Data protection laws always come with the potential for amendments to change those laws in light of both prevailing cybersecurity risks and the perception of consumer privacy rights not being fully protected. In California, the California Privacy Rights Act (CPRA) brings important changes to the state’s current data privacy law, the CCPA. Read on to find out about the CPRA’s amendments and how to get your business ready for compliance by its effective date of January 1, 2023.
CPRA: A Brief Primer
The California Consumer Privacy Act became effective on January 1, 2020, with the aim of giving California residents greater protection, control, and visibility over how organizations collect, use, and share their personal data. The California Attorney General enforces this law and hears complaints about alleged violations of consumer rights under the CCPA rules. Seen as California’s answer to Europe’s GDPR, the law responded to ongoing threats to consumer data from data breaches and other incidents that called for greater care over personal data.
In November 2020, a ballot of California voters resulted in the approval of Proposition 24, which created the new California Privacy Rights Act (CPRA). The passing of this ballot by Californians reflects a perception that the CCPA didn’t go far enough with its data privacy rights or in restricting the sharing of personal information. Today’s discerning customers want increased insight into what businesses do with their personal information and increased rights to control those actions.
CPRA both provides new rights and increases the obligations for businesses that collect Californians’ personal data. The law also strengthens employee rights around personal data so that the law applies to consumers and employees alike.
CPRA Key Changes
To avoid non-compliance, it’s pivotal for businesses to understand the key changes introduced to CCPA regulations by the CPRA.
Minor Threshold Changes
The thresholds that determine whether businesses need to comply with CPRA remain largely the same as CCPA in terms of annual gross revenues. For-profit companies that do business in California must comply if their annual revenue exceeds $25 million. Another condition for compliance is if a company derives 50% of annual revenue from selling or sharing personal information (previously, the wording was limited to just “selling”).
The third compliance threshold changes slightly: businesses must comply if they collect the personal information of 100,000 or more consumers or households each year. This differs from the previous CCPA threshold of 50,000 consumers, households, or devices.
New Category of Sensitive Personal Information
The new category of personal information known as “Sensitive Personal Information” (SPI) mirrors GDPR’s rulemaking. This category of data singles out certain information as being particularly sensitive and requiring extra protection measures. The CPRA’s definition of SPI is that it’s any consumer’s personal information that reveals their:
- biometric data that identifies a particular customer
- genetic data
- racial or ethnic origin, religious or philosophical beliefs
- precise geolocation
- union membership
- social security number, driver’s license, state identification card, or passport number
- credentials and account, debit, and credit card numbers that provide access to a financial account
Another interesting power granted by the CPRA is that any consumer has the right to tell a business to “limit the use of my sensitive personal information” for only a business purpose that is necessary for the business to provide products or services to the consumer. These rights also extend to limiting the disclosure of sensitive personal information to service providers, contractors, and third parties.
Look-Back Provision
The CPRA establishes a 12-month look-back provision for consumer requests related to what data a company has collected about them. In practice, this means that customers can start requesting information from the CPRA’s January 1, 2023 effective date and businesses need to provide information stretching back to 12 months prior to the date of such a request. So, continuing the example from the CPRA effective date, a business would need to inform customers about what information was collected, how it was used, and with whom it was shared going back to January 1, 2022.
California Privacy Protection Agency
The CPRA establishes the California Privacy Protection Agency (CPPA) as a new enforcement agency for the regulations. The agency will have a five-member board composed of experts in data privacy, technology, and consumer rights. The CPPA can take enforcement actions, including fines of $7,500 per intentional violation and $2,500 per violation for other violations.
Data Collection and Retention Restrictions
Aside from the limitations on SPI, the CPRA also introduces a general data minimization principle for personal data: businesses can’t collect more personal information than is reasonably necessary and proportionate to the purpose for which they collect and/or process it. There is also a data retention restriction. Businesses must not retain data for longer than is needed for the stated business purpose, and they must state, at the point of collection, how long they will retain the data.
The Right to Correct Inaccurate Personal Information
Another change is that the CPRA gives consumers the right to correct inaccurate personal information. The obligation to correct inaccurate information extends to service providers and contractors. A business must verify a legitimate correction request and act on it within 45 days of receiving it.
Profiling Opt Out
The CPRA gives consumers opt-out rights relating to the use of automated decision-making technology, including any profiling that evaluates certain personal aspects of a natural person, and in particular analyzes or predicts aspects of that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Tips to Prepare for CPRA Compliance
Privacy compliance is a critical business concern for legal, financial, and reputational reasons. Here are some tips to ensure alignment with the more stringent rules being introduced by the CPRA.
Update Your Opt-In and Opt-Out
Updating privacy notices in line with the CPRA’s stricter rules is a practical first step that supports the expanded opt-in and opt-out rights. Ideally, a privacy notice should be linked from your company website’s homepage. Pairing this notice with opt-in and opt-out functionality ensures customers and employees can easily access data privacy policies and opt out of the sale or sharing of personal information.
Conduct Regular Risk Assessments
CPRA compliance for certain businesses requires an independent cybersecurity audit carried out annually, the results of which must be submitted to the CPPA. The criteria for who needs to conduct an audit are somewhat imprecise; factors taken into account include the size and complexity of the business and the nature and scope of data processing activities.
Even if an audit doesn’t apply to your business, all organizations that need to comply with CPRA must conduct regular risk assessments. There are no exemptions from this requirement because it’s essential to have an ongoing picture of the privacy risks created by data processing activities. It’s good practice to streamline the assessment process by using templates and frameworks that remove bottlenecks and provide a good foundation for repeatable processes.
Prepare to Fulfill More Consumer Requests
The right to opt out, the right to access, and the right to correct are just some of the rights that have broadened under the CPRA. With more kinds of data subject requests available, and more grounds for making them, businesses will inevitably receive larger volumes of requests. Companies that don’t prepare to scale up their operations and fulfill requests will quickly get inundated and eventually fail to meet the 45-day deadline.
The staffing needed to scale up request handling by hand might be untenable for some businesses. It’s prudent to use technology and automation where possible, such as collaboration tools, data consolidation, and automatic identity verification. Investing in automation and technology can speed up the fulfillment of consumer requests at scale.
Identify and Protect Sensitive Personal Information
A crucial element in CPRA compliance is identifying sensitive personal information and putting in place appropriate security measures to protect it. In today’s complex IT ecosystems, data is collected at many different points, stored in disparate locations, and potentially downloaded onto various endpoint devices.
Dedicated data loss prevention (DLP) solutions can prove invaluable in scanning for and identifying SPI on company endpoints. Admins can monitor data flows and take actions, such as encrypting data, blocking file transfers, and preventing exfiltration.
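To make the “scanning and identifying” step concrete, here is an added example written for this page (not Endpoint Protector’s or any vendor’s implementation): a minimal content scanner for two of the SPI categories listed above, Social Security numbers and payment card numbers. The sample log lines are constructed. It applies the SSN structural rules and the Luhn checksum so that order numbers that merely look like card numbers are not flagged, and it reports masked values so the scanner’s own findings do not become another copy of the SPI.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines as they might appear in an exported support-ticket log.
SAMPLE_LINES = [
    "ticket 1042: customer asked to update shipping address",
    "ticket 1043: SSN on file 123-45-6789, please verify identity",
    "ticket 1044: card ending 4111 1111 1111 1111 declined, retry later",
    "ticket 1045: order number 1234-5678-9012-3456 shipped",    # fails Luhn: not a card
    "ticket 1046: ssn 000-12-3456 rejected by form validation",  # area 000 is never issued
]

# SSN in the common AAA-GG-SSSS layout; card numbers as 13-19 digits with optional separators.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    line_no: int
    category: str
    masked: str  # only the last four digits are kept in the report


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_structurally_valid(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(digits: str, keep: int = 4) -> str:
    return "*" * (len(digits) - keep) + digits[-keep:]


def scan_line(line_no: int, line: str) -> list[Finding]:
    findings = []
    for m in SSN_RE.finditer(line):
        if ssn_structurally_valid(*m.groups()):
            findings.append(Finding(line_no, "ssn", mask("".join(m.groups()))))
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding(line_no, "payment_card", mask(digits)))
    return findings


def scan(lines: list[str]) -> list[Finding]:
    """Scan each line and return masked findings, in order of appearance."""
    out = []
    for i, line in enumerate(lines, start=1):
        out.extend(scan_line(i, line))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.category} {f.masked}")
```

Run against the constructed sample, the scanner flags line 2 (the SSN) and line 3 (a Luhn-valid card number) and stays quiet on the look-alike order number and the structurally impossible SSN. A production DLP product covers the remaining SPI categories (driver’s license and passport formats, account credentials, and so on), scans files and clipboard content rather than a list of strings, and adds contextual rules to cut false positives further; the validation-before-alerting pattern shown here is the part that carries over.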
Endpoint Protector is an industry-leading cross-platform DLP solution that helps achieve compliance with CPRA and other regulations.