California Privacy Rights Act: What You Need to Know

Origins of the CPRA

Mactaggart, a real estate developer in the California Bay Area, started worrying about consumer data privacy after a conversation with an engineer who worked at Google.

“These giant corporations know absolutely everything about you, and you have no rights,” he said in an interview. “I thought, oh, I’d like to find out about what these companies know about me. Then I thought, well, someone should do something about that.”

Soon after, Mactaggart decided to take action.

In 2019, he placed a ballot initiative on California’s November ballot, and on November 3, 2020, Californians voted to approve Proposition 24, the ballot measure that eventually created the CPRA.

Mactaggart, referring to the initiative as “a great stride forward,” is optimistic. “If it happened here,” he said, “it’ll happen in the rest of the country.”

Under the California privacy law, Californians will have the right to know and limit what huge companies like Facebook and Google, as well as other large businesses, know about them. The CPRA regulations expand and amend the original CCPA. The CPRA went into effect on January 1, 2023.

CCPA and the CPRA: Why Both?

The California Privacy Rights Act (CPRA) can be described as a more comprehensive version of the CCPA, reworking the CCPA’s provisions to reflect public demand for stronger privacy rights for California consumers.

Under the CPRA, businesses that collect or use the personal information of state residents must allow individuals to exercise even more privacy rights than the CCPA stipulated. The rights covered in the new law include the right to request that a business disclose the personal information it has collected about the individual, the right to request that their personal information be deleted, and the right to opt out of the sale of their data. Additionally, the CPRA introduces new disclosure requirements and other notable amendments to the CCPA.

Although the CCPA is now obsolete, companies that have reached CCPA compliance have the core of the framework up and running already. The CPRA is an expansion of the CCPA that introduces some new and significant changes. Many of these amendments were inspired by the EU’s General Data Protection Regulation (GDPR).

Read on as we provide an overview of all you need to know to prepare for the California Privacy Rights Act 2023.

What You Need To Know for the CPRA

New Threshold for Eligibility

Under the CPRA, businesses will need to comply if they meet one or more of these criteria:

  • Have annual gross revenues above $25 million
  • Purchase, sell, or share the personal information of 50,000 or more California consumers, households, or devices
  • Have 50% or more of annual revenue derived from selling or sharing the personal information of California consumers

Notably, the CPRA doubles the CCPA’s original threshold of 50,000 in the second condition. This means that the new law may cover fewer businesses than the CCPA did.

However, the CPRA also expands the third condition from “selling” to “selling and sharing”. This addition has the potential to increase the number of businesses that fall under the threshold.

New Data Type: Sensitive Personal Information

Similar to Europe’s GDPR, the CPRA introduces a new category of personal data named “sensitive personal information”. Consumers have the right to request that a business limit the use and disclosure of this category of information.

The CPRA defines sensitive personal information to include the following types of information:

  • Social Security number
  • Driver’s license
  • A state identification card or passport number
  • Financial account information and log-in credentials
  • Debit or credit card number and access codes
  • Precise geolocation data
  • Religious or philosophical beliefs
  • Ethnic origin
  • Genetic data
  • Biometric information for identification purposes
  • Personal health information
  • Sex or sexual orientation information

To allow consumers to decide how they want this information handled, covered businesses must provide a “clear and conspicuous” link on their homepage, titled “Limit the Use of My Sensitive Personal Information.”

New Consumer Rights Under the CPRA

  • The right to delete personal information
  • The right to correct inaccurate personal information
  • The right to know categories and specific pieces of personal information
  • The right to opt out of the sale or sharing of personal information
  • The right to limit the use and disclosure of sensitive personal information

New Disclosure Requirements

Businesses are already required by the CCPA to notify customers about the personal information they have acquired about them and the reason for doing so. However, under the CPRA, businesses are required to give consumers even more information, including whether their personal information will be sold or shared, how it will be used, and how long it will be kept on file.

Recently, the CPPA issued modified proposed regulations implementing the CPRA. The modified version states that a business does not need to identify the names of third parties that use collected personal information in the required “Notice at Collection” message. The revised requirement saves businesses the extra work of updating their “Notice at Collection” message every time a third-party contract involving consumer information changes.

New Enforcement Agency

The CPRA appoints the California Privacy Protection Agency (CPPA) to oversee enforcement. The new agency will also evaluate and approve the newly required mandatory annual risk assessments and report on whether organizations comply.

Consumer Right to Opt-out

Under the CPRA, in contrast to the CCPA, consumers have the choice to reject the sale or sharing of their personal information for “cross-context behavioral advertising,” commonly referred to as “targeted advertising.” Businesses must comply with this regulation by including a conspicuous link on their website that reads “Do Not Sell or Share My Personal Information.”

Companies must treat opt-out preference signals as legitimate requests to stop selling or sharing personal information, and must apply them to “any consumer profile associated with that browser or device, including pseudonymous profiles,” as stated in the revised proposed regulations, not just to that specific browser or device.
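To make the scope of that rule concrete, the following is an added illustration (not code from Centraleyes or from the CPRA regulations) of honoring an opt-out preference signal across every profile linked to a device. It assumes the signal arrives as the Global Privacy Control header `Sec-GPC: 1`, which the page does not name, and uses a constructed in-memory profile store.

```python
"""Honoring an opt-out preference signal across every profile tied to a
browser or device. Added illustration; the Sec-GPC header (Global Privacy
Control) and the profile-store layout are assumptions, not page content."""
from dataclasses import dataclass


@dataclass
class Profile:
    profile_id: str
    pseudonymous: bool            # True when keyed only by a device/cookie id
    opted_out_of_sale_or_sharing: bool = False


# Constructed sample store: device "dev-42" is linked both to a logged-in
# consumer profile and to a pseudonymous advertising profile.
PROFILES = {
    "consumer-7":  Profile("consumer-7", pseudonymous=False),
    "anon-dev-42": Profile("anon-dev-42", pseudonymous=True),
    "anon-dev-99": Profile("anon-dev-99", pseudonymous=True),
}
DEVICE_TO_PROFILES = {
    "dev-42": ["consumer-7", "anon-dev-42"],
    "dev-99": ["anon-dev-99"],
}


def has_opt_out_signal(headers: dict) -> bool:
    """GPC sends the header value "1" when the user has opted out; header
    names are case-insensitive, so normalise before looking it up."""
    value = {k.lower(): v for k, v in headers.items()}.get("sec-gpc", "")
    return value.strip() == "1"


def apply_opt_out(headers: dict, device_id: str) -> list:
    """Return the ids of every profile newly flipped to opted-out.
    The signal is applied to all profiles linked to the device, pseudonymous
    ones included, rather than only to the requesting browser session."""
    if not has_opt_out_signal(headers):
        return []
    changed = []
    for pid in DEVICE_TO_PROFILES.get(device_id, []):
        prof = PROFILES[pid]
        if not prof.opted_out_of_sale_or_sharing:
            prof.opted_out_of_sale_or_sharing = True
            changed.append(pid)
    return changed


def may_share_for_ads(profile_id: str) -> bool:
    """Gate check a cross-context advertising pipeline would call."""
    return not PROFILES[profile_id].opted_out_of_sale_or_sharing
```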

Additionally, customers have the right to request businesses delete personal information that was shared or sold to contractors and service providers, as well as to correct any inaccurate personal information.

Data Minimization, Purpose, and Storage Limitations

The CPRA’s “purpose limitation” provision means that companies can only collect, use, and share personal information that is reasonably necessary and proportionate to the purpose of the data collection.

Information with no stated purpose cannot be collected. There is also a requirement to notify consumers how long their personal information will be retained, or the criteria that will determine how long the information will be kept.

The updated draft regulations include five new attributes, described below, that businesses should examine when determining whether their practices meet the standards for data minimization.

Privacy Rights of Minors

A company must “establish, document, and comply with a reasonable method for determining that the person consenting to the sale or sharing of the personal information about the child is the parent or guardian of that child” if it has “actual knowledge” that it sells or shares the personal information of a customer under the age of 13. Without permission, the company is required to wait at least 12 months or until the child is 16 before requesting their opt-in consent once more.

Verified parental consent is already required by the federal Children’s Online Privacy Protection Act; however, the CPRA specifies that permission must also be obtained before personal information can be sold or shared.

CPRA Compliance with Centraleyes

If your business is already in compliance with the CCPA, implementing the CPRA shouldn’t be too much of a hurdle. The Centraleyes risk and compliance platform can simplify the process and save you many work hours. If your business is subject to several state privacy laws, Centraleyes eases your evidence collection and crosswalks between standards, cutting your job in half or more.

Now that the CPRA effective date has passed, reach out to our team to see how Centraleyes can help your business.

Practical Steps To Get You Started

  • Inventory data to identify which PI falls under the scope of the CPRA.
  • Conduct a gap analysis to gain an understanding of how your current practices meet the CPRA’s requirements, as well as where they fall short.
  • Be sure to update privacy notices to reflect the newly modified rights and disclosure requirements.
  • Ensure that third parties are informed that they, too, may be bound by the new requirements of the CPRA.
