On November 3rd, 2020, California voters approved Proposition 24, a ballot measure that created the California Privacy Rights Act of 2020 (CPRA). Also called the California Privacy Rights and Enforcement Act of 2020, CPRA amends and expands portions of the state’s existing data privacy law, the California Consumer Privacy Act (CCPA).
The CPRA establishes a new baseline for consumer data privacy in California, increasing consumer rights, placing additional obligations on businesses, and establishing a new dedicated agency to oversee and enforce data privacy rules. It also expands the type of data covered through a wider definition of sensitive personal information (PI), including geolocation, race, genetic information, and more. Businesses must make it even easier for consumers to access, correct, or delete their data—and consumers’ opt-out rights from the CCPA have been expanded under CPRA.
Finally, the act introduces new GDPR-style governance measures and establishes a new enforcement body called the California Privacy Protection Agency, the first dedicated privacy protection agency established in the United States. This agency will address policymaking and enforcement of privacy laws previously managed by the California Attorney General.
The CPRA (California Privacy Rights and Enforcement Act) was a ballot initiative supported by a data privacy advocacy group called Californians for Consumer Privacy. In 2018, the group had earned enough signatures to qualify its proposal for a new privacy law on the ballot. But before citizens had the chance to vote on the proposal, the state’s legislature struck a deal with the advocacy group to remove the initiative from the ballot. In exchange, California’s legislature passed the CCPA, the nation’s first consumer privacy law.
However, Californians for Consumer Privacy were not satisfied with the regulatory provisions of the CCPA. By the time it was passed by lawmakers, it had become far less restrictive than the original ballot proposal. Thus, the group sought to pursue a second ballot measure in 2020 that became the CPRA (California Privacy Rights Act).
Californians voted to accept Proposition 24, which set in motion the CPRA to become state law. California is known for its frequent use of ballot propositions, which enable advocates to forgo the usual legislative processes in favor of direct vote by the public people. Through simple majority approval by California residents, a referendum or ballot measure can be passed. That’s exactly how the CPRA was codified into law.
The CPRA will transfer all funding, rulemaking, and enforcement from the California Attorney General to the new California Privacy Protection Agency (PPA).
One of the major impacts of the CPRA is an increase in penalties for security cybersecurity violations. The CPRA triples fines for violations involving children’s data, totaling a maximum of $7,500 per violation. It will also remove the 30-day cure period (time granted to remedy the issue before incurring a penalty) that businesses can currently use under the CCPA.
The CPRA aims to reduce the burden of data privacy regulations on small and mid-sized businesses, while adding more oversight for big businesses that sell and share data. To do so, the act doubles the threshold on consumer or household personal information (PI) from 50,000 to 100,000, so smaller businesses aren’t strapped by the most stringent data privacy rules. At the same time, the CPRA increases scrutiny for businesses that generate most of their revenue from sharing PI, and not just specifically from selling it.
The CPRA imposes new, separate data requirements and restrictions on a more specification of data it defines as “sensitive personal information.” This new category of data includes government-issued identifiers such as Social Security numbers and driver’s licenses, financial account and login information, email addresses, precise geolocation, race, ethnicity, religious beliefs, personal messages, health or genetic data, and sexual orientation or sex life information.
With a focus on strengthening individual rights, the California Privacy Act enhances the control consumers have regarding their own data. In addition to existing measures under the CCPA, such as the right to know, delete, and nondiscrimination—the CPRA adds new rights and expands upon others, like opting out. Brand new rights under the CPRA include the right for consumers to correct information that isn’t accurate. Perhaps the biggest change is the new right to opt out of automated decision-making technology, which often creates “profiles” based on PI. Consumers are now also allowed the right to access information about the automated decision-making process, to better understand this technology and the outcomes generated by the user’s PI (for example, targeted web ads based on search history). Finally, there are also new rights to restrict sensitive PI from reaching third parties, and new audit obligations to ensure PI data is being handled, stored, and used in accordance with the law.
The CPRA adopts some principles from the European Union’s General Data Protection Regulation (GDPR). These concepts include data minimization, purpose limitation, and storage limitation preventing businesses from collecting, using, retaining, or sharing more PI than is required for the specific business purpose. The CPRA also adds more specificity to California’s data “consent” standard, which is more closely aligned with the language used in the GDPR.
While the CPRA has been enacted into law, rules are not scheduled to be enforced until January 1, 2023. The act lays out a compliance timeline over the new two years to help consumers, businesses, and the state prepare—including the establishment of the new California Privacy Protection Agency starting as early as December 2020.
When the CPRA becomes operative in 2023, regulations will apply to PI collected on or after January 1, 2022. Then, enforcement will begin officially in full on July 1, 2023.
The CPRA (sometimes mistakenly abbreviated as CPRA) was introduced to strengthen the existing set of data privacy laws put forth by the CCPA. The act does not replace or repeal the CCPA, but rather adds to California’s existing law and closes some of the loopholes.
In addition to new rights mentioned previously, the CPRA modifies and expands upon many of the California Consumer Privacy Act rights. Those rights include:
Right to Delete: Businesses Companies must now inform third parties to delete any consumer PI that has been shared or bought (pending some exceptions).
Right to Know: This provision has been expanded to include requests for PI collected beyond just the prior 12 months (but will apply only to data collected after January 1, 2022).
Right to Opt Out: The CCPA already provides consumers the right to opt out of the selling of their data, but is expanded under the CPRA to include opt out for cross-context behavioral advertising, which applies to targeted ads and the like.
Opt-in Rights for Minors: Also previously existing under CCPA, this has now been amended to explicitly include the sharing of PI for behavioral advertising.
Right to Data Portability: If it is technically possible, consumers can now request that businesses provide specific pieces of PI to another entity.
Even though there's still time until the CPRA becomes enforced by law, businesses and organizations must start preparing in advance because the process of becoming compliant can be challenging.
Fortunately, there are ways you can better prepare for the change while also ensuring the data your company handles is secure.
Here are a few helpful CPRA compliance tips. In addition, we’ve outlined the steps you should take to prepare for the act becoming law.
The entire purpose of CPRA is to ensure that consumer data collecting and processing is transparent and clearly defined. But for that to happen, companies must know as much as possible about the data they currently have.
So, before you move forward with making your company CPRA compliant, you need to perform a thorough audit, identifying what data you're collecting, how it's used, and how you can sort it to easily find and delete bits of data according to the requirements.
With CCPA compliance already in place, you should know what type of data you're collecting and processing about individuals. However, when CPRA goes into effect, there will be additional security measures that companies will have to comply with, especially those that relate to "sensitive personal information."
Users will have the right to request that this sensitive data be removed. As a result, you'll need to have a way to separate it from the non-sensitive information you collect. The best way to achieve that is to get ahead of the problem and implement ways to separate data accordingly, allowing you to easily comply with the requests when the time comes.
When the CCPA was introduced, it provided an exemption to the data privacy regulations for B2B and HR communications. And with CPRA, that deadline has actually been pushed to 2023.
However, since the compliance programs for B2B and HR will be a big challenge and might take a lot of time, it's good to get a head start and find ways to stay compliant while adding the new CPRA requirements as well.
Map out your data and understand what you're currently using. Find a way to mark and identify personal information data that might need to be deleted.
Update your data collection and management processes according to the CPRA guidelines.
Make sure your privacy notice is aligned with the CPRA disclosure.
If you work with contractors or providers, check with them to see whether they are compliant as well.
Perform a risk assessment and prepare a plan for dealing with situations where you fail to comply.
If you want to learn more about compliance best practices, learn how Delphix provides an API-first data platform enabling teams to find and mask sensitive data for compliance with privacy regulations.