Updates to Privacy Law: CPRA

While most of us were distracted by political tickets on our ballots this November, Californians were passing a stringent privacy law. While we’ve become familiar with the California Consumer Privacy Act (CCPA), California residents decided to up the ante with Prop 24, the California Privacy Rights Act (CPRA). 

California is at the forefront of consumer protection legislation in the US, and CPRA indicates that residents are taking privacy more seriously. This blog post will cover what it means for businesses, which organizations should pay attention to it in the coming years, and what you’ll need to do to be prepared.

Who does CPRA apply to?

The first note is that CCPA previously applied to for-profit businesses that operate in California and meet any of the following requirements:

  • Gross annual revenue of more than $25M
  • 50% or more of their annual revenue is derived from selling CA residents’ personal information
  • Buy, receive, or sell PI of 50,000 or more CA residents, households, or devices

CPRA changes the application to businesses by increasing the number of customers, households, or devices served from 50,000 to 100,000. They also adjusted the applicability to businesses that buy, receive, sell, or share personal information; we’ll get into what “sharing” actually means in the text below. Finally, CPRA will also apply to joint ventures or partnerships of businesses with at least a 40% interest. 

Manatt created this handy chart that spells it all out.

New and Additional Requirements of CPRA

In the brief times of CCPA, sensitive personal information was implicitly protected, without separate requirements or prohibitions related to it. Under CPRA, the privacy requirements edge closer to GDPR by adding a new classification for personal information referred to as “sensitive personal information.” 

This includes data like: 

  • driver’s license and passport numbers, 
  • geolocation, sexual orientation, 
  • racial or ethnic origin, 
  • religious beliefs, and 
  • contents of emails, mail, and text messages. 

You can find a full rundown of the information included on page 28, section (ae) of the act.

CPRA also leans closer to GDPR through data minimization, and purpose and storage limitations. This means that a business has to minimize the collection, sharing, use, and storage of data to what is necessary for their purpose. 

Think of it as the golden rule: treat your customers as you would like to be treated as a consumer. Don’t share or sell data that you wouldn’t want a business to do with yours.

  • Purpose limitations say that a company may not use data for a reason other than originally disclosed to the consumer. 
  • Storage limitations require companies to communicate the retention periods for each category of personal data and may not store data for longer than necessary. 

If you’re a business that shares behavioral data, here’s where you should tune in.

CCPA was intended to curb the sale of personal information, and CPRA extends that protection further to include information “sharing.” That means a business can no longer share, disclose, or rent your PI to a third party for targeting purposes, including instances when no money is exchanged. This will be impactful for “cross-contextual advertising,” which is targeting consumers based on PI from activity across businesses, websites, apps, and services other than those that you intentionally interact with. 

Children and PI

While we all hope that data on children are treated respectfully and safely, protections under CPRA require explicit opt-in consent to sell or transmit data on anyone under 16 years old. If the consumer is under 13 years old, the act requires opt-in consent from a parent or guardian. And California means business; they’ve increased penalties by 300% if the business has knowledge that consumer data is from a child. 

New and adjusted consumer rights

Limit use, disclosures, and corrections: Some new consumer rights include the ability to correct personal information, or limit the use and disclosure of that information by the data holder.  

Data portability: This is an interesting update. CPRA will require data holders to transmit consumer information at the consumers’ request if it is feasible for the business to send data in a secure, structured format.

Opt-out and access information about automated decision-making technology: The act now allows consumers to opt out of profiling based on their personal information, and access the logic and description of the outcome from decision-making tech processes. This means that businesses will not be able to use your personal data to feed algorithms to better form profiles of consumers. 

What if I don’t comply with CPRA?

This act legislated the creation of the California Privacy Protection Agency (CPPA). This agency will act as a watchdog and become effective immediately after the legislation passed. The CPPA’s board will be appointed within 90 days of the certification of the final vote. 

Under the CCPA, businesses may be fined up to $2,500 for each unintentional violation and up to $7,500 for each intentional violation. The CPRA increases the penalty for unintentional violations involving the PI of persons under the age of 16 from $2,500 to $7,500 per violation.

This certainly gives the CPRA more bite than bark compared to the CCPA. 

Implementation of CPRA

This post isn’t comprehensive; there are plenty of smaller adjustments that will need to be made on a case-by-case basis. But we should start talking about how to implement those changes. 

Start early and speak to experts

Like any new compliance regulation, we’ve got a significant runway to prepare our businesses for CPRA. But don’t be foolish and leave it until the last minute. We always recommend getting a jump start, particularly for growing companies. The sooner you build good compliance practices into the foundation of your business, the better off you’ll be. 

Because we don’t know what CPRA will require specifically, it’s best to loop in a privacy expert. Pro tip: if this expert has handled the shift into GDPR compliance, you’re in good hands. 

Assess gaps in your current compliance

The first step in any readiness process will require you to check current policies and practices against the new legislation. This is where an expert comes in–they can help identify where you may need to shore up your current processes to be ready for CPRA. 

In the meantime, examine your current privacy policies and the management of consumer requests. Because the CPRA allows consumers even more control over their data, your business will need to have a system in place to process those requests. 

Build in guardrails for change

As tech leaders are painfully realizing now, new legislation will continue to place more stringent standards for consumer protection. It’s important to secure data and consumer privacy to the best of your ability. But it’s also wise to reflect on the trends and anticipate changes to avoid a complete upheaval down the road.

(Yes, we sound like a broken record, but a compliance expert can help you identify those trends and prepare for further change.) 

Prepare for regular audits

This is an important part of CPRA; you’ll now be required to go through regularly scheduled audits to ensure that your business is compliant. To reiterate what we already know with CCPA: this is a California-specific law that has national repercussions. Now, that means executing an annual audit. 

Again, don’t panic because we’ve got plenty of time to implement CPRA. You have until July 1st, 2023 to get your compliance into shipshape. Reach out to Laika if you need input on kick-starting or fine-tuning your privacy practices.
