- 1. The California Consumer Privacy Act (CCPA)
- 2. The California Privacy Rights Act (CPRA)
- 2.1. CPRA Privacy Rights
- 2.1.1. Sensitive Information
- 2.1.2. Data Retention
- 2.1.3. Automated Decision-Making
- 2.1.4. Right of Correction
- 2.1.5. Right to Opt Out of Data Sharing
- 3.1. Sensitive Information Clause
- 3.2. Limiting Use of Sensitive Information
- 3.3. Data Retention Clause
- 3.4. Data Profiling
- 3.5. Right to Correct Inaccuracies
- 3.6. Third Party Data Sharing
- 5. Penalties for Failing to Comply With the CPRA
- 6. Conclusion
The California Consumer Privacy Act (CCPA)
Introduced in 2018, the CCPA is one of the United States' most significant privacy laws. Under the act, consumers now have a wide range of rights over how businesses collect, use, and process their personal information.
As per Section 1798.140(o)(1) of the CCPA, personal information is any data you can use to identify a person or household.
- Whether you collect personal information, and how it's used
- What rights Californians have over their personal data, and
- How they can exercise those rights
- What categories of personal information you collect
- The reasons why you collect personal data
- How this data is used
- How the data is shared
You must also tell people about their rights to:
- Request deletion of their personal data (subject to exceptions)
- Opt out of the sale of personal data
You cannot discriminate against any customer for exercising these rights.
The California Privacy Rights Act (CPRA)
The CPRA came into force on December 16, 2020 and became effective on January 1, 2023.
Essentially, the CPRA introduces major changes to the CCPA:
- The CPRA gives Californians new rights over their personal information and expands some existing rights
- The Act creates the California Privacy Protection Agency, which can enforce the CPRA alongside the Attorney General
- The CPRA introduces a new category - contractors - which must comply with the CPRA
We're confining our focus here to Privacy Policies, but you should consider how the other changes may affect your business, as well.
To be clear, the CPRA doesn't replace the CCPA. It simply amends and updates parts of it. The CCPA can be referred to now as the CCPA (CPRA).
CPRA Privacy Rights
Sensitive information includes, for example:
- Private personal data e.g. passport number, driver's license numbers
- Health information e.g. biodata
- Racial and ethnic origins
- Religious beliefs
- Financial information e.g. credit card details
- Account login data
Under the CPRA amendment, Californians have the right to limit what sensitive data you collect, how it's used, and how it's shared.
You must, under the CPRA amendment, tell customers how long you intend to retain their personal data. If you do not have a specific duration in mind, then you should explain how you will determine the appropriate time frame. For example, set out what criteria you'll use to decide how long you need a certain type of data for.
Your business should not retain data for any longer than reasonably necessary to fulfill a disclosed purpose. So, bear this in mind when you're considering how long you will retain personal information.
Although there's no automatic right for people to stop you using their data for automated decision-making, they can stop you using it for certain purposes defined in Section 1798.140(z).
Under this section, people can stop you using their data for automated decision-making relating to:
- Workplace performance
- Economic situation
- Behavior and reliability
- Personal preferences and interests
- Location and movements
Right of Correction
Now, Californians have the right to request amendments to their personal data if it's inaccurate or outdated in any way. You must honor this right if a customer makes the request.
Right to Opt Out of Data Sharing
The CCPA gave Californians the right to opt out of the sale of personal information. The CPRA amendment allows Californians to stop you sharing their data with any third party, even if you're not selling it.
This change aligns the CCPA more closely with the EU's GDPR, which allows individuals to stop businesses from disclosing their data to third parties.
- Sensitive information
- Data retention
- Automated decision-making
- Right of correction
- Third party disclosures
Sensitive Information Clause
For example, the Bank of America collects a variety of sensitive data, including a customer's Social Security number and biometric data, and discloses it as such:
If you're unsure what counts as sensitive data, refer to CCPA Section 1798.140(ae)(1).
Limiting Use of Sensitive Information
It's not enough just to list the type of sensitive information you collect. Under the CPRA, people can request that you only use sensitive information to fulfill a specified purpose, i.e., to provide the ordered goods or services.
If a customer makes this request, you can't use the data for any other reason unless the individual gives you permission to do so. This is set out in Section 1798.121.
If you collect sensitive data, provide a clear link on your website homepage to a page titled "Limit the Use of My Sensitive Information." Alternatively, you can have one page for opting out of both the sale of personal data and the sharing of sensitive information. This is set out in Section 1798.135.
Data Retention Clause
Include a clause explaining either how long you retain data or how you'll decide the appropriate time frame for retaining data.
Etsy, for example, has a clause concerning data retention. It's a good example as there is some breakdown of different categories of data and how long information will be retained. However, the categories could be more specific to achieve CPRA compliance:
Although there's no automatic right for people to turn off all data profiling, you must confirm how they can contact you to opt out when permitted by the act as described above.
See Section 1798.140(z) for more information.
Right to Correct Inaccuracies
- A statement that people have the right to correct inaccuracies, and
- Details for how they can exercise this right
Etsy includes a "Right to Correction" section in its "Your Rights and Choices" clause. There are also clear instructions for how to change details:
Krispy Kreme includes the right to amend account information in its "Your Choices" section:
Third Party Data Sharing
The CPRA amendments let Californians stop companies from sharing their data with any third party even if there's no sale involved. So, include a clause explaining:
- Customers have the right to restrict any sharing of their data with third parties
- How they can exercise this right
For example, here's how Walmart lists its consumer rights:
At a minimum, this means there must be a link in the header, footer, or sidebar.
Penalties for Failing to Comply With the CPRA
The financial penalties for non-compliance vary depending on the severity of the violation:
- Accidental breach: up to $2,500 per violation
- Deliberate breach: up to $7,500 per violation
However, businesses should only be fined if they're made aware of the breach and fail to "cure" it within 30 days.
Affected consumers can also bring a private right of action and seek statutory damages. However, again, businesses must have the opportunity to cure the breach before consumers can seek compensation.
The California Privacy Rights Act (CPRA), which came into force in December 2020, significantly amends the California Consumer Privacy Act (CCPA).
- Businesses, third parties, service providers and contractors doing business in California should comply with the CPRA.
The CPRA amendments give Californians new rights over their data:
- Right to amend incorrect personal data
- Right to opt out of data sharing
- Right to limit the disclosure of sensitive personal information
- You should also tell customers if you use their data for automated decision-making
- Sensitive information disclosure: What counts as sensitive data, whether you collect it, and how people can restrict data processing
- Data retention clause: How long your business keeps personal data from customers
Penalties for non-compliance include civil penalties and statutory damages.