While Californian businesses are still coming to terms with compliance under the California Consumer Privacy Act (CCPA), the state's voters have approved another privacy law, the California Privacy Rights Act (CPRA), which is being called the strictest privacy law California has seen to date. Does this mean more work and stricter compliance obligations for organisations handling the personal data of California residents? What happens to the CCPA? How do the two laws compare? Let's find out.
Decoding the CPRA – What Makes it the Ultimate Privacy Law?
To begin with, the CPRA is not a separate law: it amends and extends the CCPA, adding stronger consumer protections and clarifying aspects of the original law that organisations found ambiguous. The CCPA took a comparatively permissive approach, and the absence of certain consumer rights troubled privacy advocates, which led to the CPRA. The aim was to supplement the privacy protections already found in the CCPA and address gaps in the existing law.
The CPRA creates a new government agency to enforce the privacy regulations and to issue new ones. Separately, it makes businesses more accountable for what happens to the personal data of California residents after they share it: a business must bind the third parties, service providers and contractors it discloses data to by contract, and those recipients must honour the same restrictions the business itself is under. It is fair to expect more compliant businesses in California in the near future, and stricter enforcement penalties.
Even though the CPRA is an expansion of the CCPA, the two do have some definitive distinctions. Let's look at those in detail.
Under the CCPA, a for-profit entity is a 'business' if it meets any one of the following three thresholds –
- Annual gross revenue above $25 million.
- Buys, receives, sells or shares the personal information of 50,000 or more consumers, households, or devices per year.
- Derives 50% or more of its annual revenue from selling consumers' personal information.
The CPRA raises the second threshold to 100,000 or more consumers or households (devices are no longer counted), so that the law targets larger corporations and takes the burden off smaller organisations; the revenue threshold now also counts income from 'sharing' personal information, not just selling it. The CPRA also adds a new 'business' category for entities that voluntarily certify to the California Privacy Protection Agency, the CPRA's enforcement agency, that they comply with and agree to be bound by the law. Thanks to this provision, small businesses that otherwise fall outside the CPRA's scope can opt in and use compliance as a business differentiator.
Sensitive Personal Information
The two laws classify personal information differently. The CCPA treats direct and indirect identifiers, geolocation data, biometric data, internet activity and similar data as personal information, all under one set of rules. The CPRA carves out a subset it calls 'sensitive personal information': for example government identifiers such as Social Security or driver's licence numbers, account log-in credentials, precise geolocation, the contents of mail, email and text messages, genetic data, biometric data processed to identify a person, and information revealing racial or ethnic origin, religious beliefs, union membership, health, or sex life or sexual orientation. This category is subject to stricter requirements. Consumers have the right to limit how sensitive personal information is used and disclosed, and organisations must provide a link titled 'Limit the Use of My Sensitive Personal Information'. Once a consumer exercises that right, the business may use the data only as necessary to provide the goods or services the consumer requested, unless the consumer later consents to more.
Under the CPRA, a new enforcement agency, the California Privacy Protection Agency (CPPA), will have the power to audit the privacy practices of covered entities, bring administrative enforcement actions and issue new regulations. Currently, the California Attorney General alone enforces the CCPA.
Penalties for the Violation of Minors’ Personal Information
The CCPA provides for a civil penalty of $2,500 per violation (or $7,500 per intentional violation), with no separate treatment of violations involving minors' personal information. Under the CPRA, any violation involving the personal information of a consumer the business knows is under 16 carries the $7,500 penalty, whether or not it was intentional.
Private Right of Action
The CCPA allows consumers to bring a civil action when certain categories of their personal information are subject to unauthorized access, theft or disclosure as a result of the business's failure to implement reasonable security. The CPRA keeps this private right of action and extends it to breaches that expose an email address together with a password or security question and answer that would permit access to the account. The statutory damages are unchanged: $100 to $750 per consumer per incident, or actual damages, whichever is greater.
The CPRA removes the mandatory 30-day cure period that the CCPA gave businesses before an enforcement action could be brought over an alleged violation; whether to allow a cure becomes a matter of enforcement discretion. For the breach-related private right of action, it also clarifies that implementing and maintaining reasonable security procedures and practices after a breach does not by itself count as a cure.
Definition of Sale
The CCPA requires organisations that 'sell' consumers' personal data to provide certain disclosures and to honour the right to opt out of the sale. The CPRA adds clarity here. It also gives consumers the right to opt out of the 'sharing' of their personal information, which the CPRA defines as disclosing it to a third party for cross-context behavioural advertising, whether or not money changes hands. Accordingly, a business that sells or shares personal information must place a link titled 'Do Not Sell or Share My Personal Information' on its website; a business that runs targeted advertising without selling data is no longer outside this requirement.
Consumer Privacy Rights
Right to Access Personal Information: Under the CCPA, organisations had to give consumers their personal information from the preceding 12 months. Under the CPRA, for information collected on or after 1 January 2022, consumers can request information beyond the 12-month window, unless providing it proves impossible or would involve disproportionate effort on the organisation's part.
Right to Delete Personal Information: This right is largely unchanged. On request, businesses must delete the consumer's personal information and direct their service providers and contractors to do the same; under the CPRA they must also notify third parties to whom the information was sold or shared.
In addition to the above, the CPRA introduces a few new consumer rights. These are as follows –
Right to Information about Automated Decision-Making: The CPRA directs the new agency to issue regulations giving consumers access and opt-out rights regarding a business's use of automated decision-making technology, including profiling, and requiring businesses to provide meaningful information about the logic involved and the likely outcome for the consumer.
Right to Correct: Under CPRA consumers have the right to correct inaccurate personal information stored by a business. Upon receiving a correction request, businesses must use “commercially reasonable efforts” to correct the inaccurate personal information.
Right to Limit Use and Disclosure of Sensitive Personal Information: Consumers can direct a business to limit how it uses and discloses their sensitive personal information. After such a request, the business may use that information only as necessary to provide the goods or services the consumer has asked for, and not for purposes such as inferring characteristics about them, unless the consumer consents.
How Can You Prepare for the CPRA?
The CPRA gives consumers greater rights over their personal data and its use, while modifying enforcement provisions and bringing in many more requirements, obligations and uncertainties for organisations. Achieving compliance may be a quite different undertaking now. The good news is that most of the CPRA's provisions do not become operative until 1 January 2023, with enforcement starting 1 July 2023, although the 12-month look-back means information collected from 1 January 2022 is in scope. This gives organisations time to prepare. Here are a few things you can consider doing to become compliant –
- Take stock of your current privacy program and identify any gaps. With the CPRA being one of the strictest privacy laws out there, performing a privacy assessment and understanding the maturity of your current program is a good first step towards compliance.
- Determine whether you fall within the scope of the CPRA by reassessing the CCPA applicability analysis. The CCPA covers organisations that handle the personal data of 50,000 or more consumers, households, or devices; the CPRA raises that threshold to 100,000 or more consumers or households, so some organisations will drop out of scope while the voluntary-certification route lets others opt in.
- Rethink your data maps and data inventories. Identify how your organisation collects, uses, stores, and transfers consumer data. While performing this analysis, pay particular attention to sensitive personal information (as defined by the CPRA), business-to-business data, employee data, and data flows to and from third-party vendors, since the CPRA's contract requirements apply to those flows.
- Stay up to date with developments around the CPRA, in particular the regulations the new agency issues, since they will fill in details such as the automated decision-making rights. Staying on top of these developments will help you prepare better.
Further, keep building your compliance program so that you have the procedures and policies in place to meet the CPRA's requirements. These practices will strengthen your existing privacy program and streamline compliance with the CPRA.