CPRA Compliance Checklist: Key Changes And How To Implement Them In Your Business
In the ever-evolving landscape of digital privacy, the California Privacy Rights Act (CPRA) marks a significant milestone for businesses and consumers alike in the Golden State. Enacted to enhance and expand upon the foundations laid by the California Consumer Privacy Act (CCPA), the CPRA introduces a new era of stringent data protection standards and consumer privacy rights.
As businesses navigate the complexities of compliance, understanding the CPRA's requirements becomes not just a legal obligation but a crucial element in building trust and transparency with customers.
Below, we explain the essentials of CPRA compliance, offering a comprehensive guide to help organizations align their practices with the law's provisions. We’ll cover the key aspects of CPRA compliance, from understanding consumer rights to implementing robust data protection measures, to help your business meet legal obligations and embrace data privacy as a core value.
The California Privacy Rights Act explained
The CPRA is new legislation that amends and builds on the existing CCPA to give Californian consumers stronger data privacy protections. It was enacted on November 3, 2020, after being approved by California voters through a ballot initiative during the general election.
CPRA expands the definition of personal information established by CCPA and creates new consumer rights, including the right to:
- Correct inaccurate personal information
- Delete personal information
- Know what personal information is collected and how it is used
- Opt out of the sale of their personal information
If the CCPA already granted California residents data privacy protections, why is the CPRA necessary, and what is its purpose? The CPRA was enacted for several reasons:
- Strengthen consumer privacy rights: The CPRA provides California residents with even greater control over their personal information, such as the right to correct inaccurate information and the right to limit the use of sensitive personal information.
- Address new privacy challenges: As technology and data practices evolve, new privacy challenges emerge. The CPRA was designed to address these challenges by updating and expanding the regulatory framework to better protect consumers in a rapidly changing digital landscape.
- Strengthen enforcement: The CPRA established the California Privacy Protection Agency (CPPA), a new regulatory agency dedicated to enforcing the state's privacy laws. This move was aimed at strengthening the enforcement of privacy rights and ensuring businesses comply with the law.
- Clarify and expand regulations: The CPRA also sought to clarify certain aspects of the CCPA that were ambiguous or subject to varying interpretations. It also closes gaps in the legislation that could have been exploited to the detriment of consumer privacy.
- Align with global privacy standards: With the global trend towards stronger privacy protections, such as the European Union's General Data Protection Regulation (GDPR), the CPRA aimed to bring California's privacy laws closer in line with international standards.
Which businesses must comply with the CPRA?
Like the CCPA, CPRA applies to any for-profit organization that collects or processes Californian consumers’ personal information. This includes:
- Technology companies, such as social media, advertising technology, educational technology, and cloud services
- Ecommerce companies and online retailers
- Fintech and financial institutions such as banks and credit unions
- Travel and hospitality companies including hotels, airlines, and travel agencies
- Subscription services such as streaming providers, online publications, and membership programs
- Real estate businesses and online platforms
- Data brokers and marketing firms that buy, sell, or share personal information
Certain exemptions exist for small businesses that:
- Have an annual gross revenue of less than $25 million
- Buy, sell, or process the personal information of fewer than 100,000 consumers or households annually
- Derive less than 50% of their annual revenue from selling or sharing consumers’ personal information
CPRA vs CCPA vs GDPR: Comparing Data Privacy Regulations
| | CCPA | CPRA | GDPR |
| --- | --- | --- | --- |
| Affects | California residents | California residents | EU residents |
| Applicable to | For-profit businesses that collect California residents' personal information | For-profit businesses that collect California residents' personal information | Organizations that process the personal data of EU residents |
| Consumer rights | Rights to access, delete, and know about personal information collected, sold, or disclosed; right to opt out of the sale of personal information | Grants additional rights to correct inaccuracies and limit the use of sensitive personal information | Rights regarding access, rectification, erasure, restriction of processing, data portability, objection, and rights related to automated decision-making and profiling |
| Data protection requirements | Focus on transparency, accountability, and giving consumers control over their personal information | Introduces more specific requirements for risk assessments and cybersecurity audits for high-risk activities and sensitive data | Emphasizes data protection by design and requires data controllers and processors to implement appropriate technical and organizational measures to ensure and demonstrate compliance |
| Data sharing restrictions | No specific provisions regarding cross-border data transfers, but requires contracts with service providers and third parties to ensure protections extend to data processed on behalf of businesses | No specific provisions regarding cross-border data transfers, but requires contracts with service providers and third parties to ensure protections extend to data processed on behalf of businesses | Imposes strict requirements for transferring personal data outside the EU, ensuring such transfers only occur to countries deemed to provide an adequate level of data protection or through approved mechanisms like Standard Contractual Clauses (SCCs) |
| Enforcement | Enforced by the California Attorney General, with provisions for civil penalties and a limited private right of action for data breaches | Establishes the California Privacy Protection Agency (CPPA) for enforcement, expands the private right of action, and introduces administrative fines | Enforced by data protection authorities in each EU member state, with provisions for substantial fines up to €20 million or 4% of annual global revenue, whichever is higher |
What types of personal information are protected by the CPRA?
Like the CCPA, the CPRA defines "personal information" fairly broadly. It encompasses several types of data that could be linked to a specific consumer or household, either directly or indirectly. Personal information under the CPRA includes:
Identifiers:
- Name or alias
- Mailing address
- Unique personal identifier or online identifier
- IP address
- Email address
- Account name
- Social Security number
- Driver's license number
- Passport number
Customer records information:
- Name
- Signature
- Social Security number
- Physical characteristics or description
- Mailing address
- Telephone number
- Passport number
- Driver's license or state ID number
- Insurance policy number
- Education or employment history
- Bank account, credit card, and debit card numbers, or any other financial information
- Medical or health insurance information
Protected classifications:
- Race
- Religion
- Sexual orientation
- Gender identity or expression
- Age
- Disability
Commercial information:
- Records of personal property
- Products or services purchased, obtained, or considered
- Purchasing or consuming histories or tendencies
Internet or other electronic network activity information:
- Browsing and search history
- Information regarding interactions with a website, application, or online advertisement
Biometric and sensory information:
- Fingerprints, faceprints, and voiceprints
- Iris or retina scans
- Keystroke, gait, or other physical patterns
- Sleep, health, or exercise data that contain identifying information
- Audio, electronic, visual, thermal, olfactory, or similar information
Geolocation data:
- Precise geographic location information about a particular individual or device
Employment or education information:
- Job history and performance evaluations
- Education information that is not publicly available personally identifiable information, as defined in the Family Educational Rights and Privacy Act (FERPA)
Inferences drawn:
- Consumer profiles created to reflect the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
This expansive definition of personal information under the CPRA underscores the law's broad approach to privacy and data protection, requiring businesses to carefully consider the consumer data they collect, use, and share to ensure compliance with the law.
However, not all consumer information is considered personal information protected under the CPRA and CCPA. Categories of data not considered personal information include:
- Publicly Available Information: Information that is lawfully made available from federal, state, or local government records.
- Deidentified, Aggregated, or Anonymized Information: Data that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer or household.
- Information Excluded Under Other Laws: Certain personal information is covered by sector-specific privacy laws and is therefore not considered personal information under the CPRA. Examples include:
  - Health or medical information covered by the Health Insurance Portability and Accountability Act (HIPAA) and the California Confidentiality of Medical Information Act (CMIA)
  - Personal information collected, processed, sold, or disclosed under the Gramm-Leach-Bliley Act (GLBA) concerning financial institutions and services
  - Personal information covered by the Fair Credit Reporting Act (FCRA)
  - Personal information collected, processed, sold, or disclosed under the Driver's Privacy Protection Act of 1994
What qualifies as sensitive personal information under the CPRA?
The CPRA introduces the concept of "sensitive personal information," which is considered more private and has a higher risk of causing harm if misused or disclosed. This new category of personal information includes:
- Driver's license, State ID, passport, or Social Security number
- Financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials
- Precise geolocation
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
- The contents of a consumer's mail, email, and text messages unless the business is the intended recipient of the communication
- Genetic data
- Biometric information that can uniquely identify a consumer
- Personal information collected and analyzed concerning a consumer's health, sex life, or sexual orientation
The CPRA provides consumers with new rights specifically related to sensitive personal information, along with stricter obligations for businesses handling this type of data.
Right to Limit Use and Disclosure: Consumers have the right to direct businesses to limit the use of their sensitive personal information to only those purposes necessary to perform the services or provide the goods requested by the consumer. Such purposes include performing a transaction, providing goods or services requested, ensuring security and integrity, and undertaking activities to verify or maintain the quality or safety of a service or device.
Transparency Requirements: Businesses are required to provide clear disclosures to consumers about their rights regarding sensitive personal information, including the right to limit its use.
Purpose Limitation: Businesses must limit their use of sensitive personal information to only those purposes necessary to perform the services or provide the goods agreed upon — unless they receive explicit consent from the consumer for additional uses.
Consumer rights under the CPRA
The CPRA grants consumers significant rights regarding their personal information. These rights build upon those established by the CCPA and introduce new provisions to enhance consumer privacy.
Here's an overview of consumer rights under the CPRA and CCPA:
Right to Know: Consumers have the right to know:
- What personal information is being collected about them
- The sources of the information collected
- The purpose for collecting or selling the information
- The categories of third parties with whom the information is shared
Right to Access: Consumers can request access to the specific personal information a business has collected about them.
Right to Delete: Consumers have the right to request the deletion of their personal information held by a business and, by extension, by the business's service providers.
Right to Correct: A new right under the CPRA allows consumers to correct inaccurate personal information that a business holds about them.
Right to Opt-Out of Sale or Sharing: Consumers can opt out of the sale or sharing of their personal information. The CPRA expands this right to include the sharing of personal information for cross-context behavioral advertising.
Right to Limit Use and Disclosure of Sensitive Personal Information: Consumers can direct businesses to limit the use of their sensitive personal information to only that which is necessary to perform the services or provide the goods requested by the consumer.
Right to Data Portability: Upon request, consumers have the right to receive a copy of their personal information in a portable and readily usable format that allows them to transmit the information to another entity.
Right to Non-Discrimination: Businesses cannot discriminate against consumers for exercising their CPRA rights, including by denying goods or services, charging different prices or rates, or providing a different level or quality of goods or services.
Right to Opt-Out of Automated Decision-Making: The CPRA introduces a right for consumers to opt out of automated decision-making, including profiling in certain contexts.
Right to Restrict Sensitive Personal Information: Consumers have the right to restrict the use of their sensitive personal information for purposes other than those explicitly allowed by the CPRA, such as performing the services or providing the goods requested by the consumer.
Penalties for non-compliance with California data privacy laws
The CPPA is primarily responsible for enforcing the CPRA. It has the authority to audit businesses for compliance, investigate potential violations, and issue fines and penalties for noncompliance. The creation of the CPPA is a significant development in privacy regulations, as it is the first agency in the United States dedicated solely to consumer privacy.
While the CPPA is the primary enforcement body, the California Attorney General also retains the authority to enforce the CPRA, particularly in cases where civil penalties may be sought.
Depending on the severity of the violation, non-compliance with CPRA can result in the following penalties:
- Administrative Fines: The CPPA can levy administrative fines up to $2,500 for each violation and up to $7,500 for each intentional violation or violations involving minors' personal information. These fines are assessed per violation, which can add up to substantial penalties for widespread or systemic issues.
- Civil Penalties: In addition to administrative fines, businesses may face civil penalties enforced through legal action brought by the Attorney General of California. The potential for civil penalties adds another layer of financial risk for non-compliant businesses.
- Private Right of Action: In the event of a data breach that results from a business's failure to implement and maintain reasonable security procedures and practices, consumers can seek statutory damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater. This provision allows individuals to take legal action independently of the CPPA or Attorney General's enforcement activities.
What CCPA-compliant organizations need to do to comply with the CPRA
If your organization is already compliant with the CCPA, you've established a solid foundation for data privacy practices. However, given the CPRA's broader scope and the CPPA’s enforcement powers, it's essential to proactively address new requirements. To ensure full CPRA compliance, you’ll need to take the following steps:
- Understand CPRA enhancements: Familiarize yourself with the CPRA's expanded definitions and concepts, such as sensitive personal information, sharing of personal information, and new consumer rights.
- Train employees: Provide updated data privacy training to employees who handle personal information or consumer inquiries about your organization's privacy practices, ensuring they are aware of the CPRA's requirements and how to comply with them.
- Review and update data inventory: Conduct a comprehensive review of the personal information your organization collects, processes, stores, and shares. Pay special attention to any sensitive personal information and ensure that data handling meets the new stricter requirements.
- Update privacy notices and policies: Revise your privacy policies and consumer notices to include the additional rights and protections under the CPRA, such as the right to correct inaccuracies and the right to limit the use of sensitive personal information. Ensure that your policies clearly communicate how consumers can exercise their rights.
- Assess and strengthen data security: Given the expanded private right of action for data breaches, it’s important to assess your current security measures to identify and close any gaps to protect against unauthorized access, disclosure, and use of personal information.
- Review vendor and third-party contracts: Examine agreements with service providers, contractors, and third parties to ensure they include terms that comply with CPRA requirements. This includes obligations to comply with CPRA provisions, process personal information following your organization's instructions, and assist in fulfilling consumer rights requests.
- Implement processes for new consumer rights: Develop and implement processes to accommodate consumers' rights to correct their personal information and to limit the use and disclosure of their sensitive personal information. This may involve adjusting your existing systems for handling consumer requests under the CCPA.
- Conduct regular internal compliance audits: Periodically audit your CPRA compliance efforts to identify and rectify any gaps or weaknesses and ensure ongoing compliance with the law.
- Document compliance efforts: Keep detailed records of your compliance activities, including data mapping, risk assessments, policy updates, employee training, and processing of consumer rights requests. This documentation can be crucial for demonstrating compliance in the case of regulatory inquiries or audits.
Ensure data privacy compliance with Secureframe’s GRC automation
Automation is fundamentally changing the security, privacy, and compliance landscape, making it faster and easier to build and maintain your data privacy program and ensure compliance with an evolving regulatory landscape.
With Secureframe, you can:
- Set up the right data privacy policies and procedures
- Deliver and track employee training
- Automate CPRA compliance evidence collection
- Stay current with the latest data privacy requirements
An automation platform also makes it easier to achieve and prove compliance with multiple data privacy regulations, including GDPR. Instead of starting from ground zero, compliance software can help map what you’ve already done for the CPRA and CCPA to other regulations and information security frameworks.
To learn more about Secureframe’s capabilities, schedule a demo with a product expert today.
FAQs
How is CPRA different from CCPA?
Here are some of the key ways in which the CPRA differs from the CCPA:
- Enhanced Consumer Rights: The CPRA introduces new rights for consumers, such as the right to correct inaccurate personal information, the right to limit the use and disclosure of sensitive personal information, and the right to opt out of automated decision-making.
- Stricter Obligations for Businesses: The CPRA imposes additional obligations on businesses, including requirements related to data minimization, purpose limitation, and the protection of sensitive personal information. It also updates the thresholds for businesses to be subject to the law, potentially broadening its applicability.
- Establishment of the CPPA: The CPRA creates the California Privacy Protection Agency, a new regulatory body responsible for enforcing the law, which takes over from the California Attorney General's office as the primary enforcement authority.
- Expanded Scope of Enforcement and Penalties: The CPRA expands the scope of enforcement and penalties, including the introduction of administrative fines for violations and the expansion of the private right of action to include breaches involving a consumer's email address in combination with a password or security question and answer.
- New Requirements for Service Providers, Contractors, and Third Parties: The CPRA introduces specific obligations for service providers, contractors, and third parties who process personal information on behalf of businesses, including contractual and direct statutory obligations.
Does CPRA override CCPA?
The California Privacy Rights Act (CPRA) is an amendment to the California Consumer Privacy Act (CCPA). It does not replace the CCPA but extends the law in several significant ways. The CPRA, approved by California voters in November 2020, expands consumer privacy rights, introduces new regulatory requirements, and establishes a new enforcement agency, the California Privacy Protection Agency (CPPA).
What businesses must comply with CPRA?
CPRA sets specific thresholds to determine which businesses must comply with its provisions. Compliance is required for businesses that operate in California and meet any of the following criteria:
- Have annual gross revenues above $25 million
- Buy, sell, or share the personal information of 100,000 or more consumers or households
- Derive 50% or more of their annual revenues from selling or sharing consumers' personal information
CPRA regulations also extend certain obligations to service providers, contractors, and third parties who process personal information on behalf of covered businesses, as well as for "joint ventures" and "partnerships" where two or more businesses jointly meet the threshold criteria. This ensures that consumer protections extend through the entire ecosystem of personal information processing related to the services offered to California residents.
What is the difference between CPRA and GDPR?
Here are some key differences between the CPRA and the GDPR:
- Geographical Scope:
  - CPRA: Applies specifically to businesses that collect personal information of Californians and meet certain thresholds.
  - GDPR: Applies to all organizations operating within the EU and the EEA, as well as organizations outside these regions that offer goods or services to, or monitor the behavior of, EU residents.
- Applicability and Thresholds:
  - CPRA: Targets businesses with over $25 million in annual gross revenues, those that buy, sell, or share the personal information of 100,000 or more consumers or households, or those that derive 50% or more of their annual revenues from selling or sharing consumers' personal information.
  - GDPR: Applies broadly to any entity that processes personal data of EU residents, regardless of the size of the organization or the volume of data it processes.
- Consumer Rights:
  - CPRA: Enhances rights introduced by the CCPA, such as the rights to know, delete, and opt out of the sale or sharing of personal information, and introduces new rights like the right to correct inaccurate information and limit the use of sensitive data.
  - GDPR: Establishes comprehensive rights for individuals, including the right to be informed, the right of access, the right to rectification, the right to erasure ("right to be forgotten"), the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision-making and profiling.
- Data Protection Measures:
  - CPRA: Introduces concepts like data minimization, purpose limitation, and storage limitation, requiring businesses to collect only the personal information necessary for the purposes stated at the time of collection and to retain it only for as long as necessary for these purposes.
  - GDPR: Emphasizes principles of data protection by design and by default, requiring data controllers and processors to implement appropriate technical and organizational measures to ensure and demonstrate compliance, including data minimization and integrating necessary safeguards into the processing.
- Regulatory Authority:
  - CPRA: Establishes the California Privacy Protection Agency (CPPA) as the dedicated regulatory authority for enforcing the new law.
  - GDPR: Enforced by data protection authorities (DPAs) in each EU member state, with coordination and consistency mechanisms provided by the European Data Protection Board (EDPB).
- Cross-border Data Transfers:
  - CPRA: Does not specifically focus on cross-border data transfers, but requires contracts with third parties, service providers, and contractors to include certain provisions to ensure the protection of personal information.
  - GDPR: Includes strict requirements for transferring personal data outside the EU, ensuring that such transfers only occur to countries that provide an adequate level of data protection or through mechanisms that ensure the protection of the transferred data, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
- Enforcement and Penalties:
  - CPRA: Imposes fines for violations and provides a private right of action for consumers in case of data breaches involving non-encrypted and non-redacted personal information.
  - GDPR: Imposes significant fines for non-compliance, up to €20 million or 4% of the annual global turnover of the preceding financial year, whichever is higher, and provides for individual compensation claims for damages.