All About the CPRA
The California Privacy Rights Act (CPRA), approved by California voters as Proposition 24 in November 2020, is an act aimed at bolstering the consumer privacy protections set forth by the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020.
The CPRA enhances Californians' rights under the CCPA - hence it's often referred to as CCPA 2.0.
However, while some provisions (such as the creation of a new enforcement agency) take effect immediately, most of the new obligations don't become operative until January 1, 2023, and they apply to personal information collected on or after January 1, 2022.
In other words, businesses struggling to grasp the new act's rules and ramifications have some breathing room.
Let's look more at this act and how compliance will look.
- 1. What is the CCPA?
- 1.1. Who Does the CPRA Apply to?
- 2. How the CPRA Differs from the CCPA
- 3. Key Components of the CPRA
- 3.1. Consumers' Right to Correct Inaccurate Personal Information
- 3.2. Updated Consumer Privacy Rights
- 3.3. Limitations on Tracking
- 3.4. Additional Protections for Minors
- 3.5. Express Information Security Requirements
- 3.6. Anti-retaliation Clause for Employees
- 3.7. Right to Know Length of Data Retention
- 3.8. Expanded Initial Notification Obligations
- 4. Other Changes Introduced by the CPRA
- 5. Important New Terminology
- 6. Penalties for Non-Compliance
- 7. Summary
What is the CCPA?
The CCPA gives California residents and consumers special rights while limiting the activities of businesses related to gathering, storing, using and disseminating their personal data.
It's widely regarded as the most comprehensive regulation of its kind in the country, and in some respects it approaches the scope of the European Union's groundbreaking General Data Protection Regulation (GDPR) which was implemented in mid-2018.
The CCPA grants California consumers the right to:
- Know what personal information is being collected, and access it
- Know whether it's being sold or disclosed, and to whom
- Opt out of having it sold
- Request that it be deleted
- Exercise their rights without fear of retribution or discrimination
The CPRA builds on this list: it adds the right to correct inaccurate personal information, extends the opt-out from "sale" to "sharing" (disclosure for cross-context behavioral advertising, whether or not money changes hands), and adds the right to limit the use of sensitive personal information.
It's important to note, then, that under the new CPRA consumer protections won't be limited to sales and monetary transactions; they also reach advertising, marketing and other data exchanges.
Who Does the CPRA Apply to?
The CPRA applies to for-profit businesses that collect California consumers' personal information and meet at least one of three thresholds: annual gross revenue above $25 million; buying, selling or sharing the personal information of 100,000 or more consumers or households per year; or deriving 50% or more of annual revenue from selling or sharing personal information.
Furthermore, it's a common misconception that companies need to be physically located within the state to fall under the CPRA.
On the contrary, the CPRA applies to any qualifying entity doing business in the state or interacting with its residents, regardless of where it's headquartered.
How the CPRA Differs from the CCPA
Though the CCPA hasn't yet celebrated its first anniversary, its successor - the CPRA - will significantly strengthen Californians' privacy rights.
The two acts are similar in aim and scope, but the CPRA was crafted to enhance the weak and vaguely defined consumer protection mandates, feeble enforcement, and spotty oversight that plagued the CCPA.
The CPRA will:
- Establish an oversight and enforcement agency called The California Privacy Protection Agency
- Set forth new classifications of personal information deemed especially sensitive
- Offer more avenues of legal recourse for those who've been harmed
- Allow consumers to manage and request corrections to their personal data
- Add new restrictions on tracking
- Provide new and stronger protections for minors
Key Components of the CPRA
The CPRA aims to be clearer, stronger and more enforceable than the CCPA.
To achieve these goals it focuses on a number of key areas.
Consumers' Right to Correct Inaccurate Personal Information
Addressing consumers' personal information rights is one of the act's primary functions.
Section 1798.106 of the California Civil Code, added by the CPRA, establishes this right: a consumer may request that a business correct inaccurate personal information it maintains about them, and the business must use commercially reasonable efforts to do so, taking into account the nature of the information and the purposes for which it's processed.
Updated Consumer Privacy Rights
Included in the CPRA are a number of beefed-up privacy controls, including:
- A consumer's right to limit how their sensitive personal information is collected, used and disclosed
- Additional recourse options for those who've been harmed by security breaches: the private right of action for breaches of nonencrypted, nonredacted personal information now also covers the exposure of an email address together with a password or security question that would permit access to the account
Limitations on Tracking
"Geolocation" may seem like an odd term to find in a privacy act, but most users know their movements are being tracked by websites, apps and advertisers.
Thankfully, the CPRA seeks to limit such tracking. It classifies "precise geolocation" - data that can locate a consumer within a radius of 1,850 feet (roughly 560 meters) - as sensitive personal information, so consumers can direct a business to limit its use of that data to what is necessary to provide the goods or services they requested.
Additional Protections for Minors
California's minors will enjoy more protections under the CPRA than they did under the CCPA.
A business may not sell or share the personal information of a consumer it knows is under 16 without opt-in consent - from the minor if they're 13 to 15, or from a parent or guardian if they're under 13 - and the CPRA extends this opt-in requirement from "sales" to "sharing" as well.
In other words, children are protected by default, and the fine for violations involving minors is tripled: $7,500 per violation instead of $2,500.
Express Information Security Requirements
Seeking to do away with the lax regulations and vague requirements of the previous act, the CPRA's express information security requirements make compliance more transparent and manageable.
The CPRA requires businesses that collect personal information to "implement reasonable security procedures and practices appropriate to the nature of the personal information" to protect it from unauthorized or illegal access, destruction, use, modification or disclosure. The statute doesn't define "reasonable"; it directs the new agency to issue regulations requiring businesses whose processing presents significant risk to perform annual cybersecurity audits and submit risk assessments, and the private right of action for data breaches remains tied to a failure to maintain reasonable security.
Anti-retaliation Clause for Employees
Employers have at times retaliated against workers who exercised their rights under the law.
At least in California that should no longer be an issue, as the CPRA includes an expanded and strengthened anti-retaliation clause: a business may not retaliate against an employee, job applicant or independent contractor for exercising their rights under the act.
Right to Know Length of Data Retention
Though the CCPA doesn't address data retention specifically, the CPRA does.
A business's collection, use, retention and sharing of personal information must be "reasonably necessary and proportionate" to the purposes for which it was collected or processed, as disclosed to the consumer, and the business must tell consumers how long it intends to keep each category of information (or the criteria it uses to decide).
Expanded Initial Notification Obligations
The CPRA expands on disclosure requirements in privacy notices found at or before the actual point of collection.
Businesses that collect consumers' information must, at or before the point of collection:
- Disclose the categories of personal information collected and the purposes for which it's used
- Disclose whether collected information will be sold or shared
- Identify the categories of sensitive personal information collected and the purposes for which they're used
- Either disclose the length of time they'll retain each category of information, or the criteria used to determine it
- Refrain from collecting additional categories of information, or using it for additional purposes incompatible with those disclosed, without first providing a new notice
Other Changes Introduced by the CPRA
The CPRA places new and stricter obligations on the ways companies protect privacy rights, and it applies not only to businesses but also to service providers, contractors (a category the CPRA introduces) and third parties that receive personal information.
There may be nuances between the restrictions for each group, however, and many detractors claim that the distinctions aren't easy to discern, especially for laymen.
Other terms have been redefined altogether, and in some cases their new meanings include previously overlooked entities.
For instance, "business" doesn't necessarily mean a company selling a product or service to a consumer; it also covers entities that control or are controlled by such a business and share its branding, and joint ventures in which such a business holds at least a 40% interest.
The CPRA also gives The California Privacy Protection Agency the power and flexibility to keep the act's provisions up to date, and limit the ways businesses can circumvent its regulations.
The act's crafters see this as an important feature, because ill-intentioned players began undermining the CCPA's consumer protections as soon as it was passed.
Important New Terminology
Though the CPRA will provide added clarity and oversight, it also throws new terms and concepts into the mix.
Sensitive Personal Information (SPI) - A new subset of personal information that carries extra protections. It includes government identifiers such as Social Security, driver's license and passport numbers; account log-in or financial account details together with the credentials needed to access them; precise geolocation; racial or ethnic origin, religious or philosophical beliefs and union membership; the contents of mail, email and text messages (unless the business is the intended recipient); genetic data; biometric data processed to identify a person; health information; and sex life or sexual orientation.
Right to Limit (Restriction) - Consumers may direct a business to limit the use and disclosure of their sensitive personal information to what is necessary to provide the requested goods or services.
Right to Correct (Rectification) - Consumers may require a business to correct inaccurate personal information it holds about them.
Verifiable Consumer Request - A request to access, delete or correct personal information must be one the business can reasonably verify came from the consumer (or their authorized agent) before acting on it.
Penalties for Non-Compliance
Compared to the CCPA, enforcement of and penalties for noncompliance under the CPRA will be harsher: the mandatory 30-day cure period the CCPA gave businesses before an enforcement action is removed, and administrative fines run to $2,500 per violation, or $7,500 per intentional violation or violation involving a minor under 16.
In fact, the California Privacy Protection Agency will be the first enforcement and oversight agency of its kind in the country: it takes over rulemaking from the state's Attorney General and shares civil enforcement authority with that office.
The Agency's five-member board must be drawn from Californians with expertise in privacy, technology or consumer rights. The state's Governor appoints the board's chair and one member, while the remaining three are appointed by the Attorney General, the Senate Rules Committee and the Speaker of the California Assembly.
Summary
The CPRA enhances consumer privacy rights and protections by requiring businesses to disclose more information and to put safeguards in place.
Make sure you follow the regulation's requirements if the CPRA applies to you. This will include:
- Ensuring you're offering minors adequate protections
- Meeting notification and retention-disclosure obligations
- Honoring requests to correct personal information and to limit the use of sensitive personal information
- Limiting how you track your users
- Implementing reasonable security procedures appropriate to the data you hold
If you haven't started towards CPRA compliance, now is the time.