The California Privacy Rights Act (CPRA) is a state-wide data privacy law that governs how businesses all over the world may handle California residents’ personal information (PI). The CPRA went into effect on January 1, 2023 and will become fully enforceable on July 1, 2023 – with a lookback period from January 1, 2022.
The CPRA is built on an earlier piece of legislation, the California Consumers Privacy Act (CCPA), which came into effect on January 1, 2020.
The CPRA defines ‘personal data’ as any information that identifies, relates to, describes, is capable of being associated with, or might feasibly be linked, intentionally or unintentionally, to a particular consumer or household. This law differs from the GDPR, ePrivacy Directive, and other privacy laws in that it includes household information in its classification of personal information.
Names, email addresses, biometric data, IP addresses, geolocation data, professional or employment information, and other information are examples of personal information. On the other hand, under the CPRA, public information is not viewed as personal information.
The CPRA applies to any for-profit industries in the world that share the personal information (PI) of at least 100,000 consumers or households per year, have an annual gross revenue of more than $25 million, or derive more than half of its annual revenue from sharing or selling the personal information of California residents.
CPRA exempts “insurance entities, agencies, and support programs,” because they already are privy to similar regulations under California’s Insurance Information and Privacy Protection Act (IIPPA).
What are the requirements for CPRA compliance?
The California Privacy Rights Act (CPRA) creates four new rights and modifies five existing CCPA rights for California residents.
The five modified CPRA rights are –
- Right to delete – California residents can request deletion of PI and businesses now have to notify third parties to delete this as well.
- Right to know – California residents can now request access to PI collected beyond the original 12-month limit in the CCPA.
- Right to opt-out – California residents can now opt-out of businesses sharing and selling their PI specifically for behavioral advertisement, and not only of the sale of PI, as in the CCPA.
- Rights of minors – where the opt-in requirement for businesses when dealing with minors is extended to include the sharing of PI for behavioral advertising.
- Right to data portability – where California residents can request to have their PI transported to other businesses or organizations.
These are the four new CPRA rights:
- Right to correction – meaning that users can request to have their PI and sensitive personal information (SPI) corrected if they find them to be inaccurate.
- Right to opt-out of automated decision making – allowing California residents to say no to their PI and SPI being used to make automated inferences, e.g. in profiling for targeted, behavioral advertisement online.
- Right to know about automated decision making – implying that California residents can request access to and knowledge about how automated decision technologies work and what their probable outcomes are.
- Right to limit use of sensitive personal information – meaning that California residents can make businesses restrict their use of this separate category of personal information, particularly around third-party sharing.
If this law applies to you, the CPRA contains clear and precise compliance requirements that your company must meet:
- Introducing a method for verifying the identity of all those making such requests.
- Adding a link to your home page that says, “Do Not Sell/Share My Personal Information.” It will benefit your consumers by preventing you from selling or sharing their personal information.
- Acquiring prior consent from minors aged 13 to 16 before selling their personal data. Minors under the age of 13 must have prior parental consent.
Why should you be CPRA compliant?
By design, the CPRA will provide significant benefits to consumers. They will have unprecedented control over their data. For starters, consumers will have the right to access all data collected about them by business organizations. They will be able to request this data for free twice a year, without fear of retaliation from organizations.
Failure to abide by the CPRA could result in hefty fines. If you do not meet CPRA requirements, the Attorney General will file a civil case against you. In the event of a data breach, this carries the risk of a fine of up to $7500 per violation. This indicates that if you disobey the CPRA-guaranteed rights of 1000 users, you will face legal consequences.
How to achieve compliance?
Increased disclosures will become an essential component of compliance for companies subject to the CPRA law. When personal information is collected, organizations must create and distribute privacy notices to consumers. These privacy notices should include descriptions of how personal information is collected and used, as well as the types of personal information that the organization has managed to sell to third parties in the previous year.
Businesses must also fully disclose and notify consumers about the existence and nature of their CPRA rights. These rights provide the ability for an individual to request copies of their personal information from a business.
To meet the CPRA requirements for companies protecting their customers’ PI, the Centraleyes platform includes a built-in CPRA questionnaire, automated workflows and analysis, integrated collection tools, prioritized remediation guidance, and real-time customized scoring. Using this questionnaire in an easy-to-use and streamlined platform assists organizations in collecting the necessary data in a timely manner and having a more pleasant experience as they go through the process of compliance.
Centraleyes has also mapped CPRA back to its extensive control inventory, allowing data to be shared across multiple frameworks via the platform, resulting in time and money savings, and more accurate data. Furthermore, the platform provides visual reports that non-technical senior leaders can understand – reports are built in a clean and intuitive structure, giving the cyber risk team a full view of their risk posture with the ability to dive into five different focus areas. Organizations can gain complete visibility into their cyber risk levels and compliance by using the Centraleyes platform.