The California Privacy Rights Act (CPRA) will go into effect on January 1, 2023. The CPRA will amend existing provisions by creating new and expanded rights for California consumers and increasing obligations on businesses. It also establishes the California Privacy Protection Agency to implement and enforce the law.
What Is CPRA?
The California Consumer Privacy Act (CCPA), the first data privacy law in the US, took effect on January 1, 2020. The California Privacy Rights Act (CPRA) was approved by a majority of voters after appearing on the ballot for the general election on November 3, 2020. It will take effect on January 1, 2023, and applies to information collected on or after January 1, 2022.
The CPRA will not replace the CCPA but strengthens the existing framework by including additional privacy protections for consumers. Read the full text of the proposed CPRA on the California Legislative Information website.
The key changes in the CPRA compared with the CCPA fall into the following areas:
- Expanded consumer rights
- Increased obligations on businesses
- New definitions
- Enforcement of the law: California Privacy Protection Agency.
California Privacy Protection Agency (CPPA)
While the CCPA is presently enforced by the California Office of the Attorney General, the CPRA establishes a new enforcement agency, the California Privacy Protection Agency (CPPA). The CPPA will have investigative, enforcement, and rule-making powers. It will have full administrative power, authority, and jurisdiction to implement and enforce both the CCPA and the CPRA.
How to Comply With CPRA?
To comply with the CPRA, you should follow both the above-mentioned CCPA and CPRA requirements. In particular, you should keep in mind the following aspects:
Perform a personal data inventory to find out what types of information you collect and whether you collect sensitive personal information. Identify the businesses you share data with and what data is transferred to them.
Review your agreements with service providers, contractors, and third parties and ensure that they have adequate data privacy provisions according to the latest privacy requirements under the CPRA.
Update your Cookie Banner notices. You should disclose if you sell or share personal information, and provide the details of the service providers, contractors, and third parties you share the data with. Disclose if you collect and process sensitive personal information, and how and for what reasons you collect and process this information. Indicate how long you will keep each category of personal information collected.
Add new opt-out links on your website. Add the links “Do not sell or share my personal information” and “Limit the use of my sensitive personal information” and display them on the website’s homepage. It is also recommended to add “a single, clearly-labeled link” that combines both of the above-mentioned links.
- Disclosures regarding personal information and sensitive personal information
- Disclosure of how to access, change, or delete personal information
- Method for opting out of the selling or sharing of personal information
- Consent notice for minors (13-16 years) and children under 13 years (consent from parents).
Provide a method for receiving consumers' requests. Under the CPRA, consumers have the right to be informed about the personal information collected about them. The CPRA requires businesses to have at least two methods for consumers to submit such requests. You can create web request forms, or provide a phone number or an e-mail address for consumers to make requests. Ensure that these request methods are easily accessible and displayed on your website or privacy page.