Discover what updates CPRA will bring to CCPA’s data privacy requirements and realize their implications for your organization.
Within a year of CCPA taking effect, another privacy law was passed in California. In November 2020, Californians approved Proposition 24, creating the California Privacy Rights Act (CPRA) of 2020. Both laws profoundly impact data privacy and security in California, with CCPA setting the data privacy rules and CPRA updating and strengthening them. CPRA will come into effect on January 1, 2023, and is expected to extend CCPA. By that date, businesses operating in California must be ready to comply with the new rules and requirements.
For now, many businesses are wondering how CPRA and CCPA differ. Continue reading to discover the critical updates CPRA brings to data privacy.
The first change in the upcoming CPRA is an increase in the threshold criteria for covered businesses. According to the current CCPA, an entity qualifies as a business if it is a for-profit organization that operates in California and meets any of the following:
Re-evaluating the speed and amount of data transactions, CPRA increases the CCPA’s threshold criteria to 100,000 or more consumers, thereby relaxing statutory conditions and excluding some entities from the list of CPRA-covered businesses. A further relaxation concerns what is considered to be personal information.
Personal information under CCPA is defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. As the definition is intentionally vague to cover the ever-growing stream of data, there is nothing to add. However, the upcoming CPRA broadens the list of information that is NOT considered to be personal. Specifically, the updates relate to information that is made publicly available from federal, state, or local government records. The CPRA broadens this concept by including information from sources other than governmental records. As such, information that is not considered to be personal will also include:
By setting the first update, CPRA aims to cover the First Amendment’s freedom of speech. The second one has an important implication for businesses that will no longer need to disclose the collection of personal data from widely available media.
The relaxations above are the exception rather than the general direction of CPRA. The following updates strengthen the data privacy requirements for businesses and grant consumers a broader spectrum of rights.
CPRA introduces a new category of protected data: sensitive personal information (SPI). Those familiar with personal data privacy will have noticed the similarity with Article 9 of GDPR, “Processing of special categories of personal data,” which demands a greater level of personal data protection due to its sensitivity. Follow this link to check what is considered sensitive personal information under the CPRA.
SPI requires businesses to implement additional technical and operational controls for processing. More specifically, organizations will face stricter opt-out requirements regarding SPI use and disclosure and will be obligated to obtain opt-in consent after a consumer has previously opted out.
CPRA makes important changes to classifying outside parties that businesses cooperate with. Specifically, it makes some updates regarding service providers and adds a new stakeholder category – contractors.
Thus, under CPRA, a “service provider” is no longer a legal entity, but a person that processes personal information on behalf of a business and receives from or on behalf of the business a consumer’s personal information for a business purpose. As opposed to a service provider who “processes information,” a “contractor” means a person to whom the business makes available a consumer’s personal information for a business purpose.
For both the service provider and the contractor, CPRA imposes similar prohibitions, which must be clearly written in a contract with the business. Thus, the service providers and contractors must be prohibited from:
The changes to stakeholder classification have significant implications for businesses. First, like service providers, contractors will not be affected by opt-out requests. Second, a business’s contracts with contractors must meet requirements similar to those for service providers.
The CCPA grants consumers the right to know what personal information businesses are collecting and how that information is being used. To exercise this right, Californians can make a request to know what data has been collected in the prior 12-month period. The CPRA extends this timeline, enabling consumers to request personal information collected beyond the 12 months. Additionally, under the CPRA, consumers can request businesses to transfer specific personal information to another entity “to the extent technically feasible, in a structured, commonly used, machine-readable format.”
The right to know will also be expanded to the right to access personal information. It does not grant any new rights but refers to a consumer’s right to know what specific pieces of personal information a business has collected. In this context, consumers can request “meaningful information about the logic involved in decision-making processes, including profiling, as well as a description of the likely outcome of the process with respect to the consumer.” Consumers will also be granted opt-out rights for the use of automated decision-making. Clarifications and additional information about the right to access are still pending.
CCPA grants consumers the right to non-sale of their personal information and requires businesses to respond to consumers’ opt-out requests. According to this requirement, businesses that sell consumers’ personal information must include a “Do Not Sell My Personal Information” link on their homepage to inform consumers how to submit the request. However, Californians often had their requests denied due to ambiguity about what counts as “selling” personal information.
“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
This definition was controversial because businesses often disclose customers’ personal information in exchange for services, including interest-based advertising. For instance, businesses commonly use browser or social media ads to retarget consumers in exchange for sending their customers’ personal information to those platforms. In making such an exchange, some businesses have taken the position that the disclosure of consumer data for purposes of interest-based advertising or retargeting does not qualify as a sale under the original CCPA. To avoid this confusion, CPRA included a category of “sharing” personal information.
Sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
By adding the category of sharing, CPRA expands the consumers’ right to opt out. For most CCPA-compliant businesses, the new category of data transaction should involve changing the “Do Not Sell My Personal Information” link to “Do Not Sell or Share My Personal Information.”
Under CCPA, consumers are granted the right to delete personal information that businesses hold about them. To ensure this right can be exercised, businesses are required to designate at least two ways of making deletion requests and to notify service providers about the deletion. CPRA strengthens this requirement by obligating businesses to notify not only service providers but all third parties to whom they have sold or shared a consumer’s personal information.
In addition to the existing privacy rights, the CPRA also introduces new rights for Californian consumers.
The CPRA also grants consumers the right to limit the use and disclosure of their SPI “to the extent which is necessary to perform the services or provide the goods.” Such a new right has an important implication for businesses that will need to add the link “Limit the use of my Sensitive Personal Information” on their homepage.
This addition brings the California law closer to the data privacy protections contained in GDPR. It involves such important concepts as data minimization, storage limitation, and purpose limitation for collection, use, storing, and sharing consumers’ data. As such, businesses operating in California must limit the use of consumers’ personal information unless they want to be penalized.
Like CCPA, CPRA grants consumers the right to take legal action if their nonencrypted or nonredacted personal data is exposed due to a business’s failure to implement reasonable security procedures and practices. CPRA fines for violations involving all types of personal information will remain unchanged at $2,500 for each unintentional and $7,500 for each intentional violation. However, businesses will no longer have a 30-day cure period before being fined for a violation under CPRA. The new statute also makes a significant exception for violations involving the personal information of minors and declares a $7,500 fine for all kinds of such violations. Finally, it adds consumer login credentials to the list of personal data that may be actionable under the law.
One more important difference is related to the enforcement authority. The enforcement of CCPA was originally assigned to the California Office of the Attorney General (OAG). The CPRA shifts this authority to the California Privacy Protection Agency (CPPA), a newly established agency that will be granted investigative, rulemaking, and enforcement power. The creation of the new enforcement entity will probably increase the number of investigations and enforcement actions taken by the CPPA.
A notable difference between CCPA and CPRA is that the latter sets cybersecurity audit and risk assessment requirements. Specifically, CPRA will contain a regulation requiring businesses to perform a thorough and independent cybersecurity audit annually. The size and complexity of a business and the scope of data processing activities will be the main factors in determining the level of risk to personal data security.
CPRA will also require businesses to perform a risk assessment concerning the scope of personal information processed. The risk assessment will determine whether the processing of personal data involves SPI and identify the benefits resulting from the data processing to the business, the consumer, and outside parties, weighed against the potential risks to the consumer’s rights associated with such processing.
Although CPRA will take effect from January 1, 2023, businesses operating in California should start preparing well in advance. To prepare for the CPRA, organizations should do the following:
Those who have already made efforts to comply with CCPA should not have difficulties with CPRA compliance since all necessary measures are in place. These measures, however, should be revised and updated according to CPRA demands.
If you have any questions regarding the upcoming CPRA compliance and data privacy security, consult our Planet9 team. We’ll be happy to assist.