What is CPRA and How Does it Affect CCPA?
This past November, Californians voted to pass Proposition 24, also known as the California Privacy Rights Act (CPRA). With 56 percent of the vote, this legislation will act as an expansion of the California Consumer Protection Act (CCPA) which went into effect on January 1, 2020.
When the CCPA passed, it was considered groundbreaking legislation that gave private citizens new control over, and protections for, their personal data — similar to the General Data Protection Regulation in Europe. Since it took effect, the CCPA has given individuals greater transparency into, and power over, their online footprint by granting them:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
Because businesses are required to give consumers notice explaining their privacy practices and what they do with the data they collect, companies have been legally obliged to re-evaluate and update their policies.
The CPRA further strengthens some of the measures and end goals of the CCPA and moves California’s privacy law into closer alignment with Europe’s standards. The CPRA goes into effect on January 1, 2023, but applies to personal information (PI) collected by businesses on or after January 1, 2022.
This gives businesses one year to rework and implement privacy policies that adhere to the new legislation. Key changes in the CPRA to be aware of:
- New sub-category of “sensitive” personal information
- New definition of “third party”
- New definition of (and partial limitation on) “profiling”
- Limits data retention and requires disclosure of retention periods
- Adds a right to limit the use and disclosure of sensitive PI
- Adds a right to correct inaccurate PI
- Extends consumers’ opt-out rights to the sharing of PI for cross-context advertising
- Extends the non-discrimination provision to include non-retaliation
- Adds contract requirements for all persons that receive PI
- Increases administrative fines for children’s PI
- Requires opt-in consent for sharing PI of children under 16
- Requires a new rulemaking on insurance
- Requires a new rulemaking on cybersecurity and privacy
- Extends the scope of the private right of action
One of the biggest components of the CPRA is the immediate creation of the California Privacy Protection Agency. This agency is responsible for enforcing consumer protection laws and ensuring that fines and penalties are administered to violators. Its creation makes California the first U.S. state with a dedicated consumer privacy regulator.
How to Follow CPRA Regulations
Step 1: Commit to a cybersecurity program. The best way to avoid a state audit is to proactively commit to a cybersecurity program that secures PI within your online environment.
Step 2: Obtain board-level support for CPRA compliance. Executive support helps align the business and technical sides of the organization and minimizes potential gaps in coverage.
Step 3: Prioritize the level of effort through a gap analysis.
Step 4: Maintain an inventory of all of your assets and map the flow of PI through them.
Step 5: Create Policies, Procedures, and Processes to effectively manage CPRA.
Step 6: Implement a security program to secure personal information or partner with a firm like Cyber Defense Group for security advisory services.
Step 7: Ensure that employee communication and training are completed.
Step 8: Monitor and audit for compliance regularly. Assessments should be performed annually.
If you’d like more industry knowledge about the California Privacy Rights Act (CPRA) and how to implement the new privacy policies, please request an appointment time to discuss your questions and concerns.