
CPRA Enforcement: Frequently Asked Questions

Written by Matt Davis, CIPM (IAPP) | February 20, 2024

CPRA enforcement has gone through many twists and turns over the years, and it’s completely reasonable to be a bit confused about what’s happened. 

After a last-minute reversal, the CPRA is fully enforceable as of July 1, 2023.  

Some may have heard that CPRA enforcement had been delayed until March 29, 2024; others may have thought that the CPRA was already enforceable. The reality is... complicated. 

CPRA Enforcement Timeline

A Timeline (With Lots of Acronyms Starting With the Letter C) 

Most of the CPRA came into force on January 1, 2023. However, only the statutory requirements of the CPRA and the regulatory requirements of the previous California Consumer Privacy Act (CCPA) were enforceable. In essence, only the requirements defined in the text of the CPRA itself and the regulations and rules developed around the earlier CCPA were enforceable. That’s why the California attorney general was able to go after Sephora for CCPA violations, even though the CPRA hasn’t been fully enforceable until recently. 

Some issues (like data privacy) are too expansive and complicated to effectively manage with just one fixed set of requirements defined in the text of a law. In these cases, another state or federal authority makes rules that comprise the law’s regulatory (as opposed to statutory) requirements. In regard to the CPRA, that authority is the California Privacy Protection Agency (CPPA). This agency has been making additional rules to ensure the CPRA comprehensively and effectively regulates data privacy in California.   

Unfortunately, the CPPA was late finalizing its rules and only wrapped them up in March of 2023. The California Chamber of Commerce sued, arguing that enforceability was always meant to kick in a year after rulemaking was finalized, so California courts delayed enforcement to March 29th, 2024. The CPPA filed an appeal at the time.  

Again, this refers to the regulatory enforcement of the CPRA, not the statutory enforcement of the CPRA or the regulatory enforcement of the CCPA. That’s why the Sephora enforcement action could take place, even though CPRA enforcement hadn’t fully kicked in. Enforcement of the additional requirements developed by the CPPA had been delayed until March 29, 2024.  

Except California's Third District Court of Appeal threw us all for a loop. It granted the CPPA’s appeal. As a result, not only is the CPRA enforceable as of today, but it has been enforceable as of July 1, 2023—the original date when enforcement was meant to kick in.  

Now that we’re all caught up on what happened with CPRA enforcement when and why, let’s answer some of the lingering questions we’ve been hearing about CPRA enforcement.

CPRA Enforcement FAQs

1. How Does Enforcement Work and What Should I Expect?

The state attorney general and the California Privacy Protection Agency (CPPA) have the right to levy fines against noncompliant businesses, including:  

  • Up to $7,500 for each intentional violation.  
  • Up to $2,500 for each unintentional violation.   

Each instance of improperly handled personal information counts as a violation, so these fines can quickly balloon to a serious level that has numbered in the millions of dollars in the past. Specifically, each impacted consumer is generally considered a “violation.” 

We can look to historical examples of enforcement to determine what companies should expect. Thus far, only one company has been penalized under the CCPA/CPRA: Sephora. They were given a 30-day notice to address violations—which is no longer a mandatory aspect of the law, unfortunately. Now, whether or not to offer this cure period is up to the Attorney General and CPPA’s discretion.  

Sephora failed to address these violations in time, however. They were fined $1.2 million for sending consumer data to external ad tech and analytics companies without giving consumers a way to opt out. You can learn more about this case in An Analysis of the Sephora Enforcement Action. 

2. Who Is Subject to the CPRA?

Without a doubt, the most frequent questions we receive from individuals and organizations center on whether or not the law applies to them. Let’s review the CPRA threshold criteria and dive deeper into its specifics. 

As a reminder, the CPRA applies to your organization if you “do business” in the state of California and meet at least one of the following: 

  • Buy, sell, or share the personal information of 100,000 people or households.   
  • Create 50% or more of your revenue through the sale or sharing of personal information.    
  • Had $25 million in gross revenue in the preceding calendar year.   

There are some important facts about these threshold criteria that are worth highlighting. First, the CPRA applies if you do business in California and meet any one of the three criteria listed above—so, if you earn $25 million in gross revenue and do business in California but don’t collect anybody’s personal information (which is, frankly, borderline impossible), you still need to comply. 

So, what does it mean to “do business” in the state of California? The CPRA itself doesn’t define this term, but there is a broader legal definition of the term. From legal-explanations.com: 

The term "doing business" refers to the regular activities a corporation undertakes, whether it is within the state of incorporation or in other states. The actions that constitute "doing business" can include a wide range of activities, such as selling products or services, maintaining a physical presence, or employing workers. 

That’s pretty broad, so a good rule of thumb is if you think you do business in California, you probably do and may be subject to the CPRA as a result. 

Importantly, this law is extra-territorial. So, even if you earned $25 million outside of California but still do business in the state and process Californians’ data, you’ll need to comply. It doesn’t matter whether your business is based in Canada, Kyrgyzstan, or the moon—you’ll still need to comply. 

Another common misconception is that the CPRA doesn’t apply to B2B organizations.  

There had been a period of time where personal information processed in the course of conducting due diligence regarding, providing a product or service to, or receiving a product or service from another business was exempt from the CPRA’s requirements. However, this exemption has since expired. 

Now, if you collect or process an individual’s information—even if you’re just trying to get the business they work for to become a client or customer—then it still counts against the CPRA’s threshold criteria, and violations involving that individual’s data can still be enforced. 

3. Are Non-Profits Exempt From the CPRA? What Kind of Exemptions Are There Under the CPRA?

Non-profits are indeed exempt from the CPRA, though any revenue-generating or for-profit ventures or partnerships may trigger the need for compliance for that specific activity. 

There are a number of other exemptions under the CPRA as well, including: 

  • Compliance with law enforcement investigations requiring the organization to process personal information. 
  • Cooperation with emergency access requests by a government agency.  
  • Deidentified or aggregated information; that is, the data cannot be linked to or used to infer information about a data subject, or the data is associated with a group or category of individuals whose information has been deidentified. 
  • Data governed by HIPAA, CMIA, GLBA, CFIPA, DPPA, FCRA, and several other federal and state regulations. It’s important to note that these exemptions apply to data, not entities. So, if your organization processes some data that is subject to HIPAA and some data that is not, then you’ll still need to comply with the CPRA for the non-HIPAA data. 

There used to be an exemption for data collected in an employment or commercial context, but this exemption was sunsetted on January 1, 2023—that means employees can exercise all of the rights afforded to them under the CPRA, and businesses must meet CPRA requirements around their employees’ data. 

For a complete list of exemptions, see Section 15 of the CPRA. 

4. What Are the CPRA’s Requirements Around PIAs?

As of this writing, the California Privacy Protection Agency (CPPA) has not finalized its formal rulemaking process for several key aspects of compliance, including risk assessments. However, it has released draft guidance on this subject, and we can look to how other laws handle privacy impact assessments (PIAs) to see what will likely be required. 

Even though the rulemaking process for this isn’t complete, it’s still in your best interest to complete PIAs/risk assessments when advisable. At worst, it reduces the privacy risk in your processing activities; at best, it saves you from a fine applied retroactively. 

According to the CPPA, organizations must conduct a PIA before engaging in activities that present a “significant risk” to privacy. Some example activities include: 

  • Selling or sharing personal information. 
  • Processing sensitive personal information. 
  • Using automated decision-making technology that could have a legal or similarly significant effect on a consumer or for developing consumer profiles. 
  • Processing the personal information of a known child (defined as an individual under 16). 

At a minimum, a risk assessment should include: 

  • A summary describing how PI is collected, used, disclosed, and retained. 
  • Categories of PI being processed. 
  • Context of the processing activity. 
  • Consumer expectations for the purpose of PI processing. 
  • Purpose, benefits, and negative impacts of PI processing. 
  • Safeguards to address negative impacts. 
  • Assessment of whether the negative impacts outweigh the benefits. 

For more information, see What Is a Privacy Impact Assessment (PIA) & How to Conduct One.

5. What Does “Selling” and “Sharing” Personal Information Mean, and What Are the Associated Opt-Out Requirements?

The CCPA’s original definition of the word “sell” created confusion, so the CPRA clarified the intended regulated activities by prohibiting both the sharing and selling of personal data should a consumer opt out. So, if a consumer asks your business not to share or sell their personal information, then you may not transfer that data to other entities, whether that’s for a monetary exchange, other valuable consideration, or even for free. Notably, this rules out sharing data for targeted advertising purposes. 

To operationalize this requirement, businesses must have a link on their website reading “Do not share or sell my personal information,” which, when clicked, must cause the business to do exactly that. So, for example, if a business uses third-party cookies, it may not drop those cookies on the browser of a consumer who has opted out. 

The CPRA also requires businesses to allow consumers to opt out of certain uses of their sensitive personal information—this is a special category of data that could cause significant harm if it were mismanaged, such as social security numbers, race and ethnicity, gender identity, and so on. Businesses need to have a link reading “Limit the use of my sensitive personal information.”  

While the Do Not Share/Sell link prohibits businesses from sharing or selling all kinds of personal information (including sensitive personal information), this link limits what businesses can do with sensitive personal information to a specific list of business purposes, which includes: 

  • Providing the service or goods reasonably expected by an average consumer requesting those services or goods. 
  • Helping to ensure the security and integrity of the consumer’s personal information. 
  • Short-term, transient use, so long as the consumer’s information is not disclosed to a third party, is not used to build a profile, and does not otherwise affect the consumer’s experience outside of their interaction with the business. 
  • Performing basic services for the business, such as providing customer service, verifying customer information, and so on. 
  • Enabling product or service maintenance or improvement. 

Now, stopping a business from sharing all personal information entirely would have a major impact on operations and could even prevent a business from functioning at all. 

That’s why the CPRA requires data processing addendums with certain categories of vendors and/or partner organizations. These contractual addendums prevent organizations from misusing your consumers’ data. As a result, data transfers between your organization and these external parties are exempt from consumer opt-out requests. This way, critical business functions can continue to work as necessary, while potentially risky activities (like targeted advertising) remain prohibited. 

You can learn more about data processing addendums under the CPRA in CPRA Compliance Checklist: 7 Key Steps.

6. How Do Data Subject Requests Function Under the CPRA? Do Employees Get DSAR Rights?

Under the CPRA, data subjects have certain rights, including the right to: 

  • Know about the personal information collected and used by a business. 
  • Request the deletion of personal data. 
  • Opt out of the sale or sharing of their personal information. 
  • Opt into the sale or sharing of the personal data of a child under 16. 
  • Correct inaccurate information. 
  • Limit the use and disclosure of sensitive personal data. 
  • Avoid discrimination upon exercising the rights granted by the CCPA. 

When responding to a data subject request, businesses must comply within a 45-day window, with the option of a 45-day extension. 

Now, for a long time, these rights did not apply to individuals acting in a commercial capacity with the business—think employees, independent contractors, job applicants, and the like. So long as the business was collecting information related to that individual’s role, emergency contact, or benefits, then it was exempt from the CPRA’s DSAR requirements.  

Other data privacy laws still have this exemption, but the CPRA sunsetted it on January 1, 2023. So, employee information is indeed subject to the CPRA’s requirements, including its DSAR requirements.

7. How Do Universal Opt-Out Signals Relate to CPRA Requirements?

Universal opt-out signals are technologies that enable consumers to indicate their consent preferences once, rather than each time they visit a new website. Most data privacy laws now require that businesses treat such signals as if the consumer had opted in or out of data collection on their website. 

One of the more common signals is the Global Privacy Control (GPC), which functions as a browser extension.  

In fact, one of the very first examples of CPRA enforcement involved a failure to honor GPC signals—Sephora was hit with a $1.2 million fine by the California attorney general for, among other things, transferring data without acknowledging consumer opt-outs made via the GPC. 

The next logical question is, of course, how do you recognize GPC signals? You can find backend implementation information on the GPC website. But realistically, it’s easier to find a consent management platform that can handle the full spectrum of consent requirements, both in California and abroad. 
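To make the GPC question concrete, and to show how the same decision governs the third-party cookie behaviour described under question 5, here is an added example that is not part of the original article and not Osano's code. The request header name `Sec-GPC` with the value `1`, and the browser-side property `navigator.globalPrivacyControl`, come from the Global Privacy Control specification; the function names, the sample requests, and the cookie policy expressed in the returned object are constructed for illustration and would need to be wired into your own consent store.

```javascript
// Added example (not from the original article): honoring a Global Privacy
// Control signal on the server side. "Sec-GPC: 1" and navigator.globalPrivacyControl
// are defined by the GPC specification; everything else here is constructed.

// Header lookup that tolerates any capitalisation of the header name,
// since frameworks differ in how they normalise request headers.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// True only when the browser sent "Sec-GPC: 1". The spec gives meaning only
// to the value "1"; a missing header, "0" or anything else is "no signal".
function hasGpcSignal(headers) {
  const raw = getHeader(headers, 'Sec-GPC');
  return typeof raw === 'string' && raw.trim() === '1';
}

// Decide what the page may do for this visitor. A GPC signal is treated the
// same as a click on the "Do not share or sell my personal information" link,
// and a previously recorded opt-out (storedOptOut) is honored as well.
// Third-party ad/analytics tags must not load for an opted-out visitor;
// first-party, strictly necessary cookies (session, security) may still be set.
function trackingDecision(headers, storedOptOut = false) {
  const gpc = hasGpcSignal(headers);
  const optedOut = gpc || storedOptOut === true;
  return {
    gpcSignal: gpc,
    optedOut,
    allowThirdPartyTrackers: !optedOut,
    allowStrictlyNecessaryCookies: true,
    // Persist a fresh signal so the opt-out survives a later visit from a
    // browser without GPC enabled (the persistence itself is left to the caller).
    persistOptOut: gpc && !storedOptOut,
  };
}

// Browser-side counterpart: the spec exposes the same preference as
// navigator.globalPrivacyControl, so a consent script can check it before
// injecting any tag. The parameter lets the function run outside a browser.
function clientHasGpcSignal(nav = typeof navigator !== 'undefined' ? navigator : undefined) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed sample requests (not real traffic).
const SAMPLE_REQUESTS = {
  gpcOn:  { 'sec-gpc': '1', 'user-agent': 'ExampleBrowser/1.0' },
  gpcOff: { 'Sec-GPC': '0', 'user-agent': 'ExampleBrowser/1.0' },
  noGpc:  { 'user-agent': 'ExampleBrowser/1.0' },
};

// Stand-alone run: print the decision for each sample request.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  for (const [name, headers] of Object.entries(SAMPLE_REQUESTS)) {
    console.log(name, trackingDecision(headers));
  }
}
```

The point of `persistOptOut` is that a GPC signal only arrives with each request from a browser that has it enabled; recording it against the visitor's account or consent cookie means the opt-out still holds when the same consumer returns from another device, which is the behaviour a regulator would expect after the Sephora action.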

Minimize Your Risk With a Data Privacy Platform 

Without a data privacy platform, becoming compliant with the CPRA and avoiding enforcement is going to be a challenge. Manual compliance is possible—but it’s more time-consuming, error-prone, and ultimately, riskier. Businesses interested in minimizing their risk and saving enough time to dedicate to revenue generation invest in data privacy platforms. 

With the Osano Data Privacy Platform, you’ll be able to: 

  • Discover and map stores of data across your organization, providing insight into third-party transfers, sensitive data collection points, and where data subjects’ information lives. 
  • Automate and streamline the DSAR workflow, minimizing the risk of missing deadlines, missing relevant data, or exposing others’ personal information by accident. 
  • Automatically block or trigger cookies and other data trackers on your site based on consumer consent preferences. 
  • Accept GPC and other universal opt-out preference signals. 
  • Assess your vendors to ensure you work with trustworthy organizations that can meet the obligations you set forth in your data processing addenda. 
  • And more. 

Schedule a demo of Osano today to see how it can help you reduce your risk now that CPRA enforcement is live.