The California Privacy Rights Act (CPRA) is an amendment to the California Consumer Privacy Act (CCPA). California voters passed it as Proposition 24 on November 3, 2020, and it took effect on January 1, 2023. With ever-increasing threats to consumer privacy making it harder for customers to trust brands, the CPRA gives California residents stronger protections and clearer rights over how their personal information is collected, used and shared, including in the event of a serious security incident.
The CPRA greatly extends the CCPA, which went into effect on January 1, 2020, and reinforces California's status as the US frontier in data privacy regulation. The Golden State has made significant improvements to its privacy regime, including tighter rules on how companies may use personally identifiable information (PII) and the creation of the California Privacy Protection Agency (CPPA), a new state agency dedicated to enforcing privacy law.
However, every new piece of legislation raises questions: who does the CPRA apply to, what does compliance require, what does non-compliance cost, and so on. This article answers the five most frequently asked questions about the CPRA and explains how it strengthens enforcement of the CCPA.
What is CPRA?
CPRA, or the California Privacy Rights Act, is a privacy law that strengthens consumers' data protection rights by building on the existing California Consumer Privacy Act (CCPA). Its purpose is to give people more control over their personal information by creating new rights and strengthening existing ones. The CPRA adds rights such as limiting the use of sensitive personal information, correcting inaccurate data, and refusing to have one's personal information sold or shared.
The CPRA brings California closer to the GDPR than the CCPA did. It strengthens the CCPA's existing protections and adds new provisions, including:
- Rights of employees and business partners: The CPRA eliminates the CCPA's exemptions for HR and B2B data. As of January 1, 2023, employees, independent contractors and business contacts have the same protections as other California consumers and may exercise all of the same rights.
- Expanded opt-out rights: The CCPA already gave Californians the right to opt out of the sale of their personal information. The CPRA closes a gap in the CCPA's Do Not Sell provision by adding an explicit right to opt out of having personal information shared for cross-context behavioral advertising. In other words, Californians can now stop their personal information from being passed along the targeted-advertising ecosystem even when no money changes hands.
The CPRA also created a new regulatory authority, the California Privacy Protection Agency, which is discussed below in the section on penalties.
Five Most Frequently Asked Questions About the California Privacy Rights Act (CPRA)
- Who is Subject to the CPRA laws?
A business is subject to the CPRA if it meets any one of the following thresholds:
- Gross annual revenue of more than $25 million;
- Buys, sells, or shares the personal information of 100,000 or more California consumers or households per year; or
- Derives 50% or more of its annual revenue from selling or sharing consumers' personal information.
- What are the New Consumer Privacy Rights Outlined Under CPRA?
Under the CPRA, consumers gain the following new rights:
- Right to Limit Use of Sensitive Personal Information (SPI)
Consumers can direct a business to limit its use and disclosure of their SPI to what is necessary to provide the goods or services they requested. This restricts secondary uses of SPI, including disclosure to third parties.
- Right to Correction
Consumers have the right to ask a business to correct inaccurate personal information it holds about them.
- Right to Information Access Regarding Automated Decision Making
Consumers are entitled to information about automated decision-making that uses their personal data, including meaningful information about the logic involved and a description of the likely outcome of the process with respect to the consumer.
- Right to Opt Out of Automated Decision-Making Technology
Consumers can opt out of a business's use of automated decision-making technology, including profiling, with respect to their personal information.
- What are the Expanded Privacy Rights Highlighted Under CPRA?
The CPRA also expands several rights that consumers already had under the CCPA. The amended rights are as follows:
- Option to Delete
Consumers can now ask a business to notify its service providers, contractors, and any third parties to which it sold or shared their personal information, directing them to delete it as well.
- Freedom of Access
In response to an access request, businesses must provide all of the information required under the CCPA, plus the categories of PI they have shared with third parties and the categories of third parties with whom it was shared.
- Right to Decline
Consumers now have the right to opt out of both the sale and the sharing of their PI with third parties, including sharing for cross-context behavioral advertising.
- Right to Data Portability
Consumers have the right to request that a business transmit specific pieces of their PI to another entity, to the extent this is technically feasible for the business.
- What are the Expanded Notification Requirements Outlined Under CPRA?
The CPRA modifies the CCPA's notification requirements in the following ways:
- Retention Disclosure in the Notice at the Point of Collection
As under the CCPA, businesses must notify consumers, employees, job applicants and other workers at or before the point of collection. Businesses must now also disclose how long they intend to retain each category of personal information collected or, if that is not possible, the criteria used to determine the retention period. A business may keep PI only as long as is reasonably necessary for the disclosed business or commercial purpose for which it was collected.
- Collection Notices for SPI
At or before the point of collection, businesses must inform consumers of the categories of SPI being collected, the purposes for which it is collected, and how long it will be retained.
- Opt-in Rights for Minors
Businesses may not sell or share the personal information of a consumer they know to be under 16 without opt-in consent (from the consumer if aged 13 to 15, or from a parent or guardian if under 13). If a consumer under 16 declines to give that consent, the business must wait at least 12 months, or until the consumer turns 16, before asking again.
The CPRA also changes the privacy-notice requirements of the CCPA. As of January 2023, organizations must update their privacy policies to include three new disclosures:
- Whether they share consumers' personal information and, if so, the categories of PII shared and with whom;
- How they collect, use, and share sensitive personal information; and
- How long they intend to keep each category of PII or, if that is not possible, the criteria they will use to determine that period.
- What are the Penalties for Non-compliance Under the CPRA laws?
The CPRA is enforced by the California Privacy Protection Agency (CPPA), which can impose the same administrative penalties as were available under the CCPA. The agency distinguishes between two types of violation when setting fines:
- Unintentional Violations: Businesses may be fined up to $2,500 per violation when they break the law accidentally or negligently.
- Intentional Violations: Businesses that knowingly fail to comply may be fined up to $7,500 per violation, for example where they deliberately mishandle consumer data.
The CPRA adds one significant change: the higher $7,500 penalty also applies to every violation involving the personal information of consumers the business knows to be under 16, whether or not the violation was intentional. The CPRA also removes the CCPA's automatic 30-day cure period, so a business can no longer avoid a penalty simply by fixing the violation after being notified.
CCPA Compliance Readiness with Akitra!
Establishing trust is a crucial competitive differentiator when courting new SaaS businesses in today’s era of data breaches and compromised privacy. Customers and partners want assurances that their organizations are doing everything possible to prevent disclosing sensitive data and putting them at risk, and compliance certification fills that need.
Akitra offers an industry-leading, AI-powered Compliance Automation platform for SaaS companies. Using automated evidence collection and continuous monitoring, together with a full suite of customizable policies and controls as a compliance foundation, our compliance automation platform and service help our customers prepare for the CCPA compliance standard, along with other security frameworks such as SOC 1, SOC 2, HIPAA, GDPR, PCI DSS, ISO 27001, ISO 27701, ISO 27017, ISO 27018, NIST CSF, NIST 800-53, NIST 800-171, FedRAMP, CMMC, and the CIS AWS Foundations Benchmark. In addition, companies can use Akitra's Risk Management product for company-wide risk management, its Trust Center, and its AI-based Automated Questionnaire Response product to streamline and expedite security questionnaire responses, delivering substantial cost savings. Our compliance and security experts provide customized guidance so you can navigate the end-to-end compliance process with confidence.
The benefits of our solution include large savings in time, staff effort, and cost, including discounted audit fees with our audit firm partners. Customers achieve compliance certification quickly and cost-effectively, stay continuously compliant as they grow, and can become certified under additional frameworks using a single compliance automation platform.
Build customer trust. Choose Akitra TODAY!
To book your FREE DEMO, contact us right here.