accordance with the Federal Policy for the Protection of Human Subjects...."

Significant Requirements of the California Privacy Rights Act (CPRA)

Significant Requirements of the CPRA

  • Service providers are banned from combining data received from other businesses or collected in the "business" capacity of the service provider with personal information collected as a service provider.
  • Businesses will now have to enter into contracts with third parties that the business "shares" or sells personal data to. In this context, "sharing" refers to transfers of data for the purpose of cross contextual advertising.
  • Storage limitation, data minimization, and data security requirements are established. For example, the CPRA demands that businesses disclose: "the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible the criteria used to determine such period..."
  • The 30-day "cure" period before a case of non-compliance ends in a CCPA violation is abolished.
  • The CCPA's private right of action has been broadened to encompass unauthorized disclosure of or access to an email address and password or security question, which would grant access to an account if the disclosure or access came as a result of a failure to execute reasonable security measures.

The California CPRA also allows consumers to specifically:

  • Ask that a business use a commercially reasonable effort to correct erroneous personal data in response to a verified request
  • Restrict a business's disclosure and use of the consumer's "sensitive personal information" that includes a broad range of data elements
  • Opt out of "sharing," which is defined by the CPRA as disclosures of personal data for the purposes of cross-contextual advertising
  • Opt out of automated profiling and decision making (although this is dependent upon a rulemaking proceeding

How to Comply With the California Privacy Rights Act (CPRA)

How to Comply With the CPRA

When it comes to compliance with the CPRA's amendments, businesses should be prepared to respond to all regulatory requirements swiftly. Through advanced reporting, which may include executive reports, trends, and native reporting, companies must be prepared to satisfy data requests at scale.

Additionally, businesses need to automatically discover, identify, and classify all sensitive personal information (SPI) no matter where it is stored. According to the CPRA, this data includes such things as:

  • Drivers licenses
  • State ID numbers
  • Exact geolocation
  • User credentials
  • Passport information
  • "Sex life" or sexual orientation information
  • Racial or ethnic origin data
  • Biometric or genetic information
  • Union membership
  • Content of mail, email, and SMS messages
  • Philosophical or religious beliefs
  • Social Security Numbers

The Right to Correction Stipulation

Under the California Privacy Rights Act (CPRA), users have the right to have inaccurate data about them corrected.

Organizations doing business in California must be able to make an inventory of all personal and sensitive information that belongs to an individual. This information can be either direct or inferred.

You should inventory all that data to gain a complete picture of exactly what consumer information your business is collecting.

That's because the California CPRA stipulates that businesses have to provide consumers with the means to correct and update any information the company has, which the consumer deems incorrect.

Include a clause in your Privacy Policy that lets users know about this right and how they can exercise it, like this one:

Insurance Australia Group Privacy Policy: Access to and Correction of your Personal Information clause

The Right to Know Stipulation

Your business should also try to strengthen any privacy management program it has by recording data flows and automating the "right to know" fulfillment process.

According to the California Privacy Rights Act (CPRA), a consumer's "right to know" includes personal information that is not just collected, but that is also shared or sold. Your company must now reveal what data categories it collects, shares, or sells to any third party. Moreover, you should keep in mind that the right to know extends past the CCPA's current 12-month lookback provision.

Make sure to add a clause to your Privacy Policy that lets users know about this right and how they can exercise it, like this one:

Technicolor CCPA Privacy Policy: Right to know clause excerpt

The Right to Limit the Disclosure and Use of Sensitive Personal Information

Your company should add context to the information it collects by inferring new attributes, uncovering relationships, and viewing information according to its end-use.

The reason for this is due to the California CPRA's stipulation that consumers will now be allowed to limit the collection and processing of their sensitive personal data to only "necessary" uses with the goal of providing the services or goods they've asked for.

The Right to Delete Rule

Your business must be able to determine where information is located, what ought to be deleted, and then ensure that ongoing deletion validation is automatic.

This is because the California CPRA demands that businesses inform service providers, contractors, and third parties of deletion requests made by consumers. The important part to remember here is that if your company receives that deletion request, you are now responsible for ensuring that all third parties work together to continue deleting the consumer's data down the line.

To comply with the California Privacy Rights Act (CPRA), you'll want to focus on:

  • Protecting data
  • Limiting data retention
  • Minimizing data collection

Here's an example of how you can disclose this information via a Privacy Policy clause along with other rights:

Walt Disney California Privacy Rights: Your Rights - Access, delete and opt out of sale clause

Additionally, keep in mind that your business will be required to prominently display a "Limit the Use of My Sensitive Information" link or button on its website. The only exception to this is if you provide consumers with the ability to limit information use through a preference signal (as in from a browser).

This can be displayed in a website footer with other important links.

HuffPost website footer links

Penalties for Non-Compliance with California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) updates the California CCPA's penalties to include administrative fines for intentional violations involving the sensitive personal information of people under the age of 16. These fines may also extend up to $7,500 (USD).

Summary

The California Privacy Rights Act (CPRA) updates and expands upon the CCPA. It creates new privacy rights for consumers, allowing them to prevent businesses from using sensitive personal data, which may include financial or health information. It also prevents businesses from selling or knowing a consumer's location without the consent or knowledge of that consumer.

Additionally, the California CPRA establishes a new agency to protect the rights of the consumer by giving them back control over data that belongs to them and by increasing overall transparency.

The California Privacy Rights Act (CPRA) gives consumers the following major rights:

  • The right to know what personal, sensitive information businesses collect and why
  • The right to deny the sale of that personal information
  • The right to hold businesses responsible for the security of any personal information that is collected

Finally, the California CPRA triples fines for collecting and selling the private information of anyone under the age of 16, and requires that businesses must acquire opt-in consent in order to sell to anyone 16 years old or younger.

All U.S. Privacy Laws

Want to read more about privacy laws in the USA? Start here:

COPPA: Children's Online Privacy Protection Act Federal law that protects the privacy of children under 13 years of age when online or using a mobile app.
HIPAA: Health Insurance Portability and Accountability Act Federal law that protects the privacy of health information of individuals.
California CalOPPA: California Online Privacy Protection Act California law that requires commercial websites to properly display a compliant Privacy Policy.
California CCPA: California's Consumer Privacy Act California law that gives consumers many privacy rights while putting transparency obligations on businesses.
California CPRA: California's Privacy Rights Act California law that expands the CCPA and gives consumers additional rights.
Virginia VCDPA: Virginia's Consumer Data Protection Act Virginia law that allows users to opt out of the sale of their personal data.
Maryland PIPA: Maryland's Personal Information Protection Act Maryland law that requires businesses to keep personal information private and secured.
Utah UCPA: Utah's Consumer Privacy Act Utah law that provides a range of consumer privacy rights, including the right to data portability.
Connecticut CTDPA: Connecticut's Personal Data Privacy and Online Monitoring Connecticut law that places transparency requirements on businesses while granting consumers rights over their personal data.
Colorado CPA: Colorado's Privacy Act Colorado law that grants privacy rights to consumers while dictating how businesses can collect and process personal data.
Florida FPPA: Florida's Privacy Protection Act Florida law that lets consumers control how their personal data is used, while requiring businesses to be more transparent.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy