CPRA: What You Need to Know
On November 3, 2020, Californians voted the California Privacy Rights and Enforcement Act (also known as CPRA, CCPA 2.0, or Prop24) into law. The CPRA makes a variety of amendments to the requirements in the California Consumer Privacy Act (CCPA).
Although provisions in the CPRA will not go into effect until January 1, 2023, many organizations will need to understand and prepare for these requirements ahead of time to stay ahead of the curve.
Here are some of the main changes between CCPA and CPRA.
Sensitive Personal Information
The CPRA defines a new category of personal information called Sensitive Personal Information, which includes items such as driver’s license, social security and passport numbers, consumer account logins, precise geolocation, the contents of email, genetic information, sexual orientation, and more.
Under the CPRA, consumers will have the right to direct a business to limit the use of sensitive personal information to what is needed to perform services or provide goods. To fulfill this right, businesses will need to create a “Limit the Use of My Sensitive Personal Information” link, much like the “Do Not Sell My Personal Information” link already required under the CCPA.
“Do Not Sell” Expands to “Do Not Share”
The law will give consumers the right to opt out of the “sharing” of their data, making it harder for advertisers to target consumers based on data shared about them. The new act will allow consumers under 16 years old to opt in to the sale and sharing of data, with consumers under 13 requiring parental consent to opt in.
CPRA also specifically calls out cross-context behavioral advertising. Consumers will be able to opt out of receiving ads targeted on the basis of third-party data and online behaviors. Publishers will be required to display a “Do Not Sell or Share My Personal Information” link on their homepage to allow consumers to opt out of receiving targeted ads based on third-party data and online behaviors.
Previously, the CCPA allowed “service providers” to process personal information collected by another company without the transfer of that data being considered a sale under the law. The CPRA now explicitly calls out “cross-context behavioral advertising”. As a result, ad tech vendors and publishers may no longer rely on service provider processing as a valid exemption for that activity, and downstream vendors will be obligated to comply with the resulting data subject requests.
Updated Consumer Rights
The CPRA provides consumers with a variety of new rights. The first is the right to opt out of the sharing of personal information, and the original “Do Not Sell” link has been adjusted to “Do Not Sell or Share” to reflect this new right.
Additionally, consumers will have the right to correct inaccurate personal information. Businesses must take reasonable steps to do so after verifying the consumer’s identity. To be fully compliant, businesses should implement internal processes to rectify inaccurate personal information.
The existing right to access has also been amended. Specifically, under the CCPA, businesses were only required to provide information from the twelve months preceding the access request. Under the CPRA, however, the twelve-month limit has been removed. If the information is maintained for more than twelve months, a business may have to provide more information than it did under the CCPA.
Additional differences are included in the below chart.
| Topic | CCPA | CPRA |
|---|---|---|
| Threshold Application | For-profit businesses that collect personal information from California residents, determine the purposes and means of processing that information, do business in California, and meet any of the following: have a gross annual revenue of over $25 million; buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or derive 50% or more of their annual revenue from selling California residents’ personal information. | For-profit businesses that collect personal information from California residents, determine the purposes and means of processing that information, do business in California, and meet any of the following: have a gross annual revenue of over $25 million; buy, sell, or share the personal information of 100,000 or more California residents or households; or derive 50% or more of their annual revenue from selling or sharing California residents’ personal information. |
| Employee and B2B Exemption | Expires on Jan. 1, 2021 | Expires on Jan. 1, 2023 |
| Consumer Rights | Right to Know/Access; Right to Delete; Right to Opt-out of Sale; Right to Non-Discrimination | All rights under the CCPA, plus: Right to Rectification; Right to Limit Use and Disclosure of Sensitive Personal Information |
| Covered Personal Information | “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. | Personal information, as well as “Sensitive Personal Information”, which includes information such as SSN, driver’s license numbers, biometric information, precise geolocation, and racial and ethnic origin. |
| Third Parties | “Service Provider” – an entity that processes personal information on behalf of a business pursuant to a written contract. | Also includes “Contractor” – an entity “to whom a business makes available a consumer’s personal information for a business purpose pursuant to a written contract with the business”. |
| Enforcement | Attorney General can pursue violations; consumers have a private right of action for a breach of certain information; businesses have a 30-day cure period before being fined for a violation by the AG. | Creation of the California Privacy Protection Agency (CPPA) for enforcement and guidance; consumers have a private right of action for a breach of certain information; businesses no longer have a 30-day cure period before being fined for a violation by the CPPA. |
| Definition – Sell vs. Share | “Sell” – for monetary or other valuable consideration. | “Sell” – for monetary or other valuable consideration. “Share” – disclosure by a business to a third party for cross-context behavioral advertising for the benefit of a business, whether or not money is exchanged. |
| Use Limitation | N/A | Collection, retention, and use should be limited to what is necessary to provide the goods or services. |
| Private Right of Action | Available when a consumer’s unredacted or unencrypted personal information has been breached due to a failure to implement and maintain reasonable security measures. | In addition to unredacted and unencrypted personal information, a private right of action is available if an email address together with a password, or a security question and answer, that would allow access to the account is breached. |
| Personal Information of Minors | Fines for violations involving the personal information of minors are the same as the fines for other types of personal information – $2,500 for each unintentional and $7,500 for each intentional violation. | Automatic $7,500 fine for a violation involving the personal information of minors. |
Further CPRA and CCPA reading:
- DataGuidance News: CPRA: What You Need To Know White Paper
- Regulatory body guidance: California Privacy Rights Act – California Department of Justice
Next steps on CPRA:
- To learn more about CPRA, join our upcoming webinar: What the California Privacy Rights Act (CPRA or CCPA 2.0) Means for Your Privacy Program
- Request a Demo Today to learn more about CookiePros’ CPRA solutions!