How the CPRA Changes the CCPA and Data Collection Practices

With data breaches and identity theft continually rising, more and more people are becoming aware of how critical it is to have personal information protected. According to a Pew Research study, 81% of Americans feel the risks outweigh the benefits when it comes to companies collecting their data. Additionally, 79% are concerned with how companies use their personal data. Laws like the California Privacy Rights Act (CPRA) in California and General Data Protection Regulation (GDPR) in the European Union are steppingstones to hold businesses to a reasonable standard when handling personal consumer data.

What’s the Difference between the CPRA and CCPA?

The California Privacy Rights Act (CPRA) is an amendment to the California Consumer Privacy Act (CCPA). It passed in November 2020 and went into effect on January 1, 2023. The CPRA does not replace the CCPA, but its provisions supersede any prior legislation. The CPRA fills in many of the gaps that the CCPA left unaddressed.

What’s New in the CPRA

Some of the more notable changes the CPRA introduces include:

  • The California Privacy Protection Agency (CPPA): The CPRA established this agency, which enforces the law alongside the Attorney General. In April 2022, rulemaking authority under the CCPA was formally transferred to the CPPA.
  • Protecting Employee Data: The CPRA eliminates the CCPA’s exemptions that apply to employee data, so businesses will have to comply with specified obligations when processing employee data. As a result, businesses will need to be transparent with their staff regarding data collection.
  • More Transparency & Control: Under the CPRA, consumers have the right to correct their personal information, to know how long it is stored and how it is allowed to be used, and the ability to opt out of geolocation-based ads.
  • Redefining Personal Information: The term “sensitive personal information” has been defined to include race/ethnic origin, health information, religious beliefs, sexual orientation, Social Security number, biometric/genetic information, and personal message contents.
  • Restrictions on Existing Data: If a business plans to use consumer data that has already been collected in a way that differs from what was originally disclosed, the consumer must be informed of this change.
  • Limited Disclosure Link: In addition to the “Do Not Sell or Share My Personal Information” link mandated by the CCPA, the CPRA also requires a link labeled “Limit the Use of My Sensitive Personal Information” for applicable businesses. This allows consumers to limit the use or disclosure of their sensitive personal information.
  • Marketing Restrictions: Advertising deemed to use “profiling” tactics is banned.

There are other bills pending in the California Legislature which could affect the CCPA/CPRA. However, August 2022 was the last day for new bills to be passed. You can view more information on these additional bills at https://iapp.org/resources/topics/ccpa-and-cpra/

Who Does the CPRA Apply To?

The rules follow the same three qualifiers as the CCPA, but with additional clarification. The CPRA applies to you if you meet any one of these criteria (the CPRA changes are noted within each item):

  • Gross annual revenue of over $25 million in the previous calendar year.
  • Buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices. The baseline number was 50,000 in the CCPA.
  • Obtain 50% or more of annual revenue from selling California residents’ personal information, OR 50% of revenue from sharing personal information with third parties.

Additionally, the CPRA includes more precise wording on personal information shared between related companies. The following changes will likely make more businesses fall under the CPRA.

  • Common Branding: The CPRA defines the term “common branding” to mean “a shared name, service, or trademark, such that the average consumer would understand that two or more entities are commonly owned.” This means that larger companies cannot avoid regulation for sister companies under the same brand.
  • B2B Sharing: If two related businesses share personal information and one of them falls under the CPRA, then both businesses do. This applies whether the two businesses share a trademark or have more than 40% shared interests as partners, regardless of branding.

CPRA Compliance Suggestions

Businesses will need to give consumers more comprehensive options to opt out whenever they interact with them. Even if your business doesn’t fall under the CPRA/CCPA, it’s a good idea to begin implementing compliance strategies now. Some ways to implement online compliance include opt-out forms, a deliberate strategy for geolocation-targeted advertising, and a stronger organizational security posture through multi-factor authentication and zero trust protocols. Additionally, companies will have to satisfy the “do not sell my personal information” mandate. This means adding specific links through which consumers can set preferences for data sharing on the sites of businesses that sell, share, or disclose personal data. For more ideas on compliance, read our article “CCPA Compliance Putting Your Business At Risk?”

CPRA Fines for Data Breaches

Businesses under the CPRA are subject to fines of up to $2,500 per violation involving adults and $7,500 per violation involving minors. The newly formed CPPA is authorized to enforce these fines. In addition, any business under the CPRA will have to notify customers in the event of a data breach if their sensitive information has been compromised.

Preparing for the CPRA and Privacy Changes

The CPRA is fully enforceable, and you don’t want to wait to become compliant. As time passes, the CPPA taskforce will grow and become more effective at auditing businesses and enforcing fines for violations. Although it may seem like a chore, CPRA compliance can earn consumer trust while keeping you within the law. Additionally, making these changes will put you ahead of the game when other states begin to adopt similar legislation. Now may be a good time to revisit your online privacy policy as well. The CPRA is an extension of the CCPA, and over time both may change. It is always best to seek legal counsel to ensure your legal documentation and business practices are fully compliant.

Have questions about CPRA Compliance for Your Business Website?

Contact us today to learn how NetSource Technologies can keep your business compliant with CPRA & CPPA laws!