CCPA vs CPRA: What is new in DSAR?
What is CPRA?
The California Privacy Rights Act (CPRA), also known as Proposition 24, is a ballot measure that was approved by California voters on Nov. 3, 2020. It amends and expands the CCPA and is also referred to as “CCPA 2.0.”
In enacting this Act, the stated purpose and intent of the people of the State of California is to further protect consumers’ rights, including the constitutional right of privacy.
The Act took effect on December 16, 2020, but an exemption applies until January 1, 2023. Enforcement will begin on July 1, 2023.
CPRA works as an addendum to the CCPA and strengthens the rights of California residents.
A quick overview of the CPRA:
- According to the CPRA, the California Privacy Protection Agency (CPPA) will be the lead enforcer and supervisor of the CPRA/CCPA data privacy regime.
- CPRA changes the definition of business.
- CPRA brings new rights and modifies some existing rights for California residents.
- CPRA includes provisions for sensitive personal information.
- CPRA covers more scenarios in which consent is required.
- CPRA makes the business responsible for how third parties share, use, or sell personal information it has passed on.
- CPRA changes the regulatory focus of opt-out by giving California residents the right to opt out, in particular from behavioural advertising.
- CPRA adds a requirement that a business may collect, use, or share personal information only when it is necessary for a specific, stated purpose; data may not be collected for purposes beyond the stated one.
Moreover, CCPA DSARs empower Californians to see what data companies, like their employers, hold about them.
California Consumer Privacy Act [CCPA]
Applicability:
Businesses are obligated to take steps to comply with the CCPA and provide consumers’ rights if they collect personal information from California residents, do business in the state, and any of the following apply:
The business:
(A) Has annual gross revenues above twenty-five million dollars ($25,000,000);
or
(B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices;
or
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
What is DSAR?
Know your rights: CCPA data subject access requests allow Californians to see the information companies hold about them.
A data subject access request (DSAR) is a request for information from the data subject whose personal data you hold. If your organization collects personal data, anyone whose data you have can request access to their information.
This includes employees, contractors, suppliers, partners, and so on. A DSAR is a request an individual makes to know what data you have collected about them.
Did you know California employees can now submit a CCPA data subject access request (DSAR) to their employer, allowing them to see what personal information is being collected, used, and potentially shared about them within the workplace?
Californian residents have the following rights under CCPA:
- Right to know about the personal information collected of the consumer and its use.
- Right to opt out of sale of data.
- Right to opt-in for a child under 16.
- Right to deletion of data.
- Right to portability of data.
- Right not to be discriminated against for exercising any of the consumer’s rights under CCPA.
Under the CCPA, employee data is not expressly protected the way consumer data is; employee data is exempt from the consumer rights. Due to the CPRA, that exemption will expire on January 1, 2023.
California Privacy Rights Act [CPRA]
In addition to the original legislation, the new initiative expands individual rights.
While maintaining the original intent of the CCPA, the new legislation expands, modifies, and updates the existing rules to protect consumer privacy.
The CPRA regulation mandates that businesses meeting specific criteria must be equipped to handle data subject access requests efficiently and in compliance with the law.
CPRA Applicability:
The new regulation revises the scope of business:
CPRA applies to businesses that meet any of the following conditions:
As of January 1 of the calendar year, the business had:
- Annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, or
- Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households, or
- Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.
For California residents, the CPRA creates four new rights and modifies five existing ones. The following rights have been added:
- Right to correct inaccurate information.
- Right to opt-out of automated decision making.
- Right to know about automated decision making.
- Right to limit the use of sensitive personal information.
DSAR in CPRA:
CPRA brings new rights for employees with regard to how businesses collect, use, store, and process their information. CPRA will now offer six new privacy rights to employees with respect to their data. The CCPA employee exemption prevented employees from exercising the same rights as consumers, but that exemption will expire on January 1, 2023.
The expansion of rights to employees will give them greater transparency and greater agency over the management and protection of their data.
Under the CPRA regulation, businesses meeting the specified thresholds must be prepared to address CPRA data subject access requests in compliance with the law.
The following rights have been given to employees under CPRA:
- Right to access the data.
- Right to correction of the data.
- Right to deletion of data.
- Right to opt out of sale of data.
- Right to limit the use of sensitive information.
- Right not to be discriminated against for exercising any of the employee’s rights under CPRA.
The key difference between the CCPA and the CPRA lies in their scope. While the CCPA applies to organizations collecting the personal information of 50,000 or more consumers, the CPRA raises that threshold to 100,000 or more consumers.
Conclusion
Understanding and adhering to CCPA DSAR requirements is crucial for businesses operating in California.
Organizations will need to prepare carefully to comply with the CPRA’s employee rights provisions. Existing systems will not suffice to respond to data subject rights requests.
Mandatly’s Data Subject Rights Module helps you fulfil employee rights requests with an end-to-end DSAR fulfilment solution, including automated identity verification and data discovery, so that data subject requests are fulfilled in a timely, secure, and efficient manner.
How Mandatly helps
Mandatly’s DSAR solution provides you with seamless and efficient data subject access request management from submission to fulfilment.
DSAR Portal: Centralizes Data Subject/Consumer rights request management.
Identity verification: Allows you to verify the identity of the requestors in multiple ways.
Auto data discovery: Identifies the system and discovers the data automatically to fulfil subject or consumer requests.
Response: Pre-defined response templates with secure delivery of information to the requestor.
Reporting: Demonstrates compliance by reporting/logging every action performed in the DSAR process.
FAQs
The California Privacy Rights Act (CPRA) brings notable changes to Data Subject Access Requests (DSARs) compared to the California Consumer Privacy Act (CCPA). Key modifications include:
- Correction of Inaccurate Information: CPRA introduces the right for consumers to correct inaccuracies in their personal information.
- Control over Sensitive Personal Data: CPRA empowers consumers to limit the use and disclosure of their sensitive personal data.
- Opt-out for Data Sharing: CPRA specifies that individuals must have the option to opt out not just of data sales but also of sharing with third parties for advertising.
- Enhanced Data Access: CPRA expands consumers’ access to their personal data.
- Adjusted Applicability Threshold: CPRA changes the threshold for businesses, applying to for-profit entities dealing with the personal information of 100,000 or more California residents or households.
- Elimination of 30-day Cure Period: CPRA removes the 30-day cure period for businesses before facing fines for violations.
A DSR, or Data Subject Request, is a right of California residents under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). These laws grant control over personal data. With a DSR, you can access, correct, and delete your data, opt out of data sales, and limit how businesses use sensitive information.
CCPA grants rights like knowing and controlling personal information, while CPRA, effective from January 1, 2023, expands metrics reporting and opt-out options for data sharing.
CPRA introduces the concept of “sensitive personal information,” which includes additional data types beyond what was covered under the California Consumer Privacy Act (CCPA).
Under CPRA, sensitive personal information encompasses:
- Social security, driver’s license, and identification card numbers.
- Account login and financial account information.
- Precise geolocation data.
- Racial or ethnic origin, religious or philosophical beliefs, or union membership.
- Contents of personal communications, such as email, text, and private messages.
Yes, the California Privacy Rights Act (CPRA) imposes additional disclosure requirements. Some key disclosure requirements under CPRA include:
- Expanded Information in Privacy Policies: Organizations must include more details in privacy policies, specifying the retention period for each category of personal information.
- Automated Decision-Making Disclosure: If organizations use automated decision-making processes, they need to disclose this and provide insight into the logic involved.
- Sensitive Personal Information Use: When handling sensitive personal information, organizations must inform consumers of the purposes for which this data will be used.
- Retention Period Disclosure: Organizations are required to disclose how long they intend to retain each category of personal information, or the criteria used to determine the retention period.
Organizations can prepare for the changes in Data Subject Access Requests (DSARs) under the California Privacy Rights Act (CPRA) by following these steps:
- Gain a clear understanding of the personal information your organization collects.
- Determine where the collected data is stored.
- Ensure comprehensive disclosure of all data collection activities in your privacy policy.
- Establish a plan for responding to Data Subject Access Requests (DSARs) in accordance with CPRA rules, adhering to the 45-day timeframe.
- Examine data retention practices and modify your retention policy and schedule to conform to the requirements outlined in CPRA.
- Update necessary disclosures and agreements in line with CPRA regulations.
- Evaluate relationships with contractors within the CPRA framework, update contracts to meet CPRA requirements, and establish processes for monitoring compliance.