The California Privacy Rights Act (CPRA) is a comprehensive piece of legislation that can be considered an upgrade to the California Consumer Privacy Act of 2018 (CCPA). CPRA is also known as Proposition 24 or CCPA 2.0. It expands the scope of California's consumer privacy rights. The ballot proposition was put forward in 2020 and approved by a majority of voters on November 3, 2020.

Effective date: January 1, 2023.

Official text: California Privacy Rights Act of 2020

What is CPRA?

CPRA is a data protection law: a comprehensive piece of legislation put forward to strengthen the consumer privacy rights that already existed in California. It is often compared to the European data protection law, the GDPR. Compliance with CPRA should be a high priority for businesses, since it is not a choice but a legal requirement.

Does CPRA replace CCPA?

A common misconception is that CPRA replaces the existing CCPA. In reality, CPRA amends the provisions of CCPA. CCPA took a middle road on the application and enforcement of consumer privacy rights; it was more of a settlement meant to satisfy both businesses and privacy advocates. Over time it became clear that CCPA contained several loopholes, and CPRA is the remedy for them.

What are the loopholes found in CCPA?

Several CCPA provisions were ambiguous and tended to favor tech companies, particularly those relating to consent, sensitive personal information, and profiling. CPRA makes these provisions clearer, which in turn brings more organizations within reach of substantial fines.

Further, CPRA gives regulators more power against companies that do not comply with its provisions.

What are the new changes brought by CPRA?

  1. Enhanced Consumer Rights –
  • Right to correct or rectify inaccurate personal information
  • Right to opt-out of the sharing (as well as the sale) of personal information
  • Right to access information about, and opt-out of, automated decision-making
  • Right to limit the use and disclosure of sensitive personal information
  • Private right of action, which consumers can exercise in case of theft or unauthorized access of their personal information, and so on.

  2. New Definition of Consent – CPRA introduces a definition of consent: a freely given, specific, informed, and unambiguous indication of the consumer's wishes, given by a statement or by a clear affirmative action, that signals agreement to the processing of his or her personal information for a narrowly defined particular purpose.

Businesses will need to update the consent mechanisms on their websites and mobile applications accordingly.

  3. A new category of personal data – Sensitive Personal Information.

Under CPRA, sensitive personal information means personal information that reveals any of the following:

  • Government identifiers, such as a social security, driver's license, state identification card, or passport number
  • The consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership
  • The consumer's genetic data, or biometric data processed to uniquely identify the consumer
  • The contents of the consumer's mail, email, or text messages, unless the business is the intended recipient of the communication, and so on.

This provision makes businesses more accountable when handling sensitive personal information. They must apply organizational and technical safeguards to keep it secure, disclose to consumers that sensitive personal information is being collected and for what purpose, and provide a clear option to limit its use and disclosure to what is necessary to perform the requested services.

Who does CPRA apply to? 

CPRA applies to for-profit businesses that do business in California and meet at least one of the following thresholds:

  • annual gross revenue above $25 million in the preceding calendar year;
  • annually buying, selling, or sharing the personal information of 100,000 or more consumers or households; or
  • deriving 50% or more of annual revenue from selling or sharing consumers' personal information.

Note that "sharing" has a specific meaning under CPRA: disclosing personal information to a third party for cross-context behavioral advertising. Disclosures to vendors that qualify as service providers or contractors under a compliant contract are not sales or shares, provided the contract restricts the vendor's use of the data.

Who is exempted from CPRA?

CPRA does not apply to:

  • non-profit entities,
  • governmental organizations, and
  • personal information subject to the Fair Credit Reporting Act (FCRA).

What is personal information as per CPRA?

The definition of "personal information" under CCPA, which CPRA retains, is information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This includes names, addresses, Social Security numbers, internet browsing history, unique cookie IDs, and so on.

Moreover, CPRA defines sensitive personal information as personal information that reveals a consumer's:

  • Social Security, driver's license, state identification card, or passport number;
  • account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to the account;
  • precise geolocation;
  • racial or ethnic origin, religious or philosophical beliefs, or union membership;
  • mail, email, or text message contents, unless the business is the intended recipient;
  • genetic data;
  • biometric data processed for the purpose of uniquely identifying the consumer;
  • health information; or
  • sex life or sexual orientation.

What are the consumer rights under CPRA?

CPRA grants several rights to consumers including those already given under CCPA:

  1. Right to know: Consumers have the right to know what personal information is being collected about them, how it is used, and to whom it is disclosed, sold, or shared. When a business receives a verifiable consumer request, it must promptly disclose the personal information it has collected about that consumer.
  2. Right to delete: If a consumer requests deletion of his or her personal information, the business must delete it (and direct its service providers and contractors to do the same) unless an exception permits retention.
  3. Right to portability: Consumers have the right to receive the personal information a business holds about them in a portable and, to the extent technically feasible, readily usable format, so that they can transmit it to another entity.
  4. Right to opt-out of sale or sharing: Consumers have the right to direct businesses to stop selling or sharing their personal information.
  5. Right to correct: Consumers have the right to request that a business correct inaccurate personal information it holds about them, and the business must use commercially reasonable efforts to do so.
  6. Right to access information about automated decision-making: Consumers are entitled to meaningful information about the logic involved in a business's automated decision-making processes and a description of the likely outcome for them.
  7. Right to opt-out of automated decision-making: Consumers have the right to opt out of being subject to automated decision-making technology, including profiling.
  8. Right to limit the use of sensitive personal information: Consumers have the right to limit a business's use and disclosure of their sensitive personal information to what is necessary to provide the goods or services they requested.
  9. Non-discrimination: Businesses must not discriminate against consumers for exercising their rights, for example by denying goods or services or by providing a different level or quality of goods or services.

What are the principles of data processing in CPRA?

The main principles involved in CPRA are:

  • Transparency: CPRA requires businesses to be transparent. They must provide all necessary details about the processing of personal information through a proper notice at collection and privacy policy, revealing the purposes of processing, the categories of data collected, consumers' rights, and how to exercise them.
  • Accountability: Businesses are accountable for how they handle personal information. CPRA directs them to implement reasonable organizational and technical measures to protect it, and they must be able to demonstrate those measures.
  • Data minimisation: Only personal information that is necessary and relevant for a specified purpose may be collected. Businesses must limit processing to what is reasonably necessary and proportionate to that purpose.
  • Purpose limitation: Businesses may process personal information only for the specified and disclosed purposes, not for unrelated or incompatible purposes.
  • Storage limitation: Businesses must tell consumers, at the point of collection, how long they intend to retain each category of personal information (or the criteria used to determine that period), and must not retain it longer than reasonably necessary for the disclosed purpose.
  • Consent: Consent must be a freely given, specific, informed, and unambiguous indication of the consumer's agreement to the processing of personal information for a narrowly defined particular purpose. Accepting a broad or general terms-of-service agreement that bundles descriptions of personal information processing with other, unrelated information does not constitute consent. Neither does hovering over, muting, pausing, or closing a given piece of content, or agreement obtained through dark patterns (design elements intended to trick users into agreeing to something they otherwise would not). CPRA also requires parental consent before the personal information of a child under 13 years of age is sold or shared.


Steps to be in compliance with CPRA

Here are a few things you can implement to comply with CPRA:

  • Monitor and promptly handle consumer requests through a request portal, with systems in place for effective and timely responses within the statutory deadlines.
  • Protect sensitive personal information with encryption and multi-factor authentication.
  • Update the privacy notice and the notice at collection. The privacy notice must cover the purposes of processing, the means of collection, consumers' rights, and how to exercise those rights; it must also describe any sensitive personal information collected and how consumers can limit its use.
  • Provide "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" links or pages. Consumers are then informed about the collection and given an opportunity to opt out or limit use.
  • Review data flows to identify whether children's personal information is involved. A proper consent management system ensures that parental consent is obtained before the personal information of a child under 13 is sold or shared.
  • Maintain data maps, review security practices, and filter and update the data inventory as processing changes.
  • Update cookie banner notices and make proper disclosures.
  • Implement privacy by design and by default: build data privacy into the design stage of products and services and limit processing to reasonable, specific purposes.
  • Deploy privacy tooling for ongoing monitoring, request processing, and compliance.
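The consent definition in the data-processing principles above and the "Do Not Sell or Share" and "Limit the Use" steps in this list both come down to one client-side rule: a tracking or advertising tag may run only after an affirmative, purpose-specific action, and an exercised opt-out wins over any accept. The following is an added example of that rule, written for this page; it is not code from the original article and not part of the CookieYes product. The purpose names (analytics, advertising, sale_or_share, sensitive_secondary_use), the action names, and the script URL are illustrative assumptions, not terms from the statute.

```javascript
// Added example (not part of the original article or the CookieYes product):
// a minimal client-side consent ledger that applies the CPRA definition of
// consent described on this page. Purpose names, action names and the script
// URL are illustrative assumptions, not terms from the statute.

const PURPOSES = ["analytics", "advertising", "sale_or_share", "sensitive_secondary_use"];

// Default state: nothing is consented to until the consumer takes an
// affirmative action, and neither CPRA opt-out link has been exercised yet.
function newConsentState() {
  return {
    accepted: new Set(),
    optedOutOfSaleOrShare: false,
    limitSensitive: false,
    history: [],
  };
}

// Record one user interaction with the banner or privacy-choices page.
// Only an explicit "accept" of a named purpose grants consent; dismissing,
// hovering, scrolling or pausing content never does (CPRA consent definition).
function recordAction(state, action) {
  switch (action.type) {
    case "accept":
      if (!PURPOSES.includes(action.purpose)) {
        throw new Error("unknown purpose: " + action.purpose);
      }
      state.accepted.add(action.purpose);
      break;
    case "withdraw":
      state.accepted.delete(action.purpose);
      break;
    case "do_not_sell_or_share":
      // "Do Not Sell or Share My Personal Information" link: an opt-out that
      // also revokes any earlier opt-in for that purpose.
      state.optedOutOfSaleOrShare = true;
      state.accepted.delete("sale_or_share");
      break;
    case "limit_sensitive":
      // "Limit the Use of My Sensitive Personal Information" link.
      state.limitSensitive = true;
      state.accepted.delete("sensitive_secondary_use");
      break;
    case "dismiss":
    case "hover":
    case "scroll":
    case "pause":
      break; // not consent: leave the accepted set untouched
    default:
      throw new Error("unknown action: " + action.type);
  }
  state.history.push(action); // audit trail of valid actions only
  return state;
}

// Decide whether a tag classified under `purpose` may run. Opt-outs are
// checked first, so a later "accept" does not silently override them.
function mayLoad(state, purpose) {
  if (purpose === "sale_or_share" && state.optedOutOfSaleOrShare) return false;
  if (purpose === "sensitive_secondary_use" && state.limitSensitive) return false;
  return state.accepted.has(purpose);
}

// Inject a third-party script only if the decision allows it. The DOM call is
// guarded so the function is also usable in a non-browser test runner.
function loadTagIfPermitted(state, purpose, src) {
  if (!mayLoad(state, purpose)) return false;
  if (typeof document !== "undefined") {
    const s = document.createElement("script");
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  }
  return true;
}
```

The design choice worth noting is that `mayLoad` evaluates the opt-out flags before the accepted set. Once a consumer has used the opt-out link, a subsequent "accept" does not re-enable sale or sharing; that matches the statute's rule that a business must wait at least 12 months before asking an opted-out consumer to authorize the sale or sharing of their personal information again, so re-enabling should be a deliberate, separately logged event rather than a side effect of the banner.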

What is the penalty for non-compliance under CPRA?

Under CCPA, civil penalties are up to $2,500 per violation and $7,500 per intentional violation. CPRA adds that violations involving the personal information of minors (consumers the business knows are under 16 years of age) also attract the $7,500 penalty, even when unintentional.

It is to be noted that CPRA has removed the 30-day cure period that previously allowed businesses to avoid penalties by fixing violations after being notified by the Attorney General.

CPRA vs GDPR [Infographic]


Frequently Asked Questions

Does CPRA replace CCPA?

No, CPRA does not replace CCPA. It amends certain provisions of CCPA, making it more consumer-friendly; it is an upgrade to CCPA.

When does CPRA go in to effect?

CPRA takes effect on January 1, 2023, with a look-back period to January 1, 2022 (the right to know covers personal information collected on or after that date), and the California Privacy Protection Agency begins enforcement on July 1, 2023.

How does CPRA change CCPA?

Changes have been brought in relation to the enforcement agency, the private right of action, and penalties. CPRA was enacted to address the gaps found in CCPA.

Does the CPRA apply to Government Agencies?

No. It applies only to for-profit businesses that meet at least one of the thresholds: annual gross revenue above $25 million, buying, selling, or sharing the personal information of 100,000 or more consumers or households, or deriving 50% or more of annual revenue from selling or sharing consumers' personal information.