Just when you thought you had your ducks in a row for the California Consumer Privacy Act (CCPA), California voters moved the goalposts by passing the California Privacy Rights Act (CPRA). This new law went into effect on January 1, 2023 and increases the privacy rights of California consumers by enforcing more stringent rules for companies that do business in the Golden State — whether based in the state or not.
Like the EU’s General Data Protection Regulation (GDPR) law, CPRA is positioned to set the standard for the entire United States, filling the void created by the lack of federal privacy laws. And although CPRA doesn’t officially become enforceable until January 2023, it includes a one-year lookback provision. This means any data collected on or after January 1, 2022 is subject to CPRA regulations.
You can think about CPRA as a more comprehensive version of CCPA: consumers can now control whether companies share their personal information as well as whether they sell it. Why the change? Because many organizations that were served with lawsuits for non-compliance with CCPA claimed they were merely sharing rather than selling consumers’ information in order to serve ads.
What’s more, CPRA establishes the California Privacy Protection Agency (CPPA), which has the power to enforce compliance with the regulation and investigate non-compliance.
Now that the law is in effect, there’s no time to waste in becoming compliant with CPRA. That is, if you need to — some companies that are subject to CCPA compliance won’t be required to comply with CPRA.
To help you determine the impact CPRA may have on your company, we’ve outlined five key changes you should be aware of in the new regulation, along with their implications:
1. Closes the business purpose loophole
Under CPRA, an organization that collects the personal information of California consumers — whether or not that information is for commercial purposes — and satisfies one or more of the following criteria, must demonstrate compliance:
- Grosses more than $25M in annual revenues
- Derives 50% or more of its annual revenue from sharing or selling the personal information of California residents, or
- Buys, sells, or shares the personal information of more than 100,000 California residents or households.
The most notable change from CCPA is that CPRA removes the requirement that personal information must be used “for commercial purposes.” So now, even if your company is not profiting from the use of consumers’ personal information, you still need to comply with the law. This change, along with the addition of “sharing” to the list of business purposes that are governed by the law, closes an oft-exploited loophole in CCPA where many companies skirted compliance by claiming they were only sharing — not selling — data with vendors in order to target ads. In fact, CPRA explicitly states that targeted advertising is not a business purpose under the law.
Finally, while the first two bullets essentially mirror the criteria in CCPA — with the addition of revenue gained from sharing data — the last criterion doubles the number of consumers or households from 50,000 to 100,000.
Why is this important? Because if you are a small- to medium-sized business, you may not fall under the scope of CPRA, but you’ll still need to comply with CCPA. You’ll want to make sure you know where you stand as soon as possible, in case you do need to get your compliance strategy in place.
Implications: CPRA loosens some requirements of CCPA, including narrowing the scope of businesses subject to compliance, meaning some small and medium-sized businesses may not fall under the CPRA umbrella. However, it also strengthens a few of CCPA’s weak links, including adding “sharing” to the list of business purposes governed by the law.
2. Introduces new category of protected data
CPRA introduces the idea of “sensitive personal information,” or SPI, which requires businesses that collect this information to implement stronger data protection. Even broader than the “special categories of personal data” outlined in Article 9 of the GDPR, SPI includes personal information such as:
- Government-issued identifiers (e.g. Social Security numbers, driver’s licenses, state ID cards, or passport numbers)
- Racial or ethnic origin
- Religious beliefs
- Financial account information
- Account log-in credentials
- Exact geolocation
- Contents of email and text messages
- Genetic data
- Biometric information
- Health data
- Data concerning a person’s sex life or sexual orientation
You can find the entire list defined in CPRA here.
CPRA then places specific restrictions on this new category of data and adds new requirements for companies collecting SPI, including updated disclosure and purpose limitation requirements, opt-out requirements for use and disclosure, and opt-in consent requirements after a previous opt-out.
Implications: This new class of data — and the restrictions on it — mean you must be prepared to not only protect consumers’ SPI but also respond to a sure-to-be-growing number of consumers in a timely manner when they submit an opt-out request. Plus, if you decide to process and store consumers’ SPI as defined in CPRA, you must adhere to additional requirements, such as placing a clear and conspicuous link on your website that enables consumers to easily opt out of your use of their SPI.
3. Expands consumer privacy rights
CPRA introduces three new privacy rights, giving the consumer the right to:
- Correct inaccurate personal information
- Have personal information collected subject to data minimization and purpose limitations
- Limit the use and disclosure of SPI and request to opt out
It also modifies or expands some of the consumer privacy rights previously outlined in CCPA, including the right to:
- Opt out of the sale or sharing of personal information to third parties
- Access personal information collected beyond the prior 12-month window
- Opt out of automated decision-making technology, such as profiling, which CPRA defines as “any form of automated processing of personal information to evaluate personal aspects related to the consumer”
- Request information about the logic involved in the above-described decision-making processes, as well as the likely outcome of the process with respect to the consumer
Additionally, CPRA mandates that businesses wait 12 months before asking a minor for consent to sell or share their personal information.
Implications: CPRA strengthens the power of the consumer over their personal information and expands their rights. Some of these new privacy rights require businesses to add new links to their website, making it easy for consumers to exercise their rights.
4. Adopts some GDPR principles
Since the introduction of GDPR, creators of new privacy regulations have looked to it as a template. CPRA is no different. CPRA adopts a few GDPR principles, including how much personal information a business can collect, the purpose for which the business will use that personal information, and how long the businesses may retain or store that personal information.
The newly created CPPA, described above, enforces these principles and penalizes businesses that fail to adhere to these new limits.
Implications: With a new agency created to enforce CPRA, businesses won’t be able to evade compliance as easily as before. The first of its kind in the US, the CPPA will consist of a five-member board and has the power to conduct hearings, subpoena witnesses and compel their testimony, review evidence, and impose fines and other penalties.
5. Widens scope of legally actionable data in a breach
When a business experiences a data breach, hackers extract sensitive information that puts both the company and its customers at risk. CCPA granted consumers the right to take legal action if their non-encrypted personal information is exposed due to a failure of the business to implement appropriate security controls and processes. CPRA expands on CCPA by adding consumer login credentials (i.e. usernames and passwords) to the list of personal information categories that are legally actionable.
Implications: Data breaches are not slowing down, and consumers are fed up with their personal information showing up on the dark web and being used for identity theft, account takeover fraud, and more. Whereas CCPA gave consumers the right to sue a business if it exposes their personal information through a data breach, CPRA expands this right to sue if the data breached includes their username and password.
What does this mean for companies?
For businesses, the burden for compliance is huge and can feel insurmountable. You might be thinking, “how am I ever going to be able to track and store customer information compliantly?” Persona can help.
CPRA requires businesses to maintain a data inventory to track data processing history in the event the consumer requests to see the personal data the business has collected or that their personal information be deleted or not shared or sold with other businesses.
With Persona, it’s simple to retrieve and export all PII related to any specific individual because all information about that customer is stored under that user’s Account.
If you have compliance or legal restrictions on how long you can store PII, Persona can help there, too. You can configure Persona to automate PII removal on a customized cadence. When an individual’s account is redacted, all PII collected up to that point will also be redacted.
The bottom line
If CPRA applies to your business, it’s important to comply, as any data collected in 2022 and beyond is subject to CPRA regulations. If you’re one of the thousands of businesses that must comply with CPRA, contact us to learn how Persona can help or get started for free.