CPRA: New Data Privacy Rules for Companies Doing Business in California Now in Effect

In observance of Data Privacy Day 2023, we thought it was a good time to draw attention to the California Privacy Rights and Enforcement Act (CPRA), which is now in force. The CPRA modifies and expands the existing California Consumer Privacy Act (CCPA). In light of these developments, the table below summarizes the most impactful rights and obligations now in effect under these acts and highlights where the two laws differ and where they overlap.

Businesses doing or planning to do business in California (CA) should be aware that they may be subject to the CCPA, as modified by the CPRA, if they meet a gross revenue threshold or collect personal information (PI) from a significant number of CA residents. Conversely, businesses previously subject to the CCPA may no longer be covered if they do not meet the higher PI collection threshold introduced by the CPRA.

Please contact us if you need help navigating these laws, or getting started, should you now fall under the purview of the CPRA. We can assist with data privacy and cybersecurity audits, employee training, and the implementation of best practices and procedures to ensure your business complies with data privacy laws and is well-poised to keep customer data safe and secure.

CCPA vs. CCPA as modified by the CPRA

Enacted
  CCPA: Jun. 28, 2018
  CCPA as modified by the CPRA: Dec. 16, 2020

Effective
  CCPA: Jan. 1, 2020
  CCPA as modified by the CPRA: Jan. 1, 2023 (but look-back period extends back to Jan. 1, 2022)

Enforceable
  CCPA: As of Jul. 1, 2020
  CCPA as modified by the CPRA: Beginning Jul. 1, 2023

Covered Businesses
  CCPA: For-profit entities collecting PI from CA residents and
    • (i) having annual gross revenues over $25 million; OR
    • (ii) buying, receiving for commercial purposes, selling, or sharing for commercial purposes the PI of 50,000 or more CA residents, households, or devices; OR
    • (iii) deriving 50% or more of annual revenues from selling the PI
  CCPA as modified by the CPRA: For-profit entities collecting PI from CA residents and
    • (i) having annual gross revenues over $25 million; OR
    • (ii) buying, selling, or sharing the PI of 100,000 or more CA residents or households (devices not counted individually); OR
    • (iii) deriving 50% or more of annual revenues from selling or sharing the PI
  where “sharing” is “by the business to a 3rd party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration”

Personal Information (PI)
  CCPA: Information “that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Categories include, but are not limited to:
    • (i) Identifiers (e.g., real name, postal address, email address, driver’s license number, social security number, passport number);
    • (ii) Commercial information (e.g., personal property records, purchased product or services records);
    • (iii) Biometric information;
    • (iv) Internet or electronic network activity;
    • (v) Geolocation data;
    • (vi) Audio, electronic, visual, thermal, olfactory, or similar information;
    • (vii) Professional or employment-related information; and
    • (viii) Education information not publicly available
  CCPA as modified by the CPRA: Information “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Categories of PI are the same as under the CCPA.

“Sensitive” PI subject to stricter restrictions and requirements
  CCPA: N/A
  CCPA as modified by the CPRA: PI that reveals:
    • (i) Social Security, driver’s license, state ID, or passport numbers;
    • (ii) Account (e.g., financial) information with password or other credentials;
    • (iii) Precise geolocation;
    • (iv) Racial or ethnic origin;
    • (v) Religious or philosophical beliefs or union membership;
    • (vi) Contents of consumer communications unless business is intended recipient;
    • (vii) Genetic, biometric, and health PI; or
    • (viii) Sex life or sexual orientation PI

Right to Know PI Being Collected / Right to Access PI
  CCPA: Allows
    • (i) CA residents to request information from a business about the PI collected; and
    • (ii) a 12-month look-back period
  CCPA as modified by the CPRA: Same as CCPA and further extends the look-back period if doing so is not “impossible” and does not involve “disproportionate effort”

Right to Know PI Being Sold or Shared and to Whom
  CCPA: Allows
    • (i) CA residents to request information from a business about the PI collected, sold, or shared; and
    • (ii) a 12-month look-back period
  CCPA as modified by the CPRA: Same as CCPA and further extends the look-back period if doing so is not “impossible” and does not involve “disproportionate effort”

Right to Delete PI
  CCPA: Allows CA residents to request that businesses delete PI no longer needed to fulfill statutory purposes
  CCPA as modified by the CPRA: Same as CCPA and further requires businesses to send the customer’s deletion request to all 3rd parties that purchased or received the PI

Right to Opt-Out of Sale (or Sharing under CPRA) of PI
  CCPA: Allows CA residents to opt out of having PI sold to 3rd parties and requires notice when the PI will be sold
  CCPA as modified by the CPRA: Same as CCPA and further
    • (i) allows consumers to opt out of having PI shared with 3rd parties; and
    • (ii) requires notice to consumers when PI will be shared

Right to Opt-In for Minors
  CCPA: Requires
    • (i) consent from minors between 13 and 16 years of age to sell PI of such minors; and
    • (ii) parental consent to sell PI of minors less than 13 years of age
  CCPA as modified by the CPRA: Same as CCPA and further
    • (i) requires consent when sharing PI of minors in the same manner as consent is required when PI of minors is sold; and
    • (ii) mandates a 12-month wait before requesting consent to sell or share PI of minors after consent was previously declined

Right to No Retaliation
  CCPA: Prevents discrimination (e.g., denying, charging different prices for, or providing a different level or quality of goods or services) in response to consumers’ opt-outs or exercise of other rights
  CCPA as modified by the CPRA: Same as CCPA and further
    • (i) extends prohibitions to retaliation against employees, applicants for employment, or independent contractors; and
    • (ii) expressly allows businesses to offer “loyalty, rewards, premium features, discounts, or club card programs consistent with this title”

Right to Correct Inaccurate PI
  CCPA: N/A
  CCPA as modified by the CPRA: Allows CA residents to request correction of inaccurate PI

Right to Limit Use and Disclosure of Sensitive PI
  CCPA: N/A
  CCPA as modified by the CPRA: Allows CA residents to limit the use of sensitive PI to that “necessary to perform the services or provide the goods”

Right to Access Information about Automated Decision Making
  CCPA: N/A
  CCPA as modified by the CPRA: Provides a right to access information and opt-out rights concerning automated decision making technology, including “profiling” defined as “any form of automated processing of [PI]”

Right to Data Portability
  CCPA: N/A
  CCPA as modified by the CPRA: Requires provision of “specific pieces of [PI]” collected in a form “easily understandable to the average consumer”

Additional Restrictions
  CCPA: N/A
  CCPA as modified by the CPRA:
    • (i) Data Minimization: Restricts “collection, use, retention and sharing” of PI collected to that “reasonably necessary and proportionate to achieve the purposes for which the [PI] was collected”
    • (ii) Purpose Restriction: Prohibits collection of PI “for additional purposes that are incompatible with the disclosed purpose” for collecting the PI
    • (iii) Data Retention Requirements: Requires disclosure of “the length of time the business intends to retain each category of [PI], or if that is not possible, the criteria used to determine such period”

Private Right of Action
  CCPA: Available if nonencrypted or nonredacted PI is exposed due to a failure to implement reasonable security measures
  CCPA as modified by the CPRA: Same as CCPA and also allows a private right of action for unauthorized access to email addresses together with passwords or security questions

Government Enforcement
  CCPA: Office of the Attorney General (OAG)
  CCPA as modified by the CPRA: California Privacy Protection Agency (CPPA), which
    1. Can impose a $2,500 fine for each CPRA violation
    2. Can impose a $7,500 fine for each intentional CPRA violation or intentional violation involving a minor
    3. Has discretion over the time period to cure each violation, based on factors

Notice and Cure Period To Avoid Fine
  CCPA: 30 days
  CCPA as modified by the CPRA: N/A

Required Audits/Assessments for Businesses Whose Processing of PI Presents Significant Privacy or Security Risks
  CCPA: N/A
  CCPA as modified by the CPRA:
    • (i) Cybersecurity audit on an annual basis
    • (ii) Submission to the CPPA of a risk assessment on a regular basis regarding the processing of PI