CPRA - California Privacy Rights Act

California Privacy Rights Act - Mandatly Inc.

The California Privacy Rights Act (CPRA), also known as Proposition 24, is a ballot measure that was approved by California voters on Nov. 3, 2020. It amends and expands the CCPA and is also referred to as “CCPA 2.0.”

In enacting this Act, it is the purpose and intent of the people of the State of California to further protect consumers’ rights, including the constitutional right of privacy. The substantive provisions of the California Privacy Rights Act (CPRA) became effective on January 1, 2023.

How to comply with CPRA?

To comply with the California Privacy Rights Act (CPRA), you need to understand the law’s requirements and take steps to meet them. A CPRA checklist can help you track your progress and ensure that you’re on track to comply.

The following steps can help businesses understand the CPRA requirements:

Step 1

CPRA Applicability:

The CPRA applies to a business that meets any of the following conditions:

As of January 1 of the calendar year, the business:

  • Had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, or
  • Alone or in combination, annually buys, sells or shares the personal information of 100,000 or more consumers or households, or
  • Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

Step 2

CPRA Privacy Policy Requirements

The privacy policy must be updated according to the CPRA requirements. It must include a description of consumers’ privacy rights and two or more designated methods for submitting requests, and the business must update that information at least once every 12 months.

A CPRA privacy notice should clearly show what you are doing to protect your consumers’ data. The privacy notice must be served to users as soon as they arrive on the website. It discloses what information the business gathers, how it collects, uses, discloses and stores that information, and how consumers can access and update it.

CPRA Cookie Requirements

Although the CPRA does not mention cookie banners specifically, a CPRA cookie banner must still comply with its requirements for giving notice, as outlined in Section 1798.100.

Step 3

Data Mapping

One of the important requirements of the CPRA is creating an accurate data inventory and effective workflows so that individual rights requests can be managed easily. Data mapping should tell the business for what purpose data is collected and with whom it has been shared. A thorough data mapping process is therefore a must. The CPRA focuses especially on the collection of sensitive information, so businesses must keep track of what information they collect, for what purpose, and with whom they share it.

Step 4

Data Subject Access Requests (DSARs)

The CPRA requires businesses to be able to respond to individual rights requests from consumers to access, delete or correct the data the business has collected about them. Consumers have the right to opt out of having their information shared or sold and to limit the use and disclosure of sensitive information. Businesses can only handle these requests smoothly when they have an effective data mapping process.

A business shall fulfil a CPRA data subject access request or consumer request within 45 days of receiving a verifiable data subject or consumer request. This time period may be extended once by an additional 45 days when reasonably necessary, provided the consumer is given notice of the extension within the first 45-day period.

A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of 90 days where necessary, considering the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.

Step 5

Opt-Out of Sale or Sharing of Personal Information

A business that shares or sells consumers’ personal information shall provide notice to consumers that this information may be shared or sold and that consumers have the right to opt out of the sharing or selling of their information.

A business shall not sell or share the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age unless:

  • The consumer has affirmatively authorized the sale or sharing, in the case of consumers of at least 13 years of age and less than 16 years of age, or
  • The consumer’s parent or guardian has affirmatively authorized the sale or sharing of the consumer’s personal information in the case of consumers who are less than 13 years of age.

A business that wilfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.

Step 6

Training Your Staff

One of the important steps in complying with the CPRA is to train your employees so that they know how to comply and so that the company can address any compliance gaps in time. Identify team members from different departments and form a committee that can help share the work. Your compliance program is only effective if your employees understand it.

Step 7

CPRA Privacy Impact Assessment

Businesses should continually review their risks by conducting regular privacy impact assessments (PIAs) to evaluate and mitigate the privacy risks associated with personal data processing, and they should take appropriate steps to mitigate those risks. Reasonable security measures must be taken to protect consumers’ data. A business shall implement reasonable security procedures and practices, appropriate to the nature of the personal information, to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure.

Enforcement

Any business, service provider, contractor or other person that violates the provisions of the CPRA shall be liable for an administrative fine of not more than two thousand five hundred dollars ($2,500) for each violation, or seven thousand five hundred dollars ($7,500) for each intentional violation or violation involving the personal information of consumers, in an administrative enforcement action brought by the California Privacy Protection Agency.

Any consumer whose personal information was subject to unauthorized access and exfiltration, theft or disclosure may institute a civil action to recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident, or actual damages, whichever is greater.

Conclusion

The Act is fully enforceable with effect from January 1, 2023. There is one exception to the 2023 effective date, and that is the right of access: the CPRA’s right to know, or right of access, applies to personal information collected by a business on or after January 1, 2022.

While many of the CPRA obligations are adopted from the CCPA, compliance with that law is not sufficient to ensure CPRA compliance, or vice versa. As a result, organizations need to comply with multiple, partially overlapping regulatory schemes, with the possibility that additional states will adopt similar or different privacy laws in the future.
