The California Privacy Rights Act (CPRA) is a data privacy law that is designed to enhance the existing CCPA (California Consumer Privacy Act). The CPRA will come into effect on January 1, 2023, and applies to any business that collects personal information belonging to Californian residents.
The CPRA also applies to businesses that buy, sell or share the personal information of 100,000 or more consumers or households in a year, or derive 50% or more of their annual revenue from selling or sharing personal information.
How Does the CPRA Compare to the CCPA?
The California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020, is a data privacy law that regulates how businesses (regardless of where they are located) handle personal information belonging to Californian residents.
So, will the CPRA replace the CCPA on January 1, 2023? Well, sort of, although it is generally considered to be more of an amendment than a replacement. There are a number of key differences between the CPRA and the CCPA, which include:
- Updated criteria for qualifying as a business.
- A new category of sensitive personal information.
- The private right to take legal action in the event of a data breach.
- Creation of a new privacy enforcement authority.
- Adoption of select GDPR principles.
- New and expanded consumer privacy rights.
The last two points on the list are arguably the most relevant, as many of the CPRA requirements are similar to those of the GDPR (General Data Protection Regulation).
California Privacy Rights Act Summary
1. The right to know and be informed
Businesses must have a clear online privacy notice which informs consumers of:
- The categories of personal information they collect/use, and the sources from which the information is collected.
- The reasons for collecting/using personal information.
- The retention period for each category of personal information.
- Whether their personal data will be sold or shared, and the reasons for doing so.
Within 45 days of receiving a consumer request, businesses that collect personal information must inform their customers about the following:
- The specific information collected about the consumer.
- The categories of personal information they have collected, along with the categories of sources from which they collected it.
- The reasons for collecting/using personal information.
- The categories of third parties with whom they shared personal information.
Businesses that sell or disclose personal information for business purposes must inform their users about:
- The categories of personal information they have collected, sold or shared with third parties.
- The categories of third parties with whom they have sold/shared personal information.
- The categories of personal information they have disclosed for business purposes, and who it was disclosed to.
2. The right to access data
Businesses are required to respond to subject access requests (SARs) in a timely manner, although they are not obligated to respond to SARs more than twice a year. The information must be provided free of charge, either via email, “snail mail”, or another suitable method. Any electronic information must be provided in a format that can be easily ported to a different service provider, similar to the GDPR’s “right to portability”.
3. The right to deletion
Upon request, businesses are required to delete any personal information held about a given subject. However, there are exceptional circumstances where it may be necessary for a company to retain their information following a request, such as when:
- The information is required to comply with legal obligations.
- A transaction to provide goods or services to a consumer is carried out.
- A contract between the business and the consumer needs to be executed.
- The information is required for security reasons, such as a forensic analysis following a security breach.
- The information is required to protect a subject’s free speech, or some other legal right.
- The information is required to comply with the California Electronic Communications Privacy Act (CalECPA).
- The information is required for scientific, historical, or statistical research.
- The information is used for internal purposes only, and those uses are aligned with the expectations of the consumer.
5. The right to opt out
Consumers have the right to prevent businesses from selling or sharing their personal information. Businesses are also required to notify their customers about their right to opt out whenever they sell or share their personal information with a third party. Instructions about how to opt out must be provided on the company’s homepage in a clear and conspicuous manner. This should include a link that says “Do Not Sell or Share My Personal Information”. Businesses are prohibited from selling personal information belonging to consumers under the age of 16, unless their parents or guardians have explicitly opted in. Consumers must not be discriminated against for exercising these rights.
6. The right to limit use and disclosure of sensitive personal information
Consumers have the right to limit the use and disclosure of sensitive personal information. It should be emphasized that businesses should only collect, process and store sensitive personal information if it is absolutely necessary to do so.
How to Prepare for the California Privacy Rights Act
To summarize, under the CPRA, consumers have the right to know what sensitive personal information is collected, why it is collected, how long it will be retained, whether it is sold or shared, and the reasons for doing so.
They also have the right to access and delete their personal information, as well as to opt out and to limit the use and disclosure of sensitive personal information. These elevated rights will put companies under pressure to ensure that they know exactly what data they store, and where it is located.
The most efficient way to achieve this level of visibility is to use a data discovery and classification solution, which will automatically scan repositories for sensitive personal information and classify it accordingly. Most sophisticated solutions will also provide options that allow you to select the data privacy laws that are most relevant to your business, and thus classify the data according to pre-defined criteria.