All About the CPRA
The California Privacy Rights Act (CPRA) is an act aimed at bolstering consumer privacy protections set forth by the California Consumer Privacy Act (CCPA) that went into effect on January 1, 2020.
The CPRA enhances Californians' rights under the CCPA - hence it's often referred to as CCPA 2.0.
However, while some provisions will be implemented immediately, others will take years.
In other words, businesses struggling to grasp the new act's rules and ramifications have some breathing room.
Let's take a closer look at this act and what compliance will involve.
- 1. What is the CCPA (CPRA)?
- 2. How the CPRA Differs from the CCPA
- 3. Key Components of the CPRA Amendments
- 3.1. Consumers' Right to Correct Inaccurate Personal Information
- 3.2. Updated Consumer Privacy Rights
- 3.3. Limitations on Tracking
- 3.4. Additional Protections for Minors
- 3.5. Express Information Security Requirements
- 3.6. Anti-Retaliation Clause for Employees
- 3.7. Right to Know Length of Data Retention
- 3.8. Expanded Initial Notification Obligations
- 4. Other Changes Introduced by the CPRA
- 5. Important New Terminology
- 6. Penalties for Non-Compliance with the CPRA Amendments
- 7. Summary
What is the CCPA (CPRA)?
The CCPA (CPRA) gives California residents and consumers special rights while limiting the activities of businesses related to gathering, storing, using and disseminating their personal data.
It's widely regarded as the most comprehensive regulation of its kind in the country, and in some respects it approaches the scope of the European Union's groundbreaking General Data Protection Regulation (GDPR), which was implemented in mid-2018.
It's important to note that under the CPRA amendments, consumer protections won't be limited to sales and monetary transactions, but may also apply to advertising, marketing and data exchanges.
How the CPRA Differs from the CCPA
The CPRA amendments:
- Establish an oversight and enforcement agency called The California Privacy Protection Agency
- Set forth new classifications of personal information deemed especially sensitive
- Offer more avenues of legal recourse for those who've been harmed
- Allow consumers to manage and request corrections to their personal data
- Add new restrictions on tracking
- Provide new and stronger protections for minors
Key Components of the CPRA Amendments
The CPRA amendments aim to make the CCPA clearer, stronger and more enforceable.
To achieve these goals it focuses on a number of key areas.
Consumers' Right to Correct Inaccurate Personal Information
Addressing consumers' personal information rights is one of the act's primary functions.
Below is Section 1789.106 of the CPRA, which pertains to the right to correct inaccurate personal information:
Updated Consumer Privacy Rights
Included in the CPRA amendments are a number of beefed-up privacy controls, including:
- A consumer's right to limit how their sensitive personal information is collected, used and disclosed
- Additional recourse options for those who've been harmed by online security breaches like the theft of sensitive personal and financial information
Limitations on Tracking
Though "geolocation" may seem like an odd term for a privacy act, most users know their movements are being tracked by websites, apps, and advertisers.
Thankfully, the CPRA seeks to limit such tracking by giving consumers enhanced rights. Consumers will be able to stop business geolocation tracking for most purposes, within a specific area radius.
Additional Protections for Minors
California's minors will enjoy more protections under the CPRA amendments. The amendments prohibit the selling of their personal information without permission, and unlike its predecessor, consent may require opting in as opposed to opting out.
In other words, children are automatically protected under the CPRA amendments, and in some instances fines for non-compliance will be three times heftier than they were before.
Express Information Security Requirements
Seeking to do away with lax regulations and vague requirements in the previous act, the CPRA's Express Information Security Requirements make it more transparent and manageable for those looking to stay in compliance.
These security requirements include that businesses must "implement reasonable security procedures and practices" to protect the personal information:
Anti-Retaliation Clause for Employees
Before employee rights became such an issue, employers often resorted to retaliating against workers who went against the company and exercised their rights under the law.
At least in California that should no longer be an issue, as the CPRA adds an expanded and strengthened anti-retaliation clause:
Right to Know Length of Data Retention
The CPRA amendment allows businesses to retain personal information only when it's "necessary and proportionate" for collection, processing, and other clearly disclosed purposes.
Expanded Initial Notification Obligations
The CPRA expands on disclosure requirements in privacy notices found at or before the actual point of collection.
Businesses that collect consumers' information must:
- Disclose whether collected information will be sold or shared
- Identify the sensitive personal information that will be collected
- Either disclose the length of time they'll retain information, or the criteria used to determine it
- Disclose if they don't collect information by conspicuous notice
Other Changes Introduced by the CPRA
The CPRA amendments place new and stricter obligations on the ways companies protect privacy rights, and they apply to:
There may be nuances between the restrictions for each group, however, and many detractors claim that the distinctions aren't easy to discern, especially for laymen.
Other terms have been redefined altogether, and in some cases their new meanings include previously overlooked entities.
For instance, "business" doesn't necessarily mean a company selling a product or service to a consumer.
The CPRA amendments give The California Privacy Protection Agency the power and flexibility to keep the act's provisions up to date, and limit the ways businesses can circumvent its regulations.
The act's crafters see this as an important feature, because ill-intentioned players began undermining the CCPA/CPRA's consumer protections as soon as it was passed.
Important New Terminology
Though the CPRA will provide added clarity and oversight, it also throws new terms and concepts into the mix.
Sensitive Personal Information (SPI) - Certain types of information, like your passport and Social Security numbers, will carry "sensitive" designations, as will financial, geolocational, racial, religious, and biometric data.
Right to Restriction - Granting consumers the right to limit the use and disclosure of their sensitive personal information.
Right to Rectification - Consumers will have the right to add and update information, as well as correct inaccurate data.
Right to Verifiable Requests - Consumer requests for the right to deletion and disclosure of their personal information must be verifiable and specific to the issue being addressed.
Penalties for Non-Compliance with the CPRA Amendments
In fact, the California Privacy Protection Agency will be the first enforcement and oversight agency of its kind in the country, even trumping the state's Attorney General in matters related to the CCPA (CPRA).
The Agency's board will be composed of members theoretically possessing some level of expertise in privacy, consumer rights or technology. The state's Governor will select the board's chair and one member, while the others would be appointed by the Attorney General, Senate Rules Committee, and the Speaker of the California Assembly.
Summary
The CPRA amends the CCPA to enhance consumer privacy rights and protections by requiring businesses to disclose more information and put protections in place.
Make sure you follow the regulation's requirements if the CCPA (CPRA) applies to you. This will include:
- Ensuring you're offering minors adequate protections
- Meeting notification obligations
- Limiting how you track your users
If you haven't started towards CCPA (CPRA) compliance, now is the time.