What is the CPRA?
The California Privacy Rights Act (CPRA) is a California law that aims to protect the privacy rights of residents. It amends the earlier California Consumer Privacy Act (CCPA). In effect since January 1, 2023, and enforced by the California Privacy Protection Agency, it was created to protect consumers against data misuse following public scandals in which personal data was used in clear violation of consumers' privacy. The CPRA was designed to impose stricter requirements on businesses to safeguard personal information, promptly report data breaches, and ensure compliance.
Purpose and scope of the CPRA regulations
The CPRA's primary objectives include:
- Protecting consumer privacy: The CPRA aims to safeguard individual privacy rights by establishing clear rules on how personal data should be handled.
- Regulating business practices: It imposes guidelines on businesses to ensure ethical data management and compliance with privacy laws.
- Enhancing transparency: The CPRA mandates that companies be more transparent about their data collection, usage, and sharing practices.
- Addressing the sale of personal information: The law gives consumers greater control over their personal information, particularly regarding its sale to third parties.
The CPRA vs. the CCPA
The CCPA established a comprehensive data privacy regime in California, giving California residents control over the personal data that businesses collect about them. The CPRA builds on this foundation and gives residents more rights and control over their own data. The CPRA does not function as a separate law but as an enhancement to the existing CCPA.
The CPRA enhances the CCPA by introducing additional regulations and implementing new safeguards. It expands consumer rights to include the right to correct inaccurate personal information and limit the use of sensitive personal information. Something interesting to note is that the CPRA was inspired by the stringent clauses regarding privacy in the General Data Protection Regulation (GDPR).

Caption: The CPRA is modeled after the European Union's (EU) GDPR, which sets stringent requirements for data privacy.
Let’s now break down the CPRA granularly to understand exactly how it changes, expands, and renews the CCPA-established data privacy regime.
1. Broadening the scope of personally identifiable information
The CPRA refines the definition of personally identifiable information (PII), ensuring that a broader range of data is protected. "Personal information" refers to data that can identify or relate to an individual or household.
a. The CPRA broadens the general definition of personal information to encompass a wider range of data types, including internet activity information, geolocation data, and professional or employment-related information.
b. The CPRA also introduces a new category called sensitive personal information (SPI), which includes data such as Social Security numbers, geolocation, and racial or ethnic origin. SPI is a subset of PII that reveals more specific details about an individual's attributes, often leading to significant harm if exposed.
Under the CPRA, PII includes:
- Identifiers: In the context of the CCPA and the CPRA, identifiers are pieces of information that can be used to directly or indirectly identify a specific individual. Examples: Real names, addresses, Social Security numbers, or email addresses
- Protected characteristics: Traits covered under California or federal law. Examples: Race, religion, color, national origin, sex, sexual orientation, disabilities, or genetic information
- Commercial data: Information on purchases and consumption habits. Examples: Purchase history, product preferences, or browsing history
- Biometric data: Information on unique biological traits. Examples: Facial recognition, fingerprints, or iris scans
- Internet activity: Information on the consumer's online activity. Examples: Browsing history or interactions with websites
- Geolocation data: Consumer's location tracking information. Examples: Cell tower triangulation, IP addresses, or GPS coordinates
- Multimedia information: Any information that is conveyed through audio, video, or similar formats. Examples: Audio, video, or photographic material
- Employment information: Any information that is collected or generated about a consumer's employment status. Examples: Job title, salary, or disciplinary records
- Education information: Any non-public educational records. Examples: Academic transcripts or student loan information
- Inferences: Profiles created from the above data reflecting personal traits and behaviors. Examples: Custom product recommendations, predictions of consumer purchases, or targeted consumer interests
Note: Examples provided are not an exhaustive list.
The new category SPI is a subset of PII that requires extra protection due to its sensitive nature. Consumers have the right to limit the use and disclosure of their SPI.
The CPRA considers the following to be SPI:
- Driver’s license numbers
- Social Security numbers
- Passport numbers
- Credit and debit card numbers
- Login information for financial accounts
- Data on a consumer’s religion, ethnicity, or race
- Geolocation data
- Biometric and genetic data
- Data about a consumer's sexual orientation or health
- A consumer's mail, email, or texts
The CPRA imposes stricter regulations on SPI as compared to the other PII of a consumer.
- Disclosures: Businesses are expected to provide more detailed disclosures on how a consumer's SPI is being used.
- Consumer rights: Consumers have additional rights regarding SPI, such as limiting its use.
- Security measures: Stronger security measures are mandated for SPI.
- Data minimization: There are stricter limitations on the collection, use, and retention of SPI.
The sensitive nature of SPI and the mandates for its greater protection mean that the penalties and legal implications of SPI breaches are far more severe than those of PII.
2. Changing the scope of the CCPA
The CPRA modifies the scope of the CCPA by adjusting the minimum thresholds required for businesses to comply. This includes changes to the data processing threshold. The revenue threshold, on the other hand, is held constant.
Data processing threshold:
- CCPA: The law applied to businesses that processed the personal information of at least 50,000 California residents annually.
- CPRA: This threshold has been doubled to 100,000 consumers. This means that fewer businesses will fall under the CPRA's jurisdiction.
Although the increased threshold seems counterintuitive to the goal of improving data privacy in California, it is likely that the change was made for two reasons.
- Reduce compliance burden on smaller businesses: By raising the threshold, fewer businesses would be subject to the CPRA's stringent data privacy regulations. This aims to reduce the compliance burden on smaller businesses, which may lack the resources to implement comprehensive data privacy programs.
- Focus on larger data processors: The increased threshold allows regulatory agencies to focus their efforts on larger businesses that process significant amounts of personal information. This enables more effective oversight and enforcement of data privacy laws.
Revenue threshold:
- CCPA: Businesses with annual gross revenues exceeding $25 million were subject to the law.
- CPRA: This revenue threshold remains unchanged.
3. Changing the CCPA rights for California residents and adding new rights
The CPRA enhances existing consumer rights and introduces new ones, such as the right to correct inaccurate personal information and the right to limit the use of SPI.
Enhanced existing rights
- Right to know: The CPRA strengthens the consumer's right to know about the personal information collected, used, shared, and sold by businesses. Under the CCPA, businesses were required to disclose categories of personal information collected, sources of information, and purposes of collection. Under the CPRA, businesses must provide more detailed information about the specific categories of personal information they collect, disclose the sources from which they collect it, and explain the specific purposes for which they collect it. For example, imagine you're a customer of an online retailer. Under the CCPA, the retailer might have told you it collects "personal information" about you. Under the CPRA, the retailer would need to be more specific. It might say something like:
  Personal information collected: Name, address, email address, phone number, credit card number, purchase history, browsing history.
  Sources of information: Information provided by you directly, information collected through website cookies, and information from third-party marketing partners.
  Purpose of collection: To process orders, personalize marketing, and improve the customer experience.
- Right to delete: Consumers can now request the deletion of their personal information not only from the business but also from third parties with whom the business has shared the information. For example, a consumer using an online fitness app decides they no longer want their data on the business's servers and wants to ensure their personal information is completely erased. They go to the app's privacy settings or contact customer support to request the deletion of their account and all associated data. The fitness app is required to comply with their request and delete their personal information from its databases. The app must also inform any third-party service providers or contractors who have access to the data to delete it from their records.
New rights
- Right to correct: Consumers have the right to request that businesses correct inaccurate personal information about them. This is a new right not explicitly included in the CCPA. If a consumer discovers that their personal information is inaccurate or incomplete, they can submit a request to the business to correct the information. The CCPA also didn't provide detailed guidelines on how businesses should handle correction requests. The CPRA states that businesses need to verify the consumer's identity before processing the request. Under the CPRA, the right to correction applies to a wide range of personal information, including names, addresses, email addresses, and financial information.
- Right to limit the use of SPI: The CPRA gives consumers the new right to limit the use of SPI. Consumers can opt out of the sale or sharing of their SPI. Consumers can request businesses to limit the use of their SPI for purposes other than those for which it was collected. They also have the right to limit the sharing of their SPI with third parties. This means that consumers can opt out of the sale of their personal information to third parties for a profit. This right was not explicitly included in the CCPA but it was implied through the CCPA's provisions regarding the sale of personal information. The CCPA allowed consumers to submit "do not sell my personal information" requests to businesses, which effectively limited the sale of their data. However, the CPRA codified this right and made it more explicit.
4. Changing the regulatory area of focus towards behavioral advertisement
The CPRA places more emphasis on regulating behavioral advertising, requiring businesses to provide clear opt-out options for consumers when it comes to the sale or sharing of their personal information. Cross-context behavioral advertising involves targeting ads to consumers based on personal information collected from their activities across different businesses, websites, applications, or services. With the enforcement of the CPRA:
- Service providers cannot engage in cross-context behavioral advertising without potentially violating the CPRA. For example: A popular recipe website collects data about its users’ recipe searches and ingredient preferences. The site shares this data with an advertising network. The network uses this information to display targeted ads for cooking gadgets and meal kits on various other websites the users visit, like news or social media platforms. This practice, known as cross-context behavioral advertising, is potentially a violation under the CPRA unless the recipe site and the advertising network have explicit authorization and have notified users accordingly.
- Ad tech companies that have been involved in cross-context behavioral advertising since January 1, 2022, are at risk of facing fines if they are found to be in violation of the CPRA.
How do companies avoid the penalties associated with cross-context behavioral advertising?
- Review and update contracts: Ensure that contracts with businesses clearly state the purposes for which personal information is sold or shared and that the service provider complies with CPRA requirements. Contracts should also include provisions for remediation in case of unauthorized use.
- Implement data minimization: Collect and process only the data necessary for the specified business purposes. Avoid unnecessary data collection and retention.
- Obtain explicit consent: When engaging in cross-context behavioral advertising, obtain explicit consent from consumers. Inform them about how their data will be used and provide them with the option to opt out.
5. Establishing a new government enforcement agency
The CPRA establishes the California Privacy Protection Agency (CPPA), a dedicated agency responsible for enforcing and implementing the CPRA. This agency has the authority to issue fines and ensure compliance.
Responsibilities of the CPPA:
- Enforcement: The CPPA has the authority to investigate complaints, conduct audits, and take legal action against businesses that violate the CPRA.
- Rule-making: The agency can issue regulations to clarify and interpret the CPRA, providing guidance to businesses and consumers.
- Public education: The CPPA is responsible for educating the public about their privacy rights and the requirements of the CPRA.
- Fines: The CPPA has the power to impose significant fines on businesses that fail to comply with the law. These fines can be substantial, acting as a deterrent to non-compliance.
By having a dedicated agency focused on enforcing the CPRA, California aims to ensure that businesses are held accountable for their data practices and that consumers have their rights protected.
6. Adding GDPR-like features to the CCPA
The CPRA aligns more closely with the EU’s GDPR by introducing stricter consent requirements, data minimization principles, and enhanced consumer rights.
- Explicit consent: Both the CPRA and the GDPR require explicit, informed consent from individuals before their personal data is collected and processed. This means that businesses must obtain clear, affirmative consent, and they cannot rely on prechecked boxes or implied consent.
- Purpose limitation: Both regulations emphasize that data should only be collected and processed for specific, legitimate purposes and should not be used for other purposes without additional consent.
Data minimization principles
- Necessity: Both the CPRA and GDPR require businesses to collect only the personal data that is necessary for the stated purpose and avoid collecting excessive data.
- Retention limits: Both regulations impose limits on how long businesses can retain personal data. Data should be deleted or anonymized when it is no longer needed.
Enhanced consumer rights
- Right to access and rectification: Both the CPRA and GDPR grant individuals the right to access their personal data and to request corrections or updates.
- Right to erasure: Individuals have the right to request the deletion of their personal data under certain circumstances, such as when the data is no longer necessary for the original purpose.
Who does the CPRA apply to?
The CPRA applies to businesses that meet specific criteria.
- Data collection: Collects the personal information of at least 100,000 California residents (the threshold was raised from 50,000 to exclude small businesses).
- Revenue: Annual global revenue exceeds $25 million (revenue can be from any source, not just California residents).
- Data sales: Earns more than half of its global annual gross revenue from selling consumer personal data (revenue can be from any source).
Only one of the criteria needs to be met for a business to be subject to the CPRA. So, if a business hits any one of those thresholds—whether it's collecting personal information from 100,000 California residents, having over $25 million in annual revenue, or deriving more than 50% of its revenue from selling personal data—it must comply with the CPRA regulations.
The CPRA imposes significant obligations on businesses, service providers, and third parties, and it also introduces a new category—contractors—that wasn't present in the CCPA. The obligations for each of these categories are as follows:
Businesses must provide notice of consumer rights, honor those rights, fulfill disclosure and retention obligations, facilitate consumer requests, and implement security safeguards. The CPRA expands the definition of a business to include entities that meet certain revenue or data volume thresholds.
Service providers are entities that process personal information on behalf of businesses. They must use personal information only as specified in a contract, comply with that contract, implement security safeguards, and avoid combining personal information from different businesses. The CPRA requires service providers to notify businesses about their use of subcontractors, who must be contractually bound to the same terms.
Third parties are entities that receive personal information from businesses but don't qualify as service providers or contractors. They must use personal information consistently with promises made at receipt, provide notice of new or changed practices, and offer consumers the opportunity to opt out of additional sales of personal information.
Contractors, a new category introduced by the CPRA, are similar to service providers but are bound by a written contract that includes a certification of understanding and compliance with the contract's terms. They have the same obligations as service providers, including using personal information only as specified in the contract, complying with the contract, implementing security safeguards, and avoiding combining personal information from different businesses.
What rights do consumers have?
Here's a breakdown of the key consumer rights protected by the act:
- Transparency and awareness: Consumers have the right to know who is collecting their personal information, how it's being used, and with whom it's being shared. This knowledge empowers them to make informed decisions about their data.
- Control and choice: Consumers can limit how their personal information is used, especially sensitive data that could pose a higher risk. They also have options regarding how their data is collected, used, and disclosed.
- Access and correction: Consumers can access their personal information, correct any inaccuracies, and delete it. They can also transfer their data from one business to another. Imagine a consumer has been using a fitness app to track their workouts and nutrition. They decide to switch to a new fitness app that offers better features. Under the CPRA, the consumer can request their personal data, including workout logs and dietary information, from the original app. The original app must provide this data in a structured, commonly used format, enabling them to easily import it into the new app without starting from scratch.
- Easy access: Consumers can exercise their rights through user-friendly self-service tools.
- No penalties: Consumers won't face any negative consequences for exercising their rights.
- Data security: Businesses must take reasonable steps to protect consumers' SPI from cyberattackers and security breaches.
- Benefits of data use: Consumers should benefit from businesses' use of their personal information.
- Employee privacy: The CPRA also protects the privacy of employees and independent contractors, while acknowledging the differences in their relationships with businesses compared to consumer-business relationships. The law doesn't interfere with labor rights like organizing and collective bargaining.