Legal and data protection research writer at TermsFeed.
On July 1, 2020, California's CCPA became enforceable. A few days earlier, the privacy advocacy group "California for Consumer Privacy" (CFCP) announced that it had collected almost a million signatures to have the California Privacy Rights Act (CPRA) placed on the November 2020 ballot.
The CPRA expands upon and amends the CCPA, which has led to it being known informally as CCPA 2.0.
Whether your business is in California or not, you should be observing this bill closely as it could have substantial consequences for how you operate.
What Does the CPRA Do?
As the CFCP notes on its website, the CPRA is designed to make it much harder to weaken privacy. In the CFCP's words, the CPRA will:
"MAKE IT MUCH HARDER TO WEAKEN PRIVACY in California in the future, by preventing special interests and politicians from undermining Californians' privacy rights, while allowing the Legislature to amend the law to further the primary goal of strengthening consumer privacy to better protect you and your children, such as opt-in for use of data, further protections for uniquely vulnerable minors, and greater power for individuals to hold violators accountable."
The CCPA is greatly expanded upon by the CPRA. It will grant consumers new rights and impose unique obligations on businesses, as well as change enforcement provisions within the CCPA.
According to the new measure, the CPRA will be integrated into the CCPA. Anything added to the CCPA by the CPRA will take effect on January 1, 2023, although enforcement of added obligations won't start until July 1, 2023.
Who Does the CPRA Apply to?
There are many changes to the CCPA made by the CPRA. These changes range from new and potentially burdensome obligations, to helpful clarifications of the original law's language.
Like the CCPA, the CPRA applies to any for-profit organization that does business in the State of California and meets at least one of a few criteria.
The CPRA applies to businesses that:
- Have a gross annual revenue of over $25 million in the preceding calendar year, or
- Buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices, or
- Derive 50% or more of their annual revenue from selling or sharing California residents' personal information
Exemptions from CPRA Provisions
In general, the CPRA keeps the same exemptions as the CCPA, although it improves upon some of them.
The CCPA already provides exemptions for data related to job applicants, employees, and business-to-business (B2B) contacts. However, the CPRA extends these exemptions.
Among the CPRA's improvements on the CCPA are clarifications of the clinical trial exemptions. For instance, if biomedical research or a clinical trial is conducted in keeping with the Common Rule, an exemption applies.
The CPRA also provides exemptions for healthcare providers and for medical data that is protected by the Confidentiality of Medical Information Act.
Additionally, the following is exempt:
"Personal Information collected as part of a clinical trial or other biomedical research study subject to or conducted in accordance with the Federal Policy for the Protection of Human Subjects...."
Significant Requirements of the CPRA
- Service providers are banned from combining data received from other businesses or collected in the "business" capacity of the service provider with personal information collected as a service provider.
- Businesses will now have to enter into contracts with third parties to which the business "shares" or sells personal data. In this context, "sharing" refers to transfers of data for the purpose of cross-contextual advertising.
- Storage limitation, data minimization, and data security requirements are established. For example, the CPRA demands that businesses disclose: "the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible the criteria used to determine such period..."
- The 30-day "cure" period, during which a business could previously remedy non-compliance before it became a CCPA violation, is abolished.
- The CCPA's private right of action has been broadened to cover unauthorized disclosure of, or access to, an email address together with a password or security question that would grant access to an account, where the disclosure or access resulted from a failure to implement reasonable security measures.
The CPRA also allows consumers to specifically:
- Ask that a business use a commercially reasonable effort to correct erroneous personal data in response to a verified request
- Restrict a business's disclosure and use of the consumer's "sensitive personal information" that includes a broad range of data elements
- Opt out of "sharing," which is defined by the CPRA as disclosures of personal data for the purposes of cross-contextual advertising
- Opt out of automated profiling and decision making (although this is dependent upon a rulemaking proceeding)
How to Comply With the CPRA
When it comes to compliance with the CPRA's amendments, businesses should be prepared to respond to all regulatory requirements swiftly. Through advanced reporting, which may include executive reports, trends, and native reporting, companies must be prepared to satisfy data requests at scale.
Additionally, businesses need to automatically discover, identify, and classify all sensitive personal information (SPI) no matter where it is stored. According to the CPRA, this data includes such things as:
- Driver's licenses
- State ID numbers
- Exact geolocation
- User credentials
- Passport information
- "Sex life" or sexual orientation information
- Racial or ethnic origin data
- Biometric or genetic information
- Union membership
- Content of mail, email, and SMS messages
- Philosophical or religious beliefs
- Social Security Numbers
The Right to Correction Stipulation
With the above in mind, organizations doing business in California must be able to inventory all personal and sensitive information associated with an identity, whether that information was collected directly or inferred.
You should inventory all that data to gain a complete picture of exactly what consumer information your business is collecting.
That's because the CPRA stipulates that businesses have to provide consumers with the means to correct and update any information the company has, which the consumer deems incorrect.
The Right to Know Stipulation
Your business should also try to strengthen any privacy management program it has by recording data flows and automating the "right to know" fulfillment process.
According to the CPRA, a consumer's "right to know" includes personal information that is not just collected, but that is also shared or sold. Your company must now reveal what data categories it collects, shares, or sells to any third party. Moreover, you should keep in mind that the right to know extends past the CCPA's current 12-month lookback provision.
The Right to Limit the Disclosure and Use of Sensitive Personal Information
Your company should add context to the information it collects by inferring new attributes, uncovering relationships, and viewing information according to its end-use.
This is because the CPRA stipulates that consumers will now be allowed to limit the collection and processing of their sensitive personal data to only those uses "necessary" to provide the services or goods they have asked for.
The Right to Delete Rule
Your business must be able to determine where information is located, what ought to be deleted, and then ensure that ongoing deletion validation is automatic.
This is because the CPRA demands that businesses inform service providers, contractors, and third parties of deletion requests made by consumers. The important part to remember here is that if your company receives that deletion request, you are now responsible for ensuring that all third parties work together to continue deleting the consumer's data down the line.
To comply with the CPRA, you'll want to focus on:
- Protecting data
- Limiting data retention
- Minimizing data collection
Additionally, keep in mind that your business will be required to prominently display a "Limit the Use of My Sensitive Information" link or button on its website. The only exception is if you let consumers limit information use through a preference signal (such as one sent by a browser).
Penalties for Non-Compliance
The CPRA updates the CCPA's penalties to include administrative fines for intentional violations involving the sensitive personal information of people under the age of 16. These fines can be as high as $7,500 (USD).
Summary
The CPRA updates and expands upon the CCPA. It creates new privacy rights for consumers, allowing them to prevent businesses from using sensitive personal data, which may include financial or health information. It also prevents businesses from selling or tracking a consumer's location without that consumer's knowledge or consent.
Additionally, the CPRA establishes a new agency to protect consumers' rights by giving them back control over data that belongs to them and by increasing overall transparency.
The CPRA gives consumers the following major rights:
- The right to know what personal, sensitive information businesses collect and why
- The right to deny the sale of that personal information
- The right to hold businesses responsible for the security of any personal information that is collected
Finally, the CPRA triples fines for collecting and selling the private information of anyone under the age of 16, and requires that businesses must acquire opt-in consent in order to sell to anyone 16 years old or younger.
All U.S. Privacy Laws
Want to read more about privacy laws in the USA? Start here:
| Law | Description |
| --- | --- |
| COPPA: Children's Online Privacy Protection Act | Federal law that protects the privacy of children under 13 years of age when online or using a mobile app. |
| HIPAA: Health Insurance Portability and Accountability Act | Federal law that protects the privacy of health information of individuals. |
| California CCPA: California's Consumer Privacy Act | California law that gives consumers many privacy rights while putting transparency obligations on businesses. |
| California CPRA: California's Privacy Rights Act | California law that expands the CCPA and gives consumers additional rights. |
| Virginia VCDPA: Virginia's Consumer Data Protection Act | Virginia law that allows users to opt out of the sale of their personal data. |
| Maryland PIPA: Maryland's Personal Information Protection Act | Maryland law that requires businesses to keep personal information private and secured. |
| Utah UCPA: Utah's Consumer Privacy Act | Utah law that provides a range of consumer privacy rights, including the right to data portability. |
| Connecticut CTDPA: Connecticut's Personal Data Privacy and Online Monitoring | Connecticut law that places transparency requirements on businesses while granting consumers rights over their personal data. |
| Colorado CPA: Colorado's Privacy Act | Colorado law that grants privacy rights to consumers while dictating how businesses can collect and process personal data. |
| Florida FPPA: Florida's Privacy Protection Act | Florida law that lets consumers control how their personal data is used, while requiring businesses to be more transparent. |