Last updated on 20 May 2022 by Kate Stacey (Legal writer at TermsFeed)
Key updates in the CPRA include:
If the CCPA does not currently apply to your business, then the CPRA won't apply.
The CPRA applies if:
Relevantly, the CPRA creates:
Sensitive personal information includes:
If the information is already publicly available, it isn't sensitive personal information.
Under the CPRA, if MicroStrategy collects sensitive personal information, it will need to add it to this table as a separate category.
The CPRA allows users to limit the collection and use of their sensitive personal information.
This must be done via a link from your homepage labeled "Limit the Use of My Sensitive Personal Information." This link should direct users to a separate page where they can register their preferences.
If a user exercises their right to limit the use of their sensitive personal information, it can only be used in very limited circumstances including "to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services."
The CPRA gives users the right to correct any inaccuracies in their personal information.
Under this new right, upon receiving a user request you must make "commercially reasonable efforts" to correct the inaccurate personal information within 45 days.
It also provides both an online form and toll-free number for users to contact to correct their personal information:
Under the CPRA, users can opt out of their personal data (including sensitive personal information) being shared with a third party. This expands on the CCPA, which allows users to opt out of their data being sold, i.e. in exchange for payment.
We can see an example of this in Connexity's website footer, concerning the sale of data:
Under the CPRA, Connexity needs to update the link and opt out page to include data sharing.
The CPRA expands this obligation and requires you to also explain to users how long you intend to keep their information. This must be explained for each category of data you collect.
If you do not provide a specific timeframe for retaining personal information, you must explain the criteria for disposing of it. You cannot keep information for longer than is reasonably necessary.
Under the CPRA, you must notify users if their data will be used for automated decision-making (or data profiling) and allow them to opt out of the process. This requirement is especially relevant to businesses that use AI to process or analyze users' personal information.
Unlike the requirement for data retention notification, this can be a general statement that applies to all the types of data you collect.
Under the CPRA, users can opt out of their data being used to profile:
One of the most significant changes under the CPRA is the requirement for businesses to inform users "at or before the point of collection" as to how their data will be used and stored.
At a minimum, you must display an explanation of users' rights under the CPRA, including a category-by-category breakdown of whether you have collected data, where you got it, how you use it, and who you've disclosed it to in the past 12 months.
You must also explain how users can request access to their data.
You can do this by adding a separate webpage to your website detailing the rights of Californian users under the CPRA.
Here's an example from
This pop-up can be displayed when a user first navigates to your website, purchases your product, or subscribes to your service.
Here's an example from MeWe:
The CPRA will apply as of January 1, 2023. The CPRA expands on the data protection rights and obligations under the CCPA.