
New Legislation: The California Privacy Rights Act (CPRA)

Updated: Dec 7, 2023

What is the California Privacy Rights Act?

The California Privacy Rights Act (CPRA) is a California law that took effect on January 1st, 2023. Rather than replacing existing law, the CPRA amends and extends the California Consumer Privacy Act (CCPA), which was enacted in 2018 and took effect in 2020.

The CCPA was frequently criticized for weak enforcement, limited consumer rights, and vague expectations, so the CPRA builds on the groundwork of the CCPA to address those gaps.

The CPRA is one of the strongest data privacy laws in the United States to date. It is often compared to the General Data Protection Regulation (GDPR) in the EU, which you can also read more about below.

How is the CPRA different from the CCPA?

The CPRA protects California residents and applies to businesses doing business in California, including businesses headquartered elsewhere, that meet certain thresholds (see "Who Needs to Comply and How?" below). The CPRA also extends its protections to employees, job applicants, and contractors of covered businesses; the earlier exemptions for employee and business-to-business data expired on January 1st, 2023. In practice this means the law reaches organizations well outside California's borders.

Sensitive Personal Information

One of the changes of the CPRA is the creation of a new category, Sensitive Personal Information (SPI). Under 1798.140, a resident's SPI includes:

  • Financial information: a financial account, debit card, or credit card number combined with any credentials that allow access to the account

  • Social security number, driver's license number, state identification card number, or passport number

  • Account log-in credentials

  • Health information

  • Genetic data and biometric data processed to uniquely identify a person

  • Precise geolocation

  • Sex life or sexual orientation

  • Racial or ethnic origin

  • Religious or philosophical beliefs, and union membership

  • The contents of mail, email, and text messages, unless the business is the intended recipient

Consumers have increased rights regarding SPI compared to Personal Information (PI). Residents can have collected SPI disclosed to them and can direct a business to limit its use and disclosure of their SPI to what is necessary to perform the services or provide the goods the consumer requested.

A business that sells or shares PI must provide a link on its website titled "Do Not Sell or Share My Personal Information", and a business that uses or discloses SPI for purposes beyond those the law permits must provide a link titled "Limit the Use of My Sensitive Personal Information" (1798.135).

Businesses may instead include a "single, clearly labeled link" that accomplishes both of these requirements, allowing consumers to opt out of the sale or sharing of their PI and limit the use of their SPI from a single click.


Enforcement and Penalties

The CPRA gives the California Privacy Protection Agency (CPPA) "full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act" (1798.199.10.). The California Attorney General retains the authority to bring civil enforcement actions alongside the Agency. The Agency is governed by a five member board: the Governor, Attorney General, Senate Rules Committee, and Speaker of the Assembly each appoint one member, and the Governor additionally appoints the chairperson. Administrative enforcement of the CPRA's amendments began July 1, 2023.

Fines have also increased, particularly for violations that involve the data of minors under 16 years of age. The standard administrative fine is up to $2,500 per violation; for intentional violations, or violations involving the personal information of consumers the business knows to be under 16, the fine triples to up to $7,500 per violation (1798.155).

A consumer can sue a company:

A consumer whose nonencrypted and nonredacted personal information is exposed in a breach caused by the business's failure to implement reasonable security can bring a civil action for statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, plus injunctive or declaratory relief and any other relief the court deems proper (1798.150). In setting statutory damages the court considers, among other factors, the nature and seriousness of the misconduct, the number of violations, the persistence and willfulness of the misconduct, and the defendant's assets, liabilities, and net worth.

The California Privacy Protection Agency can fine a company directly, and the Attorney General can sue:

The Agency can impose the administrative fines described above after an administrative hearing, with the amount depending on the nature and number of violations (1798.155). Separately, the Attorney General can bring a civil action seeking civil penalties of up to $2,500 per violation, or $7,500 per intentional violation or violation involving minors under 16 (1798.199.90.).

CPRA and a Comparison to GDPR

GDPR Overview

The European Union's (EU) General Data Protection Regulation (GDPR) is a data privacy and protection law with global reach. It applies to organizations established in the EU and to organizations outside the EU that offer goods or services to, or monitor the behavior of, people located in the EU. Notably, GDPR protects individuals based on where they are when their data is processed, not on citizenship, so it covers non-EU citizens residing in the EU.

GDPR became enforceable on May 25, 2018, and organizations that are not compliant face heavy fines, lawsuits, and/or audits. Penalties for the most serious violations can be as high as €20 million or 4 percent of your company's worldwide annual turnover for the preceding financial year, whichever is greater.

CPRA & GDPR Similarities

Much of the CPRA echoes the objectives of the EU’s GDPR and its requirements of data minimization, purpose limitation, and storage limitation.

The CPRA emphasizes that businesses may only collect, use, retain, and share Californians' personal information in a way that is reasonably necessary and proportionate to the purpose for which it was collected.

For example, under the CPRA, consent is required to:

  • sell or share PI of a consumer who has opted out (a business must wait at least 12 months before asking the consumer to opt back in)

  • sell or share PI of minors under 16, who must opt in; for children under 13, a parent or guardian must consent

  • enroll a consumer in a financial incentive program, such as a discount offered in exchange for personal information

Finally, a business cannot collect, use, or share Californians' PI for a new purpose that is incompatible with the purpose disclosed at collection without first notifying the consumer. Additionally, businesses are required to tell residents at or before collection how long each category of data will be retained, or the criteria used to determine that period.


Who Needs to Comply and How?

CPRA applies to many companies that do business within California. Your business may be headquartered in New York, but you would still need to meet the CPRA compliance requirements.

According to 1798.140, a business is a for-profit entity that does business in California, collects consumers' personal information, determines the purposes and means of processing it, and meets at least one of the following thresholds. Businesses located outside of California are covered if they meet this definition.

  • has annual gross revenues over $25 million (a figure the Agency adjusts for inflation); or

  • derives 50% or more of its annual revenues from selling or sharing consumers' personal information; or

  • buys, sells, or shares the personal information of 100,000 or more consumers or households per year.

To comply with the CPRA, companies should assess their current practices against the requirements, develop a remediation plan, and implement the needed controls. Compliance is not a one-time project: obligations such as honoring opt-outs, responding to consumer requests, and keeping notices accurate are ongoing, and organizations need to be able to demonstrate continued effort to comply.

CPRA Compliance Requirements Highlights

The CPRA adds the requirement that businesses whose processing of personal information presents a significant risk to consumers' privacy or security must submit a risk assessment to the California Privacy Protection Agency on a regular basis (1798.185). The specifics of scope and frequency are defined in the Agency's regulations.

Secondly, those same businesses are required to "perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent" (1798.185).

Businesses must disclose to consumers:

  • The business or commercial purpose for collecting, selling, or sharing personal information.

  • The specific pieces of personal information it has collected about that consumer.

  • The categories of personal information it has collected about that consumer.

  • The categories of sources from which personal information is collected.

  • The categories of third parties to whom the business discloses personal information.

Finally, a business that collects personal information must implement reasonable security procedures and practices appropriate to the nature of that information to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure (1798.100). This is the same duty whose breach gives rise to the consumer private right of action described above, so "reasonable security" is where the law's compliance and litigation exposure meet.

How Clarus Can Help!

At Clarus Tech Partners, we have expertise in cybersecurity, data protection, risk management, data privacy, and regulatory compliance to address your cybersecurity risks and compliance requirements in the U.S., Europe, and globally. Schedule a consultation call by calling or emailing our team.
