The California Privacy Rights Act (CPRA) of 2020, also known as Proposition 24, was approved by California voters on November 3, 2020. Even though the CPRA has been here for a while, many businesses and individuals are unaware of its regulations to date.
The CPRA extends the already enacted California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. The CPRA could be a game changer for several organizations that deal with the data of Californians.
The CPRA, like the CCPA, applies to any for-profit entity based in California or doing business in the state that collects or has previously collected any personal information from California citizens and meets revenue or other requirements as stated by the CPRA.
The law also increases Californians’ online privacy rights, empowering Californians to exercise their fundamental right to privacy and revoke access to any information provided to the business. With the CPRA coming into action, businesses must adopt the required measures and comprehensive privacy policies that comply with the CPRA.
The CCPA was passed to placate both companies and privacy concerns. On the other hand, privacy advocates have pointed to various flaws in the current CCPA legislation, giving birth to the CPRA. With the CPRA’s regulations, the law intends to close any gaps identified in the CCPA.
When the CPRA goes into effect on January 1, 2023, businesses in California will no longer have the option to be vigilant about data protection laws but instead implement proper data protection safeguards as specified by the law. The CPRA is a step higher than the CCPA for enterprises in many aspects.
Now that you’re undoubtedly curious about how the CPRA will affect your business, the short answer to that concern is that it depends on the nature of the business and its data-handling procedures.
The law updates several CCPA rights while also introducing a few new ones. Although many of the same safeguards are included, several regulations have been updated, and some new rights have been added.
CPRA – Are You Required to Comply?
The CPRA reinforces the size and scope of information that a company must process to comply with the law. If a legitimate, for-profit organization gathers personal information from California residents, it must comply with the law if it fits any of the following criteria:
- Gross revenue of more than $25 million in the preceding calendar year;
- Personal information of 100,000 or more customers or households is purchased, sold, or shared (either alone or in combination with another company);
- Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.
- Sensitive Data Under the CPRA
The CPRA imposes a new set of duties for processing sensitive data which is one of the crucial differences from the CPPA. The CPRA gives greater control to individuals regarding their sensitive information.
Sensitive data under the CPRA includes geolocation, social security number, passport details, sexual orientation, race, religion, union membership, credit card details, financial details, genetic information, and health data.
The CPRA requires businesses to be transparent about collecting, using, and disclosing sensitive data. At the same time, consumers have the right to opt-out of using their sensitive data at any time.
- More Control Over Data
The CPRA places restrictions on data collection, storage, and use. According to the law, a company cannot keep personal or sensitive data for reasons other than those for which it was initially gathered or for “longer than reasonably necessary for that revealed purpose.”
Furthermore, consumers have the right to request that businesses remove their personal data, and businesses must forward that request to any third parties that have received the data.
If the data leaked includes the consumer’s email address, password, or security question, the consumer can file a private right of action. Before exchanging, selling, or exposing personal data, businesses must impose CPRA-level contractual duties on third parties. Consumers can also have a quick checkup via reverse email lookup if their data is available on the internet.
Do Not Sell Under the CCPA & CPRA
As far as the CCPA is concerned, businesses must explicitly have the ‘Do not sell my personal information’ link on their website. However, in the case of the CPRA, businesses are required to have a ‘Do not sell or share my personal information link’ and a ‘Limit the use of my personal information’ link visibly present on their website.
In short, previously, under the CCPA, businesses were only required to prompt a link where visitors could opt out of the sale of their personal information. Under the CPRA, businesses will need to explicitly have these things on their website:
- Do not sell my personal information.
- Do not share my personal information.
- Limit the use of my personal information.
As the statements ‘Do not sell my personal information’ and ‘Do not share my personal information’ state, businesses are required to respect the individual’s choice of not selling their personal information or sharing their personal information. Additionally, with the ‘Limit the use of my personal information’ clause, businesses need to restrict the utilization of an individual’s personal information.
Who’s Going to Regulate CPRA’s Regulations?
The California Privacy Protection Agency (CPPA) has full administrative power, authority, and jurisdiction to execute and enforce the CCPA. However, the Attorney General retains enforcement authority. According to California Civil Code 1798.199.90, the California Privacy Protection Agency “may not limit the Attorney General’s power to enforce this title.”
In a Nutshell
Companies must keep up with data privacy law developments and ensure that they are compliant with existing laws and upcoming laws and regulations. Businesses should begin with their compliance journey today and implement practices outlined in the law to avoid penalties and make it easier to adapt to future state requirements.
In the event of noncompliance, whether the offense was intentional or unintentional, businesses can be fined up to $7,500 per incident. Accidental infractions involving California citizens over the age of 16 are subject to a maximum fine of $2,500.