California replaced the CCPA by enacting the California Privacy Rights Act (“CPRA”). The CPRA amends the California Consumer Privacy Act (“CCPA”). Lazarus Alliance will coordinate directly with your organization to schedule your California Privacy Rights Act (CPRA) assessment. Our assessors will help identify the level of the certification based on your company’s specific business requirements.
The important parts are:
- Businesses will be required to comply with the new regulation if they serve California residents and have at least $25 million in annual revenue.
- Businesses that derive 50% or more of their annual revenues from selling or sharing consumers’ personal information.
- Businesses that are categorized as a “third-party vendors” and “service providers” under the CCPA, the CPRA now adds “contractor” as a distinct class of regulated entities.
- Businesses of any size that have personal data on at least 100,000 people or that collect more than half of their revenues from the sale of personal data.
To support enforcement of CPRA, California created the California Privacy Protection Agency (“Privacy Agency”). The Privacy Agency will have the full administrative power, authority, and jurisdiction to implement and enforce the CCPA and CPRA. The agency is empowered to impose a fine of $2,500 for each violation of the CPRA or $7,500 for each intentional violation or each violation involving a minor. Prior to this act, the CCPA was being enforced by the California Office of the Attorney General.
The CPRA eliminates the CCPA’s 30-day notice and cure provision, but the Privacy Agency has discretion to provide a business with a time period in which to cure the alleged violation and taking into consideration a lack of intent to violate the CPRA and voluntary efforts to cure the alleged violation prior to being notified of a complaint.
Talk with one of our Cybervisors™
Just the facts
What is a Covered Business?
The CPRA modifies the CCPA’s definition of “business,” changing which entities are covered. On the one hand, the CPRA increases the CCPA collection threshold from 50,000 consumers or households to 100,000, and it removes devices from this count. This change will provide relief for small businesses. On the other hand, the CPRA expands coverage to include entities that derive 50% or more of their annual revenues from selling or sharing consumers’ personal information are now covered, regardless of whether they receive monetary compensation. While the act of sharing consumer personal information has been added, the 50% threshold remains unchanged. Other changes include joint ventures or partnerships and self-certifying entities.
Finally, in addition to the categories of “third-party vendors” and “service providers” under the CCPA, the CPRA adds “contractor” as a distinct class of regulated entities. A contractor is a third party to whom the business makes consumer personal information available to for business purposes. As with service providers, contractors must now enter into a written contract and agree to take appropriate steps to protect covered electronic data.
What is Sensitive Personal Information?
One of the most significant changes from the CCPA is the creation of a new classification of personal information—sensitive personal information. This is a subcategory of PI that includes:
- Social Security, driver’s license, state ID, or passport numbers
- Financial account information
- Precise geolocation
- Racial of ethnic origin
- Sex life or sexual orientation
- Religious or philosophical beliefs
- Union membership
- Nonpublic communication
- Genetic, biometric, and health data
Collection of sensitive personal information requires additional disclosure, opt-out, and use requirements. The distinct treatment includes granting consumers the right to limit disclosure and use of sensitive personal information except as necessary to perform the services. Companies must provide a link on their website titled “Limit the Use of My Sensitive Personal Information” in addition to the CCPA’s required opt-out link so that consumers may exercise this right.
What are the New and Expanded Consumer Privacy Rights?
The CCPA extended rights to California residents that went far beyond existing consumer privacy rights in the US: the right to know, the right to access, the right to delete, and a private right of action with statutory damages. The CPRA expands some of these rights and adds new ones.
- Expanded Right to Know/Right to Access. The CPRA expands this right beyond the CCPA’s normal 12-month look-back period as long as doing so is not “impossible” or does not involve a “disproportionate” effort. The CPRA expands the CCPA’s requirement to provide the categories of third parties to whom it discloses personal information to include the categories of service providers and contractors to whom it discloses information.
- Expanded Right to Delete. The CCPA allows California residents the right to request that a business delete their personal information if it is no longer needed to fulfill one of the statutory purposes. The CPRA expands this right, requiring businesses to send the request to delete to third parties that have bought or received the consumer’s personal information, so that all parties must comply with the request.
- Right to Opt-Out. The CCPA allows consumers the right to opt-out of businesses selling their data to third-parties. The CPRA expands this right to include the sharing of personal information, in addition to selling. Businesses now must provide notice to consumers when their information will be shared and also notify them of their right to opt-out.
- Opt-in Rights for Minors. The CCPA requires businesses to obtain opt-in consent to sell the personal information of a California minor under the age of 16. The CPRA expands this right, mandating that businesses wait 12 months before asking a minor for consent in selling or sharing their personal information after the minor has declined.
In addition to expanding several CCPA rights, the CPRA also introduces several new consumer privacy rights:
- Right to Correct Information. California consumers now have the right to request that a business correct any inaccurate personal information.
- Right to Limit Use and Disclosure of Sensitive PI. California consumers now have the right to limit the use and disclosure of sensitive personal information to uses necessary to perform services or provide goods reasonably expected by an average consumer. Service providers and third parties are also required to adhere to this limitation.
- Right to Access Information About Automatic Decision Making. Like the GDPR, consumers now have the right to access information about how companies use automated decision-making technology. The CPRA allows consumers the right to opt-out of any automated decision-making processes.
- Right to Data Portability. California consumers now have the right to request that businesses transfer personal information to another entity, to the extent it is technically feasible.
What are the Adoption of Certain GDPR Principles?
The CPRA has codified the following GDPR-inspired provisions:
- Data Minimization. The CPRA restricts personal information collected by businesses to that which is “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected.” This section also prevents companies from avoiding CPRA obligations by sending personal information out of state or through third parties, contractors, or service providers. When a business collects personal information and passes it on to another entity for a business purpose, the CPRA also requires an agreement to be entered into that specifies the limited purposes of the given personal information. The receiving parties also must comply with the CPRA obligations and provide the same level of privacy while the information-sharing business is allowed to take reasonable steps to help ensure that the information is transferred appropriately.
- Purpose Limitation. The CPRA allows businesses to collect personal information only for “specific, explicit, and legitimate disclosed purposes” that are disclosed in advance to consumers.
- Data Retention Limitation. The CPRA contains data retention limitations that, like the GDPR, require that businesses disclose to consumers “the length of time the business intends to retain each category of personal information or if that is not possible the criteria used to determine such period . . . .”
- Reasonable Security. The CPRA expressly addresses security and security breaches, which is another GDPR-inspired provision. If a business violates its duty to implement and maintain proper security procedures and practices than consumers may have a civil action to recover damages, injunctive or declaratory relief, or any other relief the court deems proper.
What is the Private Right of Action?
The CPRA’s expansion of the private right of action is arguably one of the most important provisions for businesses, given the recent rise in data breaches. The CCPA gives California consumers the private right to take legal action if their nonecrypted or nonredacted personal information becomes exposed because a business failed to implement reasonable security measures. The CPRA expands that private right of action to include unauthorized access to email addresses and passwords or security questions.
These are just a few of the changes the CPRA is making to the world of data and privacy compliance. Although all aspects of the CPRA do not take full effect until January 1, 2023, companies that do business in California should start laying the internal groundwork for CPRA compliance throughout the course of 2021 and 2022.
To prepare for the CPRA, organizations can take proactive steps such as:
- Determine If You Are Subject To The CPRA. Some businesses that were not subject to the CCPA will be impacted by the CPRA, and vice versa.
- Consumer Requests: Businesses should ensure they have sufficient internal processes for handling consumer requests and identify how to expand such processes to enable consumers to exercise new and expanded rights under the CPRA.
- Update Privacy Policies. Businesses should review and consider what updates should be made to their initial collection notice and website privacy notice to reflect new requirements, including those regarding sensitive personal information and the new/expanded rights.
- Data-Mapping and Audits. Businesses should consider conducting a data-mapping exercise to identify the types of data the organization stores, how it flows throughout the organization, who has access to the data, and the impact of a potential breach.
- Review agreements with third parties. Businesses should audit agreements with third parties to determine whether a data protection addendum is needed to bring the agreement into compliance with the CPRA.
Finally, it is important to remember that the CCPA is still very much in effect and will remain so until 2023. In the meantime, Lazarus Alliance is ready to help your company ensure compliance with the CCPA and CPRA.
Benefits to working with Lazarus Alliance ...
We work smarter, not harder, to drive down your costs by giving you access to Continuum GRC's ITAM application, the number one ranked CCPA-ready SaaS GRC audit software solution. This solution is the only assessment application tailor-made for the CPRA and CCPA.
With years of experience working with our clients for our clients, not against them with scope-creep and annual price hikes.
Proactive not Reactive
We work with our CPRA and CCPA clients proactively throughout the year to help prevent threats to your compliance program.
With the time and expense required to remain compliant, you don't want to risk a compliance exposure that would drive up your costs and invalidate your valuable attestation.
Start to Finish in Record Time
Our proven CPRA and CCPA assessment approach and technology dramatically improves the completion process. We average a huge 46% reduction in the traditional assessment time due to our critical path methodology, proactive philosophy and usage of the Continuum GRC ITAM platform, you have 24/7 access allowing everyone to get-in-and-get-out quickly.
Talk with one of our experts
Our Lazarus Alliance Cybervisor™ teams have experience performing thousands of assessments for organizations providing services to clients around the world.