What exactly is CPRA?
The California Privacy Rights Act (CPRA), commonly referred to as “CCPA 2.0,” has been making headlines recently for its presumed effect on privacy regulation. CPRA is an amendment and expansion of the recently enacted California Consumer Privacy Act—California’s current data privacy law that has been in effect since Jan. 1, 2020. This blog outlines and explains the parts of CPRA that are the most prominent for organizations seeking to comply with California’s latest privacy law.
CPRA legislative history?
During the California general election in November of 2020, Californians voted to approve Proposition 24, a ballot measure that formed the California Privacy Rights Act. CPRA was initially supported in 2018 on the November ballot, but the California legislature offered to pass CCPA in exchange for the withdrawal of CPRA and its more restrictive initiatives. As it turns out, the group that originally spearheaded CPRA—Californians for Consumer Privacy—felt more needed to be done after the bargained passage of CCPA and once again sought to pass CPRA in 2020 and succeeded.
When does the CPRA go into effect?
January 1, 2023, is when most of the CPRA’s provisions will go into effect, providing organizations a little more than two years to prepare. The CPRA extends the CCPA’s existing exemptions for employee information and B2B data until January 1, 2023, as well.
Comparing CCPA and CPRA: What has changed?
Definition of a covered “business”
The CPRA’s definition of a covered business changes the number of businesses in scope of the CCPA. The original threshold number of consumers or households has been doubled from 50,000 to 100,000. This reduces the applicability of the law to smaller businesses compared to the CCPA as it currently stands. Applicability of the law has also shifted to businesses that generate a majority of revenue from sharing PI of consumers, not just businesses that sell it. Also, the definition of ‘businesses’ now includes joint ventures or partnerships in which each business has at least 40% interest. Note that the CPRA now applies to entities having only a minority, non-controlling interest.
A new category of “sensitive personal information”
“Sensitive personal information” was introduced with the CPRA with new disclosure and purpose limitation requirements, and consumers have additional rights intended to limit what businesses can do with their sensitive personal information.
Sensitive personal data covers government identifiers, financial account information, precise geolocation data, race, ethnicity, religious or philosophical beliefs, union membership, the content of non-public communications, genetic data, biometric or health information, sex life, or sexual orientation information.
This type of information is subject to separate requirements and has additional restrictions under the CPRA. These changes include new opt-out requirements, an opt-in consent standard, purpose limitation requirements, and disclosure requirements.
New and expanded consumer privacy rights
There are both new rights introduced in the CPRA as well as rights that were modified from their original definitions in the CCPA.
New rights introduced with the CPRA
Right to Correction
Consumers are now able to request a correction of any inaccurate personal information held by a business.
Right to Opt-Out of Automated Decision-Making Technology
Consumers can now opt out of the use of automated decision-making technology on their personal information, including “profiling,” decisions related to work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Right to Access Information About Automated Decision Making
Consumers may now request to obtain access to the information regarding the logic involved in the decision-making processes and a description of the potential outcome for them based on that process.
Right to Restrict Sensitive Personal Information
Consumers can request to limit how their sensitive personal information is used and disclosed for certain secondary purposes.
The CPRA now requires mandatory risk assessments and cybersecurity audits for high-risk activities. The risk assessments must be submitted regularly to the California Privacy Protection Agency—CPRA’s newly established privacy enforcement authority.
CCPA rights modified by the CPRA
Right to Delete
Now, when consumers request that a business delete their personal information, the business is also required to notify any applicable third parties to delete any consumer personal information bought or received from the business.
Right to Know
Personal information covered in a “right to know” response is being expanded to include the personal information collected beyond the previous 12 months.
Right to Opt-Out
The “right to opt-out” that was granted to consumers under the CCPA now covers the sharing of personal information for cross-context behavioral advertising (more on this later).
Opt-in Rights for Minors
Another expansion of an existing right, the “opt-in right for minors” now includes the sharing of personal information for behavioral advertising purposes. Also, businesses must wait at least 12 months before asking a minor for consent to sell or share their personal information if that minor has already declined.
Right to Data Portability
Now, consumers can request that the business provide personal information to another entity, as long as it is structured in a commonly used and machine-readable format.
Direct regulation for the sharing of personal information for cross-context behavioral advertising
The CPRA differentiates between two distinct types of advertising. These are “cross-context behavioral advertising” and “non-personalized advertising.” The sharing of personal information for cross-context behavioral advertising is subject to the “right to opt-out,” as mentioned earlier. Regarding non-personalized advertising, this type of advertising is designated an internal “business purpose” and is not subject to the “right to opt-out.”
Adoption of certain General Data Protection Regulation (GDPR) principles
Like many data regulations, the CPRA categorizes concepts similar to the European Union’s General Data Protection Regulation (GDPR). These concepts include “data minimization,” “purpose limitation,” and “storage limitation.”
Data minimization concerns a business’s collection, use, retention, and sharing of personal information. That concept requires a business to collect/retain only that level/amount of data necessary to accomplish the purpose for which the data was collected in the first place. The objective here is to drive businesses to think about exactly what it is they need to collect, and limit collection to the minimum necessary for that objective.
Purpose limitation prohibits businesses from collecting or using personal information for purposes that are incompatible with any previously disclosed purposes without having provided that consumer with notification of the new purpose beforehand.
Storage limitation governs retention. At the time of collection, businesses are required to disclose their retention periods for each category of personal information. Also, businesses are prohibited from retaining personal information for longer than is “reasonably necessary” for each of their disclosed purposes.
The creation of a new privacy enforcement authority
Another piece of GDPR that the CPRA looked to adopt was the creation of an agency to investigate, enforce, and make rules regarding data regulation. Unlike the GDPR, which uses Data Protection Authorities for each member state to enforce its laws, the CPRA established the California Privacy Protection Agency (CPPA). The CPPA has jurisdiction over any person or company to whom the CPRA applies.
An amended definition of “service providers” and introduction of “contractors”
The CPRA has amended the previous definition of “service provider” and has introduced “contractors” as a new category of recipients of personal information who process personal information made available to them by businesses via a written contract. The CPRA imposes the same obligations on contractors that it does on service providers and requires them to certify their understanding of, and willingness to comply with, the CPRA regarding all contact they have with PI that is within the scope of the CPRA.
A new consent standard
Again, the CPRA follows the GDPR by introducing a more restrictive consent standard, which requires specific consent, by either the consumer or his/her parent. The consent standard only applies to certain scenarios, with some already being covered by the CCPA. These include:
- Consenting to the sale or sharing of personal information after an opt-out
- Minor opt-in consent for sale and sharing of personal information
- Consenting to secondary use and disclosure of sensitive personal information after an opt-out
- The research exemptions
- Opt-in consent for financial incentive programs
With CPRA going into effect on January 1, 2023, businesses should use this window of time to review their efforts regarding current CCPA requirements, while also looking to ensure their organization is compliant with the upcoming changes. One of the best places to start is by securing the personal data your organization holds. Utilizing technology like pseudonymization through tokenization will allow your organization to protect its consumers' sensitive data while meeting compliance obligations for current and future laws in multiple jurisdictions.
Founded in 2010, TokenEx is a cloud tokenization provider committed to protecting the world’s most sensitive data from a breach. Its industry-leading solution for data protection can secure and desensitize any structured data element to reduce risk, streamline operations, and enable its clients’ most critical business processes.