California’s role as the leading state in the United States in consumer data privacy protections will become more solidified in 2023 as the California Privacy Rights Act (CPRA) takes effect.
As this legislation builds upon the data privacy protections first enshrined by the California Consumer Privacy Act of 2018 (CCPA), most businesses already complying with current regulations are well-positioned to make adjustments with minimal effort. However, there are still some notable differences that are critical for businesses to understand.
In this article, we’ll break down these differences, what they mean, and what businesses need to do between now and the CPRA effective date of January 1, 2023, to remain compliant.
The California Privacy Rights Act—2023 Effective Date
A majority of California consumers approved the California Privacy Rights Act—also known as Proposition 24—as a ballot measure in 2020. The CPRA will go into effect on January 1, 2023, but because of pre-existing regulations, most businesses would already find themselves partially compliant if it became active today.
To understand why, we need to look at a piece of landmark legislation passed two years before the CPRA showed up on California voters’ ballots.
The California Consumer Privacy Act of 2018
Any discussion of the CPRA is incomplete without its immediate predecessor, the CCPA. Wondering about the difference between the CCPA and the CPRA? The CPRA primarily adds to and expands upon the rights the CCPA first codified. As a result, the California Privacy Rights Act is sometimes referred to as “CCPA 2.0.”
While California has previously enacted other data privacy legislation—such as the California Online Privacy Protection Act (CalOPPA) and data breach reporting requirements—the CCPA was the first law of its kind passed in the US. The protections it codifies and its scope are largely influenced by those in the European Union’s General Data Protection Regulation (GDPR).
Like the GDPR, the CCPA doesn’t apply based on where a company is located but, rather, who it does business with—specifically, California residents. And what made CCPA compliance so different from prior federal or state legislation is the establishment of six specific consumer rights regarding personal data:
- The right to know – Consumers may request from businesses an inventory of personal information collected, including:
  - The broader data categories the information belongs to
  - The categories of the information’s source
  - Why the information was collected
  - The categories of the third parties with which the business has shared the data
  - The specific pieces of information collected about a consumer
- The right to delete – Consumers may request that a business delete their personal information, with exceptions.
- The right to opt-out – Consumers may deny businesses permission to sell their personal information to third parties at any time (i.e., “opting out”).
- The right to non-discrimination – Consumers cannot be punished or discriminated against for having exercised any of their rights established in the CCPA with:
  - Pricing changes
  - Denial of goods or services
  - Suggestions or threats of either such discrimination
- The right to opt-in – Consumers under the age of 16 must provide their consent before businesses can sell their personal information. If a consumer is under the age of 13, this consent must be given by their parent or guardian.
- The right to pursue legal action – Consumers may file lawsuits against businesses that have suffered a data breach if the implemented security controls and practices were insufficient to protect their personal information.
What Changes to California Privacy Protections Does the CPRA Establish?
With the CCPA in effect for a few years now, consumers, legislators, enforcers, and other stakeholders have seen in practice where it can be improved and have drafted regulations to better serve its purpose. The CPRA adopts these changes, making both new additions and revisions.
First and foremost, California employees, contractors, and business contacts will enjoy the same full set of rights as other “consumers.” When the CPRA takes effect on January 1, 2023, (most) businesses currently subject to compliance must adapt their processes and policies accordingly. And they need to do so starting now, because the consumer rights within the CPRA implement a retroactive “lookback period” that now also applies to HR and B2B data.
However, it’s unlikely that businesses not currently subject to the CCPA’s scope will suddenly find themselves so overnight. Instead, a few may even find their obligations removed. This is because, while the CPRA does increase the rights and protections afforded to California residents, the compliance thresholds will be (mildly) relaxed.
Additions to the CCPA’s Rights
CPRA regulation makes the following additions to CCPA protections and rules:
- New consumer rights – The original six consumer rights have been strengthened and added to, and now protect California residents with:
  - The right to correction – If consumers determine that the personal information collected by businesses is inaccurate, they may submit a request to have it fixed.
  - The right to data portability – In addition to requesting deletion, consumers will soon be able to ask businesses to transfer their personal information to other entities.
  - The right to access information about automated decision-making – Consumers will be able to request information about any “profiling” and processing activities that businesses conduct via automation, such as artificial intelligence, including profiling of work performance, financial standing, health, and behavior.
  - The right to opt-out of automated decision-making – If consumers don’t want businesses to process their collected information via automated decision-making, they’ll be able to opt out of it.
- What personal information deserves stricter protections – The CPRA’s definition of personal information (which brings the notion of personally identifiable information (PII) closer to the GDPR’s) will establish a more-protected tier: “sensitive personal information” (SPI). The data SPI covers poses a greater risk of identity theft, reputational damage, physical harm, and similar consequences if exposed. It includes:
  - Forms of government identification, such as Social Security numbers, driver’s licenses, and passports
  - Financial data, such as account credentials and credit or debit card numbers
  - Geolocation data, or the precise geographic location of persons or objects
  - Private communications and message content
  - Membership in religious or philosophical groups or unions
  - Biometric identification data
  - Health information, similar to any that would be protected under HIPAA
  - Individuals’ racial or ethnic identities
  - Individuals’ sexual orientation
- Data minimization – Taking further cues from the GDPR, the CPRA will soon require businesses to adopt data minimization policies, meaning that their collection and processing of personal information must be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.”
These new additions to the current California privacy regime will place some increased burden upon companies’ data management practices, but the most impactful will be those related to automated decision-making and data minimization. For example, many companies currently rely on AI for analysis but may soon lose individuals’ consent to do so. This may further inhibit their activities by limiting the purposes for which collected data can be used.
Updates to the CCPA’s Rights
When the CPRA takes effect on January 1, 2023, businesses currently subject to compliance must also adhere to the following changes to the CCPA:
- Updated consumer rights – Changes to existing California privacy laws include:
  - The right to know – The CCPA requires businesses to answer any received requests for what personal information they collected from individuals over the previous year (to date). The CPRA removes this “lookback period,” which means that all information collected on or after January 1, 2022, will be subject to requests unless it would be “impossible” or require “disproportionate effort.”
  - The right to opt-out – Whereas the CCPA only specified that consumers have the right to opt out of businesses selling their personal information to third parties, the CPRA allows consumers to also deny sharing this data with providers of “cross-context behavioral advertising” (meaning adtech and related analytics providers).
  - The right to delete – When consumers submit requests for the deletion of their personal information after January 1, 2023, it will have farther-reaching consequences. Businesses will be obligated to forward that notice to any third-party entities to which they’ve sold or shared any California resident’s information so that those entities also comply with the request.
  - The right to opt-in – If consumers under the age of 16 don’t give their consent to have their personal information collected, businesses are prohibited from asking permission again for a minimum of 12 months.
- Who enforces the law – Under the CCPA, violation reporting, investigations, enforcement, and rulemaking were conducted by the state’s Office of the Attorney General. The CPRA established the dedicated California Privacy Protection Agency (CPPA)—the first of its kind in the US—and its five-member board to assume these administrative enforcement responsibilities. The AG will retain civil enforcement powers and will coordinate activities with the CPPA.
- Who must comply – Under the CPRA, for-profit companies operating in California or doing business with California residents are subject to the law if they meet any of the following criteria:
  - Posts a gross revenue of $25 million or more in the previous calendar year
  - Buys, sells, or shares (in any combination) the personal information belonging to 100,000 or more individual consumers, households, or devices
  - Earns at least 50% of its revenue from selling or sharing consumers’ personal information
- Violation penalties – The original fines of $2,500 per violation and $7,500 per intentional violation are upheld under the CPRA, but all instances of noncompliance involving consumers under 16 will soon be assessed the larger penalty.
In practice, these additions will primarily affect third-party service providers and contractors who were previously able to avoid requests for deletion. Moving forward, contracts will explicitly define the personal information that third parties can (temporarily) store and what they may do with it. Any changes to agreed-upon practices will require new contracts.
Ensure CPRA 2023 Compliance with Datagrail
Achieving CPRA compliance on January 1, 2023, won’t be too difficult for businesses already adhering to the CCPA. However, as legislation enacting a seismic shift for recent business practices, the CCPA already presents significant challenges for companies and their data management.
But CPRA compliance doesn’t need to shake your business to the core when you partner with Datagrail. Our platform’s Live Data Map will help keep your collected data organized, transparent, and in compliance with all CPRA requirements.
Contact us today to start preparing now for the California Privacy Rights Act. 2023 is coming soon.