CPRA

What is the CPRA?

The California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA) bring California’s privacy laws more in line with the GDPR.

The CPRA amendments went into effect in January 2023.

As a reminder, the CCPA applies to for-profit businesses that do business in California and meet any of the following conditions:

• Have a gross annual revenue of over $25 million in the preceding calendar year, or
• Buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices, or
• Derive 50% or more of their annual revenue from selling or sharing California residents' personal information

The CPRA amendments to the CCPA apply to employee and business-to-business personal information as well.

For organizations that meet the applicability criteria, here is a breakdown of what the CPRA amendments and CCPA require regarding consumer rights and business obligations:

Consumer/Employee Rights

• The right to opt out of having their personal information sold or shared for targeted advertising. Businesses must provide a clear and conspicuous link on their homepage, titled “Do Not Sell or Share My Personal Information.”
• The right to correct inaccurate personal information
• The right to request their information be deleted
• The right to know what information is being sold and who it is being sold to
• The right to limit the use and disclosure of sensitive personal information
• The right to non-retaliation

Business Obligations

• Businesses that collect personal information must inform consumers of:
  • The categories of personal information collected, how it will be used, and if the information will be sold or shared.
  • The categories of sensitive personal information how it will be used, and if the information will be sold or shared.
  • How long personal information will be retained
• A business acting as a third party collecting personal information about a consumer may satisfy its obligations by providing the required information prominently and conspicuously on the homepage of its website. In addition, the third party must inform consumers of the categories of information being collected, how it will be used, and if the information will be sold or shared.
• To meet the privacy principles, a business’s collection, use, retention, and sharing of personal information shall be reasonably necessary and proportionate to achieve the purposes for which it was collected or processed.
• A business that  shares personal information with a service provider or contractor must have an agreement, that:
  • Specifies that the personal information is  disclosed by the business only for limited and specified purposes
  • Obligates the  service provider or contractor to comply with CPRA requirements
  • Grants the business rights to take reasonable and appropriate steps to help to ensure that the  service provider or contractor uses the personal information in a manner consistent with the business’s obligations
  • Requires the service provider or contractor to notify the business if it can no longer meet its obligations
  • Grants the business the right to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information
• Businesses shall implement reasonable security procedures and practices to protect personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.

Rights of Children

• Businesses must obtain opt-in consent to sell the personal information of a California consumer under 16 years of age.
• Businesses must establish technical specifications for an opt-out preference signal that allows the minor or their parent to specify that the consumer is less than 13 or between 13 and 16 years of age.

Comparing the CCPA and CPRA

The CPRA is an amendment to the CCPA that gave consumers more rights. Here are some of the key differences between the two laws.

• The CPRA gives consumers these rights not found in the CCPA:
  • The right to correction
  • The right to limit sensitive personal information
• When a business receives a deletion request, it must notify any third parties and service providers it has shared the personal information with and instruct them to delete the personal information as well.
• The CPRA created a new category of personal information known as sensitive personal information(SPI), which includes:
  • Racial origin and ethnicity
  • Religious beliefs and political and philosophical convictions
  • Sexual orientation and sex life activity
  • Contents of a consumer’s mail, email and/or text messages
  • Health and medical status and history
  • Financial status and history
  • Precise geolocation
  • Genetics and biometrics
  • Social security number and driver’s license.

Achieving CCPA Compliance

Organizations need to have the appropriate privacy controls implemented to honor consumer rights, address proper disclosure requirements, and a host of other obligations.. A privacy assessment is typically the first step toward compliance. The assessment will provide organizations with a roadmap by helping them understand their CPRA and CCPA obligations, risk exposure, and if their current controls satisfy the various requirements.
 

The Risk of Noncompliance

CCPA violations can result in fines up to $7500.

The CCPA gives consumers a private right of action in the event of a data breach. Individuals can file a civil suit if their non-encrypted or non-redacted personal information was included in a breach that was a result of a business’s CCPA violation. Damages in a civil suit range from $100-$750 per consumer incident, or more if the actual damages exceed $750.

The private right of action opens the door to class action lawsuits, which greatly increases an organization’s financial risk and exposure.
 

How we can Help

CompliancePoint provides a full suite of services that help organizations manage and respond effectively to privacy requirements, including CCPA, GDPR, and the other state laws. We help organizations proactively identify their gaps, build out frameworks to meet compliance requirements, and can manage their privacy program on an ongoing basis to maintain compliance.