The California Consumer Protection Act (CCPA) was a landmark law passed in California to support data privacy and consumer rights. As time has marched onward, new technologies and insights from stakeholders have introduced new approaches to the challenges addressed by CCPA. That’s why Proposition 24, the California Privacy Rights Act (CPRA), was drafted and passed into law.
With the provisions of CPRA set to become operative on January 1, 2022, businesses must understand the shift from CCPA to CPRA.
What Are the Regulations of CCPA?
The CCPA somewhat resembles the General Data Protection Regulation (GDPR), a set of EU laws dictating information security and consumer protections. GDPR is known for being perhaps one of the most consumer-focused laws globally, with strict regulations on privacy and data ownership and significant penalties for non-compliance.
CCPA uses some of the same approaches to privacy and security, with privacy and data ownership serving as the main distinctions between CCPA and other U.S. data laws.
Some of the major provisions of CCPA include the following:
- CCPA applies to for-profit businesses in any part of the world that sell the personal information of more than 50,000 California residents per year, derive more than 50% of their annual revenue from such sales, or derive gross yearly income of over $25M from such activity.
- CCPA also applies to companies that share common branding with a company regulated under CCPA. “Common branding” is when brands collaborate on a product or service under a shared banner containing both brand names.
- Consumers can “opt out” of having regulated businesses sell their personal information to third parties. Organizations must provide opt-out mechanisms that are easy to see, understand and execute. This rules out complex opt-out procedures, imposing lengthy terms or services after consumers have opted out of information sales, using double negatives to confuse consumers, or collecting excessive information as a condition of opting out.
- Consumers can request disclosure and deletion of all data collected and stored by regulated businesses.
- Regulated businesses are prohibited from adjusting prices based on the exercise of CCPA rights.
CCPA serves as a sort of middle ground between U.S. and EU laws. GDPR creates barriers for businesses to reach across before collecting and using data. CCPA opens doors for California consumers to exercise their data rights.
What is the CPRA?
The California Privacy Rights Act was passed into law in November 2020 as part of Proposition 24. The CPRA amends and expands the CCPA to strengthen consumer rights.
Some of the additions that the CPRA implements include the following:
- Establishes the California Privacy Protection Agency (CPPA) as the supervisory agency for CPRA. The CPPA is responsible for enforcing the regulations in the state of California.
- Changes the definition of a regulated business. Under CPRA, a regulated business is one with $25 million in annual revenue, one sharing or selling the personal information of 100,000 or more consumers, or one deriving 50% of its revenue from such sales. Notably, this raises the threshold based on the information-sales metric, so some smaller companies may no longer fall under CPRA jurisdiction.
- Introduces the category of Sensitive Personal Information (SPI). Similar to Article 9 of GDPR, the designation of SPI may call for businesses to implement stricter security and privacy controls, including updated disclosure requirements, limitation of processing capabilities, updated opt-out requirements and additional opt-in requirements.
- Integrates GDPR principles. The new principles integrated into CPRA include data minimization (a business may only collect or use information reasonably necessary for direct business purposes), purpose limitation (businesses may only collect data for specific, stated business purposes and no others) and storage limitation (businesses may only keep information for a period reasonable for their stated business need).
- Expands the rights of consumers to take legal action against businesses for data breaches arising from non-compliance or a lack of security measures.
- Modifies consumer rights. CPRA adjusts five key privacy rights outlined in the CCPA.
This final item is significant because it aligns the new law more with GDPR than with U.S. law. These rights include:
- Right to Opt-Out of Third-Party Information Sales and Sharing: Under CCPA, consumers could only block the sale of their information to third parties. CPRA expands this to any form of sharing as well.
- Right to Know: CPRA expands the reach of the CCPA’s Right to Know from information collected in the previous 12 months to information collected beyond that window, depending on the data type.
- Right to Delete: CPRA requires a business to forward any request to delete information to every third party to which it has sold or shared that information. Those third parties must also comply with the deletion request.
- Right to Data Portability: At the consumer’s request, businesses must transfer collected and stored data to other third parties by feasible means.
- Laws for Minors: In addition to requiring opt-in consent for the sale of information relating to a minor under 16 years of age, a business must wait at least 12 months before asking again for permission after an initial denial.
How Are Businesses Preparing for CPRA?
With the law taking effect on January 1, 2022, businesses under its jurisdiction are looking for ways to maintain compliance.
There are a few steps that businesses can take to address compliance and privacy issues:
- Map their data to identify personal information and recorded consent, and determine what falls under the scope of CPRA.
- Further, catalog potential SPI and understand any additional requirements your organization may face in using it.
- Audit third-party and vendor relationships. You can be liable not only for the sale of personal information but also for sharing it.
- Review and update all privacy notices on websites, data collection items and marketing materials.
Audit Security and Privacy Infrastructure with Lazarus Alliance
Privacy and security are going to be major topics of discussion for California businesses falling under new CPRA regulations. Lazarus Alliance provides advanced security and privacy audits and support for new regulatory requirements, operated by experts with extensive experience in CCPA and GDPR compliance. Discover Lazarus Alliance privacy services and compliance support or contact us now to get started planning your CPRA strategy.
Call Lazarus Alliance at 1-888-896-7580 or fill out this form.