Complying With the California Privacy Rights Act (CPRA)
CPRA enforcement is only months away, so here’s everything that organizations need to know about how it differs from the CCPA, how CCPA compliance will be different moving forward, and whether or not the changes will apply to your organization.
What Is the CPRA and How Is It Different Than the CCPA?
Before learning about the California Privacy Rights Act (CPRA), it is first essential to gain a general understanding of the California Consumer Protection Act (CCPA), which first went into effect on January 1, 2020. The CCPA, known as AB 375 officially, is a piece of privacy legislation enacted in the State of California that aims to give consumers power over how businesses handle and use their data, similar to how the GDPR gives EU citizens control over their data.
The CCPA accomplishes this by giving California residents the right to (1) know what personal information a business has collected about them, who or what sourced the information, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold; (2) opt out of allowing a business to sell their personal information to third parties; (3) have a business delete their personal information; and (4) receive equal service and pricing from a business even after exercising the privacy rights afforded to them under the Act.
The CPRA, known as Proposition 24 in its proposed state, was approved by California voters in November 2020 and is considered an amendment to the CCPA. The CPRA brought significant changes to the CCPA that generally fall under three categories of changes:
- Consumers’ Rights
- Organizational Qualifications & Obligations
- Rulemaking & Enforcement
New and Expanded Rights for California Consumers
The following rights already existed in some form in the original version of the CCPA and have been expanded or clarified in some way.
Right to Access Information
The CCPA already afforded consumers the right to request access to any personal information a business collected about them in the preceding 12-month period, but the CPRA expands this to include any information collected—regardless of when it was collected—unless doing so proves impossible or would involve a disproportionate effort.
Right to Opt-Out of Sharing Information with Third Parties
The CPRA clarifies that consumers can opt out of both the sale and sharing of their personal information with third parties, as the definition of “sell” in the original CCPA did not explicitly include sharing. “Sharing” is defined as “sharing…or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.”
Right to Sue Businesses When They Expose Usernames and Passwords
The CCPA gave consumers the right to sue a business directly if and when it exposes their personal information through a preventable data breach. The CPRA expands the definition of “personal information” to include usernames and passwords.
The following rights were not a part of the original CCPA and have been added to the Act as a result of the CPRA.
The Right To Correct Inaccurate Personal Information
If someone were to exercise their right to access collected information and find that the information provided is inaccurate, they can request that the business correct that information. Unless an exception applies, the business would then be required to use “commercially reasonable” efforts to correct that information after receiving a verifiable consumer request.
Right to Receive Notice of Use of Personal Information and Opt-Out of Such Use
Under the CPRA, businesses are now required to give consumers special notice if they plan to collect or use several types of sensitive personal information, and a consumer can request that those businesses stop selling, sharing, and using it. This includes any information revealing:
- A social security number, driver’s license, state ID card, or passport number
- An account log-in, financial account, debit card, or credit card number in combination with the access code, password, or credentials that allow access to them
- A consumer's precise geolocation
- A consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership
- Any contents of a consumer’s mail, email, and text messages
- A consumer’s genetic data
- A consumer’s biometric information
- A consumer’s information collected and analyzed concerning a person’s health, sex life, or sexual orientation
Right to Data Minimization and Purpose Limitations
Businesses are now required to limit the use, retention, and sharing of any personal information they collect to what is reasonably necessary and proportionate to the purposes for which it was collected.
Organizational Qualifications & Obligations
As in the original version of the CCPA, the CPRA applies only to for-profit organizations that do business in California, collect personal information from California consumers (themselves or through others acting on their behalf), determine the purposes and means of processing that information (alone or jointly with others), and meet certain threshold criteria. If your organization fits that description and meets any of the following criteria, it will be considered a “business” under the CPRA and is subject to its regulations:
- The company met or exceeded $25 million in gross revenue in the preceding calendar year.
- The company buys, sells, or shares the personal information of 100,000 or more consumers or households.
- The company derives 50% or more of its annual revenue from selling or sharing consumers' personal information.
Assuming a given organization qualifies as a business under the CPRA, it must:
- Provide notice of consumer rights
- Honor consumer rights
- Fulfill disclosure and retention obligations
- Facilitate consumer requests
- Implement security safeguards
Furthermore, while the original CCPA only defined businesses, service providers, and third parties along with outlining their principal obligations for proper compliance, the CPRA defines a fourth group: contractors. The CPRA defines a contractor as “a person to whom the business makes available a consumer’s personal information for a business purpose.” The principal obligations of such contractors include:
- Using personal information only to perform services on behalf of a business as specified in a contract
- Complying with the terms of the contract
- Implementing security safeguards
- Not combining personal information received from a given business with any personal information received from other businesses
- Notifying the business of any use of subcontractors, and contractually binding those subcontractors to the same terms that apply to the primary contractor
Rulemaking & Enforcement
Currently, rulemaking and enforcement authority under the various state data breach regulations usually lies with a given state's attorney general, and under the original CCPA, the same was true for California. The CPRA, however, created the California Privacy Protection Agency, a five-member board appointed by California's Governor, Attorney General, Senate Rules Committee, and Speaker of the Assembly, and transferred all rulemaking and enforcement authority from the California attorney general to that new agency. While the substantive provisions of the CPRA took effect on January 1 of this year and are technically already law, the California Privacy Protection Agency will not begin enforcement until July 1, 2023.
Fortra's Data Protection Solutions Simplify CPRA Compliance
Fortra's data protection solutions work together to enable greater deployed efficacy, meaning your organization will quickly gain visibility into its data security and be able to address its most immediate needs, including keeping up with the shifting compliance landscape. Find out how you can gain comprehensive control over your data by chatting with one of our experts.