The California Privacy Rights Act (CPRA) is an expansion of the existing California Consumer Privacy Act (CCPA). This new law – effective January 1, 2023 – is one of the strongest consumer data privacy laws in the US.
The CPRA raises the bar for what counts as a covered ‘enterprise.’ The amending law, often called ‘CCPA 2.0’, extends its safeguards to customers and employees by expanding opt-out and breach reporting obligations.
In this article, we will look at the legislation mentioned above, including the difference between CCPA and CPRA, the amended rights, and how it can impact your organization.
CCPA vs. CPRA: What’s the difference?
The California Consumer Privacy Act (CCPA), signed into law on June 28, 2018, and implemented on January 1, 2020, establishes consumer privacy rights and company obligations in acquiring and selling personal information.
On the other hand, the California Privacy Rights Act (CPRA), also known as Proposition 24, is a ballot proposal that California voters approved on November 3, 2020.
After the amendments, there is a clear distinction between the CCPA and the CPRA. This means:
- Any business operating in California is subject to the CCPA’s current regulations until January 1, 2023, if it meets either of the following requirements:
- As of January 1, 2023, the ‘original’ version of the CCPA has been modified, and the surviving CPRA will only cover businesses that meet the following requirements:
In light of these revisions, most companies that met the coverage threshold based on annual revenues will likely continue to be covered. However, many organizations that were covered by the CCPA simply because they obtained the personal information of 50,000 devices will now fall outside the scope of the CPRA.
Changes introduced under California Privacy Rights Act 2023
Even though CPRA is an amendment to the CCPA, it leaves many statutory provisions unchanged. The changes introduced under CPRA, however, pertain to how organizations have been collecting and using consumers’ personal information.
Below is a detailed description of each revised provision under the California Privacy Rights Act 2023 and what it entails.
1. The Right to Delete Personal Information
According to the CCPA, customers can ask businesses to remove their data from the systems. The company must erase the customer’s information upon receiving a valid request.
The CPRA requires businesses to notify their service providers, contractors, and any third parties to whom they have sold or transferred the consumer’s personal information unless doing so ‘proves impracticable or involves excessive effort.’
Moreover, each service provider must notify its downstream providers to delete the consumer’s information.
The CPRA does, however, provide several new exceptions or clarifications to this requirement. The organizations are not obligated to delete:
- Household data, meaning the information an organization stores on consumers who live at the same address and share common devices or services.
- Personal information about the consumer that belongs to, or is maintained by, another natural person.
- Personal information about a student’s grades, test scores, or educational test results that is held by the company on behalf of a local education agency.
- A specific piece of information, if the consumer has approved the business’s use of that information to generate a physical item (e.g., a yearbook).
2. The Right to Correct Inaccurate Personal Information
The CPRA introduces a new consumer right wherein customers can request that a business update inaccurate personal information. This right to correct information, like the rights granted by the CCPA, must be disclosed to consumers in the privacy notice.
When a company gets a verified request to update erroneous personal information, it must take ‘commercially reasonable efforts’ to correct the information as specified by the consumer and the established regulations.
3. The Right to Know Specific Pieces of Personal Information
Under the CCPA, a consumer may request that a business disclose how it collects and handles their personal information, including:
- The categories of personal information businesses gathered about them in the past 12 months and their sources
- The business/commercial purpose for collecting or selling such personal information
- The categories of third parties to whom they sold the personal information, and
- The types of personal information provided for business purposes
The California Privacy Rights Act modifies and/or expands these rights by:
- Requiring the business to disclose the categories of personal information shared with third parties, where “shared” means sending personal information to a third party for cross-context advertising.
- Removing the 12-month look-back limitation by requiring a business to provide more than 12 months of information if doing so would not be ‘impossible’ or ‘involve a disproportionate effort.’
- Clarifying that right-to-know requests cover personal data gathered directly or indirectly by the business, including through a service provider or contractor.
- Clarifying the business’s obligation to provide specific pieces of personal information in a structured, commonly used, machine-readable format. This information may also be “transmitted to another entity without hindrance at the consumer’s request” to the extent technically feasible.
4. The Right to Opt-Out of Selling or Sharing of Personal Information
The CPRA broadens the existing opt-out provision to encompass the sale and the “sharing” of personal information. The CPRA defines sharing as “the transfer or making available by the business of a consumer’s personal information to a third party for cross-context advertising.”
A business shall not sell or share the personal information of a consumer under the age of 16 unless the consumer (for consumers over the age of 13) or the consumer’s parent (for consumers under the age of 13) has expressly allowed the sale or sharing.
5. The Right to restrict how sensitive personal information is used and disclosed
The CPRA has expanded the definition of “sensitive personal information” to cover nearly two dozen data elements, including:
The use of “sensitive personal information” by companies in California must now be restricted to what is necessary to perform the services or for the accomplishment of specifically listed business purposes.
Under the CPRA, a second link on the website’s homepage titled “Limit the Use of My Sensitive Personal Information” will be required. In some circumstances, the ‘Do Not Sell or Share My Personal Information’ link may be combined with this link on an organization’s homepage, giving consumers the choice to select either one or both options.
6. The Right of No Retaliation
No organization may discriminate against a consumer because they exercised any of the consumer rights listed in the CPRA, unless the difference in price or service is reasonably related to the value provided to the business by the consumer’s data.
The CPRA broadens these protections by prohibiting retaliation against employees, job candidates, or independent contractors. The CPRA further states that consumer non-discrimination laws do not preclude businesses from offering loyalty rewards, premium features, or discounts.
7. Right to Opt-Out of Automated Decision-Making Technology
While the CPRA itself says little about automated decision-making technology, it instructs the regulator to draft regulations governing access and opt-out rights with respect to businesses’ use of automated decision-making technology and profiling.
Under the California Privacy Rights Act, profiling is the automated processing of personal information to assess or forecast aspects of a natural person’s behavior, location, and movements, as well as their performance at work, economic situation, health, and personal preferences and interests.
What is the California Privacy Protection Agency?
One of the most significant institutional changes to privacy administration introduced under the CPRA is the creation of a new administrative body. The CCPA will be administered, implemented, and enforced by the California Privacy Protection Agency (CPPA).
Investigating and enforcing violations will be one of the Agency’s most important responsibilities. The CPPA may look into possible violations after receiving a complaint or on its own initiative. If it finds probable cause to believe a violation has occurred, it must notify the business and hold a hearing.
What are the consequences of non-compliance with the CPRA?
In the event of non-compliance, the amended CCPA provides the following avenues for imposing liability:
- Businesses may be subject to civil penalties of up to $7,500 for intentional violations and $2,500 for unintentional violations in actions brought by the California Attorney General.
- Consumers may recover statutory damages of up to $750 per incident per consumer or actual damages, whichever is greater, in actions they bring for security breach violations. Consumers must first give businesses written notice and an opportunity to cure before filing claims for statutory damages.
- Consumers may seek injunctive or declaratory relief for security violations and any other relief the court deems proper.
- In cases where the Attorney General brings an action, businesses may also be subject to an injunction.
Learn more about CPRA and how it may affect your business by talking to leading industry compliance experts. Schedule a free demo with Scrut here.
Frequently Asked Questions
The California Attorney General has enforcement power under the CCPA. The Attorney General retains enforcement authority even though the CPRA gives the California Privacy Protection Agency ‘full administrative power, authority, and jurisdiction to implement and enforce’ the CCPA.
Under the CCPA, “personal information” is any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Under the CCPA, a third party is any company or legal entity that obtains personal information from a business but does not qualify as a service provider. A third party must use consumers’ personal information in accordance with the terms under which it was originally obtained. It must notify consumers of new or changed practices, give them explicit notice of any further sale of their personal information, and provide them with the option to opt out of it.