Just signed into law in November 2020, the CPRA will go into full effect January 1, 2023. The ballot measure, also known as Proposition 24, more directly aligns with the EU’s General Data Protection Regulation (GDPR) data privacy law by toughening some requirements and simultaneously reducing some companies’ potential risks and liabilities.
History and Background
The CPRA is an addendum to the CCPA, the existing California Consumer Privacy Act that took effect on January 1, 2020. The CPRA aims to strengthen the rights of California residents, but it also changes the definition of "business" to exclude smaller businesses and narrows the focus of the privacy act to the bigger businesses that profit the most from sharing Californians’ personal information. The CPRA doubles the threshold, from 50,000 to 100,000, for the number of consumers whose personal information a company buys, sells, or shares.
While well-intentioned and the most innovative piece of legislation in the United States providing consumer protections for data privacy, the previous CCPA had a lot of shortcomings. The hastily passed bill lacked clarity for businesses, disproportionately impacted small businesses, and simply did not have the funding and bandwidth for adequate enforcement. The CPRA was designed to “fix” its predecessor in four key areas by:
- Further protecting personal information
- Increasing fines for violating children’s privacy
- Creating more transparency
- Establishing a new enforcement arm
So What’s Changed?
The CPRA establishes the California Privacy Protection Agency as the lead enforcer and supervisor of the CPRA and CCPA data privacy laws. This is perhaps the biggest change in California’s data privacy regime, shifting enforcement of data privacy compliance from the state’s Attorney General to a separate agency specifically designed to enforce it. The law also creates a Chief Privacy Auditor to conduct audits of businesses.
New Consumer Rights
The CPRA amends the CCPA to regulate behavioral advertising that uses personal information to target California residents with marketing based on profiling. The CPRA distinguishes between two different types of advertising: cross-context behavioral advertising and non-personalized advertising.
Under the CCPA, California consumers already hold the right to know, the right to access, the right to delete, and the right to opt out of the sale of their personal information. The CPRA adds new rights, including the right to correct inaccurate personal information, the right to opt out of the sharing of one’s personal information, and the right to limit the use and disclosure of one’s sensitive personal information.
Creates New Category of Sensitive Personal Information (SPI)
The bill creates a new category of sensitive personal information that is regulated separately from, and more strictly than, personal information.
Introduces new GDPR-like requirements
The CPRA includes three additional requirements businesses must comply with that echo the EU’s GDPR data privacy regime. These include:
- Data minimization
- Purpose limitation
- Storage limitation
Data minimization refers to the new rule that a website or business may only collect, use, and share California consumers’ personal information to the extent that doing so is reasonably necessary and proportionate to the purpose for which it was collected. This means that your company is only allowed to collect or share the data that is absolutely necessary for your stated purpose of collection.
This leaves entities with less information that needs to be regulated and tracked, and takes less of each consumer’s information.
In addition to this, before you collect, use or share Californians’ data, you must state the purpose of collection. This declaration of stated purpose is called purpose limitation in the CPRA.
You must also notify Californians about the retention time of each collected category of personal information, making your consumers aware of how long you will hold on to their personal information after it is initially collected. This component of the new bill is called storage limitation.
The CPRA also expands some of the consent requirements, requiring consent for:
- Selling or sharing personal information after a user has already opted out
- Selling or sharing the personal information of minors
- Secondary use, selling, or sharing of sensitive personal information after a user has opted out
- Research exemptions
- Opting in to a financial incentive
New Audit Obligations
Finally, the CPRA authorizes regulations that will require mandatory risk assessments and cybersecurity audits of businesses for what the entity considers ‘high-risk’ activities. These risk assessments will be conducted and submitted to the enforcement agency on a “regular basis.”
How Much Time Do I Have to Comply?
The CPRA won’t go into full effect until January 2023, and won’t be enforced until July 2023, so there is plenty of time to make your business fully compliant with the Golden State’s new data privacy laws.
The CPRA applies only to businesses that have a gross annual revenue of over $25 million, buy, sell, or share the personal information of 100,000 or more California residents, and derive 50% or more of their annual revenue from selling or sharing California residents’ personal information. If your business does not meet these thresholds, you can breathe a sigh of relief, because the new law won’t apply to you.