The California Privacy Rights Act (CPRA), often referred to as "CCPA 2.0," represents a significant evolution in data privacy legislation in the United States. Passed by California voters in November 2020, the CPRA builds upon the foundations laid by the California Consumer Privacy Act (CCPA), enhancing consumer rights and imposing stricter obligations on businesses. This blog post delves deep into the CPRA, exploring its key provisions, implications for businesses, and best practices for compliance.
The CPRA was introduced to address gaps and limitations in the CCPA and to provide California residents with more robust data privacy protections. Set to become fully effective on January 1, 2023, with enforcement beginning July 1, 2023, the CPRA marks a critical step forward in empowering consumers and ensuring businesses are accountable for their data practices.
Understanding the CPRA requires familiarity with several key terms and definitions:
- Personal Information: The CPRA retains the broad definition of personal information from the CCPA, including any information that identifies, relates to, describes, or can be linked to an individual.
- Sensitive Personal Information: A new category introduced by the CPRA, sensitive personal information includes data such as Social Security numbers, driver’s license numbers, precise geolocation, racial or ethnic origin, religious beliefs, union membership, and the contents of a consumer’s communications.
- Business: The CPRA applies to for-profit entities that do business in California and meet specific criteria, similar to the CCPA but with some adjustments, including a new threshold for businesses that generate 50% or more of their annual revenues from selling or sharing consumers' personal information.
- Consumer: Any natural person who is a California resident, including anyone in California for other than a temporary or transitory purpose or domiciled in California but outside the state for a temporary or transitory purpose.
The CPRA expands and enhances the rights of California residents, providing them with greater control over their personal data:
Consumers retain the right to know what personal information is being collected about them and to access that information. The CPRA builds on this right by requiring businesses to provide more detailed disclosures, including the categories of sensitive personal information collected and the purposes for which it is used.
Consumers continue to have the right to request the deletion of their personal information, with some exceptions. The CPRA introduces new requirements for businesses to notify third parties with whom they have shared the consumer's information of the deletion request, ensuring a broader application of this right.
A significant addition under the CPRA is the right to correct inaccurate personal information. Consumers can request that businesses correct any inaccuracies in their personal data, promoting data accuracy and integrity.
Building on the CCPA's opt-out right, the CPRA extends this right to include the sharing of personal information for cross-context behavioral advertising. Businesses must provide a clear and conspicuous "Do Not Sell or Share My Personal Information" link on their websites, allowing consumers to opt out easily.
The CPRA introduces a new right for consumers to limit the use and disclosure of their sensitive personal information. Businesses must provide consumers with the option to restrict the use of sensitive personal information to what is necessary to perform the services or provide the goods requested by the consumer.
Consumers have the right to receive their personal information in a portable, readily usable format and to transmit that information to another entity. This right promotes consumer empowerment and data mobility.
The CPRA reinforces the CCPA's prohibition on discrimination against consumers who exercise their privacy rights. Businesses cannot deny goods or services, charge different prices, or provide a different level of quality based on a consumer’s decision to exercise their rights.
The CPRA imposes several new and enhanced obligations on businesses, ensuring greater accountability and transparency in their data practices:
Businesses must update their privacy policies to include more detailed information about their data practices. This includes:
- Categories of personal information and sensitive personal information collected.
- Purposes for collecting, selling, or sharing personal information.
- Categories of third parties with whom personal information is shared.
- Consumer rights under the CPRA and how to exercise them.
These notices must be accessible, transparent, and easy to understand, ensuring consumers are fully informed about how their data is used.
The CPRA introduces principles of data minimization and purpose limitation, requiring businesses to collect, use, retain, and share personal information only for specific, explicit, and legitimate purposes. This aligns with global data protection standards and promotes responsible data stewardship.
Businesses must include specific provisions in contracts with third parties to ensure compliance with the CPRA. These provisions include requirements for third parties to provide the same level of privacy protection as the business, use personal information only for specified purposes, and assist in responding to consumer rights requests.
The CPRA emphasizes the importance of robust data security measures. Businesses must implement reasonable security practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure. In case of a data breach, businesses are required to notify affected consumers promptly and may face increased penalties for breaches involving sensitive personal information.
The CPRA extends its protections to employee and business-to-business (B2B) data, which were previously exempt under the CCPA. Businesses must now ensure that personal information collected from employees and B2B contacts is treated with the same level of protection and transparency as consumer data.
Businesses must maintain comprehensive records of their data processing activities and compliance efforts. Regular audits and assessments are essential to ensure ongoing compliance with the CPRA and to identify and address any gaps or vulnerabilities in data practices.
The CPRA's enhanced protections and obligations have significant implications for businesses operating in California:
Businesses must implement systems and processes to handle consumer requests effectively. This includes setting up web forms, toll-free numbers, and other methods for consumers to exercise their rights. Additionally, businesses must develop workflows to verify, track, and respond to these requests within the stipulated timeframe.
To comply with the CPRA, businesses must have a comprehensive understanding of the personal information they collect, store, and share. Conducting a data inventory and mapping exercise helps identify all data sources, categorize personal information, and document data flows within and outside the organization.
Businesses must review and update contracts with third-party service providers to ensure they include CPRA-compliant data protection provisions. This includes clauses that restrict the sale or sharing of personal information and require service providers to assist in responding to consumer requests.
Achieving and maintaining CPRA compliance involves legal and compliance costs, including legal advice, auditing, and monitoring. Businesses may need to invest in technology solutions to automate compliance tasks and reduce the risk of human error.
While compliance can be challenging, businesses that prioritize data privacy and transparency can gain a competitive advantage. Demonstrating a commitment to protecting consumer data can build trust and loyalty, differentiating a business in a crowded market.
The CPRA establishes the California Privacy Protection Agency (CPPA), a new regulatory body with broad authority to enforce the law and impose penalties for non-compliance. The CPPA's responsibilities include:
- Promulgating regulations to clarify and implement the CPRA.
- Conducting investigations and audits of businesses' data practices.
- Enforcing compliance through administrative actions and fines.
- Educating businesses and consumers about their rights and obligations under the CPRA.
The CPRA imposes significant penalties for non-compliance, including:
- Civil penalties of up to $2,500 for each unintentional violation and up to $7,500 for each intentional violation or violations involving the personal information of minors.
- Increased penalties for violations related to the unauthorized access, theft, or disclosure of sensitive personal information.
Businesses have a 30-day cure period to address alleged violations after receiving notice from the CPPA. This provision allows businesses to rectify issues and avoid penalties, provided they take prompt corrective action.
Given the complexity of the CPRA, businesses should adopt best practices to ensure compliance and protect consumer data effectively:
Start by assessing your current data privacy practices and identifying gaps that need to be addressed. This assessment should cover data collection, storage, sharing, and security practices, as well as existing policies and procedures.
Create a privacy program that encompasses policies, procedures, and controls to ensure ongoing compliance with the CPRA. This program should include employee training, regular audits, and mechanisms for monitoring and responding to privacy incidents.
Review and update your privacy policies and notices to ensure they are CPRA-compliant. Make sure they are easily accessible on your website and clearly explain your data practices and consumer rights.
Invest in robust data security measures to protect personal information from unauthorized access, use, or disclosure. This includes encryption, access controls, and regular security assessments.
Develop clear procedures for handling consumer requests, including processes for verifying identities, tracking requests, and responding within the required timeframe. Ensure these procedures are well-documented and communicated to relevant employees.
Ensure that contracts with third-party service providers include CPRA-compliant data protection provisions. Regularly review and update