In November 2020, California residents voted the California Privacy Rights Act (CPRA) into law — an amendment and expansion of the 2018 California Consumer Privacy Act (CCPA).
The CPRA went into effect on January 1, 2023 and is now fully in force.
Organizations should make changes to both their privacy and business practices as soon as possible. Otherwise, you may expose yourself to the risk of falling behind the curve and even getting in trouble for not implementing the proper policy changes.
Read on to learn more about the CPRA, how it may affect your organization, and how you can comply with it. You can also read our full comparison of the CCPA vs. CPRA.
What Is the CPRA?
The CPRA, which stands for California Privacy Rights Act, amended the CCPA and introduced several changes to the privacy rules.
Compared to its predecessor, this act is more small-business friendly. However, it also:
- Grants consumers more rights
- Establishes an agency to implement and enforce the CPRA
- Places new requirements on organizations
It’s currently entirely in force with a look back to July 1, 2023, but this was not the original plan.
At first, the amendments were scheduled to come into effect on January 1, 2023, with a look back to January 2022. However, the California Privacy Protection Agency (CCPA) was late finalizing the official enforcement rules.
As a result, California courts extended the enforcement date to March 29, 2024, and only the statutory requirements were considered enforceable.
The CPPA then appealed this decision, and on February 9, 2024, California’s Third District Court of Appeal sided with the CPPA, reverting the enforcement date to July 1, 2023.
Which Organizations Does the CPRA Apply To?
The CPRA applies to for-profit organizations that do business in the State of California and meet one or more of the following criteria:
- Had $25 million in annual gross revenues as of January 1 of the preceding calendar year
- Sell, buy, or share the personal information of 100,000 California households or consumers
- Derive 50% or more of its revenues from sharing (a newly defined term) or selling personal information
These new thresholds exempt some small businesses from CPRA regulations. However, they also expand the scope of applicability since companies that make 50% or more of their revenue from sharing personal information also fall under the law.
The following types of entities will also be subject to the CPRA:
- Joint ventures or partnerships in which each business has at least 40% interest — each business in this relationship will be considered a single separate business
-
Commonly controlled entities, which are entities that:
- Controlled or control a covered business
- Share common branding with the business
- Have access to the personal information of the covered business’s consumers
- Any business that wants to comply with the CPRA, even if it doesn’t fall under the thresholds above
CPRA Exemptions
Personal data from the following people are now exempt from CPRA provisions:
- People taking part in clinical trials or biomedical research
- Healthcare providers, including medical data that is protected by the Confidentiality of Medical Information Act
The CPRA also extended exemptions given to business-to-business (B2B) and employment data until January 1, 2023.
CPRA Enforcement
One of the most significant changes the CPRA introduces is the establishment of the California Privacy Protection Agency (CPPA).
The agency initiates actions through the Administrative Law Court to enforce, regulate, and implement the CPRA. Unlike the state court system — which previously enforced the CCPA — the Administrative Law Court provides independent, neutral hearings that are less formal and more transparent.
This change shifts the responsibility to enforce the CPRA from the Office of the Attorney General to the CPPA. It’s also be responsible for educating the public about consumer and privacy rights.
The CPPA was established in March 2021 and features a five-member board of experts in consumer rights, technology, and privacy.
New and Expanded Definitions in the CPRA
The CPRA adds new and expanded definitions and concepts to California’s privacy laws.
Sharing
The CPRA defines sharing as the disclosure of personal information to third parties for cross-context behavioral advertising. It includes sharing for free, for monetary gain, or any other consideration of value.
Businesses that share personal information must give consumers an obvious “Do Not Share My Personal Information” link and an option to opt out of sharing. A “Do not Share link” may be combined with a “Do not Sell link.”
Sensitive Personal Information (SPI)
The CPRA has kept its predecessor’s definition of personal information but has also added a new category called sensitive personal information (SPI), which has increased compliance requirements and includes:
- Driver’s license numbers
- Social Security Numbers (SSN)
- State ID numbers
- Union membership
- Passport numbers
- User credentials such as usernames and passwords
- Biometric data and genetics
- Ethnic or racial origins
- Precise geolocations
- Religious or philosophical beliefs
- Information about a consumer’s sexual orientation, sex life, or health
- Contents of a consumer’s text, mail, and email
If your business deals with SPI of any sort, be careful where you store this information and what you do with it. Under the CPRA amendments, consumers have the right to limit your use and disclosure of SPI — they can tell you to use it only when necessary.
Contractors
The CPRA defines a contractor as an individual to whom an organization has made a consumer’s personal information available for a business purpose established by a written contract.
Contractors must certify that they understand and will comply with CPRA requirements. They have to notify the business if they are unable to comply.
Profiling
Profiling is any automated processing of personal information that a business does to make predictions about an individual’s economic situation, preferences, health, reliability, location, behavior, movements, and performance at work.
For example, a company is profiling if it uses AI interview software to observe an applicant’s personal attributes and behavior and predict how they will perform in the workplace.
Publicly Available Information
The CPRA has expanded the definition of “publicly available” information. It now includes:
- Information that a business reasonably believes has been lawfully made available to the general public from widely distributed media or by the consumer
- Information given by a person to whom the consumer has disclosed the information — if the consumer hasn’t limited the information to a specific group of people
This update makes compliance easier for companies that collect data from sources where users don’t restrict access to their content.
Examples include social media platforms like Instagram, Facebook, and YouTube.
Expanded Consumer Rights
Additionally, the CPRA provides consumers with some new and expanded rights, which include:
The Ability To Opt Out of Sharing Personal Information
Consumers now have the right to opt out of both the sale and sharing of personal information. They have this right, whether or not money — or another valuable consideration — is exchanged as a result of sharing the personal information.
The Right To Correct and Delete Inaccurate Personal Information
The CPRA gives consumers the right to correct and delete inaccurate personal information. Covered businesses also need to disclose this right to consumers and use reasonable efforts to fix or delete mistakes after receiving a verified consumer request.
The Right to Access Data
In contrast to the current legislation, the CPRA lets consumers request information collected from them beyond a 12-month look-back period. The only exception to this rule is if doing so is impossible or requires “disproportionate effort.” The CPPA will determine what “disproportionate effort” means by and through its rulemaking.
The Right To Opt Out of Automated Decision-Making and Profiling
Consumers have the right to know about and opt out of any type of automated decision-making. Therefore, businesses must provide adequate information to the public about how automated decision-making works and the likely outcome of the process.
An Expanded Private Right of Action
Consumers now have a private right of action against businesses when data breaches occur and the following are exposed or compromised:
- Email address in combination with a password or security question and answer that would permit access to the account
- Nonencrypted and nonredacted personal information due to a business’s negligence to implement and maintain reasonable security procedures
Expanded Rights for Consumers Who Are Minors
This legislation also strengthens consumer rights for minors. For example, businesses must obtain explicit opt-in consent before sharing or selling the personal information of a consumer who is under 16 years old.
Businesses must also establish a way for a minor consumer or their parent/s to specify that the consumer is between 13 and 16 years old or less than 13.
Expanded Obligations for Businesses
To protect consumer rights, the CPRA has also expanded obligations for businesses, which include:
Requirements for Security Implementation
The CPRA requires businesses to actively implement “reasonable security procedures and practices” to protect personal information. If your business is expected to create a significant risk to consumers’ privacy, you must perform annual cybersecurity checks and submit your results to the CPPA.
A draft of these cybersecurity audit requirements was released by the CPPA in December 2023.
New Contractual Obligations
To protect consumer rights further, the CPRA imposes broader obligations for businesses that share, sell, or disclose personal information to contractors, third parties, and service providers.
If you work with any of those parties, you must do the following in your written contracts with them:
- Specify that the information disclosed or sold by your business is only for specified and limited purposes
- Make it necessary for them to comply with the CPRA and “provide the same level of privacy protection” required
- Require them to notify the business if they can no longer meet their CPRA obligations
- Tell them you have the right to take appropriate and reasonable steps to stop unauthorized use of personal information
Limited Defenses Following Data Breaches
The CPRA also limits businesses from pursuing certain defenses to private actions.
Specifically, the maintenance and implementation of reasonable security practices and procedures after a data breach will not be considered a proper defense or “cure” for that data breach.
Storage Limitation and Data Minimization
Last but not least, this act establishes the concepts of storage limitation and data minimization.
Like the European Union’s General Data Protection Regulation (GDPR), the CPRA stipulates that businesses can only collect personal information when it’s required or “reasonably necessary” for the purpose it is collected.
In addition, businesses can’t retain personal information for longer than necessary for the purpose it was collected.
CPRA Penalties and Fines
The CPRA has added a new penalty: You can now be fined up to $7,500 in administrative fines for intentional violations or violations involving the personal information of people under the age of 16.
The CPRA will also remove the 30-day cure period that automatically begins after being charged with an alleged violation. Instead, the CPPA decides how much time you have to correct your mistakes. They will take into account the following factors:
- Whether you meant to violate the CPRA
- Whether you made efforts to cure the alleged violation
General Tips for CPRA Compliance
All in all, the CPRA has made many changes and additions to California’s current data privacy law and is now fully in enforceable.
Because the CPRA applies to all personal information collected on or after July 1, 2023, keep the following tips in mind when ensuring your organization complies with the rules:
1. Check if the CPRA will apply to your company.
Since the thresholds have changed, some companies are no longer covered by the amended act.
Also, keep in mind that CPRA compliance extends outside California. So as long as California residents can access your website and you meet the CPRA criteria, you need to comply with the CPRA.
2. Update your privacy policy.
Make sure your privacy policy complies with the CPRA. Remember to include sections about:
- Consumers’ rights
- How consumers can request access, delete, or change personal information
- How minors and their parents can give consent to the sharing or selling of minor consumers’ personal information with a consent form
Be as detailed as possible so that consumers know their rights before giving you any personal information. If there are too many changes to make, consider rewriting your privacy policy or using a privacy policy generator
3. Update your contracts.
Read over the contractual provisions in CPRA and start amending the contracts and contract templates for third parties, contractors, and service providers. Then check if they can accommodate these new requirements. If not, you may need to find new vendors who can comply with CPRA.
4. Update your website.
To comply with the CPRA’s expanded right to opt out of sharing personal information with third parties for advertising, you need to add a “Do Not Sell My Personal Information“ link on your homepage.
You also need to add a “Limit the Use of My Sensitive Personal Information” link to comply with the CPRA’s limitation of using consumers’ sensitive data.
For both links, you need to use a large, readable font that’s easy to read on mobile and desktop versions of your website.
