CCPA 2.0 has passed: Meet the California Privacy Rights Act (CPRA)

It hasn’t been long since the California Consumer Privacy Act (CCPA) enforcement this year, and now there is the California Privacy Rights Act (CPRA)! On November 3, Californians approved the ballot initiative Proposition 24, or California Privacy Rights Act 2020, which expands their rights as consumers. The CPRA was built upon the CCPA; however, the amendments are so significant that it is more similar to GDPR.

The CCPA aims to protect the rights of Californian consumers while mandating certain procedures and practices that consumer-facing businesses need to follow. In contrast, the CPRA introduces innovative consumer rights, corrects existing CCPA rights, establishes a new category of Personally Identifiable Information (PII) with associated rules, and mandates a new privacy enforcement agency for surveillance.

If you have already established CCPA compliance, good job! You will now have to review your privacy policy and add additional provisions pertaining to the California Privacy Rights Act. However, if you aren't CCPA-compliant yet then hurry up because the fines are massive! Regardless, you will need to direct your future data privacy efforts toward CPRA compliance as it will take effect in January 2022. You still have time to comply with this law, but why make double work if you can take care of both the CCPA and the CPRA now?

Let’s scan the key California Privacy Rights Act requirements to see what should be created or modified!

1. Why did the California Privacy Rights Act become law?

Generally speaking, the CPRA became a law due to the majority vote in the general election on November 2nd. However, this begs the question as to why there was a need for a new privacy law when the CCPA was just passed in 2018.

Let’s start at the beginning. The California jurisdiction recognizes a notorious ballot proposition system that drives decisions on a state level. This system enables successful advocates to bypass complex traditional legislative hierarchies, as well as industry and government stakeholders, to establish a completely insulated law without further voter approval or legislative revision.

The group behind the CPRA unsuccessfully tried to capitalize on this ballot system prior to this year. In 2018, Californians for Consumer Privacy collected a sufficient number of signatures to propose the first CPRA clauses. However, the California Legislature disagreed with certain measures and expressed the need for various modifications. They negotiated the withdrawal of such a proposal in exchange for the CCPA.

Even though the CCPA was enacted and represents the country’s most robust privacy act ever, the group behind the first-created privacy act expressed their disappointment and doubled down on reaching their original goal. This group was led by its founder, Alastair Mactaggart, who strongly believed that the CPRA deserved a second ballot measure due to industry efforts to weaken the first privacy policy. His group’s efforts resulted in the California Privacy Rights Act 2020.

2. Who is responsible for the CPRA enforcement?

The California Privacy Rights Act establishes the California Privacy Protection Agency (PPA) for enforcement. This represents a milestone in US privacy legislation and is a major step towards passing the CPRA as a comprehensive federal privacy policy. It transfers all rulemaking, funding, and enforcement authority status from the Attorney General to the PPA. However, the primary enforcement actions remain vested by the state agency with a few minor changes.

3. What are the effects of the CPRA law enactment?

The CPRA is unique to California. In fact, any further modifications are impossible except those made by the federal government, federal court, the CPRA legislative, or subsequent ballot results. That said, if Los Angeles’ government decides to propose a new privacy action or modifies the CPRA, the federal bodies and CPRA group can sue them. On the other hand, if the federal government or court declares an unconstitutional ruling associated with the CPRA then they can claim it as invalid.

4. Who is subject to the CPRA?

Both the CCPA and the CPRA apply to businesses that operate within California. However, the CPRA doubles certain criteria and introduces new concepts.

The old and new criteria for all businesses:

  • Revenue: This category stays the same with 25+ million in annual revenue as a selection line.
  • The number of consumers and households: The CPRA doubles the threshold number of households and consumers from 50,000 to 100,000, reducing the burden for small- and medium-sized businesses.
  • Data Profit: All businesses that profit in any way from sharing consumer or household data need to comply with the CPRA. Under the CPRA, data sharing is defined as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.” Previously, the CCPA applied to businesses that derived at least 50% of their annual revenue from data “selling” specifically. Now, the CPRA adds that the same applies to data sharing.
  • Partnerships: The CPRA defines these as joint ventures composed of parties with at least 40% interest.

5. The “Sensitive Data”

With the implementation of the California Privacy Rights Act 2020, the concept of “sensitive data” has gained significant attention. We already have PII defined in the CCPA but this is a new type of categorization The CPRA outlines different categories of personal data and mandates requirements related to each of them. The term sensitive data includes:

  • Government identifiers: ID number, Social Security number, driver’s license data, etc.
  • Financial account: credit or debit card numbers
  • Login credentials: username and/or password
  • Precise geolocation
  • Race and ethnicity
  • Philosophical or religious beliefs: claims and/or union membership
  • Content of nonpublic communications: text messages, mail, and email content
  • Biometric or health information: genetic data
  • Sexual orientation information

6. The CPRA consumer rights

The California Privacy Rights Act 2020 incorporates all the CCPA consumer rights and introduces new obligations for businesses in this field. These new rights closely resemble the GDPR rules, making the US and the EU privacy measures more similar.

A. The new rights:

1. Right to Restrict Use of Sensitive Information

The Californian consumer has a right to permit or deny disclosure and use of sensitive data to third parties that cooperate with an authorized company.

2. Right to Correction

Here, the GDPR and the CPRA overlap completely. Now Californians can also practice the right to correct their collected data if they find it inaccurate. This is a helpful practice for a company too, right?

3. Right to Access Information About Automated Decision Making

Consumers can request an explanation of a company’s  algorithm mechanisms, or in other words, they can ask for details around the hidden automation processes behind their decision making.

4. Audit Obligations

The CPRA mandates cybersecurity audits and risk assessments for any/all high-risk activities.

B. Modified rights:

1. Right to Delete

Now third parties, distributors, and suppliers need to delete the bought data as well.

2. Right to Know

The expanded right to know gives permission to consumers to learn which data was collected beyond the prior 12-month window.

3. Right to Opt Out

The CPRA lawmakers gave consumers the choice to opt-out of both the “selling” and “sharing” of their PII, including sharing for advertising purposes.

4. Right to Data Portability

Californians can request to transmit specific pieces of their data to other parties in machine-readable format, as well as their whole customer history.

5. Right to Data Portability Opt-In Rights for Minors

Businesses need to wait 12 months to ask a minor for consent to use their data for behavioral marketing purposes.

6. The California Privacy Rights Act Timeline

Here are the important CPRA dates to guide you while establishing this compliance:

  • November 3, 2020 - Certification Date;Secretary of State certifies election results
  • November Certification Date + 5 days – B2B and employment exemptions extended; authorization of certain CCPA provisions
  • January 1, 2021 – the CPRA becomes partly operative; all conflicting and subsequent legislations will be blocked
  • July 1, 2021 – rulemaking commences; this may be later depending on when the CCPA notified the Office of the Attorney General (a 6-month window is required)
  • January 1, 2022 – 12-month overview period of the past actions for collected data commences
  • July 1, 2022 – CPPA’s deadline to incorporate final regulations
  • January 1, 2023 – the CPRA becomes fully operative; expiration of employment and B2B exemptions, which then become fully regulated by the CPRA
  • July 1, 2023 – the CPRA will become fully enforceable by the CPPA

Now you can choose to deal with yet another privacy law on your taskboard, or you can hire the most secure and completely CPRA-compliant customer support software out there!