A Simple Guide to California Privacy Rights Act (CPRA)
About the California Privacy Rights Act (CPRA)
The California Privacy Rights Act (CPRA) is a comprehensive privacy law approved by California voters in November 2020 (Proposition 24) that took full effect on January 1, 2023. It was enacted in response to growing concern about how businesses collect, use, and share personal information, and about the lack of comprehensive privacy protections for individuals. This data privacy law builds on and expands the California Consumer Privacy Act (CCPA), which was passed in 2018 and went into effect in 2020.
The California Privacy Rights Act was approved by a majority of Californians voting in the California General Election held in November 2020. The CPRA amends several provisions of the California Consumer Privacy Act (CCPA): a revised application threshold, expanded consumer rights, the establishment of the California Privacy Protection Agency (CPPA), the inclusion of employee data, and a new definition for sensitive personal information, among other things.
The California Privacy Rights Act gives California residents more control over their personal information and provides additional protections for their privacy. It is one of the most comprehensive privacy laws in the United States and has been widely praised by privacy advocates. It is expected to influence privacy regimes elsewhere in the United States and worldwide.
Who does CPRA apply to?
Compared with the CCPA, the CPRA revises the application threshold. It applies to for-profit businesses that collect or process the personal information of California residents and meet at least one of the following thresholds:
- Annual gross revenues over twenty-five million dollars ($25,000,000) in the preceding calendar year; or
- Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or
- Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.
When does CPRA go into effect?
The CPRA was approved on November 3, 2020, and became fully operative on January 1, 2023. It contains a lookback period: consumer rights such as the right to know apply to personal information collected by covered businesses on or after January 1, 2022.
What's new in the California Privacy Rights Act (CPRA)?
Here are some of the significant changes introduced by the California Privacy Rights Act (CPRA) as compared to the CCPA:
- Expansion of consumer rights under California privacy law
The CPRA expands upon the rights of consumers under the CCPA. For residents of California, it adds the following rights, which give consumers more control over their personal information:
- Right to correct inaccurate information.
- Right to opt-out of automated decision-making.
- Right to know about automated decision-making.
- Right to limit the use of sensitive personal information.
The CPRA brings new rights for employees with regard to how businesses collect, use, store, and process their information. It offers six privacy rights to employees with respect to their personal data. The CCPA's employee exemption prevented employees from exercising the same rights as consumers; that exemption expired on January 1, 2023.
Extending these rights to employees gives them greater transparency and greater agency over the management and protection of their data.
The following rights are given to employees under the CPRA:
- Right to access the data.
- Right to correction of the data.
- Right to deletion of data.
- Right to opt-out of the sale of data.
- Right to limit the use of sensitive information.
- Right not to be discriminated against for exercising any of the employee’s rights under the CPRA.
- A new category of sensitive personal information
The CPRA introduces a new category of sensitive personal information, similar to the special categories of data found in other privacy and data protection laws, which is subject to additional protections. Consumers have the right to limit a business's use and disclosure of this data to what is necessary to provide the requested goods or services, and a business that uses it beyond that must offer a clear "Limit the Use of My Sensitive Personal Information" option.
- Sensitive personal information under the CPRA includes:
- Driver’s license number
- Social Security Numbers (SSN)
- State ID numbers
- Union membership
- Passport numbers
- Genetic or biometric data
- Racial or ethnic origins
- Precise geolocation
- Religious or philosophical beliefs
- Sexual orientation, sex life, or health
- Contents of a consumer’s mail, email, and text messages, unless the business is the intended recipient of the communication
- More stringent requirements for businesses
The CPRA imposes more stringent requirements on businesses regarding their data protection practices. It requires businesses to implement and maintain reasonable security procedures and practices to protect personal information, and it imposes additional obligations on businesses that process sensitive personal information.
- Newly created California Privacy Protection Agency (CPPA)
The CPRA establishes a new state agency, the California Privacy Protection Agency (CPPA), to enforce the provisions of the law. The CPPA has the authority to investigate alleged violations of the CPRA and to impose administrative fines on businesses found to be in violation.
- Increased penalties for violations
The CPRA revises the penalty structure. Administrative fines are up to $2,500 per violation, and up to $7,500 per intentional violation or per violation involving the personal information of consumers the business knows are under 16 years of age. The CPRA also removes the 30-day cure period that the CCPA guaranteed businesses before enforcement.
How to Comply with the California Privacy Rights Act (CPRA)?
Complying with the CPRA can be challenging for businesses, as it imposes many new obligations on their data protection practices. However, there are several steps that businesses can take to work toward compliance with the law:
- Review and update privacy notice:
Businesses should review and update their privacy notices to ensure they meet the disclosure requirements of the CPRA. This may involve providing greater transparency about the categories of personal information being collected, the sources from which it is collected, the purposes for which it is collected, how long it is retained, and the categories of third parties with whom it is shared.
- Conduct a data inventory and mapping exercise:
Conduct an audit to determine what personal information the business collects, where it is stored, and how it is used and shared. This helps the business understand the scope of its data collection and processing activities and identify any areas that need to be changed to comply with the CPRA.
- Honor limits on sensitive personal information:
The CPRA gives consumers the right to limit the use and disclosure of their sensitive personal information to what is necessary to provide the requested goods or services. Businesses that use sensitive personal information beyond those purposes must provide a clear and conspicuous "Limit the Use of My Sensitive Personal Information" option and honor such requests. Where a business knows a consumer is under 16, it must obtain opt-in consent before selling or sharing that consumer's personal information.
- Offer opt-out options:
The CPRA grants consumers the right to opt out of the sale or sharing of their personal information. Businesses should provide clear and conspicuous notice of this right, for example through a "Do Not Sell or Share My Personal Information" link, and make it easy for consumers to exercise it.
- Respond to consumer requests:
The CPRA gives consumers the right to know what personal information is collected about them (and to receive it in a portable format), to correct it, to delete it, and to limit the use of their sensitive personal information. Businesses must have a process in place to receive, verify, and respond to these requests within the statutory deadlines (generally 45 days, extendable once by a further 45 days with notice to the consumer).
By taking these steps, businesses can work toward compliance with California privacy law and prepare for other upcoming privacy regulations.
How Mandatly helps
- Data Inventory and Mapping: Gain visibility into the personal data you have collected, retained, and processed by centralizing all your systems and processing activities, and keep the data inventory up to date to cover the CPRA's lookback period and to fulfil data subject access requests.
- PIA/DPIA: Perform risk assessments with the Mandatly compliance software solution, which offers pre-defined templates, relevant workflows, and automatic assessment of risks and impacts to support risk-informed decision making, with a record of every action performed during the assessment process.
- DSAR Management: Our DSAR solution automates your data subject request process, improving efficiency and saving time and resources.
- Privacy by Design (PbD): We provide privacy control monitoring to help ensure that your products, applications, databases, and networked IT systems are designed in line with Privacy by Design and by Default principles.
- Accountability and Governance: We provide pre-defined roles and responsibilities so that privacy procedures are handled with accuracy and accountability.
- Reporting: A reporting feature built into the system gives different stakeholders a holistic view of the compliance program.