Companies have barely had time to catch their breath since the California Consumer Privacy Act (CCPA) took effect this year, and California has already passed a second, tougher law. Many considered the CCPA to be the strictest privacy law ever enacted in the U.S., but that may not be true for long: the California Privacy Rights Act (CPRA), often referred to as "CCPA 2.0," could earn that title after passing in the November 2020 general election.
Backed by the Californians for Consumer Privacy (the group that drafted the original CCPA initiative), the CPRA amends the CCPA, creating new privacy obligations for organizations and significantly expanding the rights of consumers. The CPRA takes effect on January 1, 2023, but it will apply to personal information collected on or after January 1, 2022, so companies will once again need to update their privacy programs to comply with an even more rigorous set of data protection requirements.
In this blog, we’ll take a closer look at the CPRA, how the law compares to the CCPA, and what your company can do now to start preparing for its requirements.
To understand the origins of the CPRA, we must start with the CCPA. When the California legislature drafted the CCPA in 2018, it based the bill on a ballot initiative created by the Californians for Consumer Privacy. While the ballot proposition took an aggressive approach to data protection, the legislature ultimately designed the CCPA to be less restrictive, and many privacy advocates objected to the absence of certain consumer rights.
Despite these concerns, the CCPA passed a week after its introduction and was then amended into the law we know today. Now, the same privacy rights group that drafted the original initiative has written the CPRA to supplement the protections in the CCPA and address gaps in the existing law.
To qualify for the November 2020 ballot, the CPRA needed signatures equal to at least 5% of the votes cast in California's most recent gubernatorial election, which meant collecting more than 600,000 signatures during a global pandemic and a period of social distancing. Despite many doubts, on May 4, 2020, the Californians for Consumer Privacy presented over 900,000 signatures to the California Secretary of State. Then, just days before CCPA enforcement began in July, the CPRA qualified for California's November 3 ballot.
| Date | Key event |
| --- | --- |
| September 24, 2019 | Alastair Mactaggart, founder of Californians for Consumer Privacy, announced the filing of the CPRA for the November 2020 ballot |
| November 13, 2019 | The final text of the CPRA was published |
| May 4, 2020 | The Californians for Consumer Privacy submitted signatures to qualify the CPRA for the November ballot |
| June 25, 2020 | The CPRA qualified for California's ballot in the November general election |
| November 3, 2020 | Election Day |
| 5 days after the Secretary of State certifies the election results | The California Privacy Protection Agency (CPPA) is created and funded |
| January 1, 2022 | 12-month look-back period begins: the CPRA applies to personal information collected on or after this date |
| January 1, 2023 | CPRA effective date |
| July 1, 2023 | CPRA enforcement date |
Privacy advocates have criticized the CCPA for its sweeping definitions, ambiguous language, and complex advertising and sale rules. The CPRA attempts to clarify these ambiguities while strengthening and expanding the regime the CCPA established. From stronger enforcement to expanded consumer rights to heightened disclosure obligations, the CPRA builds on the CCPA's foundation to establish a more comprehensive privacy law.
Here’s how the CPRA compares to the CCPA:
The CCPA includes three thresholds that determine whether a for-profit entity qualifies as a "business":
Under the CPRA, the consumer threshold is raised from 50,000 to 100,000 consumers or households, so that the law targets large corporations rather than burdening smaller businesses. The CPRA also adds a new "business" category: entities that voluntarily certify to the California Privacy Protection Agency, the CPRA's enforcement agency, that they comply with the law. This gives small businesses outside the CPRA's scope a way to self-certify their alignment with the law as a business differentiator. In doing so, they agree to be bound by the law's requirements, and their names will be made available to the public.
The CCPA defines "personal information" broadly to include direct identifiers, indirect identifiers, biometric data, geolocation data, internet activity, and similar categories. The CPRA keeps that definition but carves out a new subcategory, "sensitive personal information," covering data such as government identifiers (Social Security, driver's license and passport numbers), account log-in or financial account credentials, precise geolocation, racial or ethnic origin, religious beliefs, union membership, the contents of mail, email and text messages, genetic data, biometric information processed to uniquely identify a consumer, health information, and sex life or sexual orientation.
Sensitive personal information carries heightened requirements under the CPRA, including a consumer's right to limit its use and disclosure, additional notice requirements, and a new "Limit the Use of My Sensitive Personal Information" link. In addition, a business may not use or disclose sensitive personal information for any purpose beyond what is necessary to provide the goods or services the consumer requested, unless the consumer has consented.
The CPRA creates a new enforcement agency, the California Privacy Protection Agency (CPPA), with the power to audit the privacy practices of covered entities and to issue new regulations. The CPPA will be governed by a five-member board, with members serving terms of up to eight years. The Governor appoints the chair and one board member, while the California Attorney General, the Senate Rules Committee, and the Speaker of the Assembly each appoint one of the remaining three. The CPPA will also appoint a Chief Privacy Auditor to assess compliance with the CPRA.
The California Attorney General is the current regulator under the CCPA.
Under the CCPA, violations involving the personal information of minors (those under 16 years of age) incur fines of $2,500 per violation – the same amount as violations involving adults' personal information. The CPRA increases the fine for violations involving minors to $7,500 per violation.
Under the CCPA, consumers can bring a civil action if their unencrypted and nonredacted personal information is subject to unauthorized access, theft, or disclosure because the business failed to maintain reasonable security. The CPRA expands this private right of action to also cover breaches of an email address in combination with a password or security question and answer that would permit access to the account. The statutory damages cap of $750 per consumer per incident remains the same.
Under the CCPA, enforcement actions and consumer suits for statutory damages can be pursued only after the business has been given 30 days to "cure" the alleged violation. The CPRA removes the mandatory 30-day cure period for agency enforcement, and for data breach suits it specifies that implementing and maintaining reasonable security procedures and practices after a breach does not count as a cure.
Currently, businesses that “sell” the personal information of California consumers must provide consumers with certain disclosures and the right to opt-out of the sale by posting a “Do Not Sell My Personal Information” link on their website.
The CPRA expands and clarifies this right by also letting consumers opt out of the "sharing" of personal information with third parties for cross-context behavioral advertising. Companies that engage in targeted advertising will need to replace the existing link with one titled "Do Not Sell or Share My Personal Information."
Even though voters approved the CPRA in the November election, the CCPA remains California's governing privacy law until January 1, 2023. Businesses effectively have only a year to prepare, however, because the CPRA will apply to personal information collected on or after January 1, 2022. The CPRA also transfers rulemaking authority from the Attorney General to the CPPA, beginning no earlier than July 1, 2021. Certain provisions of the CPRA take effect immediately, including:
The CPRA will significantly expand the measures of the CCPA, granting new rights to consumers, modifying enforcement provisions, and imposing various other obligations and requirements. But, the CPRA will also introduce new uncertainties to organizations and require additional budget, time, and resources in order to achieve compliance.
While the CPRA won't officially take effect for two years, here are a few steps your company can take now to prepare for CPRA compliance:
In addition, your company should continue to build out its compliance program to ensure the proper policies and procedures are in place to comply with the CPRA and the appropriate measures are taken to safeguard consumer information. These practices will help strengthen your existing privacy program and streamline compliance with the CPRA.
To keep pace with a constantly changing privacy landscape and give consumers back control over their personal information, the Californians for Consumer Privacy developed the CPRA. Companies will soon have to comply with the requirements of the strictest privacy law in the U.S. Although the law provides a year to prepare, these new regulations and requirements will take significant time to implement, so there is no time to delay. With 56% of voters supporting it, November 3, 2020 will be remembered as a pivotal day for privacy in California, the United States, and the global privacy landscape.
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.