What is the CPRA?
The California Privacy Rights Act 2020 (CPRA) is a California privacy law first passed by voters on November 3, 2020. It expands upon the California Consumer Privacy Act (CCPA) of 2018, which lays the groundwork for consumer privacy regulations in the state. The California Personal Data Protection Act will enter into force on January 1, 2023 and will apply to personal information collected after January 1, 2022.
Changes From the CCPA
Data Subject Rights
The CPRA retains the consumer rights detailed in the CCPA and adds two more:
- The right to rectification. California citizens will have the right to correct any inaccurate personal information.
- The right to limit the use and disclosure of sensitive personal information. Sensitive personal information is defined as any data that includes precise geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specified health information.
'Do Not Share' Button
In addition to requiring a "do not sell my personal information" button, as mandated by the CCPA, the CPRA will require a "do not share my personal data" button, which will allow consumers to opt-out from having their data shared with third parties. If a consumer opts out, businesses are now responsible not only for what they do with customer data but also for what third-party partners do with the data. For example, if you post website ads from a third party, you must ensure they do not store customer data. The same requirement extends to services such as trackers, telemetry, online assistants, and shopping carts. You will need to monitor and control all data flows with third parties, and you will be responsible for any data leakage.
The CRPA maintains two of the three thresholds established by CCPA while modifying the third threshold. Both regulations pertain to for-profit businesses that have annual revenue over $25 million or generate 50% or more of their revenue from selling or sharing the personal information of California residents. The third threshold now states that any entity buying, selling, or sharing the personal information of 100,000 or more California residents must now comply. This is up from 50,000 as stipulated by CCPA. If your organization meets any one of these three criteria, you are subject to CRPA regulations.
The CPRA will improve California’s compliance enforcement capabilities by creating a dedicated agency--the California Privacy Agency (CPA)--to enforce state privacy laws, investigate violations, and evaluate fines for violators.
Businesses will also lose the 30-day “heal” period, which the CCPA allots to give organizations time to mitigate violations that are discovered before being fined. It will also be illegal to share personal information with third parties unless the involved individuals elect to opt-in. Previously, CCPA only made it illegal to sell personal information.
From a fine standpoint, the base penalties for violations do not change between CCPA and CRPA—$2,500 for each unintentional and $7,500 for each intentional violation. But CRPA does add automatic fines ($7,500) for each violation involving the personal information of minors.
Want to know more about CPRA compliance and consent management? Check out these articles: