CPRA: An Overview
Passed on November 3, 2020, the California Privacy Rights Act (CPRA) – sometimes referred to as CCPA 2.0 – is a ballot initiative that amends and expands the CCPA. The CPRA takes effect on Jan 1, 2023, and enforcement is expected to begin sometime in the summer or fall of 2023.
Compared to the CCPA, the CPRA aligns more closely with the GDPR. It bolsters the strengths of the CCPA and adds provisions intended to reduce the risk of a sensitive data breach, such as:
- Employee and business contact rights – The CPRA ends exemptions for HR and B2B data. On Jan 1, 2023 employees, contractors and business contacts will enjoy the same level of protection and will be able to exercise all of the same rights as other California “consumers”.
- Expanded opt-out requests – The CCPA made it possible for California residents to opt out of data “sales”. The CPRA closes a loophole in the CCPA’s Do Not Sell provision by including an explicit right for Californians to opt out of having their data “shared” with providers of cross-context behavioral advertising. In other words, California consumers will have the right to stop their data from being collected and shared across the complex targeted advertising ecosystem.
The CPRA provides additional protection to consumers by explicitly defining “sensitive personal information” and granting the right to limit its use and sharing, with few exceptions. Sensitive data includes precise geolocation, financial account numbers combined with login information, social security numbers, and email contents, among other kinds of high-risk data.
The California Privacy Protection Agency
Perhaps the most distinctive change already implemented by the CPRA is the creation of a brand-new administrative agency, the California Privacy Protection Agency. As the first-ever state agency dedicated solely to privacy, the organization is responsible for enforcing and regulating privacy laws for Californians and for making additional rules and guidelines under the CPRA.
The California Privacy Protection Agency is governed by a five-member board. Board members are elected and assisted by an executive director. This board will largely influence which parts of the law will be enforced on which companies. The CPRA has funding allocated towards the agency, including an appropriation of $5 million in 2021 and $10 million each year after.
Rulemaking will be a primary part of the agency’s role in the future. The CPRA requires regulations to be adopted in 22 areas—including 15 not originally identified in the CCPA. These will need to be fully fleshed out by the new agency before the requirements are completely specified.
In addition to rulemaking and enforcement, the agency will have several other functions, including:
- Privacy rights education and awareness
- Advisement for consumers and businesses
- Cooperation with agencies and collaboration with other states that enforce privacy laws
- Advisory on new privacy-related regulation
CCPA vs CPRA: Who is Subject?
A business falls within the scope of the CCPA statute if one or more of the following applies:
- Has in excess of $25 million in annual gross revenue
- Buys, receives, sells, or shares the personal data of 50,000 or more consumers
- Derives 50% or more of its annual revenue from selling or sharing personal data
The CPRA, on the other hand, modifies these thresholds. A business falls under its purview if it:
- Has in excess of $25 million in annual gross revenue
- Buys, receives, sells, or shares the personal data of 100,000 or more consumers
- Derives 50% or more of its annual revenue from selling or sharing personal data
The CPRA updates, expands, and amends 2018’s California Consumer Privacy Act (CCPA), and, like most regulations, it contains many nuances in which it is easy to get bogged down. Compared to the CCPA, the CPRA aligns more closely with the GDPR. It includes employees, contractors and business contacts as “consumers” (data subjects) and grants Californians additional rights to limit how businesses handle and share their data, beyond the requests allowed under the CCPA.
It also introduces European-style data minimization, use limitation and risk mitigation obligations (we’ll cover more on this later). The CPRA also clarifies which businesses are covered under the California regime. Despite the CPRA moving protections closer to Europe’s, its requirements diverge from the GDPR’s in a number of important ways, and so the regime remains uniquely Californian.
The Birth of the CPPA – A Regulatory Agency
One of the biggest changes already implemented by the CPRA is developing a European-style data protection authority – the Consumer Privacy Protection Agency – to create rules, issue guidelines, and enforce the CPRA.
Most companies have already sought to comply with the GDPR and/or the CCPA, putting them on the right track for CPRA readiness. However, being on the right track does not mean being automatically compliant. The challenge remains in the details.
For one, the CPRA moves past the CCPA, and the Agency is tasked with issuing new implementing regulations. For another, California-specific nuances mean that GDPR-aligned companies will need to mind the definitional and operational differences.
As the CPPA ramps up, the differences – but perhaps also the similarities – will come into clearer focus.
Consumer Privacy Protection Agency
The CPPA is a new state-run agency devoted to implementing and enforcing the CPRA using powers similar to those of Europe’s Data Protection Authorities. It is separate from the Office of the Attorney General, which is tasked with enforcing the CCPA.
Opt-Out Expands to Include Data Sharing
When the CPRA goes into effect, many more organizations will be required to give consumers the ability to opt out of third-party sales and of sharing for “cross-context behavioral advertising”. One of the many criticisms advocates levelled at the CCPA was that it only enabled an opt-out for the selling of personal data, not for sharing it.
Companies like Facebook took advantage of this lack of clarity and did not offer users the option to opt out of their data being shared.
CCPA vs CPRA: Consumer Requests
Further improving upon standards set by the CCPA, the CPRA broadens the range of information that consumers can request from businesses. Under the CPRA, consumers can request five primary kinds of information from companies that collect and store their personal data. These include:
- Categories of personal information – Consumers have the right to know what kind of personal data may be collected from various organizations, including race or ethnicity, citizenship status, and religious beliefs.
- Categories of collection sources – CPRA allows consumers to request information regarding where their personal data was harvested.
- Collection purpose – Consumers have the right to request information from businesses on the business’s purpose for collecting, selling, or sharing personal information.
- Third-party access – Consumers have the right to know the categories of third parties to whom the business discloses personal data.
- The specific information collected – Under the CPRA, consumers have the right to know what specific personal data businesses are collecting.