On January 1, 2023, the California Privacy Rights Act (“CPRA”) will go into effect, adding new consumer protections and business obligations. The Attorney General of California has signalled an intention to strictly enforce the CPRA, so it’s important to make sure your business is compliant from the start. Here’s what you need to know about the CPRA.
What are the key changes under the CPRA?
The key changes under the CPRA are as follows:
- There are new consumer rights, including the right to delete data and the right to opt-out of sale of personal information.
- There are new definition for terms like “personal information” and “sale of personal information”.
- Businesses must now disclose data collection practices more clearly. This includes specifying the categories of personal information that are collected and the purposes for which they are used. businesses must also provide a “Do Not Sell My Personal Information” link on their website or mobile app.
- The CPRA creates a new enforcement agency called the California Privacy Protection Agency (“CPPA”). The CPPA will have authority to impose fines for violations of up to $2,500 per violation or up to $7,500 per intentional violation. The Attorney General will still have enforcement authority under the law as well.
- The CPRA exempts certain businesses, like those with under $25 million in annual revenue or those that collect only certain types of data like health information.
CPRA Enforcement Expansion
The CPRA enhances the CCPA’s penalty for collecting and selling children’s information (under the age of 16) and creates a new enforcement agency with fine-issuing jurisdiction. The California Privacy Protection Agency (CalPPA) will be in charge of enforcing privacy laws.
Consumer Rights Have Been Expanded
The CPRA extends consumer rights established under the CCPA and introduces additional consumer rights and safeguards. The CPRA guarantees the following consumer rights:
- NEW – The right to correct inaccurate information
- NEW – The right to limit the use and disclosure of sensitive personal information
- NEW – The right to opt-out of automated decision-making technology
- OLD – The right to delete personal information
- OLD – The right to know categories and specific pieces of personal information
- OLD – The right to opt-out of the sale or sharing of personal information
- OLD – The right of non-retaliation
Requirements for Data Retention and Minimization
With the passage of the California Privacy Rights Act (CPRA), there are now clear guidelines for data preservation and minimization: Corporations will now be subject to obligations comparable to those imposed on EU businesses under the General Data Protection Regulation (GDPR).
The CPRA codifies data minimization; holding sensitive personal data that no longer serves a commercial purpose will result in a penalty. The failure to limit customer data will be immediately enforced by the California Attorney General, regardless of whether it leads to other breaches of the law. The CPRA basically divides this into two parts:
DATA MINIMIZATION: According to the CPRA, any information gathered must be “reasonably required and proportional to either the purposes for which it was gathered or another declared purpose” comparable to the context in which it was gathered. Without alerting and obtaining further permission from the consumer, the individual’s data cannot be used in any other manner.
RETENTION OBLIGATIONS: Unlike the GDPR, which emphasized record retention, the CCPA did not contain provisions governing the amount of time an individual’s data might be retained. Storing too much data is typical (and greatly raises liability in the event of a data breach), but now organizations must concentrate on setting and implementing new data retention regulations.
Requirements for Cybersecurity
While some businesses were already required to implement cybersecurity measures, those covered by the CPRA must now “implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosures.”
Requirements for a Third Party/Vendor
The CPRA requires organizations that your organization contracts with to “offer the same degree of privacy protection” as required by law. If the vendor is unable to satisfy its third-party duties under the CPRA for whatever reason, they may notify the contracting organization, allowing the covered firm to “take reasonable and necessary actions to cease and remedy improper use of personal information.” However, third parties are not permitted to sell, distribute, or otherwise disclose personal information for any reason other than those specified in the contract.
Businesses should be prepared to react quickly to any regulatory obligations when it comes to CPRA compliance. Companies must be prepared to meet data needs at scale with sophisticated reporting, which may include executive reports, trends, and native reporting.
Furthermore, firms must automatically locate, identify, and categorize any sensitive personal information (SPI) kept wherever. According to the CPRA, this information includes:
- Driver’s licenses
- State identification numbers
- Precise geolocation
- Username and password
- “Sex life” or sexual orientation information on a passport
- Data on racial or ethnic origin
- Biometric or genetic data
- Membership in a union
- Mail, email, and SMS message content
- Religious or philosophical views
- Social Security Numbers
Notices to Customers
Companies are now obligated to send four different forms of consumer notifications. These notifications must be simple to read, conspicuous enough to catch the consumer’s attention, accessible to consumers with disabilities, and available in languages spoken where an organization does business on a regular basis.
- Notice at the time of collection. Personal data may only be used for the reasons specified at the time of collection. To use personal data for a new purpose, a corporation must get express permission.
- Notice about the right to opt-out of personal information sales. Consumers may choose not to have their personal information sold to another entity.
- Notification of financial incentives These notifications must provide a description of the incentive, material conditions, how to opt-in, how to withdraw, and why the CCPA allows the incentive.
According to the CCPA, organizations must provide two options for filing requests. One of them must represent the primary way the company communicates with customers (an online form, or toll-free phone number, for instance). If the engagement is primarily offline, a paper form may be required as well. Simply said, the legislation was meant to make it simple for people to access their data, putting the onus on corporations to do the same.
CCRA adds a few more stages to the 45-day schedule for completing requests, such as stating that the organization must confirm receipt of an individual’s request within 10 business days, rather than calendar days (the 45-day fulfilment timeline remains calendar days). Now, businesses have to:
- Within 10 business days, confirm receipt of the request.
- Within 15 business days, respond to opt-out requests.
- Inform third parties that they must cease selling customer information within 90 days.
- Keep request record logs for two years.
- There is also a two-year recordkeeping requirement—companies must have a well-documented mechanism for reporting and monitoring. When regulators come knocking, you’ll have a paper trail to show you’ve been following the rules.
Businesses will no longer be required to reply to inquiries about whether:
- The personal information is kept in a searchable or generally accessible manner. The information is kept for legal or compliance reasons.
- The personal information information is kept in a searchable or generally accessible manner.
- The information is kept for legal or compliance reasons.
Regulations such as the CCPA actually increase the risk of personal data breaches if the company does not have a closely knit mechanism in place to authenticate the identity of the requestor. Before a corporation may provide personal information, it must be able to verify that the requestor is who they claim to be! Otherwise, there will be a slew of privacy and legal difficulties as a result of an unintended breach of personal data. As a result, businesses must create, record, and adhere to acceptable verification techniques.
So, what is an acceptable verification method? There are many options. It might be as follows:
- – Based on previously stored personal information
- – Currently active password-protected account
- – Utilization of a third-party verification service
- – Businesses should also refrain from collecting more personal information throughout the authentication process.
According to the statute, obtaining more personal information—an address, Social Security number, or other sensitive information—creates additional privacy concerns when it comes to verification. As a result, utilizing current data to check is optimal. The more sensitive and extensive the information, the more stringent the verification procedure must be.
The Right to Correct
With the above in mind, businesses doing business in California must be able to create an inventory of all personal and sensitive information associated with an identity. This knowledge may be obtained directly or indirectly.
You should inventory all of that data to get a full view of what consumer information your company is gathering.
Because the CPRA requires companies to offer consumers with the ability to correct and amend any information the firm holds that the consumer believes is wrong.
The Right to Know
Your company should also aim to enhance whatever privacy management program it already has in place by tracking data flows and automating the “right to know” fulfillment process.
The CPRA defines a consumer’s “right to know” as personal information that is not only collected, but also shared or sold. Your business must now disclose which data categories it collects, distributes, or sells to other parties. Furthermore, bear in mind that the right to know goes beyond the CCPA’s existing 12-month lookback provision.
The Right to Restrict the Disclosure and Use of Sensitive Personal Information
Your organization should add context to the data it gathers by inferring new qualities, discovering connections, and visualizing data based on its intended purpose.
This is owing to the CPRA’s requirement that customers restrict the gathering and processing of their sensitive personal data to just “necessary” purposes with the objective of delivering the services or products they’ve requested.
The Right to Delete
Your company must be able to establish where information is stored, what should be erased, and guarantee that continual deletion validation is automated.
This is because the CPRA requires enterprises to notify service providers, contractors, and third parties of consumer deletion requests. The key point to note here is that once your organization gets the deletion request, you are now responsible for ensuring that all third parties collaborate to continue removing the consumer’s data in the future.
To comply with the CPRA, you should concentrate on:
- Data security
- Reducing data retention
- Reducing data collecting
Also, bear in mind that your company must prominently display a “Limit the Use of My Sensitive Information” link or button on its website. The only exception is if you provide customers the chance to restrict information usage through a preference signal (as in from a browser).
- Determine if the CPRA applies to your company. Examine if your company satisfies the new criteria, since organizations that fulfill the CCPA standards may now be free from CPRA. Also, keep in mind that CPRA compliance extends beyond the borders of California. If a California resident may visit your website, CPRA compliance is required.
- Include consumer request forms. The CPRA provides consumers with enhanced rights as well as the ability to make specific requests about personal data. Create online request forms that allow customers to simply submit their requests. According to the CPRA, companies must provide at least two means for customers to make requests. You may also provide a toll-free phone number where customers can make requests. Make your phone number readily visible on your website or privacy page.
- Include a ‘Do not share’ opt-out notice. The CCPA already requires opt-out of sale links. The CPRA broadens the right to opt-out to encompass the “sharing” of personal information with third parties for targeted advertising. As a result, companies should change their links to “Do not sell or disclose my personal information” and place them on the homepage of their website.
- Conduct a data inventory. Perform a data inventory to determine the kind of information you gather and if you collect sensitive personal information. Determine which companies you share data with, where it is kept, and how it is transported. Regular audits should be performed to examine and improve data mapping activities, including monitoring and protection of sensitive personal information.
- Examine your contracts. Examine the CPRA’s amended contractual terms and be prepared to change contracts with service providers, contractors, and third parties. Check that your suppliers have acceptable data privacy safeguards in accordance with the most recent CCPA reforms.
Does the CPRA apply to me?
If you reply “yes” to any of the questions below, you are subject to the CPRA.
- Is your company’s yearly sales more than $25 million, AND do you keep personal information about California residents or households?
- Do you purchase, trade, or distribute personal information on 100,000 or more California consumers or households?
- Is at least half of your company’s yearly income generated from selling or exchanging California customer information?
What exactly is the CPRA’s “purpose limitation” mandate?
The CPRA codifies a concept found in the Fair Information Practice Principles and the GDPR, requiring a business to collect, use, retain, and share a consumer’s personal information only as “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected or processed.” Cal. Civ. Code § 1798.100
Data over-collection is ubiquitous in all sectors and enterprises of all sizes. Some businesses, especially those that have not gone through a GDPR compliance process, may find it difficult to break the habit of too broad data gathering methods in order to guarantee that data acquisition is appropriate and proportional to the company’s legitimate business purpose. Furthermore, because the CPRA requires businesses to provide notice of the purpose of data processing at the point of collection, a covered business may need to be much more thoughtful when crafting such disclosures, leaving some flexibility to enable the business to use data for both current and reasonably anticipated future purposes. Finally, a covered organization may benefit from implementing guardrails to prevent its business teams from utilizing personal information for new or secondary purposes in the future, which may exceed the scope of the processing revealed to the consumer at the time the data was obtained.
What is the new Right to Correct Inaccurate Personal Information?
The CPRA establishes a new consumer right to request that a company update erroneous personal information held by the firm. This right to rectify information, like the rights granted by the CCPA, must be mentioned to consumers in the privacy notice. When a company gets a confirmed request to update erroneous personal information, it must take “commercially reasonable efforts” to correct the information as specified by the customer and the established rules. The CPRA requests that the California Attorney General issue regulations governing how a business should respond to such a request, including exceptions for requests for which a response would be impossible or would have disproportionate effects, as well as how concerns about the accuracy of personal information should be addressed. Cal. Civ. Code Sections 1798.106, 1798.185
What is the new Right to Limit Use and Disclosure of Sensitive Personal Information?
The CPRA creates a new consumer right to opt out of or limit the use and disclosure of their “sensitive personal information” by businesses. The law defines sensitive personal information as including, but not being limited to, the contents of a consumer’s mail, email and text messages, social security numbers, driver’s license numbers, passport numbers, biometric data (e.g. fingerprints and iris scans), precise geolocation data, account passwords, race or ethnicity, religious beliefs, and sexual orientation. Cal. Civ. Code Section 1798.121.
California residents will now be able to direct businesses to limit their use of “sensitive personal information” to what is “necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services,” or for specific enumerated business purposes. According to the CPRA, a second link on the website’s homepage labeled “Limit the Use of My Sensitive Personal Information” will be required. In certain cases, a company may give a single homepage link that combines this link with the Do Not Sell or Share My Personal Information link, allowing customers to choose one or both options. The CPRA also contemplates the creation of a “opt-out preference signal” sent by the consumer’s request indicating the consumer’s intent to opt-out of the sale or sharing of the consumer’s personal information, or to limit the use and disclosure of sensitive personal information, or both, but leaves the specifics to the Attorney General Regulations.
What is the new Right to Access Information About, and Opt-Out of, Automated Decision-Making Technology?
While the CPRA is mostly quiet on the subject of automated decision-making technology, it does direct the Attorney General to draft rules controlling access and opt-out rights with regard to businesses’ use of automated decision-making technology and profiling. Profiling is defined in the Act as any automated processing of personal information to evaluate personal aspects related to a natural person, or to analyze or predict aspects concerning the person’s work performance, economic situation, health, personal preferences, interests, dependability, behavior, location, and movements. According to the text, such restrictions may force a company to publish information about the logic involved in the automated decision-making process in response to a customer request. Cal. Civ. Code Sections 1798.185(a)(16).
What is the difference between the CCPA’s Right to Opt Out of Sales and the CPRA’s Right to Opt Out of Sharing?
The California Consumer Privacy Act of 2018 (CCPA) gives consumers the right to opt out of the “sale” of their personal information, while the California Privacy Rights Act of 2020 (CPRA) provides consumers with the right to opt out of the “sharing” of their personal information. While there are some similarities between these two rights, there are also some important differences.
The CCPA’s right to opt out of sales applies to the transfer of personal information for monetary or other valuable consideration. The CPRA’s right to opt out of sharing, on the other hand, encompasses the disclosure of personal information to a third party for a business purpose that is not otherwise specified in the consumer’s request.
The CCPA defines a sale as the exchange of personal information for monetary or other valuable consideration. The CPRA, however, specifically excludes from the definition of sharing any disclosures made pursuant to a consumer’s request or direction, or in connection with the performance of a contract between the consumer and the business.
In order to opt out of the sale of their personal information under the CCPA, a consumer must submit a request to the business through a designated method, such as a link on the business’s website. The CPRA does not specifically require businesses to provide a link on their website for consumers to opt out of sharing, but it does give the Attorney General the authority to promulgate regulations requiring businesses to do so.
Is health information covered by the CCPA?
The CCPA does not apply to medical information covered by the Confidentiality of Medical Information Act (CMIA) or protected health information collected by a covered entity or business associate covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. While this is good news for healthcare providers, health plans, and their business partners, these exclusions do not completely exclude them from the law; rather, they give relief only to the extent that the information at issue is subject to those regulations (e.g., to protected health information under HIPAA). As a result, a healthcare practitioner may nonetheless be subject to CCPA responsibilities, but not with regard to patients’ protected health information.
What are the penalties for violating the CPRA?
The CPRA imposes civil penalties of up to $7,500 per violation for businesses that willfully violate its provisions. In addition, the Attorney General may bring an enforcement action against a business for violations of the Act. If the court finds that a business has violated the CPRA, it may order the business to pay a civil penalty of up to $2,500 for each violation. The court may also order the business to stop violating the CPRA and to take steps to remedy the violation.
In addition to these monetary penalties, the CPRA also allows consumers to bring a private right of action against businesses that violate the Act. If a consumer prevails in such an action, they may be entitled to recover damages of up to $750 per violation, or actual damages, whichever is greater. The court may also award attorneys’ fees and costs to the prevailing party.
Finally, the CPRA gives the Attorney General the authority to pursue injunctive relief against businesses that violate the Act. This means that the Attorney General can ask the court to order a business to stop violating the CPRA and to take steps to remedy the violation.
The enactment of the CPRA signals increased scrutiny from regulators on how businesses handle consumer data. To avoid costly fines and reputational damage, it is essential that businesses take steps now to ensure compliance with this complex law. By taking stock of their data collection practices and updating their policies and notices accordingly, businesses can position themselves for success when the CPRA takes effect on January 1, 2023.