Like the CCPA, this law applies to every for-profit organization located in California and those doing business in the state, collecting personal information from California residents (or has it collected for them), and meeting revenue or other thresholds described below.
The law further strengthens online privacy rights for Californians, but the changes naturally extend to all consumers, as businesses want to create comprehensive privacy policies that will meet current and new state regulations as they come about.
It’s imperative that companies not only stay abreast of the online data collection and privacy changes, but that they also maintain compliance with new laws and regulations. This guide will outline California’s history related to privacy regulation, how it impacts businesses, critical elements of the CPRA, enforcement and penalties, and how you can better prepare for CPRA and other upcoming regulations.
A brief history of California privacy regulation
It wasn’t so long ago that online privacy rights were established, and in fact, the US still doesn’t have comprehensive federal law on data privacy. As states work to tackle privacy rights, companies that operate nationally and internationally are left trying to interpret and maintain compliance. Globally, the European Union has established the General Data Protection Regulation, and other nations are following with their own set of guiding principles.
“Voters acted in response to the accelerating encroachment on personal freedom and security caused by increased data collection and usage in contemporary society,” the CPRA amendment update reads. “The amendment established a legal and enforceable constitutional right of privacy for every Californian. Fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.”
Since that time, the California Legislature has established several safeguarding mechanisms, from the Online Privacy Protection Act to the Privacy Rights for California Minors in the Digital World Act.
In 2018, the CCPA expanded privacy rights to include the ability for consumers to learn what personal information a business has collected and how it’s used, as well as to prohibit companies from selling their personal data.
The California Privacy Rights Act is the next iteration of California law that strengthens privacy regulations and protects consumers’ privacy. The CPRA supports the California Consumer Privacy Act (CCPA) of 2018, and many organizations will need to make some adjustments to data processing and sharing based on the new requirements.
What are the key changes of this so-called CCPA 2.0, and how might it affect my business?
The CPRA updates take effect January 1, 2023, with enforcement set to begin in July. Some of the most substantial changes include:
Updated “Right to Know” and “Right to Access Personal Information”:
Consumers have the right to request:
- Categories of personal information (PI) the business has collected;
- Categories of sources from which PI is collected;
- Business or commercial purpose for collecting, selling, or sharing PI;
- Categories of third parties to whom the business discloses personal information; and
- Specific pieces of PI a company has collected about them.
Updated criteria for qualifying businesses:
The CPRA redefines the size and scope of information a business processes to be required to adhere to the law. A legal, for-profit entity that collects California consumers’ personal information must follow the law if it meets any of the following:
- Has an annual gross revenue of over $25 million in the previous calendar year.
- Buys, sells, or shares the personal information of 100,000 or more consumers or households (either alone or in combination with another company). This number is double the threshold the CCPA outlined.
- Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.
Grace period eliminated:
Ability to correct information:
- Government ID (Social Security numbers, passports)
- Geolocation
- Sexual orientation
- Race, religion, or union membership
- Finances (credit cards, access codes)
- Communications (log-ins, etc.)
- Genetic information
- Health
New rules on data sharing and portability:
Data retention limits:
Profiling:
Rights for Minors:
Below is a chart comparing some of the CPRA’s most significant changes compared to its predecessor, the CCPA.
| | CCPA | CPRA |
| --- | --- | --- |
| Enforcement | California Attorney General’s Office | California Privacy Protection Agency |
| Profiling | N/A | Consumers can opt-out of automated decision-making |
| Sensitive data | N/A | Businesses must disclose how they collect, use and disclose sensitive data; consumers may opt-out of the use of their sensitive data |
| Data minimization | N/A | Businesses must only collect and retain what’s “reasonably necessary” and “proportionate” to the intended purpose |
| Consumer remedies | Consumers may file a private right of action when lack of reasonable security leads to a breach | CCPA, plus consumers can file a private right of action if data breached includes consumer’s email address and password or security question |
| Data Protection Impact Assessments | N/A | Required; specific rules to be determined by forthcoming rulemaking |
| Deletion | Businesses must fulfill validated consumer requests to delete their data | Businesses fulfilling legitimate deletion requests must also notify third parties to delete such information |
| Third parties | Not defined | Third parties defined, excluding service providers and contractors; businesses must impose CPRA-level contractual obligations on third parties before sharing, selling or disclosing personal data |
| Opt-out links on websites | Businesses must have a “Do not sell my personal information” link | Businesses must have a “Do not share my personal information” link and a “Limit the use of my personal information” link |
| Fines | Up to $7,500 per violation or $2,500 per unintentional violation | Automatic $7,500 fine for violations of minors’ data (children under the age of 16) |
“No retaliation” is allowed
It’s important to note that the CPRA prohibits discriminating against consumers who opt-out by:
- Denying goods or services to the consumer.
- Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
- Providing a different level or quality of goods or services to the consumer.
- Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
- Retaliating against a team member, an applicant for employment, or an independent contractor for exercising opt-out rights.
Enforcement of the CPRA
The CPRA required creating a new agency to implement and enforce the law. Dubbed the California Privacy Protection Agency, the newly established group will be responsible for ensuring the CPRA regulations are enforced.
According to Bloomberg Law, “Although the CPRA grants the California Privacy Protection Agency ‘full administrative power, authority, and jurisdiction to implement and enforce’ the CCPA, the Attorney General still retains enforcement powers. Cal. Civ. Code § 1798.199.90 provides that the California Privacy Protection Agency ‘may not limit the authority of the Attorney General to enforce this title.’”
The agency can bring enforcement actions against businesses, and it’s charged with educating the public on the rules protecting Californians’ privacy. Additionally, the agency is responsible for writing the specific regulations and guidelines businesses must follow under California law.
Many businesses are eagerly awaiting guidelines. In February 2022, the agency announced an update on the rulemaking process, with completion estimated in the fourth quarter. If rulemaking isn’t complete until the end of 2022, businesses would be left with little time to interpret and change their practices. It remains unclear if the initial January 1, 2023 compliance and July enforcement dates will be changed due to the rulemaking taking longer than expected.
What happens if the CPRA is violated?
The CCPA carries fines of $2,500 per violation, or $7,500 for each intentional violation. Still, it allows 30 days for businesses to remedy the violation once they’re informed of noncompliance.
The CPRA has more teeth — it both eliminates the 30-day remedy period and increases the fine for violations in the case of minors to $7,500 per incident, whether the violation was intentional or unintentional. The $2,500 maximum stands for accidental violations that involve California residents older than 16.
How can my company prepare for and ensure we’re compliant with the CPRA?
Right now, CPRA noncompliance becomes enforceable in mid-2023. This could change based on when the protection agency completes the final rulemaking. But (there’s always a “but”), there’s a 12-month “look-back” period. This means companies must be able to supply a person’s personal data to them for the entire year before the law takes effect on January 1, 2023.
Like with any new regulatory compliance measures, preparing early will help ease the transition and spread out any implementation costs. If you haven’t already, now is the time to review where you are and where you need to be.
Make sure you understand your company’s processes:
- What personal information does your business collect?
- Why is data being collected?
- What is done with PI collected by your company? Where is it stored, and with whom do you share it?
Update notices on your website:
Point of data collection notices will need to be updated. In addition to notifying consumers that their data may be sold or shared, companies also have to inform users how long their data will be kept. Ensure your website’s privacy notice reflects the new definition of sensitive personal information (see above).
Update home page links:
The CPRA mandates that businesses update their “Do not sell my personal information” links to include “Do not sell or share my personal information” and to display it prominently on their home page.
Update your privacy policy:
Ensure all changes are reflected in your company’s privacy policy and update your policy annually.
Consider a consent management platform:
A designated consent management platform (CMP) can help your company document and manage user consent in a legally compliant manner before data is collected, stored, sold, or shared. They can help ensure compliance with privacy laws, even as they change. CMPs also can help manage requests for data information and monitor third-party vendors.
Download our ebook:
Our ebook “Preparing for the CPRA” will help you better understand the law and how it impacts you in easy-to-understand language.
The CPRA is a complex set of regulations. We’ve tried to highlight fundamental changes that will impact businesses so you can better prepare for the future. You don’t have to do it alone — Osano provides solutions to keep companies compliant and ready for whatever the next new set of privacy regulations brings.
Why Osano?
Osano has attorneys on hand to continually monitor international privacy legislation, DPA opinions, and court cases, so you can rest easy that your company is doing everything possible to comply with regulations globally, even as they change.
We can assist your company in creating policies, act as a company’s data protection officer (DPO), conduct assessments, create checklists, and more. We work with businesses of all sizes – from SMBs to Fortune 500 companies and everyone in between – and those at all stages in the compliance journey.
Osano helps companies decide which vendors they want to work with, comply with regulations like GDPR, CPRA, and other laws, and efficiently collect and store consent for verification. With Osano, you can see all your SaaS vendors, privacy scores, data transfers, and risk factors instantly.