In the ever-evolving landscape of digital privacy, the California Privacy Rights Act (CPRA) marks a significant milestone for businesses and consumers alike in the Golden State. Enacted to enhance and expand upon the foundations laid by the California Consumer Privacy Act (CCPA), the CPRA introduces a new era of stringent data protection standards and consumer privacy rights.

As businesses navigate the complexities of compliance, understanding the CPRA's requirements becomes not just a legal obligation but a crucial element in building trust and transparency with customers.

Below, we explain the essentials of CPRA compliance, offering a comprehensive guide to help organizations align their practices with the law's provisions. We’ll cover the key aspects of CPRA compliance, from understanding consumer rights to implementing robust data protection measures, to help your business meet legal obligations and embrace data privacy as a core value.

The California Privacy Rights Act explained

The CPRA is new legislation that amends and builds on the existing CCPA to give Californian consumers stronger data privacy protections. It was enacted on November 3, 2020, after being approved by California voters through a ballot initiative during the general election.

CPRA expands the definition of personal information established by CCPA and creates new consumer rights, including the right to: 

• Correct inaccurate personal information
• Delete personal information
• Know what personal information is collected and how it is used
• Opt out of the sale of their personal information

If the CCPA already granted California residents data privacy protections, why is the CPRA necessary, and what is its purpose? The CPRA was enacted for several reasons:

1. Strengthen consumer privacy rights: The CPRA provides California residents with even greater control over their personal information, such as the right to correct inaccurate information and the right to limit the use of sensitive personal information.
2. Address new privacy challenges: As technology and data practices evolve, new privacy challenges emerge. The CPRA was designed to address these challenges by updating and expanding the regulatory framework to better protect consumers in a rapidly changing digital landscape.
3. Strengthen enforcement: The CPRA established the California Privacy Protection Agency (CPPA), a new regulatory agency dedicated to enforcing the state's privacy laws. This move was aimed at strengthening the enforcement of privacy rights and ensuring businesses comply with the law.
4. Clarify and expand regulations: The CPRA also sought to clarify certain aspects of the CCPA that were ambiguous or subject to varying interpretations. It also closes gaps in the legislation that could have been exploited to the detriment of consumer privacy.
5. Align with global privacy standards: With the global trend towards stronger privacy protections, such as the European Union's General Data Protection Regulation (GDPR), the CPRA aimed to bring California's privacy laws closer in line with international standards.

Which businesses must comply with the CPRA?

Like the CCPA, CPRA applies to any for-profit organization that collects or processes Californian consumers’ personal information. This includes:

• Technology companies, such as social media, advertising technology, educational technology, and cloud services
• Ecommerce companies and online retailers
• Fintech and financial institutions such as banks and credit unions
• Travel and hospitality companies including hotels, airlines, and travel agencies
• Subscription services such as streaming providers, online publications, and membership programs
• Real estate businesses and online platforms
• Data brokers and marketing firms that buy, sell, or share personal information

Certain exemptions exist for small businesses that:

• Have an annual gross revenue of less than $25 million
• Buy, sell, or process the personal information of fewer than 100,000 consumers or households annually
• Derive less than 50% of their annual revenue from selling or sharing consumers’ personal information 

CPRA vs CCPA vs GDPR: Comparing Data Privacy Regulations

What types of personal information are protected by the CPRA?

Like the CCPA, the CPRA defines "personal information" fairly broadly. It encompasses several types of data that could be linked to a specific consumer or household, either directly or indirectly. Personal information under the CPRA includes:

Identifiers:

• Name or alias
• Mailing address
• Unique personal identifier or online identifier
• IP address
• Email address
• Account name
• Social Security number
• Driver's license number
• Passport number

Customer records information:

• Name
• Signature
• Social Security number
• Physical characteristics or description
• Mailing address
• Telephone number
• Passport number
• Driver's license or state ID number
• Insurance policy number
• Education or employment history
• Bank account, credit card, and debit card numbers, or any other financial information
• Medical or health insurance information

Protected classifications:

• Race
• Religion
• Sexual orientation
• Gender identity or expression
• Age
• Disability

Commercial information:

• Records of personal property
• Products or services purchased, obtained, or considered
• Purchasing or consuming histories or tendencies

Internet or other electronic network activity information:

• Browsing and search history
• Information regarding interactions with a website, application, or online advertisement

Biometric and sensory information:

• Fingerprints, faceprints, and voiceprints
• Iris or retina scans
• Keystroke, gait, or other physical patterns
• Sleep, health, or exercise data that contain identifying information
• Audio, electronic, visual, thermal, olfactory, or similar information

Geolocation data:

• Precise geographic location information about a particular individual or device

Employment or education information:

• Job history and performance evaluations
• Information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (FERPA)

Inferences drawn:

• Consumer profiles created to reflect the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes

This expansive definition of personal information under the CPRA underscores the law's broad approach to privacy and data protection, requiring businesses to carefully consider the consumer data they collect, use, and share to ensure compliance with the law.

However, not all consumer information is considered personal information protected under the CPRA and CCPA. Categories of data not considered personal information include:

• Publicly Available Information: Information that is lawfully made available from federal, state, or local government records.
• Deidentified, Aggregated, or Anonymized Information: Data that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer or household.
• Information Excluded Under Other Laws: Certain personal information is covered by sector-specific privacy laws and is therefore not considered personal information under the CPRA. Examples include:
• -Health or medical information covered by the Health Insurance Portability and Accountability Act (HIPAA) and the California Confidentiality of Medical Information Act (CMIA)
• -Personal information collected, processed, sold, or disclosed under the Gramm-Leach-Bliley Act (GLBA) concerning financial institutions and services
• -Personal information covered by the Fair Credit Reporting Act (FCRA)
• -Personal information collected, processed, sold, or disclosed under the Driver's Privacy Protection Act of 1994

What qualifies as sensitive personal information under the CPRA?

The CPRA introduces the concept of "sensitive personal information," which is considered more private and has a higher risk of causing harm if misused or disclosed. This new category of personal information includes:

• Driver's license, State ID, passport, or Social Security number
• Financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials
• Precise geolocation
• Racial or ethnic origin
• Religious or philosophical beliefs
• Union membership
• The contents of a consumer's mail, email, and text messages unless the business is the intended recipient of the communication
• Genetic data
• Biometric information that can uniquely identify a consumer
• Personal information collected and analyzed concerning a consumer's health, sex life, or sexual orientation

The CPRA provides consumers with new rights specifically related to sensitive personal information, along with stricter obligations for businesses handling this type of data.

Right to Limit Use and Disclosure: Consumers have the right to direct businesses to limit the use of their sensitive personal information to only those purposes necessary to perform the services or provide the goods requested by the consumer. For example, performing a transaction, providing goods or services requested, ensuring security and integrity, and undertaking activities to verify or maintain the quality or safety of a service or device.

Transparency Requirements: Businesses are required to provide clear disclosures to consumers about their rights regarding sensitive personal information, including the right to limit its use.

Purpose Limitation: Businesses must limit their use of sensitive personal information to only those purposes necessary to perform the services or provide the goods agreed upon — unless they receive explicit consent from the consumer for additional uses.

Consumer rights under the CPRA

The CPRA grants consumers significant rights regarding their personal information. These rights build upon those established by the CCPA and introduce new provisions to enhance consumer privacy.

Here's an overview of consumer rights under the CPRA and CCPA:

Right to Know: Consumers have the right to know: 

• What personal information is being collected about them
• The sources of the information collected
• The purpose for collecting or selling the information
• The categories of third parties with whom the information is shared

Right to Access: Consumers can request access to the specific personal information a business has collected about them.

Right to Delete: Consumers have the right to request the deletion of their personal information held by a business and, by extension, by the business's service providers.

Right to Correct: A new right under the CPRA allows consumers to correct inaccurate personal information that a business holds about them.

Right to Opt-Out of Sale or Sharing: Consumers can opt out of the sale or sharing of their personal information. The CPRA expands this right to include the sharing of personal information for cross-context behavioral advertising.

Right to Limit Use and Disclosure of Sensitive Personal Information: Consumers can direct businesses to limit the use of their sensitive personal information to only that which is necessary to perform the services or provide the goods requested by the consumer.

Right to Data Portability: Upon request, consumers have the right to receive a copy of their personal information in a portable and readily usable format that allows them to transmit the information to another entity.

Right to Non-Discrimination: Businesses cannot discriminate against consumers for exercising their CPRA rights, including by denying goods or services, charging different prices or rates, or providing a different level or quality of goods or services.

Right to Opt-Out of Automated Decision-Making: The CPRA introduces a right for consumers to opt out of automated decision-making, including profiling in certain contexts.

Right to Restrict Sensitive Personal Information: Consumers have the right to restrict the use of their sensitive personal information for purposes other than those explicitly allowed by the CPRA, such as performing the services or providing the goods requested by the consumer.

Penalties for non-compliance with California data privacy laws

The CPPA is primarily responsible for enforcing the CPRA. It has the authority to audit businesses for compliance, investigate potential violations, and issue fines and penalties for noncompliance. The creation of the CPPA is a significant development in privacy regulations, as it is the first agency in the United States dedicated solely to consumer privacy.

While the CPPA is the primary enforcement body, the California Attorney General also retains the authority to enforce the CPRA, particularly in cases where civil penalties may be sought.

Depending on the severity of the violation, non-compliance with CPRA can result in the following penalties:

• Administrative Fines: The CPPA can levy administrative fines up to $2,500 for each violation and up to $7,500 for each intentional violation or violations involving minors' personal information. These fines are assessed per violation, which can add up to substantial penalties for widespread or systemic issues.
• Civil Penalties: In addition to administrative fines, businesses may face civil penalties enforced through legal action brought by the Attorney General of California. The potential for civil penalties adds another layer of financial risk for non-compliant businesses.
• Private Right of Action: In the event of a data breach that results from a business's failure to implement and maintain reasonable security procedures and practices, consumers can seek statutory damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater. This provision allows individuals to take legal action independently of the CPPA or Attorney General's enforcement activities.

What CCPA-compliant organizations need to do to comply with the CPRA

If your organization is already compliant with the CCPA, you've established a solid foundation for data privacy practices. However, given the CPRA's broader scope and the CPPA’s enforcement powers, it's essential to proactively address new requirements. To ensure full CPRA compliance, you’ll need to take the following steps:

1. Understand CPRA enhancements: Familiarize yourself with the CPRA's expanded definitions and concepts, such as sensitive personal information, sharing of personal information, and new consumer rights.
2. Train employees: Provide updated data privacy training to employees who handle personal information or consumer inquiries about your organization's privacy practices, ensuring they are aware of the CPRA's requirements and how to comply with them.
3. Review and update data inventory: Conduct a comprehensive review of the personal information your organization collects, processes, stores, and shares. Pay special attention to any sensitive personal information and ensure that data handling meets the new stricter requirements.
4. Update privacy notices and policies: Revise your privacy policies and consumer notices to include the additional rights and protections under the CPRA, such as the right to correct inaccuracies and the right to limit the use of sensitive personal information. Ensure that your policies clearly communicate how consumers can exercise their rights.
5. Assess and strengthen data security: Given the expanded private right of action for data breaches, it’s important to assess your current security measures to identify and close any gaps to protect against unauthorized access, disclosure, and use of personal information.
6. Review vendor and third-party contracts: Examine agreements with service providers, contractors, and third parties to ensure they include terms that comply with CPRA requirements. This includes obligations to comply with CPRA provisions, process personal information following your organization's instructions, and assist in fulfilling consumer rights requests.
7. Implement processes for new consumer rights: Develop and implement processes to accommodate consumers' rights to correct their personal information and to limit the use and disclosure of their sensitive personal information. This may involve adjusting your existing systems for handling consumer requests under the CCPA.
8. Conduct regular internal compliance audits: Periodically audit your CPRA compliance efforts to identify and rectify any gaps or weaknesses and ensure ongoing compliance with the law.
9. Document compliance efforts: Keep detailed records of your compliance activities, including data mapping, risk assessments, policy updates, employee training, and processing of consumer rights requests. This documentation can be crucial for demonstrating compliance in the case of regulatory inquiries or audits.

Ensure data privacy compliance with Secureframe’s GRC automation

Automation is fundamentally changing the security, privacy, and compliance landscape, making it faster and easier to build and maintain your data privacy program and ensure compliance with an evolving regulatory landscape.

With Secureframe, you can: 

• Set up the right data privacy policies and procedures
• Deliver and track employee training
• Automate CPRA compliance evidence collection
• Stay current with the latest data privacy requirements

An automation platform also makes it easier to achieve and prove compliance with multiple data privacy regulations, including GDPR. Instead of starting from ground zero, compliance software can help map what you’ve already done for the CPRA and CCPA to other regulations and information security frameworks.

To learn more about Secureframe’s capabilities, schedule a demo with a product expert today.