The California Privacy Rights Act of 2020 will replace the California Consumer Privacy Act of 2018, and many organizations will need to make some adjustments to data processing and sharing based on the new requirements.
The California Consumer Privacy Act's passage in 2018 was a tough pill for many companies to swallow. It created the first state privacy law in the U.S., and it incited widespread panic within privacy offices and engineering meetings: New obligations were coming, and some processes would have to change to meet the new duties. Keep in mind that many companies had spent the two years prior trying to set up operations to comply with the EU's General Data Protection Regulation. Now, anyone with customers in California faced two significant challenges.
While it might have been a headache for companies, California residents were fond enough of the rights granted them by CCPA that two years later, they voted "CCPA 2.0" into law. Or, as it's formally called, the California Privacy Rights Act.
Does the CPRA replace the CCPA?
The CPRA will replace the CPPA on January 1, 2023. While the CCPA contains a provision allowing businesses to correct violations before the California attorney general would issue a fine, the CPRA eliminates the grace period. California Privacy Rights Act, CPRA, builds on the CCPA and imposes additional obligations on businesses.
What is the difference between the CCPA and the CPRA?
The most significant change the CPRA will impose on businesses is a new set of obligations for processing sensitive data. The law defines sensitive data pretty broadly, including any information that reveals the following about a person:
- Government ID (Social Security numbers, passports)
- Geolocation
- Sexual orientation
- Race, religion or union membership
- Finances (credit cards, access codes)
- Communications (log-ins, etc.)
- Genetics
- Health
In addition, the CPRA grants consumers greater control over their sensitive information. While the CCPA allowed consumers to opt-out of companies selling their data to marketers and other interested parties, the CPRA goes further. It says consumers can tell companies not even to use or disclose their sensitive personal data.
New rules on data sharing
The CPRA allows consumers to opt-out of the sharing of their personal information. The law defines data sharing as disclosing personal data to third parties for behavioral advertising.
Data retention limits
The CPRA imposes limits on data collection, retention and use. The law states that a business can't retain personal or sensitive information for purposes other than it was initially collected nor for "longer than reasonably necessary for that disclosed purpose."
Profiling
While there's not quite enough guidance yet on the specific rules related to profiling, the CPRA allows consumers to opt-out of the use of their data to run through automated decision-making processes to derive insights about a consumer.
Who enforces the CPRA?
The California Attorney General enforces the CCPA. But the CPRA established a California Consumer Protection Agency, which will oversee compliance with the CCPA and CPRA. The agency can bring enforcement actions against businesses, and it's also charged with educating the public on the rules protecting Californians' privacy.
The five-person agency is also responsible for writing the specific rules and guidelines businesses must follow under California law. There are a whole lot of businesses eagerly awaiting those guidelines now. Some say it could be only a matter of weeks before the CPPA initiates its rulemaking process. But it was only in March that California officials announced appointments to the board, so it may be some time before the newly formed agency is ready to act.
What are the fines for violating?
Penalties for violating the CPRA can be as high as $2,500 per violation. Now, under the CPRA, regulators can fine businesses up to $7500 per violation. The CPPA won't start enforcing the CPRA until July 1, 2023, so there's a little breathing room.
Below is a chart comparing some of the CPRA's most significant changes as compared to its predecessor, the CCPA.
|
CCPA
|
CPRA
|
|
|
Enforcement
|
California Attorney General’s Office
|
California Privacy Protection Agency
|
|
Profiling
|
N/A
|
Consumers can opt-out of automated decision-making
|
|
Sensitive data
|
N/A
|
Businesses must disclose how they collect, use and disclose
Consumers may opt-out of the use of their sensitive data
|
|
Data minimization
|
N/A
|
Businesses must only collect and retain what’s “reasonably necessary” and “proportionate” to the intended purpose
|
|
Consumer remedies
|
Consumers may file a private right of action when lack of reasonable security leads to a breach
|
CCPA, plus consumers can file a private right of action if data breached includes consumer’s email address and password or security question
|
|
Data Protection Impact Assessments
|
N/A
|
Required, specific rules to be determined by forthcoming rulemaking
|
|
Deletion
|
Businesses must fulfill validation consumer requests to delete their data
|
Businesses fulfilling legitimate deletion requests must also notify third-parties to delete such information
|
|
Third parties
|
Not-defined
|
Third-parties defined, excludes service providers and contractors
Businesses must impose CPRA-level contractual obligations on third-parties before sharing, selling or disclosing personal data
|
|
Opt-out links
|
Businesses must have a “Do not sell my personal information” link
|
Businesses must have a “Do not share my personal information” link and a “Limit the use of my personal information” link
|
|
Fines
|
Up to $7,500 per violation or $2,500 per unintentional violation
|
Automatic $7,500 fine for violations of minors’ data (children under the age of 16)
|
