California Privacy Rights Act (CPRA) Compliance: Regulations & Checklist
The California Privacy Rights Act (CRPA), or Proposition 24, is a California voter-led ballot initiative to clarify and strengthen the California Consumer Privacy Act (CCPA). Changes from the CPRA take effect on January 1, 2023, amending the existing California Consumer Privacy Act (CCPA) enacted in 2018. Many organizations operating in California must now comply with the CPRA’s expanded obligations (with some baseline exceptions covered below).
To help simplify the process, we’ve assembled our CPRA compliance checklist.
What is CPRA Compliance?
The California Privacy Rights Act (CPRA) creates new and strengthens existing protections for Californias.
Notably, the CPRA adopts more concepts and more language from the European Union’s General Data Protection Regulation (GDPR). This includes enshrining the GDPR principles of data minimization and collection limitation; explicitly defining sensitive personal information; introducing DPIA style privacy risk assessments; and clarifying that valid consent must freely-given, specific and unambiguous.
CCPA—Before CPRA Amendments
Understanding the CPRA is significantly easier if you’re familiar with the California Consumer Privacy Act. This is because the former largely expands upon and clarifies existing obligations for businesses, and expands the consumer rights established by the latter.
The four primary rights the CCPA granted California residents are:
- Right to know – The right to know what sensitive personal information businesses collect and how it is used or shared, specifically:
- Categories (of data and sources)
- Specific consumer data
- Collection purposes
- Categories of third parties a business may sell the data to
- Categories of data the business may sell to those third parties
- Right to delete – The right to have that collected information deleted, except for cases involving:
- Unverified requests
- Completing transactions, providing anticipated products or services, or facilitating warranties and recalls
- Specific data security practices
- Reasonable internal practices consistent with consumer expectations or collection context
- Legal purposes
- Information exempt from the CCPA (e.g., medical records, credit history)
- Right to opt-out of data “sales”– The right to prohibit the sale of the consumer’s personal information, or PII data, to third parties
- Right to non-discrimination – Businesses cannot discriminate the price or delivery of their goods and services because a California citizen has exercised their CCPA rights
TL;DR: CPRA amends the CCPA; it does not create a separate, new law. As of Jan 1, 2023 the CCPA is ‘as amended’ by the CPRA.
To put it another way, Prop 24 (CPRA) is a voter-led expansion pack that includes:
- Creating a dedicated agency and requiring annual assessment (new) – The CCPA was enforced by California’s Office of the Attorney General. Still, the CPRA establishes California Privacy Protection Agency (CPPA) to oversee enforcement. The new agency will also evaluate and approve the now mandatory annual risk assessment and report that organizations must submit to it.
- Qualifying criteria (updated) – The CPRA applies to for-profit organizations meeting one or more of the following criteria:
- Gross annual revenue of $25 million in the previous year (unchanged)
- Buys, sells, or shares the consumers personal information of 100,000 or more consumers or households (added “shares” and increased the threshold from 50,000 compared to the CCPA)
- 50% or more annual revenue is based on selling or sharing personal information (adds “shares”)
- Establishes “sensitive personal information” (SPI) as a special category (new) – Stricter disclosures, limitations, and opt-in and -out clauses apply to:
- Government IDs (e.g., driver’s license, social security number)
- Financial information
- Precise locations
- Race, religion, and union memberships
- Communication contents
- Genetics and biometrics
- Sexual orientation
- Updates to existing CCPA rights – Some CCPA rights have been updated in the following ways:
- The CCPA elevates employee rights alongside consumer rights.
- The CPRA applies to businesses sharing sensitive personal information, not only those selling it.
- The timeline for disclosing to individuals what personal data was collected has been extended beyond the CCPA’s 12 months in specific circumstances.
- Data deletion consumer requests must be sent by the recipient organization to any third parties they’ve sold the data to or shared with.
- Individuals can now request that specific information is shared with other entities based on their right to receive a copy of their collected data.
- Businesses must observe a 12-month waiting period before re-requesting consent to share or sell a minor’s data.
- New rights within the CPRA – Previously unestablished rights that the CPRA codifies include:
- Right to correct information – Individuals can request that businesses update or fix inaccurate data.
- Right to limit use or disclosure of SPI – Individuals can limit the use and disclosure of SPI to the minimum necessary for standard goods and service delivery.
- Right to access information related to automated decision making – Individuals can request insight into the logic involved in automated processing and the expected outcomes.
- Right to opt-out of automated decision making technology – Individuals can request their removal from having automated decision-making applied to their data.
- Data and collection minimization – Data collection and use (including sharing and selling) must reasonably stick to stated purposes.
- Storage – Businesses cannot retain individuals’ sensitive data longer than is reasonably necessary to fulfill the collection purpose.
- Expansion of individuals’ permitted legal action – Individuals could bring legal action against businesses that failed to implement reasonably expected data security controls under the CCPA. The CPRA adds login credentials to the list of compromised information that can initiate a lawsuit.
CPRA Compliance Checklist
Adjusting to CPRA compliance should be very straightforward for organizations already adhering to the CCPA. The threshold for which organizations are subject to the data privacy laws is extremely similar, and the updates and new additions remain firmly aligned with the CCPA’s current obligations.
Still, we’ve put together a short checklist any organization can follow to better ensure compliance:
- Determine whether the CCPA applies to your organization based on the updated threshold criteria.
- Apply your policies to employee information.
- Build processes for individuals to update their information.
- Add additional information about SPI to your consent forms and other disclosures.
- Adjust policies to reflect changing verbiage (e.g., add “sharing”)
- Build an appeals process for individuals to contest decisions.
- Evaluate third-party partnerships and service provider to ensure those relationships will not complicate CPRA compliance.
- Evaluate automated decision-making processes per the new rights to consumer request information on or opt-out of them.
- Adjust collection and storage to reflect updated minimization, purpose limitation, and storage restrictions.
- Implement an annual risk assessment to comply with updated reporting requirements.
Achieve CCPA/CPRA Compliance with DataGrail
Most service provider organizations shouldn’t face major difficulties implementing the CPRA because of the CCPA similarities. However, compliance efforts are often challenging, and violations quickly become costly. Implementing DataGrail’s privacy platform will simplify the process and streamline ongoing management.
Contact us to find out how data mapping, automated data subject requests, and unified preference management will make your compliance efforts (and life) easier.
Greenberg Traurig. CPRA Full Text. https://cpra.gtlaw.com/cpra-full-text/
International Association of Privacy Professionals. New categories, new rights: The CPRA’s opt-out provision for sensitive data. https://iapp.org/news/a/new-categories-new-rights-the-cpras-opt-out-provision-for-sensitive-data/
Office of the Attorney General of California. California Consumer Privacy Act (CCPA). https://oag.ca.gov/privacy/ccpa