On Nov. 3, 2020, 56% of California voters voted to approve Proposition 24, a ballot that created the California Privacy Rights Act (CPRA).
Keep reading to learn more about the CPRA and what it means for your business, including:
- What the California Privacy Rights Act is
- How the CPRA differs from the California Consumer Privacy Act
- How the CPRA affects businesses and how to prepare for it
California Privacy Rights Act
The California Privacy Rights Act (CPRA) amends the California Consumer Privacy Act of 2018 (CCPA) by creating expanded rights for California residents and new compliance obligations for businesses.
The CPRA also introduces a new agency, the California Privacy Protection Agency (CalPPA), which is in charge of implementing regulations, conducting investigations, and enforcing actions.
The CPRA will take full effect on Jan. 1, 2023, giving businesses two years to prepare.
Businesses the CPRA Affects
The California Privacy Rights Act applies to businesses that:
- Make $25 million or more in annual gross revenue
- Buy, sell, or share personal information of at least 100,000 California residents or households
- Derive 50% of their annual revenue from selling OR sharing personal information
The CPRA is also applicable if your company buys personal information from a business or receives that information for cross-context behavioral advertising purposes.
The CPRA applies to service providers and contractors to businesses covered by the CPRA. It imposes the same contractual and direct obligations to service providers and contractors and distinguishes both.
A service provider receives personal information from or on behalf of a business and processes that information. Meanwhile, a contractor requests personal information from a business.
Under the CPRA, service providers and contractors must cooperate and assist businesses in providing or deleting any requested personal information.
CCPA vs. CPRA
The California Privacy Rights Act amends the California Consumer Privacy Act by taking a General Data Protection Regulation (GDPR)-like approach to governance, expanding individual rights, and establishing an enforcement agency. Here are some key differences between the CCPA and CPRA.
Table 1. Differences between CCPA and CPRA
CCPA | CPRA |
The business should have $25 million in annual revenue | The business should have $25 million in annual revenue |
buys or sells, OR receives or shares for business’s commercial purpose, personal information of 50,000+ consumers, households, or devices | buys, sells, or shares personal information of 100,000+ consumers or households |
derives at least 50% of annual revenue from selling consumer personal information. | derives at least 50% of annual revenue from selling or sharing consumer personal information |
Creation of the California Privacy Protection Agency
One significant addition to the California Privacy Rights Act was the mandate to create the California Privacy Protection Agency (CalPPA), a new, dedicated privacy agency to handle enforcement.
Table 2. What you need to know about CalPPA
Activity | Implementer | Effective Date |
Enforcement of CCPA | California Attorney General’s office | Until December 31, 2022 |
Creation of the California Privacy Protection Agency | California Governor, California Attorney General, Senate Rules Committee, Speaker of the Assembly | 90 days after the effective date of the CPRA (five days after the Secretary of State officially files the election results) |
Drafting regulations | California Privacy Protection Agency | Starts July 1, 2021 (or six months after the CPPA tells the Attorney General it is prepared to begin rulemaking) |
Final regulations | California Privacy Protection Agency | It should be ready by July 1, 2022 |
The CalPPA will be governed by a five-member board.
Members of the board must be experts in the field of technology, privacy, and consumer rights. Members can serve a maximum of eight years and may be removed by their appointing authority at any time.
Expanded Consumer Rights in the CPRA
The California Privacy Rights Act expands the scope and definition of certain items in the California Consumer Privacy Act.
Table 3. The difference in Expanded Rights
CCPA | CPRA | |
Right to Access Information | Information that a business has collected about a person in the last 12 months | Information that a business has collected about a person, regardless of when it was collected. |
Right to Opt-Out of Sharing Information | Definition of “sell” does not explicitly include sharing of information to third parties. | Definition of sell includes both selling and sharing of information to third parties. |
Right to Sue Businesses | When a business exposes personal information through a data breach. | When a business exposes personal information (including a username and password) through a data breach. |
Consumers Can Access Information
Under the CCPA, a person can request access to any personal information a business collected about them in the last 12 months.
The CPRA expands on this right so anyone can request any type of information collected no matter when it was collected. The exception is if doing so would be impossible or involve a disproportionate effort.
Basically, under the CPRA, users can request access to their personal information at any time (and not just the last 12 months).
Consumers Can Opt-Out of Sharing Information With Third Parties
The CCPA’s definition of “sell” does not explicitly include sharing. The California Privacy Rights Act expands upon the CCPA’s definition of “sell” to clarify that people have the right to opt out of businesses selling and sharing their personal information to another party.
Consumers Can Sue Businesses When They Expose Personal Information
The CCPA learned from the Cambridge Analytica scandal, a Facebook security breach that exposed 50 million users. The act allowed people to sue businesses when their personal information is exposed during a data breach.
The CPRA’s expansion on this right includes data breaches with personal information that reveals a username or password.
What’s New in the CPRA and What It Means for Your Business
The California Privacy Rights Act amends the California Consumer Privacy Act to include new rights that businesses must comply with. This is because 46% of consumers feel like they’ve lost control over their data.
Only 10% of consumers feel like they have total control over their personal information.
Businesses that violate the CPRA will be fined up to $2,500 for each violation and up to $7,500 for each intentional violation (or violations that involve anyone under the age of 16).
Consumers Can Determine Use of Information and Correct Inaccurate Information
As with the CCPA, people have the right to ask businesses how their personal information is being used. However, under the CPRA, companies must explain whether they share personal information (e.g., sharing to third parties for cross-context behavioral advertising purposes).
People also have the right to ask businesses to correct inaccurate information on record once they discover that the data is incorrect.
Impact on businesses: Under the California Privacy Rights Act, customers have expanded consumer rights, including the right to determine where their information is used. Consumers also have the right to correct inaccurate personal information a business holds about them.
There are some exceptions, but companies are required to comply with these regulations.
Remember, the CPRA also applies to businesses that provide or request data from contractors or service providers. Review contracts with these third-party providers to determine whether they need to include provisions required by the CPRA.
What your business can do:
- Perform a data audit. Create a database with the following information:
- Sources of all information that your business uses and collects
- Categories of personal information
- Purposes of the collection
- List of entities to which your business discloses personal information
- Retention period or criteria used to determine the retention period for the information
- Security measures applied to protect personal information
- Update privacy notices to reflect your company’s practices regarding personal information. Consider the medium your business will use to deliver these notices — via your company website, app, email, in person, or phone.
- Implement procedures for reviewing and processing requests. Under the CPRA, online businesses that engage in interest-based advertising are required to post a new link titled “Do Not Sell or Share My Personal Information.” Consumers can opt-out from sharing their personal information with advertising partners.
Businesses Have Data Minimization and Storage Limitation
As much as possible, businesses are required to limit or minimize the use, retention, and sharing of personal information to what is necessary.
Impact on businesses: The CPRA prohibits businesses from retaining personal information longer than necessary. Companies are also required to disclose retention periods for each category of personal data collected.
What your business can do: Your company must determine whether it’s retaining data longer than necessary. Your company policies should include deadlines on data deletion and ensure that these are followed.
Consumers Can Receive Notice From Businesses
One notable change in the CPRA is the definition of “sensitive personal information,” which differs from the GDPR’s definition of sensitive personal data.
Under the CPRA, sensitive personal information becomes a regulated dataset. Because of that, users have new rights designed to limit businesses’ use of sensitive personal information.
Businesses are required to give special notice when they plan to collect or use “sensitive personal information” such as:
- Credit card number, social security number, driver’s license, or passport
- Account login
- Exact geolocation
- Contents of emails and text messages
- Biometric information to identify someone
- Genetic data
- Information concerning a person’s health, sex life, or sexual orientation
- Race or ethnic origin, religious or philosophical beliefs, or union membership
Impact on businesses: Businesses should identify the “sensitive personal information” they hold and how they use it. They should also be ready to honor customer requests to remove their information and stop selling, sharing, and using it.
What your business can do:
- Include a website link with information on how consumers can exercise their rights regarding their sensitive personal information
- Honor customer requests to have their information removed
- Look into changing the way your business structures data so that it can be removed easily once requested by a customer
Ensure all these changes and updates are communicated to your employees. Include the changes and updates in your company handbook and via training programs so your employees know how to address any compliance gaps moving forward.
The California Privacy Rights Act has been approved and will replace the California Consumer Privacy Act when it officially takes effect on Jan. 1, 2023. Businesses that are subject to the CPRA should look ahead and start preparing to be CPRA-compliant.
Need help building a compliant website? Check out Bluehost’s full-service hosting plans today.