The California Privacy Rights Act (CPRA) is the most recent addition to California's data privacy arsenal. It was approved by 56.1% of Californian voters in November 2020 as Proposition 24. The CPRA does not come into force until 1 January 2023, but both the California Consumer Privacy Act (CCPA) and this amendment to it have already had a profound impact on the privacy and data security landscape. US policy makers hope the legislation will serve as a model for other states and change the way companies do business.
The Relationship between the CCPA and the CPRA
The CCPA was signed into law in 2018 and came into force on 1 January 2020; the newer CPRA has been described as an amendment to that original statute. The legislation itself says it is 'amending' the existing provisions of the CCPA and 'adds' new provisions.
The CPRA will require companies to have a good handle on what personal information they hold, what they are collecting, and why. This is a major shift for companies in the US, especially those that have not had to comply with the GDPR and have not devoted resources to their privacy programmes.
It would therefore be wise for companies to adapt their policies to the CPRA, as it can be taken as the most up-to-date version of California data privacy law.
But, not to fret, this guide will put your company in good stead for compliance in 9 months’ time!
Who Do the CCPA and CPRA Apply To?
The CPRA regulates businesses that collect Californian consumers' personal information and determine the purposes and means of processing it. It applies to any business doing business in California that meets one of the following thresholds:
Derives 50% or more of its annual revenue from selling or sharing consumers' personal information
Had more than $25 million in gross revenue in the preceding calendar year
Annually buys, sells or shares the personal information of 100,000 or more consumers or households in California
The number of consumers whose data must be involved has increased to 100,000, compared with 50,000 under the CCPA. This means some small to midsize businesses that previously had to comply with the CCPA may fall outside the scope of the CPRA. This can be seen as a protection for smaller entities that may lack the resources to build the data inventories and compliance mechanisms the law demands.
The caveat is that the CPRA replaces the CCPA's 'selling' with 'selling or sharing', where 'sharing' covers disclosing personal information to a third party for cross-context behavioural advertising, whether or not money changes hands. That widens the scope of this threshold again.
Significant changes from the CCPA to the CPRA
Whilst preserving the existing consumer rights under the CCPA, the CPRA establishes a range of new protections. In the same spirit as Article 9 of the GDPR, the CPRA extends its regulation to a new category of 'sensitive personal information'.
'Sensitive personal information' covers data that reveals something intimate about an individual. Examples include government identifiers such as Social Security, driving licence and passport numbers; financial account and log-in credentials; precise geolocation; racial or ethnic origin, religious beliefs and union membership; the contents of mail, email and text messages; genetic data; and biometric data processed to identify a person.
Companies that use or disclose sensitive personal information must (1) give consumers notice and (2) provide 'a clear and conspicuous link on the business's internet homepage' that enables a consumer to limit the use or disclosure of that information. The CPRA also introduces data minimisation requirements: collection, use, retention and sharing of personal information must be reasonably necessary and proportionate to the purposes disclosed to the consumer, and information may be kept no longer than is 'reasonably necessary' to fulfil those purposes.
Companies that handle publicly available information should note that a broad exemption applies to such data even where it contains sensitive details about an individual. That exemption does not, however, extend to biometric information collected about a consumer without the consumer's knowledge.
Consumers can therefore limit the use and disclosure of their sensitive personal information. An 'opt-out' clause on its own does not give consumers much protection, but combined with the increased disclosure requirements, purpose limitation requirements and opt-in consent requirements, it lets consumers reduce the situations in which harm can occur.
In a similar vein, the rights consumers held under the CCPA have been expanded. They are as follows:
The right to opt out of third-party sales and sharing.
The right to know (consumers can, under certain circumstances, request information collected beyond the previous 12-month window)
The right to delete (this now extends to third parties that have bought or received the consumer's personal information, so that all parties are notified that it must be deleted)
The right to data portability (consumers can now request that a business transfer specific personal information to another entity where it is technically feasible in a structured, commonly used, machine-readable format)
Opt-in right for minors (businesses must wait 12 months before asking a minor consumer for consent after the minor has declined giving it)
As well as expanded rights, consumers gain new data privacy rights. The most significant are the new right to correction and, as mentioned above, the right to limit the use of sensitive personal information. The CPRA also recognises developments in technology: it directs the new agency to issue regulations giving consumers the right to opt out of automated decision-making technology, including profiling, and to obtain meaningful information about the logic involved in such systems.
As a caveat to these new rights, there is no longer an automatic 30-day cure period in which companies can remedy violations before a regulator considers enforcement action.
For companies, the impact of these new and extended consumer rights is that they must be vigilant in protecting not only each class of data but also the choices consumers have made about it, particularly as the threat of enforcement looms larger than before. In practice this means a company must be able to record an opt-out and act on it consistently across its systems.
On a final note, the CPRA has sought to embed the spirit of the GDPR by codifying principles such as data minimisation, purpose limitation and storage limitation. Importantly, this shows a greater recognition that data privacy needs to be regulated and that working together globally is the only way a balanced and assured system between consumers and companies will be created.
Enforcement
The CPRA creates a new enforcement agency, the California Privacy Protection Agency. It can impose administrative fines of the same magnitude as the civil penalties the Attorney General can seek, but only through administrative proceedings; the Attorney General retains civil enforcement.
There is a concern that a dedicated regulator will increase companies' exposure, both in the size of fines and in the number of enforcement actions pursued for data privacy violations.
Companies should therefore welcome an outline of how best to adapt to, and adopt, the amendments the CPRA has brought in!
How the GDPR has influenced the CPRA
The CPRA has encapsulated the spirit of the GDPR and can therefore be seen as more closely akin to its European counterpart than the CCPA was. Importantly, this means European companies that already comply with the GDPR and handle the personal data of California residents will find the task a lot easier.
Luckily, the provision of the 9-month transition period gives companies more than enough time to adapt!