Data privacy is a growing concern for consumers and a critical issue for businesses. With the constant collection of personal information online, ensuring privacy and protecting sensitive data has become a key regulatory focus around the world. In the U.S., one of the most influential pieces of legislation addressing this issue is the California Privacy Rights Act (CPRA).

The CPRA, which builds on the California Consumer Privacy Act (CCPA), represents a significant expansion of data privacy protections for California residents and imposes stricter requirements on businesses. Signed into law in November 2020 and taking full effect on January 1, 2023, the CPRA has broad implications not just for businesses operating in California, but for any company that handles the personal data of California residents. In this post, we will break down what the CPRA is, how it differs from the CCPA, and what both businesses and consumers need to know about this important law.

What is the CPRA?

The California Privacy Rights Act (CPRA) is a state law that enhances and expands upon the California Consumer Privacy Act (CCPA), which was the first comprehensive privacy law in the U.S. The CCPA, enacted in 2018, gave California residents new privacy rights over their personal information, allowing them to access, delete, and opt out of the sale of their data. The CPRA takes these protections further by introducing new rights, increasing transparency, and establishing stricter rules around data handling.

The CPRA is often referred to as “CCPA 2.0” because it builds on the foundation laid by the CCPA, but with more stringent provisions and greater accountability for businesses. It also creates the California Privacy Protection Agency (CPPA), the first dedicated privacy enforcement body in the United States, to oversee compliance and enforce the law.

Key Changes Introduced by the CPRA

While the CPRA keeps many of the core provisions of the CCPA, it introduces several important changes that enhance consumer protections and increase obligations for businesses. Here are some of the most significant updates:

1. Creation of New Privacy Rights for Consumers

The CPRA introduces new rights for California residents, including:

  • The Right to Correct Inaccurate Personal Information: Consumers can request that businesses correct inaccurate personal data they have collected.
  • The Right to Limit the Use of Sensitive Personal Information: Consumers can restrict the use of sensitive personal information, such as race, health information, and precise geolocation data, to only necessary purposes.
  • The Right to Opt-Out of Automated Decision-Making: The CPRA adds protections around automated decision-making processes, giving consumers the ability to opt out of certain profiling practices.

2. Expanded Definition of Personal Information

The CPRA broadens the definition of sensitive personal information to include categories like race, religion, sexual orientation, health data, genetic information, and precise geolocation. This sensitive data is subject to stricter handling rules, and businesses must provide consumers with clear opt-out mechanisms for its use.

3. Increased Data Minimization and Storage Limitation

Under the CPRA, businesses are required to limit their collection of personal data to only what is necessary for the intended purpose and to store it only for as long as needed. This concept of data minimization ensures that businesses are not collecting or keeping data beyond what is necessary, reducing the risk of misuse.

4. The Establishment of the California Privacy Protection Agency (CPPA)

One of the most significant changes introduced by the CPRA is the creation of the California Privacy Protection Agency (CPPA), a new agency dedicated to enforcing data privacy laws. The CPPA is empowered to investigate violations, levy fines, and oversee compliance with the law. This agency replaces the California Attorney General’s office as the primary enforcer of the law, bringing more focused oversight to privacy protection in the state.

5. Stronger Protections for Children’s Data

The CPRA imposes higher fines for businesses that violate privacy protections related to children’s data. Specifically, companies face triple fines for mishandling the personal information of minors under the age of 16, emphasizing the importance of protecting young users’ privacy.

6. Expanded Scope for Businesses

The CPRA changes the thresholds that determine which businesses are subject to the law. Under the CCPA, businesses were covered if they bought, sold, or shared the personal information of 50,000 or more California residents. The CPRA raises this threshold to 100,000, exempting smaller businesses from some of the law’s requirements. However, businesses that generate more than 50% of their annual revenue from selling or sharing personal data are still covered, regardless of size.

7. Enhanced Data Security Obligations

The CPRA mandates that businesses implement reasonable security measures to protect personal information. If a company fails to do so, and a data breach occurs as a result, it may face penalties under the CPRA, in addition to consumer lawsuits.

8. Extended Opt-Out for Data Sharing

While the CCPA allowed consumers to opt out of the sale of their personal data, the CPRA expands this right to include data sharing. This means consumers can now stop businesses from sharing their personal information with third parties for targeted advertising purposes, even if no money is exchanged.

What the CPRA Means for Businesses

For businesses, the CPRA introduces more stringent requirements that necessitate stronger data governance practices. Some key impacts on businesses include:

  • More Complex Compliance: Businesses must now provide clearer disclosures about how they collect, use, and share personal data, especially sensitive information. They need to offer consumers more control over their data and implement processes to respond to new rights, such as correction requests.
  • Data Protection by Design: Companies will need to adopt a proactive approach to data privacy by implementing data protection measures from the outset of any new product or service, in line with the law’s data minimization principles.
  • Stronger Fines and Penalties: With the establishment of the California Privacy Protection Agency, businesses face the prospect of more frequent audits and stronger enforcement actions. Fines for non-compliance, particularly regarding children’s data, have been increased, making it essential for businesses to have robust data protection policies in place.
  • Increased Accountability for Third-Party Vendors: The CPRA requires businesses to ensure that any third-party service providers they work with are also compliant with the law. This means companies must closely monitor and regulate how vendors handle consumer data.

What the CPRA Means for Consumers

The CPRA significantly enhances the privacy rights of California residents, giving them greater control over their personal information. For consumers, the law means:

  • Greater Control Over Personal Data: California residents now have more rights when it comes to accessing, correcting, and limiting the use of their personal information, including sensitive data.
  • Improved Transparency: Businesses are required to be more transparent about how they collect, use, and share personal data. This means consumers will have a clearer understanding of how their information is being handled and for what purposes.
  • Stronger Protections for Vulnerable Groups: The CPRA provides heightened protections for minors and their data, offering families peace of mind about how children’s information is managed online.

The bottom line

The California Privacy Rights Act (CPRA) marks a significant step forward in the evolution of data privacy laws in the U.S. As businesses adapt to its requirements, they will need to prioritize consumer privacy and adopt comprehensive data protection practices. For consumers, the CPRA offers more rights and protections, ensuring greater control over personal information in an increasingly digital world.

While the CPRA primarily applies to California, its influence is likely to spread. As more states and countries consider similar privacy laws, businesses that adopt strong data privacy practices today will be better positioned to navigate the global shift toward stricter data regulation.

In this new era of privacy, the CPRA stands as a blueprint for how future regulations might shape the relationship between consumers, their data, and the companies that collect it.