New Legislation: California Privacy Rights Act (CPRA)
What is the CPRA?
The California Privacy Rights Act (CPRA) is a new law that goes into effect January 1st, 2023. While the CPRA is new legislation, it acts as an overlay to the California Consumer Privacy Act, which was established in 2020.
The CCPA was frequently criticized for a lack of enforcement, consumer rights, and vague expectations. The CPRA is an addendum and improves what has been established by the CCPA.
One of the changes of CPRA is the creation of Sensitive Personal Information (SPI). This applies to a resident's:
-
Financial information
-
Social security number & driver's license number
-
Health information
-
Genetic & biometric data
-
Geolocation
-
Sexual orientation & behaviors
-
Race and ethnicity
-
Religious, political, philosophical beliefs
Consumers have increased rights regarding SPI compared to Personal Information (PI). Residents can have collected SPI disclosed to them and opt-out of SPI use.
Companies with a website must have a link titled "Do Not Sell or Share My Personal Information" and a link titled "Limit the Use of My Sensitive Personal Information".
Companies are encouraged to include a "single, clearly labeled link" that accomplishes both of these requirements, allowing consumers to opt-out of the sale of sharing of Personal Information and limit the use of SPI from a single click.
CCPA
The California Consumer Privacy Act (CCPA) is a state privacy law that regulates how businesses are allowed to handle the personally identifiable information (PII) of California residents. The CCPA regulation provides consumers privacy rights relating to access, deletion, and sharing of their personal information that is collected by businesses.
This regulation changed how personal data of California residents are processed and requires companies that conduct business in California to implement structural changes to their privacy programs. Your business could be based anywhere, as long as your services are accessible in California, you could be covered by the CCPA and have to comply with the requirements.
Achieve CPRA Compliance
The CPRA covers consumers living in California and applies to organizations doing business in California or organizations with employees or contractors in the state that meet certain criteria. This also means that CPRA is enforceable across state lines.
The California Attorney-General can pursue CCPA civil penalties from any person that violates any section of the CCPA up to $7,500 per intentional violation or $2,500 per unintentional violation. CCPA also allows Californians to file suit against a business if their nonencrypted and nonredacted personal information is leaked, such as in a data breach.