What Is the CPRA?
CPRA Overview
Are you subject to the California Privacy Rights Act (CPRA)? What are its primary requirements? What penalties could you incur? Learn the answers to these questions and more in this blog article:
CPRA Effective Date
- CPRA effective date: 1/1/2023
- CCPA effective date: 1/1/2020
- Enforcement date: 7/1/2023
(Updated: on February 9, 2024, the California Privacy Protection Agency (CPPA) won its appeal of the trial-court ruling that had delayed enforcement of the initial CPRA regulations. The regulations became enforceable immediately, restoring July 1, 2023 as the effective enforcement date.)
Deeper Dive
For those looking for a deeper dive into the CPRA questions we field most often, download our free, ungated FAQ eBook:
Why Is It Important?
Fines That Add Up
Privacy-minded individuals understand that respecting consumers' rights is inherently worthwhile, but data privacy compliance also saves businesses money and reduces risk.
Businesses that violate the CPRA are subject to:
- Up to $2,500 per violation
- Up to $7,500 per intentional violation, and per violation involving the personal information of a consumer the business knows is under 16
This adds up! Regulators treat each affected consumer as a separate violation, so if a data breach exposes thousands of customers' records, the total exposure can run into the millions of dollars.
The Sephora Example
Take beauty retailer Sephora: the California Attorney General gave the company 30 days to cure CCPA violations on its website, and it did not do so within that window. The result was a $1.2 million settlement in what became the first public enforcement action under the CCPA.
We dive deep into what went wrong and how the penalty came about in our blog:
Read it to learn more about the penalties that noncompliance invites and how best to minimize your own risk.
What Do I Need to Do?
Start With the Basics
For businesses subject to any of the five state privacy laws that took effect in 2023, or to those taking effect in 2024, we recommend following this checklist:
It covers the basics that you need for compliance with any privacy law, including the CPRA.
DSAR Overview
Learn or remind yourself of the basics of data subject access requests:
Have a DSAR Process That Includes Your Employees
One of the most distinctive features of the CPRA is how it treats data subject access requests (DSARs). Unlike other state privacy laws, the CPRA applies to employee and workforce data as well as consumer data, so employees can submit DSARs too. Learn more about how this raises complexity and risk in our infographic:
Consent Requirements Under CPRA
And, as with all omnibus data privacy legislation, businesses need to be aware of how the law treats consent for data collection, processing, and transfers. Under the CPRA, businesses need to offer a means for consumers to:
- Opt out of the sale or sharing of their personal information
- Request businesses to limit the use of their sensitive personal information to only what is necessary for the business to provide its core product or service
To dig deeper into the consent and cookie banner requirements under the CPRA, review our blogs:
- How CPRA Expands Consumer Privacy Rights and Information Sharing
- Cookie Banner Examples for the GDPR, CPRA, and More
Make It Easier Through Data Mapping
Like most data privacy regulations, the CPRA does not directly require you to map your organization’s data. But if you choose to skip this crucial step, meeting the law's other requirements will be much, much more difficult.
When done well, data mapping provides an accurate, up-to-date view of where personal data is sourced, stored, processed, and transferred throughout your organization. With a well-crafted data map, you'll be equipped to rapidly and accurately respond to DSARs, manage the flow of personal information and sensitive personal information based on user consent preferences, manage your vendors, and more. Learn about the basics of data mapping in our blog:
How Do I Get Compliant?
Find a Data Privacy Platform That Works for You
Given the scope and scale of the CPRA, privacy professionals looking to achieve CPRA compliance should evaluate holistic data privacy platforms rather than multiple point solutions.
It can be tempting to identify a functional cookie consent solution and merely rely on spreadsheets to manage the rest, but this approach invites noncompliance. Not only does using spreadsheets and point solutions waste time with redundant data entry and context switching, but it also raises the risk of human error.
To fulfill a DSAR under this approach, for example, you must either have built and maintained a data inventory that records where personal data flows through your organization, or interview the owners of every personal data store each time a request arrives. Either way, you depend on manual, human-driven processes that put you at risk of missing the CPRA's 45-day response deadline and of returning incomplete or inaccurate information. And because the work must be repeated for every DSAR, keeping the data inventory current remains a manual effort as well.
Using a data privacy platform like Osano supports the full spectrum of tasks required for CPRA compliance in a single, seamless experience. With Osano, you can:
- Manage visitor cookie consent; automatically discover site tags like cookies, scripts, and iframes; review automatically recommended site tag classifications; and discover which vendors receive personal information based on the cookies on your website.
- Identify high-risk vendors based on Osano’s Privacy Score and cookie scans to prioritize which vendors need assessments and data processing addenda review.
- Streamline and centralize the privacy assessment process, including privacy impact assessments and vendor assessments.
- Discover stores of personal data throughout your organization and automatically generate a data map and inventory. With the resulting data map, Osano automatically acts on related compliance tasks, like generating RoPAs and responding to DSARs.
- Automatically respond to common DSARs like summary and deletion requests with your organization’s data map and manage the workflow of more complicated requests.
- Rest easy knowing the Osano Platform is regularly updated by privacy experts in response to changing regulatory standards and protected by the industry’s only “No Fines. No Penalties.” pledge.
Download the Osano Platform Brochure for an overview of the platform's capabilities!
How Osano Can Help You Comply
As a data privacy platform vendor, Osano is well aware of the individual challenges posed by the CPRA and the ways in which we can help businesses overcome them. Find out how we can support your business in our guide:
And of course, if you’d rather skip the reading and talk to somebody in person about how we can help your business, just schedule a demo.
What About Other States?
California's may be the most robust data privacy law in the U.S., but there are others to consider. Check out our 2024 U.S. Data Privacy Laws Guide for a summary.