CPRA is commonly known as CCPA 2.0 due to its similarities with the California Consumer Privacy Act (CCPA). However, it is not an amendment to the California data privacy law. It is a separate law that creates obligations for companies alongside the CCPA and CalOPPA.
If you work in California or sell to Californians, you may need to comply with the California Privacy Rights Act (CPRA). This is yet another data privacy law that Californian businesses need to be aware of.
In addition to businesses in California, U.S. and international businesses may also have to follow the rules.
It was approved by California voters to expand consumer rights and business obligations regarding data privacy. Although it is not as tough as the General Data Protection Regulation (GDPR) of the EU, it brings novelties that have not been seen before in the US. Yet, it shares more similarities with the existing California laws and the privacy laws recently passed in other US states, such as Colorado, Virginia, Utah, and Connecticut. See the main differences between CPRA and GDPR.
This article will give you an idea of what the CPRA requires from your business, what you need to do to achieve CPRA compliance, and what could happen if you do not comply.
Before diving deep into that, you first need to determine if the CPRA applies to your business.
CPRA does not apply to all businesses. It applies only to companies connected to California that meet at least one of the prescribed thresholds.
The connection to California mandates that the company either:
If your business is based in California or sells to people in California, CPRA will apply if at least one of the following thresholds is met:
CPRA personal information is any information that could describe a person or reasonably relate to a person or household. This includes most of the usual categories of personal information and the online identifiers that could be linked to them.
Some categories of CPRA consumer data include name, home or email address, phone number, IP address, and so on.
If you are familiar with the CCPA, you’ll notice that it also covers these data categories. CPRA goes a step further by clearly defining sensitive personal information.
CPRA prescribes stricter requirements for the handling of sensitive personal information. To avoid confusion about what counts as sensitive personal data, the law provides a clear definition.
CPRA sensitive personal information includes personal information that reveals:
CPRA is similar to the CCPA, yet there are some differences that you need to take into account in your efforts to comply with it and stay away from penalties.
The CPRA stipulates the following business requirements:
You need to inform users about how you handle their data, and you can do so by serving them with a privacy notice. It has to contain some essential elements, such as:
Having your privacy notices crafted well and tailored to your business is vital because a non-compliant notice may lead to penalties. If you don’t inform consumers about the intended use of their personal information and you process it, you’re non-compliant according to the CPRA regulations. So, ensure that you have a CPRA privacy notice written in language that is easy to understand for the average internet user.
Use the Collected Personal Information Only for The Intended Purposes
You cannot collect personal information just because you may need it for something in the future. You need to know why you collect it, and you may process it only for that intended purpose.
If you want to process data for another purpose, you need to obtain explicit consent from the consumer. That’s why it is essential to have a well-crafted privacy notice.
Let’s say your fitness app processes users’ health data because that’s what the app is for. Now you want to segment users based on fitness performance and offer them different app features at a price. That means that you wish to process health data for marketing purposes. If you didn’t tell users that you would use their health information for marketing before you collected it, you need their permission to use it for marketing. Learn about Cross-Context Behavioral Advertising under the California Privacy Rights Act (CPRA).
There must be some proportionality between your goals and the amount and categories of data you process. For example, suppose the user provided you with their email address to get customer support. In that case, you cannot use it for retargeting them with other products and services all over the internet. That is not a proportionate use of personal information. Or, if your app requests access to the user’s contact list to allow them to call someone else’s number, you cannot use that information to market your app to the numbers in such a contact list.
You must not sell minors’ personal information without consent. If the minor is between 13 and 16 years old, you need consent from them. If they are younger than 13, you need consent from the parent or guardian.
To get a valid opt-in, you need explicit consent, which is:
As a result, relying on a consent notice saying, “By browsing this website, you agree to the use of cookies and the processing of your personal information,” is no longer valid regarding minors’ data. You need to ask for consent, tell them what it is about, and wait for their affirmative action before collecting any data you intend to sell or share. You need a GDPR-like consent request: “This website uses cookies to process children’s personal information. Do you agree to the sharing of your or your child’s information? Read more in our privacy policy.” Then, you have to wait for them to click the ACCEPT button.
Your consumers can submit requests to you anytime, and you must honor these requests. Requests are consumers’ tools to exercise their right to know, right to access, right to deletion of data, right to opt-out of profiling or the sales of their data, to limit the use of their personal information, and others.
The CPRA grants the following rights to consumers:
Some of these are new rights that were not part of the CCPA, but some expand on what has already been granted by the other California privacy law.
The CPRA, just like the CCPA, requires you to have a method for consumer identity verification in place. You must ensure that you provide access only to the right person. Otherwise, you may disclose personal information to someone impersonating the consumer, which is itself a data breach.
To avoid such scenarios, train your staff to handle consumer requests. We have courses covering everything about CPRA and CCPA so that your employees know what to do in any given situation and save you from penalties.
You must not penalize or discriminate in any way against consumers who exercise their consumer rights. They have their rights, and you must honor them.
Any discrimination against someone who submits consumer requests or limits the sale or sharing of their personal information will put you in legal trouble.
If you process sensitive personal information, such as health data, financial data, personal information related to political views, ethnic or racial origin, and other sensitive data, you must allow consumers to limit the use of such information.
You can comply with this requirement by providing them with a limitation mechanism that says, “Limit the use of my sensitive personal information.”
Consumers can also require you not to sell or share their personal information for cross-contextual advertising. You can comply with it by providing them with a “Do Not Sell or Share My Personal Information for Cross-Context Behavioral Advertising” mechanism on the website.
The CCPA obliges you to include a “Do Not Sell My Info” mechanism if you sell consumers’ personal information. If you do both—sales of data and processing of sensitive data—you need both tools for compliance with California privacy laws.
Every business should take adequate technical and organizational measures to prevent data breaches because they severely hurt its reputation. Not taking such steps also leads to violations of the CPRA.
You need to estimate the risks to your data and decide what measures are adequate to prevent breaches. You also must conduct regular risk assessments to determine whether you process sensitive personal information and whether the benefits of processing outweigh the risks to consumers, the public, and your business. You must submit such assessments to the California Privacy Protection Agency.
Also, if you handle sensitive personal information, you must do cybersecurity audits at least once a year, such as penetration testing, ethical hacking, etc.
Service providers are companies that process personal information on behalf of other companies. SaaS companies that process some of their clients’ data are service providers. Businesses, in their contracts with service providers, are required to:
The CPRA allows the California Attorney General to pass CPRA regulations (in the same way the AG passes CCPA regulations) to ensure the proper implementation of the law. As a result, we can expect new requirements that allow service providers to use the provided data for their own commercial purposes under certain circumstances, establish how often a consumer can submit a consumer request, or determine the opt-out requirements related to automated decision-making and profiling.
CPRA does not apply where:
There are several other exemptions, but these are the most important ones.
The CPRA fines are the same as the CCPA fines: up to $2,500 for violations per consumer and up to $7,500 for intentional breaches per consumer.
Gross violations of the law, like not responding to customer requests, would be examples of intentional violations.
Although these administrative fines may seem low, they can quickly add up. These are fines per consumer, so if there are 100 consumers involved in the violation, that means a fine of up to $750,000.
On top of that, the court may order statutory damages for consumers. They have a private right of action that could lead to imposing such payments.
The money from the administrative fines goes to the Consumer Privacy Fund. The California Attorney General, the California Privacy Protection Agency (CPPA), and the state courts will use this fund to pay for the costs of their enforcement actions.
Consumers have the right to statutory damages in the case of a data breach, but not every data breach.
The right applies only to a data breach where:
This means that consumers have the right to compensation only:
Consumers have no right to statutory damages if these conditions are not met. However, if all three are met, they have the right to collect between $100 and $750 from the liable company. The court may also order other relief.
The CPRA brings one important novelty regarding law enforcement: it establishes the California Privacy Protection Agency (CPPA) to enforce the CPRA.
Unlike the enforcement of the CCPA, the CPRA does not allow for a 30-day cure period. Once the CPPA determines that your company violated the law, it will proceed with the fines. You won’t get the chance to fix the violation before the fines are imposed.
You can achieve CPRA compliance by meeting the requirements. This means that you need a compliance program that will ensure to: