The California Privacy Rights Act (CPRA) will go into effect on January 1, 2023. The CPRA will amend existing provisions by creating new and expanded rights for California consumers and increasing obligations on businesses. It also establishes the California Privacy Protection Agency to implement and enforce the law.
Differences Between CCPA and CPRA
The new California state privacy law clarifies and amends existing provisions of the California Consumer Privacy Act (CCPA), includes additional privacy protections for consumers, creates additional obligations on businesses that collect California consumers' personal data, and creates a new enforcement agency called the California Privacy Protection Agency.
Expanded rights for California Consumers
The new rights under the CPRA are the following:
Right to correction. California consumers can request correction of their personal data held by a business if that data is inaccurate.
Right to opt out of automated decision-making technology. California consumers may request to opt out of a business's use of automated decision-making technology, including profiling, in connection with decisions relating to matters such as their economic situation, health, personal preferences, interests, behavior, geolocation, racial or ethnic origin, or religious or philosophical beliefs. The precise scope of this right is left to regulations the new agency is directed to issue.
Right to access information about automated decision-making. California consumers may request meaningful information about the logic involved in such decision-making processes, as well as a description of the likely outcome of the process with respect to the consumer.
Right to opt out of sharing of personal information. California consumers may direct a business not to share their personal information with third parties for cross-context behavioral advertising, that is, advertising targeted on the basis of the consumer's activity across businesses, websites, applications and services other than the one the consumer is intentionally interacting with.
Right to limit the use and disclosure of sensitive personal information. California consumers may direct a business to limit its use and disclosure of their sensitive personal information to what is necessary to perform the services or provide the goods they requested. Sensitive personal information covers: a consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to the account; social security number, driver's license, state ID card, or passport number; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a consumer's mail, email, and text messages unless the business is the intended recipient of the communication; genetic data; biometric information processed to uniquely identify a consumer; personal information collected and analyzed concerning a consumer's health; and personal information concerning a consumer's sex life or sexual orientation.
Rights for children. A business must obtain affirmative (opt-in) consent before selling or sharing the personal information of a consumer under 16: from the consumer if aged 13 to 15, and from a parent or guardian if the consumer is under 13. Consent must be freely given, specific, informed, and unambiguous.
Right to data portability. California consumers can request that a business transmit their personal information, or specific pieces of it, to another entity. The CPRA requires that the data be provided in an easily understandable format and, to the extent technically feasible, in a structured, commonly used, machine-readable format that can be transmitted to another entity without hindrance.
The right to know, the right to delete, and the right to opt out of the sale of personal information carry over from the CCPA. The CPRA extends the opt-out right so that it covers the sharing of personal information as well as its sale.
Increased obligations on businesses
Like the CCPA, the CPRA applies to for-profit businesses that do business in California, collect personal information from California consumers, and meet certain thresholds. A business falls under the CPRA if it satisfies at least one of the following criteria (the corresponding CCPA thresholds are given for comparison):
- The business had annual gross revenues above $25 million in the preceding calendar year. In comparison, the CCPA applies to a business with annual gross revenues above $25 million, without reference to the preceding calendar year.
- The business annually buys, sells, or shares the personal information of 100,000 or more consumers or households. In comparison, the CCPA applies to a business that buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices for commercial purposes.
- The business derives 50% or more of its annual revenue from selling or sharing consumers' personal information. In comparison, the CCPA threshold counts only revenue from selling consumers' personal information.
The CPRA adds data minimization and purpose limitation obligations: a business's collection, use, retention, and sharing of personal information must be reasonably necessary and proportionate to the purposes for which the information was collected or processed, or to another disclosed purpose that is compatible with the context of collection, and the information must not be further processed in a manner incompatible with those purposes.
The CPRA also imposes new requirements regarding the contractors and third parties to which a business sells, shares, or otherwise makes available personal information. The law mandates additional provisions on the collection and use of personal information that businesses must include in their contracts with service providers, contractors, and third parties. Upon a deletion request from a consumer, a business must pass the request on not only to its service providers but also to its contractors and to the third parties to which it has sold or shared the information.
New obligations for websites
There are also new requirements for websites:
- Under the CPRA, websites will have to provide a link titled “Do Not Sell Or Share My Personal Information”, instead of “Do Not Sell”, which was required under the CCPA.
- Under the CPRA, websites will have a new requirement to provide a link titled “Limit The Use Of My Sensitive Personal Information”.
The CPRA also allows a business to provide instead "a single, clearly-labeled link" that lets a consumer exercise both of the above-mentioned rights.
New Definitions of The CPRA
The CPRA provides these new definitions or expands the previous ones:
Sensitive personal information. The CPRA introduces "sensitive personal information" as a new category of personal information, which includes:
- Social security, driver's license, state ID, or passport number
- Account log-in, financial account, debit card, or credit card number in combination with any required password, security, or access code
- Precise geolocation
- Racial or ethnic origin, religious or philosophical beliefs, or union membership
- Contents of mail, email, or text messages, unless the business is the intended recipient
- Genetic data
- Biometric information processed to uniquely identify a consumer
- Personal information collected and analyzed concerning a consumer's health
- Personal information concerning a consumer's sex life or sexual orientation
Contractor. The CPRA introduces a new term, the contractor, defined as a person to whom the business "makes available a consumer's personal information for a business purpose pursuant to a written contract". The contract must include a certification that the contractor understands the CPRA's restrictions and will comply with them, and a contractor that can no longer meet its obligations must notify the business.
Third party and service provider. A service provider is "a person that processes personal information on behalf of a business" for a business purpose under a written contract. A third party is anyone other than the business with which the consumer intentionally interacts (and which collects personal information from the consumer as part of that interaction), a service provider, or a contractor.
Sharing. Under the CPRA, sharing means disclosing, making available, transferring, or otherwise communicating a consumer's personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
Profiling. Profiling is defined as any form of "automated processing" of personal information used to evaluate certain personal aspects of a natural person, in particular to analyze or predict that person's "performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements".
How to Comply with the CPRA?