CPRA Compliance Software Solution

CPRA stands for the California Privacy Rights Act. It is a privacy law that was passed in California, United States. The CPRA was introduced as a ballot initiative and California voters approved California Consumer Privacy Act (CCPA) in November 2020. It is considered an expansion of the existing California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020.

The CPRA builds upon the privacy rights and protections provided by the CCPA, aiming to enhance consumer privacy and further regulate businesses’ collection, use, and sharing of personal information. It introduces several new requirements and establishes a new enforcement agency, the California Privacy Protection Agency (CPPA), to oversee and enforce the law.

The CPRA applies to businesses that collect and process the personal information of California residents and meet specific criteria. The law defines a business as any legal entity that operates for profit and:

• Has annual gross revenue exceeding $25 million.
• Buys, sells, or shares personal information of 100,000 consumers or households.
• Derives 50% or more of its annual revenue from selling consumers’ personal information.

Additionally, the CPRA applies to entities that control or are controlled by a business and share common branding with the business covered by the law.

The California Privacy Rights Act (CPRA) went into effect on January 1, 2023. This means that the provisions and requirements outlined in the CPRA will become enforceable starting from that date. Businesses and organizations covered by the CPRA must ensure compliance with the new regulations and adjust their privacy practices and policies accordingly.

The CPRA (California Privacy Rights Act) regulation introduces several key requirements for businesses that collect and process personal information of California residents. Some of the main requirements under CPRA include:

• Expanded Definition of Personal Information: CPRA broadens the definition of personal information to include additional categories such as geolocation data, sensitive personal information, and certain types of profiling information.
• Enhanced Consumer Rights: CPRA grants consumers new rights, the right to correct their personal information, the right to limit the use of sensitive personal information, and the right to opt-out of the sale and sharing of personal information.
• Stricter Data Protection Obligations: CPRA imposes new obligations on businesses, such as the requirement to implement reasonable security measures to protect personal information and the implementation of data minimization and retention practices.
• Obligations for Service Providers: CPRA clarifies the responsibilities and obligations of service providers that process personal information on behalf of businesses, including specific contractual requirements and limitations on the use of personal information.
• Establishment of the California Privacy Protection Agency (CPPA): CPRA establishes the CPPA as an independent agency responsible for enforcing and implementing the CPRA. The CPPA has the authority to issue regulations, conduct audits, and enforce penalties for violations of the law.
• Additional Accountability Measures: CPRA introduces accountability measures, such as requiring businesses to conduct regular privacy assessments and audits, and maintaining records of data processing activities.
• Consent Requirements for Data Sharing: CPRA imposes stricter requirements for businesses to obtain consent from consumers before sharing their personal information with third parties.

It is important to note that these are key requirements under CPRA, and the law contains additional provisions and nuances that businesses need to comply with.

The CPRA (California Privacy Rights Act) can have several impacts on businesses that collect and process personal information of California residents. Here are some ways in which CPRA may affect your business:

• Expanded Compliance Obligations: CPRA introduces new compliance requirements, such as implementing reasonable security measures to protect personal information, conducting regular privacy assessments, and maintaining records of data processing activities. Your business will need to assess and update its data handling practices to ensure compliance with these obligations.
• Enhanced Consumer Rights: CPRA grants consumers new rights, the right to correct their personal information, the right to limit the use of sensitive personal information, and the right to opt-out of the sale and sharing of personal information. Your business will need to establish processes and mechanisms to handle these consumer requests and honor their privacy preferences.
• Stricter Data Processing Restrictions: CPRA imposes limitations on using and sharing personal information, requiring businesses to obtain explicit consent from consumers before sharing their data with third parties. Your business will need to review and revise its data sharing practices to align with these restrictions and ensure proper consent management.
• Potential Impact on Service Provider Relationships: CPRA clarifies the responsibilities and obligations of service providers that process personal information on behalf of businesses. Your business will need to review and update agreements with service providers to ensure compliance with CPRA requirements and establish appropriate data protection measures.
• Potential Financial Implications: Non-compliance with CPRA can result in penalties and fines imposed by the California Privacy Protection Agency (CPPA). Your business may face financial consequences if found to be in violation of CPRA requirements. Therefore, it is essential to understand and implement the necessary measures to comply with the law.
• Impact on Reputation and Customer Trust: With a growing focus on privacy and data protection, consumers are increasingly aware of their rights and expectations. Complying with CPRA can help build customer trust and enhance your reputation as a privacy-conscious organization.

Under the CPRA (California Privacy Rights Act), sensitive personal information is a specific category of personal information subject to additional protection and regulations. The CPRA defines sensitive personal information as:

• Social Security Numbers, driver’s license numbers, passport numbers, and other government-issued identification numbers.
• Financial account information, such as bank account numbers and credit card numbers, in combination with any required security or access codes.
• Precise geolocation information, such as the exact location of an individual derived through GPS, Wi-Fi, or similar technologies.
• Racial or ethnic origin, religious or philosophical beliefs, union membership, genetic data, biometric information for the purpose of uniquely identifying an individual, health information, or information concerning sex life or sexual orientation.

The CPRA (California Privacy Rights Act) significantly enhances and introduces new data subject rights, empowering individuals with greater control over their personal information. These expanded rights surpass the provisions of the California Consumer Privacy Act (CCPA). Let’s explore the new and expanded data subject rights under CPRA:

• The right to correct inaccurate information: CPRA introduces a fresh right for consumers to request businesses to correct any inaccuracies in the personal information they hold.
• The right to limit the use of sensitive personal information: CPRA introduces a new category called sensitive personal information. Consumers now have the authority to instruct businesses to restrict the use of their sensitive personal information. Businesses must provide a dedicated link on their website titled “Limit the use of my sensitive personal information” to facilitate this request. Alternatively, they can combine this link with the existing “Do not share or sell my personal information” link.
• The right to opt-out of automated decision-making: CPRA extends the rights of individuals by granting them the ability to opt-out of automated decision-making processes.

CPRA also amends and expands upon existing data subject rights under CCPA:

• The right to delete personal information: Under CPRA, businesses are required to notify not only service providers but also any third parties to delete consumers’ personal information. Additionally, CPRA introduces new exceptions to the deletion requirement.
• The right to know: CPRA broadens the right to know by imposing additional obligations on businesses, including providing information about the categories of personal information shared with third parties. Moreover, businesses must now provide information for a period exceeding 12 months unless it would be impossible or involve disproportionate effort.
• The right to opt-out of sale: CPRA expands the existing opt-out right by encompassing the sale and sharing of personal information. Accordingly, the link posted on websites should be labeled “Do not sell or share my personal information.”
• The right of non-discrimination: CPRA extends the right of non-discrimination to cover not only consumers but also employees, job applicants, and independent contractors.

Under the CPRA, the potential administrative fine remains the same as under the CCPA (California Consumer Privacy Act): up to $2,500 per violation or $7,500 per intentional violation. However, the CPRA introduces a higher fine for violations involving consumers under 16 years of age.  Furthermore, Section 1798.199.55(b) of the CPRA states that if multiple individuals or entities are responsible for a violation, they can be jointly and severally liable for the fine.

The CPRA introduces a clear requirement for businesses regarding reasonable security measures. Unlike the CCPA, which refers to a business’s duty to maintain reasonable security procedures, the CPRA explicitly states this obligation.

CPRA Section 1798.155 outlines the scope of the CPPA’s “Administrative Enforcement.” It modifies the CCPA by removing references to the attorney general’s enforcement authority. It eliminates the provision that allowed businesses or third parties to seek compliance guidance from the attorney general (Subsection (a)). Additionally, the 30-day period for businesses to address alleged violations is no longer guaranteed, as the CPPA has discretion in this matter (CPRA Section 1798.199.45). The CPPA is responsible for guiding businesses (Section 1798.199.40(f)).

CPRA gives additional protections for the personal information of children under the age of 16. The CPRA restricts a business from selling or sharing the personal information of a consumer under the age of 16 unless the consumer (for consumers at least 13 years old) or the consumer’s parent (for consumers who are less than 13 years old) have authorized the sale or sharing. If the consumer under 16 (or the consumer’s parent if the consumer is under the age of 13) does not provide consent, the business must wait at least 12 months before requesting the consumer’s consent again or until the consumer turns 16.

These obligations apply if the business has “actual knowledge” of the child’s age. Notwithstanding anything in the CPRA, a business must comply with its obligations under the federal Children’s Online Privacy Protection Act for the personal information of children under the age of 13.

The CPRA imposes higher administrative and civil penalties for violations relating to the personal information of children and minors.

Under CCPA, employee data is not expressly protected just like consumer data is in CCPA. In CCPA employee data acts as an exemption to consumer rights. But due to CPRA, that exemption will expire on January 1, 2023.

CPRA brings new rights for employees with regard to how the businesses will collect, use, store and process their information. CPRA will now offer six new privacy rights to the employees with respect to their data. Due to the CCPA employee exemption it prevented the employees to exercise the same rights as consumers, but the exemption will now expire on January 1, 2023.

The expansion of rights to employees will enable greater transparency to them and will also provide greater agency over the management and protection for their data.

Following rights have been given to employees under CPRA:

• Right to access the data.
• Right to correction of the data.
• Right to deletion of data.
• Right to opt out of sale of data.
• Right to limit the use of sensitive information.
• Right Not to be Discriminated Against for Exercising Any of the Employee’s Rights Under CPRA.

California Privacy Protection Agency, which is vested with full administrative power, authority, and Jurisdiction to Implement and enforce the California Consumer Privacy Act. The Agency shall be governed by a five-member board, including the Chair. These appointments should be made from among Californians with expertise in the areas of privacy, technology, and consumer rights.

The Agency board shall appoint an executive director who shall act in accordance with Agency policies and regulations and with applicable law.

The agency shall perform the following functions:

• Administer, implement, and enforce the CPRA.
• Protect the fundamental privacy rights of natural persons with respect to the use of their personal information.
• Promote public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale and disclosure of personal Information, Including the rights of minors with respect to their own information.
• Provide guidance to consumers regarding their rights under this title.
• Provide guidance to businesses regarding their duties and responsibilities.
• Provide technical assistance and advice to the Legislature, upon request, with respect to privacy-related legislation.
• Monitor relevant developments relating to the protection of personal Information, and In particular, the development of Information and communication technologies and commercial practices.
• Cooperate with other agencies with Jurisdiction over privacy laws and with data processing authorities In California, other states, territories, and countries to ensure consistent application of privacy protections.
• Perform all other acts necessary or appropriate In the exercise of its power, authority, and Jurisdiction, and seek to balance the goals of strengthening consumer privacy while giving attention to the impact on businesses.