What is CPRA? Everything you need to know about the California Privacy Rights Act

A landmark data privacy law, The California Privacy Rights Act (CPRA), is an amendment to the California Consumer Privacy Act (CCPA), introducing new consumer rights and compliance requirements for businesses. 

As the digital world continues to evolve, understanding and navigating CPRA is crucial for businesses and consumers alike. So what is CPRA? And are you ready to dive in? Let’s go!

CPRA at a glance

• CPRA is a comprehensive privacy law providing Californians with increased data protection and requiring businesses to update their policies accordingly
• Consumers have the right to correct inaccurate personal information, delete data, and limit how businesses use and disclose sensitive personal information.
• Businesses must take steps to prepare for CPRA compliance, including assessing and updating privacy policies and implementing data security measures

Understanding CPRA

The California Privacy Rights Act (CPRA) was designed to strengthen privacy protections for California residents, and it has rapidly become a benchmark for data privacy laws across the United States. 

Built on the foundations of the California Consumer Privacy Act (CCPA), CPRA expands particular consumer rights and introduces new compliance requirements for businesses dealing with sensitive personal information.

As a result, companies must adapt their data collection practices and privacy policies to meet the stringent standards set forth by CPRA.

The evolution from California Consumer Privacy Act (CCPA) to the California Privacy Rights Act (CPRA)

The evolution of CCPA into CPRA began when California voters approved CPRA in the November 2020 election. 

This law took effect in California on January 1, 2023, widening the scope of businesses to which the law applies. It’s important to note that applicable businesses, service providers, third parties, and contractors must all comply with both California Consumer Privacy Act (CCPA) and The California Privacy Rights Act (CPRA), with CPRA adding a new fourth category of entity, “contractors”.

Businesses must meet the vendor contracting obligations under CPRA by providing California residents with notice and the right to opt out of disclosing their personal information to third parties. 

Contracts with contractors may include the right for businesses to monitor their compliance. This monitoring can be in the form of ongoing manual reviews, automated scans or regular assessments, audits, and other technical and operational tests at least once every twelve (12) months. Note that these requirements are still being worked on by the California Privacy Protection Agency (CPPA) and haven’t yet been finalized at the time this post was published.

---

---

The key differences between CCPA and CPRA

While the foundations of the CCPA remain intact, some key differences set CPRA apart. The most notable differences between the two laws include new categories of businesses, sensitive personal information, and private rights of action related to the consumer’s personal information.

CPRA introduces new categories within the CCPA’s definition of business.  These new categories include joint ventures (or partnerships) and persons voluntarily certifying to the CPPA (even though they may not be considered a ‘business’).  In addition, the CPRA added a new subset of personal information called ‘sensitive personal information’, which includes government identifiers (such as social security numbers), account log-in, financial account, debit card, or credit card number with any required security code/credential allowing access to the account.

As for “common branding,” the shared name, servicemark, or trademark must be recognizable enough for the average consumer to realize that two or more entities are related. The potential business must have the same branding as the covered business and get personal information from the covered business for cross-context behavioral advertising.

The impact of CCPA / CPRA on businesses

The CCPA / CPRA has a profound impact on businesses, as it requires them to comply with regulations or face penalties enforced by the CPPA and the State Attorney General.

Businesses must ensure their data collection and storage practices follow the law’s guidelines to meet the requirements of CCPA / CPRA. This includes setting up data retention periods or criteria for each type of information and deleting information based on a schedule or criteria, including the consumer’s precise geolocation data.

Compliance requirements

To comply with CCPA / CPRA, companies must implement a comprehensive privacy program and update their vendor contracts to meet the law’s requirements, including rules about sharing consumers’ personal information. 

Service providers and contractors must also comply with CCPA / CPRA’s obligations once the business has passed them down via contract, which may include handling sensitive personal information such as religious or philosophical beliefs.

Staying CCPA / CPRA compliant means ensuring your privacy notices and policies are up to date, performing a gap analysis, and only processing the minimum amount of consumer personal information. Businesses must understand the implications of CPRA and adapt their practices accordingly.

Penalties for non-compliance

Noncompliance with CCPA / CPRA can result in severe financial consequences. Penalties can range from $2,500 to $7,500 USD per violation, with intentional violations carrying a higher penalty of up to $7,500 USD per violation, while unintentional violations have a maximum penalty of $2,500 USD each.

The CCPA / CPRA provides a 30-day cure period, allowing businesses to take corrective action and avoid penalties if they remedy the situation within that time frame. It’s important to note that breaking the law when it comes to children’s personal information can result in a penalty as high as $7,500 for each offense.

Consumer rights under CCPA / CPRA

CCPA / CPRA significantly expands consumer rights, giving individuals the power to correct inaccurate personal information and limit how sensitive personal information is used and disclosed. 

Under CCPA / CPRA, consumers have the right to request businesses to delete personal information. The businesses must also notify their service providers, contractors, and third parties to whom the information was sold or shared for cross-contextual advertising purposes unless it requires a disproportionate effort.

The right to limit the use and disclosure of sensitive personal information is another essential aspect of CCPA / CPRA, allowing consumers to have greater control over their data and how businesses use it.

Right to correct inaccurate personal information

Under CCPA / CPRA, consumers now have the right to request that a business correct any inaccurate personal information they have about them. 

This new right empowers consumers to take control of their personal data and ensure its accuracy. Once a business receives a verified request, it must do its best to correct the personal information according to the consumer and the regulations.

Businesses must make every effort to correct personal information as per the consumer’s and the regulations’ instructions. Failing to comply with CCPA / CPRA’s requirements for correcting inaccurate personal information could result in hefty fines of up to $7,500 per violation.

Right to limit use and disclosure of sensitive personal information

CCPA / CPRA also encompasses the right to limit the use and disclosure of sensitive personal information, which includes data elements like: 

• Racial origin
• Religious beliefs
• Sexual orientation
• Consumer’s sex life
• Health information
• Precise geolocation

Consumers can instruct businesses to restrict the use of sensitive personal information to what is necessary to provide the services or goods they expect, or for specific business purposes while ensuring their personal information collected is protected.

To comply with CCPA / CPRA, businesses who are selling/sharing personal information with a third party must include a second link on their website homepage titled “Limit the Use of My Sensitive Personal Information.” This additional link allows consumers to exercise their right to limit the use and disclosure of sensitive personal information easily and effectively.

CCPA / CPRA enforcement and the California Privacy Protection Agency

CCPA / CPRA enforcement is handled by the California Privacy Protection Agency (CPPA), an administrative agency dedicated to administering, implementing, and enforcing CCPA as amended by CPRA. 

The Agency has been allocated $5 million for its initial setup and $10 million for its operations in every fiscal year afterward. The Attorney General retains enforcement authority under CPRA and may initiate civil action if necessary.

Agency structure and responsibilities

The California Privacy Protection Agency is responsible for safeguarding the consumer privacy of Californians. Its key responsibilities include investigating potential violations, providing businesses with an opportunity to remedy the situation, and taking necessary enforcement actions, with fines going to the state’s Consumer Privacy Fund.

The Agency’s rulemaking authority was effective from April 21, 2022. The members of the California Privacy Protection Agency are appointed by different branches of the state government, such as the Governor, the Attorney General, the Senate Rules Committee, and the Speaker of the Assembly.

Investigation and enforcement process

The California Attorney General maintains enforcement authority under CCPA / CPRA and may initiate civil action if needed.

Understanding the investigation and enforcement process of CCPA / CPRA is crucial for businesses to ensure compliance and avoid potential penalties. By being proactive and taking the necessary steps to comply with CPRA, businesses can protect themselves from costly fines and safeguard their customers’ data.

Ready to prepare for CCPA / CPRA compliance?

Companies must take steps to assess and update their privacy policies and implement data security measures to prepare for compliance. 

A compliance checklist can help businesses navigate the complex requirements of CCPA / CPRA, including: 

• Board-level support
• Identifying compliance gaps
• Updating privacy notices
• Managing employee data
• Mapping sensitive personal information
• Providing additional security
• Training staff

Proper preparation and a thorough understanding of CCPA / CPRA’s requirements are vital for businesses to avoid potential penalties and protect their customers’ privacy. Not sure where to start? We can help! 

Assessing and updating privacy policies

To ensure CCPA / CPRA compliance, businesses must review their privacy policies and make sure they are up to date with the law’s requirements. This includes providing clear and concise information about the types of data collected, how it’s used, and who it’s shared with. Moreover, businesses must conduct privacy training for all personnel who handle consumers’ or employees’ personal information, as mandated by CCPA / CPRA.

Businesses should also assess their data collection, storage, and usage practices, as well as any third-party vendors used, to identify gaps in their current privacy policies and procedures. By proactively addressing these gaps, businesses can ensure their privacy policies are CCPA / CPRA compliant and ensure the protection of their customers’ sensitive personal information.

Implementing data security measures

In addition to updating privacy policies, businesses must implement data security measures to protect consumer data and prevent unauthorized access, exfiltration, theft, or disclosure. CCPA / CPRA requires businesses that process personal information with a high risk of impacting consumers’ privacy to conduct a yearly cybersecurity audit.

To ensure data security, especially for sensitive information like financial account details, businesses should consider adopting things like:

• Written guidance
• Internal governance
• Ongoing risk assessments and training
• Active management of vendors and third parties 
• Plan for responding to cyber incidents

Implementing these measures not only helps businesses comply with CPRA but also safeguards their customers’ data and maintains trust in their brand.

Conclusion: CPRA is a step forward in privacy protection but a hurdle for businesses

The California Privacy Rights Act (CPRA) represents a significant step forward in data privacy protection for Californians. By understanding the intricacies of CPRA and taking the necessary steps to ensure compliance, businesses can protect their customers’ data, avoid potential penalties, and foster trust in their brand. 

As the digital landscape continues to evolve, staying ahead of the curve and embracing the principles of CCPA / CPRA is not only a legal obligation but a strategic advantage for businesses prioritizing the privacy and security of their customers’ information.

CCPA / CPRA FAQs

---