Companies have barely had time to catch their breath since the California Consumer Privacy Act (CCPA) took effect this year, and California has already passed a second, possibly tougher law. Many considered the CCPA to be the strictest privacy law ever enacted in the U.S., but that may not be true for long. Instead, the California Privacy Rights Act (CPRA), often referred to as “CCPA 2.0,” could earn that title after passing in the November 2020 general elections.

Backed by the Californians for Consumer Privacy (the group that first drafted the CCPA), the CPRA will amend the CCPA, creating new privacy obligations for organizations and significantly expanding the rights of consumers. The CPRA is set to go into effect on January 1, 2023, but certain provisions like those pertaining to the collection of personal information would go into effect immediately. Therefore, companies will once again need to update their privacy programs in order to comply with an even more rigorous set of data protection requirements.

In this blog, we’ll take a closer look at the CPRA, how the law compares to the CCPA, and what your company can do now to start preparing for its requirements.

Background of the CPRA

To understand the origins of the CPRA, we must start with the CCPA. When the CCPA was drafted by the California legislature in 2018, it was based on an original California ballot initiative created by the Californians for Consumer Privacy. While the ballot proposition took an aggressive approach to data protection, the California legislature ultimately designed the CCPA to be less restrictive. However, many privacy advocates were bothered by the absence of certain consumer rights.

Despite these concerns, a week after its introduction, the CCPA was passed, and it was amended and edited into the law we know today. Now, the same privacy rights group that formed the CCPA drafted the CPRA to supplement the privacy protections found in the CCPA and address issues within the existing law.

To qualify for the November 2020 ballot, the CPRA needed to collect the signatures of at least 5% of the registered voters in California. This meant that the group would need to collect over 600,000 signatures during a global pandemic and the resulting period of social distancing. Despite many doubts, on May 4, 2020, the Californians for Consumer Privacy presented over 900,000 signatures to the California Secretary of State. Then, just days before enforcement of the CCPA began in July, the CPRA qualified for California’s November 3 ballot.

Timeline of the CPRA

  • September 24, 2019: Alastair Mactaggart, founder of Californians for Consumer Privacy, announced the filing of the CPRA for the November 2020 ballot.
  • November 13, 2019: The final text of the CPRA was published.
  • May 4, 2020: The Californians for Consumer Privacy submitted signatures to qualify the CPRA for the November ballot.
  • June 25, 2020: The CPRA qualified for California’s ballot in the November general elections.
  • November 3, 2020: Election Day.
  • 5 days after the Secretary of State certifies the election results: The California Privacy Protection Agency (CPPA) is created and funded.
  • January 1, 2022: The 12-month look-back period for the CPRA begins.
  • January 1, 2023: CPRA effective date.
  • July 1, 2023: CPRA enforcement date.

Comparison Between the CCPA and CPRA

The CCPA has been highly criticized by privacy advocates for its sweeping definitions, ambiguous language, and complex advertising and sale rules. The CPRA attempts to clarify these confusions while strengthening and expanding the regulations established by the CCPA. From stronger enforcement to expanded consumer rights to heightened disclosure obligations, the CPRA builds upon the CCPA’s foundation to establish a more comprehensive privacy law.

Here’s how the CPRA compares to the CCPA:

Scope

The CCPA includes three thresholds, any one of which qualifies a for-profit entity as a business:

  1. Has $25M+ in annual revenue.
  2. Collects personal information from more than 50,000 consumers, households, or devices.
  3. Derives more than half of its revenue from third-party disclosure of personal information.

Under the CPRA, the second threshold is increased to 100,000 consumers in order to target large corporations rather than burden smaller businesses. The CPRA also adds a new “business” category, which includes entities that voluntarily certify to the California Privacy Protection Agency, the CPRA’s enforcement agency. This lets small businesses outside the scope of the CPRA self-certify their alignment with the law and use that certification as a business differentiator. These companies will agree to be bound by the law’s requirements, and their names will be made available to the public.

Sensitive Personal Information

Whereas the CCPA defines “personal information” to include direct identifiers, indirect identifiers, biometric data, geolocation data, internet activity, and sensitive information, the CPRA considers all of these categories to be “sensitive personal information.”

Sensitive personal information under the CPRA carries heightened requirements, including a consumer’s right to limit the processing of sensitive personal information, additional notice requirements, and a new requirement to add a “Limit the Use of My Sensitive Personal Information” link. In addition, sensitive personal information cannot be used or disclosed for any purpose that is not necessary to provide the good or service the consumer requested, unless the consumer has provided consent.

Enforcement Agency

The CPRA creates a new enforcement agency - the California Privacy Protection Agency (CPPA) - that will have the power to audit privacy practices of covered entities and issue new regulations. The CPPA will be governed by a five-member board with each member serving an eight-year term. The Governor will appoint the chair and one board member, while the California Attorney General, the Senate Rules Committee, and the Speaker of the Assembly will appoint the other three, respectively. A Chief Privacy Auditor will also be appointed by the CPPA to ensure compliance with the CPRA.

The California Attorney General is the current regulator under the CCPA.

Penalties for the Violation of Minors' Personal Information

Under the CCPA, violations involving the personal information of minors (those under 16 years of age) incur fines of $2,500 per violation, the same amount as violations involving adult personal information. The CPRA would increase these fines to $7,500 per violation.

Private Right of Action

Under the CCPA, consumers are able to pursue a civil action if their personal information is subject to unauthorized access, theft, or disclosure. The CPRA expands this private right of action by providing statutory damages for any breach under California law. The amount of $750 per consumer in damages remains the same.

Cure Period

With the CCPA, certain actions can be pursued only after a consumer has given a business 30 days to “cure” the alleged noncompliance violation. The CPRA does not consider the implementation and maintenance of reasonable security procedures and practices after a breach to be a suitable remedy for noncompliance violations, thereby eliminating the “cure” period.

Definition of Sale

Currently, businesses that “sell” the personal information of California consumers must provide consumers with certain disclosures and the right to opt out of the sale by posting a “Do Not Sell My Personal Information” link on their website.

The CPRA expands and clarifies this right by also giving consumers the ability to opt out of the “sharing” of personal information with third parties. Companies that engage in targeted advertising will now need to place a link titled “Do Not Sell or Share My Personal Information” on their website.

Consumer Privacy Rights

  • Right to Access Personal Information: Under the CCPA, businesses that receive a request for information must provide the consumer their information from the preceding 12 months. The CPRA expands this obligation, requiring businesses to provide access to information beyond the 12-month period unless doing so would be impossible or would involve a disproportionate effort.
  • Right to Delete Personal Information: Businesses must delete the personal information of consumers and direct service providers to do the same upon receiving a request under the CCPA. This right would remain the same even after the CPRA takes effect.

New CPRA Consumer Privacy Rights

  • Right to Correct: This gives consumers the right to correct inaccurate personal information held by a business. Businesses must use “commercially reasonable efforts” to correct the inaccurate personal information after receiving the request.
  • Right to Limit Use and Disclosure of Sensitive Personal Information: This right gives consumers the ability to direct a business to limit the use and disclosure of sensitive personal information. This means that businesses are prohibited from using a consumer’s sensitive personal information for any purpose other than the one to which the consumer has consented.
  • Right to Information about Automated Decision-Making: This right gives consumers the ability to opt out of a business’s use of automated decision-making technology and profiling.

The CPRA is Passed

Even though the CPRA was voted into law in the November elections, the CCPA will continue to be the governing privacy law of California until January 1, 2023. Businesses will only have a year to prepare, though, because the CPRA will apply to sensitive personal information collected by companies starting January 1, 2022. The CPRA will also require the CPPA to create a rulemaking process for new regulations by July 1, 2021. Certain provisions of the CPRA take effect immediately, including:

  • The extension of the personnel/employee and B2B exemptions.
  • The modification of the methods used for allocating funds, thereby creating the Consumer Privacy Fund.
  • The creation and funding of the California Privacy Protection Agency.
  • The adoption of regulations by the Attorney General to transfer regulatory authority to the California Privacy Protection Agency.

Preparing for the CPRA

The CPRA will significantly expand the measures of the CCPA, granting new rights to consumers, modifying enforcement provisions, and imposing various other obligations and requirements. But the CPRA will also introduce new uncertainties for organizations and require additional budget, time, and resources to achieve compliance.

While the CPRA won't officially take effect for two years, here are a few steps your company can take now to prepare for CPRA compliance in the future.

  • Evaluate the maturity of your current privacy program: The CPRA is an expansive data privacy law with strict requirements beyond those of the CCPA. Therefore, understanding the current state and maturity of your privacy program is a critical step toward achieving compliance with the CPRA. Performing a Privacy Maturity Assessment can help you benchmark your policies, processes, and technologies against privacy frameworks and regulations like the CPRA, identify existing gaps, and find opportunities to streamline compliance.
  • Reassess the applicability of the CCPA: While the CCPA covers organizations that collect the personal data of more than 50,000 consumers, households, or devices, the CPRA raises that threshold to 100,000. Companies should reassess their applicability to determine whether they remain in scope.
  • Determine which existing CCPA compliance processes can be leveraged: The CPRA is intended to strengthen the requirements of the CCPA. Therefore, many of the obligations will either remain the same or be amended to increase protections. Examining your existing compliance processes to learn which can still be applied will save your company time and money.
  • Reevaluate data inventories and data mappings: It is important to identify how consumer data is collected, used, stored, and transferred within your organization to determine whether those processes remain sufficient under the CPRA. When performing these exercises, ensure your company focuses on sensitive information (as defined by the CPRA), employee data, business-to-business data, and data flows between vendors, as these categories are expanded under the CPRA.
  • Closely monitor CPRA developments and updates: Staying current on the latest developments will help your company prepare for any changes in the law between now and its effective date in 2023.

In addition, your company should continue to build out its compliance program to ensure the proper policies and procedures are in place to comply with the CPRA and the appropriate measures are taken to safeguard consumer information. These practices will help strengthen your existing privacy program and streamline compliance with the CPRA.

To keep pace with a constantly changing privacy landscape and give consumers back control over their personal information, the Californians for Consumer Privacy developed the CPRA. Companies will soon have to address the requirements brought on by the U.S.’s newest and strictest privacy law. Although the law provides a year to prepare, these new regulations and requirements will take significant time to implement, so there’s no time to delay. With 56% of voters’ support, November 3, 2020 will be remembered as a pivotal day for privacy in California, the United States, and the global privacy landscape.
