What is the California Privacy Rights Act (CPRA)?

California has one of the strictest data protection laws in the United States. The CPRA deals with the digital privacy of California residents and applies to Californian businesses and to companies around the world, and it is a huge undertaking. A significant part of life is now conducted on the internet, so protecting digital privacy has become more important than ever. From medical records, personal details, entertainment choices, opinions, educational records, and more, our data is at risk of being misused or misappropriated. If personally identifiable information falls into the wrong hands, identity fraud and social engineering can follow, with serious consequences, including breaches, hacking, or a system being disabled with ransomware. The CPRA comprehensively covers the requirements needed to stop this from happening.

Legitimate companies also use our personal information to tailor our user experience or in targeted advertising. Data privacy legislation, like CPRA, holds companies responsible for how they use our data. The comprehensive laws governing how they collect, share and store all kinds of important data ensure companies maintain high standards of security and take the necessary steps to protect our personal information.

The California Privacy Rights Act (CPRA), also known as CCPA 2.0, is the legislation for the state of California mandating that businesses stick to a comprehensive code of laws governing data: its collection, storage, processing, sharing and deletion. These laws go further and cover the media on which it is stored, the environment it touches, and the roles and responsibilities of the people ensuring its enforcement.

The CPRA is built upon the CCPA (the California Consumer Privacy Act), the previous data privacy legislation, which came into effect on January 1st, 2020. The CPRA has been developed and updated to reflect the current reality of data threats. The CPRA necessitated the establishment of the first dedicated data protection authority in the US: the California Privacy Protection Agency (CPPA).


When did the CPRA come into effect?

The CPRA came into effect on January 1st, 2023. Leading other states in updating its privacy legislation, California comes just ahead of Virginia, Utah, Connecticut, and Colorado, all of which are due to finalize data privacy legislation in 2023.

It is important to note that although businesses were given until January 1st, 2023 to comply with the CPRA, penalties and fines for violations of the CPRA will only be enforced from July 1st, 2023 onwards. The legislation itself was first released in December 2020.

[The CCPA was originally established in 2018 and put into effect in January 2020.]

Does the CCPA still apply?

The CPRA is more of an amendment to the CCPA than a replacement. Consider it an upgrade. This means that most of your preparation to become compliant with CPRA will be covered by being compliant with CCPA. What is important is to understand the new amendments and be fully cognizant of the new requirements the CPRA brings with it. Taking a look at the differences between the CCPA and CPRA will make this clearer.

What is the difference between the CCPA and the CPRA?

These are the categories added to the CPRA that didn’t exist in the CCPA.

Sensitive Personal Information (SPI) – This is an old concept with a new name. It is a form of PII (personally identifiable information); this type of information can be used alone, in combination with other info, or in context to identify, find, or get in touch with a specific person. 

New Links are required on websites – The CPRA updates the criteria for how users can exercise their right to restrict the use of their SPI and adds a criterion for how users can choose not to have their PI sold or shared:

  • By requiring a link that reads “Do Not Sell Or Share My Personal Information,” the CPRA changes the CCPA’s Do Not Sell button.
  • To give Californians more control over how their SPI is used and shared, the CPRA also adds a new requirement that websites feature a link labeled “Limit The Use Of My Sensitive Personal Information.”

DSR Requests and Amendments to Existing CCPA Rights – The CPRA adds the following rights or amends existing CCPA rights:

  • The Right to Correct – If customers find that their PI or SPI is inaccurate, they have the right to ask for a change.
  • The Right to Opt Out – Data subjects now have the choice to prevent their personal information from being sold or shared with third parties, including for cross-context behavioral advertising, by “opting out”. Opting out means that consent is assumed unless data subjects choose not to participate.
  • The Right to Limit the Use of Sensitive Personal Information – Californians have the right to require businesses to restrict the use of specific categories of personal data, especially when it comes to sharing with third parties.
  • The Right to Opt Out of Automated Decision Making – Californians have the right to refuse the use of their PI and SPI in automated decision-making processes, such as profiling for targeted behavioral advertising.
  • The Right to Know About Automated Decision Making – Californians have the right to information regarding automated decision making, including details on how these systems function and the consequences they are anticipated to produce.
  • The Right to Delete – Customers can now ask businesses to instruct suppliers, contractors, or other third parties to delete any personal data that the company may have provided or sold to them.
  • The Right to Access – Businesses will now need to report all PI data they have shared with third parties. The same goes for the third parties with whom they have shared the PI.
  • The Right to Data Portability – This asserts the right of data subjects to request the transfer of some or all of their personal data to another organization. However, the company must be technically able to carry out this transfer in order for this right to be exercised.
  • Rights of Minors – Businesses are now required to give children advance notice if they plan to sell or share their personal data. It is also important to remember that if a customer under the age of 16 declines to consent to a business selling or sharing their personal information, the company is required to wait a further 12 months, or until the customer turns 16, before re-requesting their opt-in consent.

Behavioral Advertising – The CPRA amends the CCPA so that it also applies to behavioral advertising, where companies use personal information to profile citizens of California and target advertisements at them.

California Privacy Protection Agency (CPPA) – This is a new innovation introduced by the CPRA that is likely to be copied by other states. The California Privacy Protection Agency (CPPA) is the first authority in the US dedicated solely to enforcing data protection under the CPRA. It will be the main implementer and supervisor of the CPRA.

The CPRA also has an effect on a company’s Data Privacy Policy. 

  • Collection Notice – Under the CCPA, websites are already obligated to inform their customers when their data is being collected. The California Privacy Rights Act (CPRA) extends this requirement and requires organizations to provide additional detail about how and why they collect a user’s data. Specifically, organizations must disclose if they share any personal information (PI) and sensitive personal information (SPI), as well as how long they plan to retain the data.
  • Privacy Policy – To bring their privacy policies up to date in compliance with the CPRA, companies will have to make changes such as letting the user know if they plan to “share” their data in any way, in addition to whether they are going to “sell” their data. Before the CPRA, under the CCPA, companies only needed to let users know if they planned on selling their data. Companies should keep notes of changes made to their operations and handling of data so that their policies stay accurate and up to date.

Who needs to comply with the California Data Privacy Legislation?

Companies that either operate in California or offer their services and products to California residents. If either of these applies to you, the next step is to see whether the CPRA applies by checking whether you meet at least one of the following criteria:

  • Your annual gross revenue (over one calendar year, Jan-Dec) is $25 million or above.
  • At least 50% of your annual revenue comes from selling or sharing personal information, regardless of how much revenue you make in total. The focus is on what percentage of it comes from data sales or sharing data. This will pertain to data scrapers or data brokers, analytics tools, or businesses that process consumer data and pass it on to someone else.
  • You buy, sell, or share with third parties the personal information of at least 100,000 Californian consumers or households. This is where your company is most likely to enter the scope of the CPRA. Besides buying and selling data for money, it covers data sharing for behavioral advertising. [After some consideration, most businesses will find that the CPRA applies to them if their Google Analytics cookies, Facebook Pixel, Twitter Pixel, or other tracking technology gathers the personal information of at least 100,000 California residents.] If you have hit 100k unique visitors in your Google Analytics, you will need to prepare to comply with the CPRA requirements.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Learn more about how to be compliant with CPRA

How do you comply with the CPRA?

In order to be compliant with the updated laws, businesses need to take proactive steps to protect their customers’ data. This includes ensuring you have a dedicated privacy officer, providing customers with the correct mechanisms to access and delete their data, disclosing the types of data being collected, and showing how it is being used.

The first step for businesses to comply with the CPRA is to appoint a dedicated privacy officer. This role will be responsible for ensuring that the company is in compliance with the law, and it needs to be someone who is knowledgeable about data privacy laws and regulations. The privacy officer should also have the authority to make changes as needed to the company’s data privacy practices and policies.

The next step is to provide customers with a mechanism to access and delete their data. This includes providing customers with the right to know what data is being collected about them, how it is being used, and the right to opt out of the sale of their data. It is also important to ensure that customers have an easy way to access and delete their data if they so choose. 

Finally, businesses must disclose the types of data being collected and how it is being used. This includes providing customers with information about the types of data being collected, how it is being used, and how long the data will be retained. This information should be provided in a clear and concise manner, and should be easily accessible to customers. 

By taking steps to comply with the CPRA, businesses can ensure that they are taking the necessary steps to protect their customers’ data. This includes appointing a dedicated privacy officer, providing customers with a mechanism to access and delete their data, and disclosing the types of data being collected and how it is being used.

The legislation needs to be worked through methodically and carefully to ensure you are covering all the requirements. Here is a basic summary of the CPRA requirements:

1. Give clear and understandable information regarding how you collect, use, store and disclose personal information.

2. Ensure that personal information is only used for the purpose you disclose.

3. Obtain explicit, informed “opt-in” consent if you sell personal information.

4. Ensure your data subjects have access to their personal information.

5. Allow individuals to make requests to delete their personal information if they so wish.

6. Ensure you have reasonable security measures in place to protect personal information.

7. Don’t make the purchase of goods or services contingent on the selling of personal information.

8. Refrain from treating people unfairly when they utilize their CPRA rights.

Why is Data Inventory a Crucial Element of the CPRA?

Assuming you already have a data inventory built for the CCPA, determine further information that needs to be collected for upcoming U.S. state privacy regulations. Below is a summary of the four sections that need to be updated for the CPRA in data inventories created in compliance with the CCPA. 

The CCPA’s HR and B2B exemptions are scheduled to sunset at the onset of 2023, bringing new procedures and data processes into the scope of the law. Update data mappings to include HR and business-to-business data subjects in the data inventory. Some laws will require extending the reach of data subject rights to encompass employees and business-to-business data subjects as well as notification obligations.

Application of the law to employees imposes a heavy challenge on applicable companies for two reasons: firstly, because employee-related data may not have been inventoried before, and secondly, because determining the potential applicability of exceptions to these rights will require meticulous research.

Create an inventory of the important systems and resources that gather and handle the pertinent personal information for each main working group. The inventory should also include information about the circumstances and methods by which such information is disclosed to third parties.

A data inventory can be used to implement a data retention strategy, required by the CPRA and other state acts. Businesses can use a data inventory to categorically and methodically set data retention durations. The CPRA proposes disclosures of the retention period by category of personal information. Collecting record retention information via an organized data inventory will allow organizations to efficiently fulfill these requirements.

Newly enacted CPRA state laws give consumers the right to limit the use and disclosure of sensitive personal information, making it critical to understand and identify what sensitive personal information your organization manages.

Who enforces the CCPA and CPRA?

The CPRA established the California Privacy Protection Agency (CPPA) to implement and enforce the law. The Attorney General also retains civil enforcement authority.

U.S. Data Privacy Laws

The California Privacy Rights Act (CPRA) is a groundbreaking piece of legislation and it sets a new standard for American data privacy laws. The CPRA is an extension of the California Consumer Privacy Act (CCPA), expanding the scope of the original law and making it one of the most robust privacy laws in the country. It provides California consumers with a broad set of rights, including the right to access and delete their personal data, the right to opt out of the sale of their data, and the right to know how their data is being used. The law also requires large businesses to appoint a dedicated privacy officer, underlining the need for companies to take proactive steps to protect their customers’ data; this is truly necessary in fighting the threats to personal information security.

The states that have implemented, or are on the verge of implementing, comprehensive data privacy legislation are:

  • Utah
  • Virginia
  • Connecticut
  • Colorado

Data privacy legislation in the United States is evolving rapidly! As technology has advanced, so too have the data privacy laws that seek to protect consumers. Each state has its own set of laws, which vary in scope and complexity. For example, some states have comprehensive laws that provide consumers with a wide range of rights, while other states have more basic laws that focus on a specific issue, such as the sale of data. Some states don’t currently have much legislation at all, for example Alabama, Delaware and others.

California is generally seen as being at the forefront of data privacy legislation in the United States. The state’s Consumer Privacy Act (CCPA) set the standard for data privacy laws, and the recently passed California Privacy Rights Act (CPRA) further expands the scope of consumer rights, as we have explored above. The CPRA is considered one of the strongest data privacy laws in the country, and provides consumers with a whole gamut of rights, including the right to access and delete their personal data, the right to opt out of the sale of their data, and the right to know how their data is being used.

Other states, such as Nevada, New York, and Texas, have also passed comprehensive data privacy laws that provide consumers with a wide range of rights. All these laws generally focus on protecting consumers from the misuse of their data, like the sale of their data without their consent, or the use of their data for purposes they did not consent to. 

They also provide consumers with the right to know what data is being collected about them, and how it is being used. The federal government is in the process of creating a comprehensive data privacy law that is likely to impose even stricter regulations on companies and provide consumers with even more rights; it will certainly be highly beneficial and change the data privacy landscape when it does come into existence.

Data privacy laws in the United States are constantly evolving as technology advances and new threats arise. As such, it is important for companies to stay up to date on the latest data privacy legislation in their state and comply with the relevant laws in order to protect their customers. In addition to the leading states mentioned above, there are other states that have privacy acts and data protection in place in some form or other.

Why is it important for businesses to understand the CPRA and Data Privacy Legislation?

Data privacy rules must be understood by businesses in order to comply with them and, most importantly, protect their clients. Companies must take action to guarantee that they are treating customer data responsibly since data privacy rules are intended to protect customers from the exploitation of their data. Additionally, businesses must designate a dedicated privacy officer, guarantee that consumers may access and erase their data, and notify them of how their data is being used. They must also make sure they are aware of all the rights of the data subjects and put the appropriate safeguards in place to protect those rights.

Data privacy is not only for your consumers. In order to avoid legal action, penalties and fines, a business must comply with the required legislation. Damage to reputation, data breaches, ransomware attacks and other disruptions to operations need to be avoided, and this is achieved largely through data privacy and data security, the differences between which should be understood.

Why is it important for individual citizens to understand the CPRA and Data Privacy Legislation?

It is important to know about data privacy legislation in order to understand what your rights as a consumer are and to protect yourself from the misuse of your data. Data privacy laws provide consumers with the right to know what data is being collected about them, how it is being used, and the right to opt out of the sale of their data. 

Data privacy legislation also requires companies to take proactive steps to protect their customers’ data, such as appointing a “dedicated privacy officer” and providing customers with a mechanism to access and delete their data. You can choose to give your data to companies that abide by the laws and care about your rights. This is something you can check in a company’s privacy policy. By understanding your rights and the data privacy laws in your state, you can make sure that your data is secure and being used responsibly.

Using Centraleyes to comply with the CPRA

The Centraleyes platform is updated with the latest release of the CPRA. Our built-in CPRA questionnaire makes it easy to cover all of the requirements and ensure you are fully compliant with the laws. As you work methodically through the questions, the Centraleyes platform automatically generates actionable remediation steps instructing you how to close gaps. Real-time visual data analytics and automated reports help you keep on top of your progress, set goals and meet deadlines. Data collection is easy for the team: assign tasks to individuals or groups and track their completion.

Centraleyes hosts a huge variety of risk, compliance and regulatory frameworks that can be implemented in tandem with the CPRA, ensuring the highest levels of information security and minimal cyber risk. Use the platform to evaluate your third-party vendors’ security posture and improve data security by making informed decisions about who you let access your data.

Complying with the CPRA doesn’t need to be overwhelming or overly complicated with the right tools. Let Centraleyes make your journey to CPRA compliance smooth and successful.
