California Privacy Rights Act (CPRA)- Everything you need to know

The California Privacy Rights Act (CPRA) passed as a state-wide data privacy bill reshaping the U.S. data protection landscape and marking a significant data protection development at the state level.

Taking effect on January 1, 2023, and going into full enforcement on July 1, 2023, the CPRA holds significant implications for businesses.

The CPRA stands as the most robust consumer privacy law ever implemented in the United States, achieving a substantial and overarching alignment with the most comprehensive laws like the EU’s GDPR.

In this overview, we delve into the CPRA, exploring its implications and potential consequences for businesses.

CCPA vs. CPRA – Two Sides of the Same Coin?

If you’re wondering how the California Privacy Rights Act (CPRA) fits together with the California Consumer Privacy Act (CCPA), the short answer is that California has a single legal data privacy framework, established by the CCPA on January 1, 2020.

The CPRA acts as an overlay, more of a renovation than an entirely new law. It addresses ambiguities, introduces additional regulations, and establishes new safeguards for consumers. The CCPA paved the way, and the CPRA is now fortifying and reinforcing this path.

In essence, California doesn’t operate with two distinct data privacy laws but rather embraces a singular data privacy regime comprising the CCPA/CPRA setup.

CPRA Introduces California Privacy Protection Agency

CPRA established a data protection authority akin to the GDPR-mandated national DPAs overseeing and enforcing the EU’s data privacy laws.

Taking a central role as the primary enforcer and supervisor of the CCPA/CPRA, the California Privacy Protection Agency (CPPA) has the authority to investigate and impose fines for violations.

With full enforcement authority over the CCPA/CPRA regime, the CPPA is empowered to investigate potential breaches and violations.

The establishment of the California Privacy Protection Agency (CPPA) marks a shift in enforcement responsibilities from the Office of the Attorney General to this new government agency.

Moreover, the CPRA eliminates the 30-day grace period businesses previously enjoyed after receiving notification of an alleged breach or violation while also increasing the maximum fines for violations.

New and Expanded Rights for California Consumers

The California Privacy Rights Act (CPRA) introduces four novel rights and revises five existing rights for residents of California.

The CPRA expanded the scope of “consumers” to encompass employees. Formerly, employees and other business partners were excluded from the protection of California privacy laws, but this exemption no longer applies.

The four new rights under CPRA include:

  1. Right to correction: Users can request the correction of their personal and sensitive personal information if deemed inaccurate.
  2. Right to limit the use of sensitive personal information: California residents can compel businesses to restrict the usage of sensitive personal information, especially concerning third-party sharing.
  3. Right to opt-out of automated decision-making: California residents can decline the use of their personal data for automated decision-making, such as profiling for targeted behavioral advertising.
  4. Right to know about automated decision-making: California residents have the prerogative to request access to and information about the workings of automated decision technologies and their likely outcomes.

The five modified rights under CPRA are:

  1. Right to data portability: California residents can request to transfer their personal information to other businesses or organizations.
  2. Right to delete: California residents can request the deletion of their personal information, and businesses are now obligated to notify third parties and request the removal.
  3. Rights of minors: The opt-in requirement for businesses dealing with minors is expanded to encompass the sharing of personal information for behavioral advertising.
  4. Right to know: Residents can now seek access to personal information collected beyond the original 12-month limit stipulated in the CCPA.
  5. Right to opt-out: California residents can opt out of businesses sharing and selling their personal information specifically for behavioral advertising, extending beyond the CCPA’s focus on selling personal information.

Who Needs to Comply with the CPRA

The CPRA also sets new threshold criteria for businesses that are obligated to comply. A company is categorized as a “business” under the CPRA if it is:

  • Exceeding $25 million in gross revenue in the preceding calendar year
  • Buying, selling, or sharing personal information of 100,000 or more consumers or households
  • Deriving 50% or more of annual revenue from selling or sharing consumers’ personal information

What is Personal Information According to the CPRA

The CPRA characterizes personal information as data that identifies, pertains to, describes, is reasonably capable of being linked with, or could reasonably be connected, directly or indirectly, to a specific consumer or household.

Sensitive personal information is subject to additional requirements during its collection and processing. It includes categories such as:

  • Consumer identifiers like social security numbers and driver’s licenses.
  • Account access information.
  • Precise geolocation data.
  • Details regarding sexual identity, ethnicity, etc.
  • Genetic and biometric data.
  • And other related categories.

New Obligations on Businesses

Applying to for-profit entities operating in California and collecting personal information from California consumers, the CPRA introduces clarified and heightened obligations.

The CPRA introduces three additional requirements for businesses that are closely modeled after the EU’s GDPR regime:

In other words, businesses can only collect, use, store, and share Californians’ personal information in accordance with what is reasonably necessary and proportionate to the collection purpose.

What About Consent?

The CPRA mandates that businesses accept opt-out requests, allowing them to default to collecting users’ personal information as long as they provide notice about the collection and a method for opting out.

Businesses are required to include a “do not sell or share my personal information” link, particularly for targeted advertising. They must also respect opt-out requests from authorized third-party signals.

Additionally, businesses must provide a “limit the use of my sensitive personal information” link, restricting the sale or sharing of sensitive personal information unless essential for product or service provision or specific purposes outlined in the law (such as customer service).

While most personal data collection operates on an opt-out basis, opt-in consent is required for:

  1. Selling or sharing the personal information of minors.
  2. Offering participation in financial incentive programs.
  3. Selling or sharing the personal information of consumers who have previously opted out.
  4. Using personal information for a secondary purpose beyond the original purpose.
  5. Using personal information for scientific research.

CPRA Regulates Behavioral Advertising

The CPRA amends the CCPA, particularly by regulating behavioral advertising and focusing on personalized marketing that uses personal information to target California residents.

The CCPA initially outlined the right to opt-out, limiting the use, sale, and sharing of personal information for advertising purposes.

However, the CPRA introduces two distinct advertising categories: cross-context behavioral advertising and non-personalized advertising. The right to opt-out regulates the former, while the latter remains unaffected by this regulation.

CPRA Introduces Changes in Penalties

Penalties under the CPRA consist of:

  • $2500 per offense for negligent mistakes
  • $7500 per offense for willful offenses

Each affected individual in a violation is considered a separate offense, leading to potential rapid accumulation of fines, particularly for willful negligence.

However, the CPRA also introduces changes to the penalties and enforcement mechanisms compared to the California Consumer Privacy Act (CCPA).

Triple Penalties for Violations Involving Minors

The CPRA triples the penalties for privacy violations involving the personal information of minors under the age of 16. This is a notable increase compared to the CCPA.

Another noteworthy change is that if consent for collecting a child’s data is not obtained, a mandatory 12-month waiting period applies before another request can be made.

New Category of Violation for Sensitive Personal Information

The CPRA introduces a new category of violation specific to processing sensitive personal information. Violations related to this category may incur higher penalties.

How to Get Compliant

Navigating an intricate web of data privacy laws can be overwhelming, especially for businesses operating internationally. These are some of the things you can set up on your compliance checklist:

1. Conduct an Audit

The best way to find out where you stand is to conduct a specialized audit. The audit will help you understand where you stand, as well as identify any areas for improvement.

By evaluating your privacy program, you can gain a clear understanding of data practices, identify risks, and implement necessary changes.

The external privacy audit typically involves conducting interviews, reviewing documentation and records, analyzing systems and processes, and performing on-site visits.

The auditors may also assess the organization’s privacy governance structure, training and awareness programs, and data breach response preparedness.


2. Implement Organizational and Technical Measures

Implement organizational and technical measures to protect personal information from unauthorized access, disclosure, alteration, and destruction.

This may involve pseudonymization and anonymization, conducting DPIAs or LIAs, regular audits, employee training, and the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.

3. Establish a Privacy Program

Compliance is an ongoing activity that involves different stakeholders and departments within your company. Having a robust privacy program in place will help you coordinate compliance activities for the CPRA and any other privacy laws applicable to your business.

For a successful privacy program, it is crucial to automate the processes and employ specialized software for personal data management.

4. Minimize Data Collection

Adopt a data minimization approach. Only collect and retain data necessary for the specified purpose. The less personal information you hold, the lower the risk of a data breach.

Conduct periodic reviews of your data collection practices. As business needs evolve, so do data requirements. Regularly reassess the necessity of collecting certain types of data and adjust your practices.

5. Manage Collected Consents

Review your consent mechanisms and ensure that your consent notices are easy to understand and that individuals can easily opt-in and opt-out. Keep records of consent to demonstrate compliance.

To track and monitor consent collection, you can utilize Consent Management platforms that can give you real-time insight into the complete personal data lifecycle from the moment of opt-in to the data removal.
