All About the CPRA

The California Privacy Rights Act (CPRA) is an act aimed at bolstering consumer privacy protections set forth by the California Consumer Privacy Act (CCPA) that went into effect on January 1, 2020.

The CPRA enhances Californians' rights under the CCPA - hence it's often referred to as CCPA 2.0.

However, while some provisions will be implemented immediately, others will take years.

In other words, businesses struggling to grasp the new act's rules and ramifications have some breathing room.

Let's look more at this act and how compliance will look.


What is the CCPA?

The CCPA gives California residents and consumers special rights while limiting the activities of businesses related to gathering, storing, using and disseminating their personal data.

It's widely regarded as the most comprehensive regulation of its kind in the country, and in some respects it approaches the scope of the European Union's groundbreaking General Data Protection Regulation (GDPR) which was implemented in mid-2018.

The CCPA grants California consumers the right to:

  • Access their personal information
  • Know what personal information is being collected
  • Opt-out of having it sold or shared
  • Request that it be deleted, or corrected if it's inaccurate
  • Exercise their rights without fear of retribution or discrimination

It's important to note that under the new CPRA, consumer protections won't be limited to sales and monetary transactions, but may also apply to advertising, marketing and data exchanges.

Who Does the CPRA Apply to?

The CPRA applies to businesses that process the information of at least 100,000 California residents.

Furthermore, it's a common misconception that companies need to be physically located within the state to fall under the CPRA.

On the contrary, the CPRA applies to any entity doing business in the state or interacting with its residents, regardless of where it's located.

How the CPRA Differs from the CCPA

Though the CCPA hasn't yet celebrated its first anniversary, its successor - the CPRA - will significantly strengthen Californians' privacy rights.

The two acts are similar in aim and scope, but the CPRA was crafted to enhance the weak and vaguely defined consumer protection mandates, feeble enforcement, and spotty oversight that plagued the CCPA.

The CPRA will:

  • Establish an oversight and enforcement agency called The California Privacy Protection Agency
  • Set forth new classifications of personal information deemed especially sensitive
  • Offer more avenues of legal recourse for those who've been harmed
  • Allow consumers to manage and request corrections to their personal data
  • Add new restrictions on tracking
  • Provide new and stronger protections for minors

Key Components of the CPRA

The CPRA aims to be clearer, stronger and more enforceable than the CCPA.

To achieve these goals it focuses on a number of key areas.

Consumers' Right to Correct Inaccurate Personal Information

Addressing consumers' personal information rights is one of the act's primary functions.

Below is Section 1798.106 of the CPRA, which pertains to the right to correct inaccurate personal information:

[Image: Transcend screenshot of CPRA Section 1798.106 - Consumers' Right to Correct Inaccurate Personal Information]

Updated Consumer Privacy Rights

Included in the CPRA are a number of beefed-up privacy controls, including:

  • A consumer's right to limit how their sensitive personal information is collected, used and disclosed
  • Additional recourse options for those who've been harmed by online security breaches like the theft of sensitive personal and financial information

Limitations on Tracking

Though "geolocation" may seem like an odd term for a privacy act, most users know their movements are being tracked by websites, apps, and advertisers.

Thankfully, the CPRA seeks to limit such tracking by giving consumers enhanced rights. Consumers will be able to stop business geolocation tracking for most purposes, within a specific area radius.

Additional Protections for Minors

California's minors will enjoy more protections under the CPRA than they did under the CCPA.

In fact, the CPRA prohibits the selling of their personal information without permission, and unlike its predecessor, consent may require opting in as opposed to opting out.

In other words, children are automatically protected under the CPRA, and in some instances fines for non-compliance will be three times heftier than they were before.

Express Information Security Requirements

Seeking to do away with lax regulations and vague requirements in the previous act, the CPRA's Express Information Security Requirements make it more transparent and manageable for those looking to stay in compliance.

These security requirements include that businesses must "implement reasonable security procedures and practices" to protect personal information:

[Image: Transcend screenshot of CPRA Section 1798.100 - Implement reasonable security procedures]

Anti-retaliation Clause for Employees

Before employee rights became such an issue, employers often resorted to retaliating against workers who went against the company and exercised their rights under the law.

At least in California that should no longer be an issue, as the CPRA includes an expanded and strengthened anti-retaliation clause:

[Image: Transcend screenshot of CPRA Section 1798.125 - No business discrimination against consumers]

Right to Know Length of Data Retention

Though the CCPA doesn't address data retention specifically, the CPRA does.

It allows businesses to retain personal information only when it's "necessary and proportionate" for collection, processing, and other clearly disclosed purposes.

Expanded Initial Notification Obligations

The CPRA expands on disclosure requirements in privacy notices found at or before the actual point of collection.

Businesses that collect consumers' information must:

  • Disclose whether collected information will be sold or shared
  • Identify the sensitive personal information that will be collected
  • Either disclose the length of time they'll retain information, or the criteria used to determine it
  • Disclose if they don't collect information by conspicuous notice

Other Changes Introduced by the CPRA

The CPRA places new and stricter obligations on the ways companies protect privacy rights, and it applies to:

  • Employees
  • Contractors
  • Customers/consumers

There may be nuances between the restrictions for each group, however, and many detractors claim that the distinctions aren't easy to discern, especially for laymen.

Other terms have been redefined altogether, and in some cases their new meanings include previously overlooked entities.

For instance, "business" doesn't necessarily mean a company selling a product or service to a consumer.

The CPRA also gives The California Privacy Protection Agency the power and flexibility to keep the act's provisions up to date, and limit the ways businesses can circumvent its regulations.

The act's crafters see this as an important feature, because ill-intentioned players began undermining the CCPA's consumer protections as soon as it was passed.

Important New Terminology

Though the CPRA will provide added clarity and oversight, it also throws new terms and concepts into the mix.

They include:

Sensitive Personal Information (SPI) - Certain types of information, like your passport and Social Security numbers, will carry "sensitive" designations, as will financial, geolocational, racial, religious, and biometric data.

Right to Restriction - Granting consumers the right to limit the use and disclosure of their sensitive personal information.

Right to Rectification - Consumers will have the right to add and update information, as well as correct inaccurate data.

Right to Verifiable Requests - Consumer requests for the right to deletion and disclosure of their personal information must be verifiable and specific to the issue being addressed.

Penalties for Non-Compliance

Compared to the CCPA, enforcement of and penalties for noncompliance under the CPRA will be harsh.

In fact, the California Privacy Protection Agency will be the first enforcement and oversight agency of its kind in the country, even trumping the state's Attorney General in matters related to the CPRA.

The Agency's board will be composed of members theoretically possessing some level of expertise in privacy, consumer rights or technology. The state's Governor will select the board's chair and one member, while the others would be appointed by the Attorney General, Senate Rules Committee, and the Speaker of the California Assembly.

Summary

The CPRA enhances consumer privacy rights and protections by requiring businesses to disclose more information, and put protections in place.

Make sure you follow the regulation's requirements if the CPRA applies to you. This will include:

  • Updating your Privacy Policy with information about consumer rights and other key points
  • Ensuring you're offering minors adequate protections
  • Meeting notification obligations
  • Limiting how you track your users

If you haven't started towards CPRA compliance, now is the time.