What Is CPRA and What Does It Mean for Your Business?
As a business leader, your primary focus should be meeting consumer needs exceptionally well so that customers keep coming back. Traditionally, this meant offering impeccable products at the right price.
However, winning modern consumers takes more. Your brand needs relatable values, the customer journey must be smooth, and, with data breaches now a routine news item, consumers need to know they can trust you with their data.
According to a Pew Research Center report, concern about how companies use personal data is widespread among Americans, with 79% saying they are concerned. As a result, most consumers are only willing to share their data with brands they trust.
To help protect its residents, California has taken a progressive and stern approach to data privacy regulation. At the forefront of those efforts is the California Consumer Privacy Act (CCPA), signed into law in 2018 and in effect since January 1, 2020.
Businesses that serve California residents now also have to meet stricter requirements under the California Privacy Rights Act (CPRA) of 2020, which amends and extends the CCPA.
Considering the impact and potential ramifications, it's important to understand what CPRA entails and to have a compliance program in place. This article walks through the law and what it means for your business.
A Recap of CCPA
Before going into what California Privacy Rights Act will entail for your company, it's vital to look at the current nature of California's privacy regulations. Since CPRA builds on the CCPA, it's important to understand the latter first.
For starters, CCPA was a response to public outcry in the wake of large-scale data breaches. It gives Californian residents more control over their personal information by:
- Giving them the right to know what information is being collected about them.
- Allowing them to request the deletion of their data.
- Letting them opt out of the sale of their data (and requiring opt-in consent before selling the data of consumers under 16).
- Prohibiting discrimination against individuals who exercise these rights.
The law applies to any for-profit business that does business in California and meets one of its size thresholds, regardless of whether it has a physical presence there. A business that fails to comply can be fined up to $2,500 per violation, or $7,500 per intentional violation.
What Is CPRA?
CPRA amends and extends the California Consumer Privacy Act. It was passed by California voters as Proposition 24 in November 2020 and came into effect on January 1, 2023, giving California residents greater control over their data.
CPRA builds on the regulations already set out by CCPA, but it also adds new provisions designed to protect consumer privacy further. For instance, CPRA:
- Gives consumers the right to opt out of having their data shared for cross-context behavioral advertising, not only sold.
- Places stricter limits on how businesses can use sensitive personal information.
- Creates a new state agency, the California Privacy Protection Agency (CPPA), to enforce these rules.
In addition, CPRA introduces a distinct category of sensitive personal information, covering items such as precise geolocation, biometric data processed to identify a person, and government identifiers, and gives consumers a new right to correct inaccurate data.
Does CPRA Replace CCPA?
No, CPRA does not replace CCPA. Instead, it builds on the existing regulations to create an even stronger framework for protecting consumer privacy. Businesses that are compliant with CCPA still need to meet CPRA's additional requirements, which have applied since January 1, 2023.
What Does CPRA Entail?
Now that you know the basics, here is a more detailed look at what the law entails.
As mentioned, CPRA builds on the existing regulations set out by CCPA. But it also includes new provisions designed to enhance consumer privacy protection.
- Eligibility
CPRA applies to any for-profit business that does business in California and collects the personal information of California residents, regardless of whether it has a physical presence there, provided it meets one of the law's thresholds.
CPRA raised the consumer-count threshold, so somewhat fewer businesses are covered. Those that are covered, however, must do considerably more to achieve compliance.
Since it came into effect:
- Devices are no longer counted toward the threshold.
- The number of consumers or households whose data triggers coverage rose from 50,000 to 100,000.
- Sensitive Personal Information
Another key change CPRA brings is a distinct category of sensitive personal information. Under CPRA, sensitive personal information includes the following:
- Government identifiers (Social Security, driver's license, state ID, and passport numbers)
- Account log-in, or financial account, debit or credit card numbers, combined with the credentials needed to access the account
- Precise geolocation data
- Biometric data processed to uniquely identify a person
- Genetic data
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
- Contents of mail, email, and text messages where the business is not the intended recipient
- Health data
- Sex life or sexual orientation
This is a significant change from the California Consumer Privacy Act, which had no separate sensitive-information category; identifiers such as Social Security and driver's license numbers were treated like any other personal information outside the data-breach provisions.
The separate category means businesses must take extra care to protect this type of data. They must also give consumers the right to limit its use and disclosure to what is necessary to provide the requested goods or services, and must stop using it for other purposes once that right is exercised.
- Consumer Rights
Along with a broader definition of sensitive information, CPRA also expands consumer rights. CPRA will give Californian residents the right to:
- Know what personal information is being collected about them.
- Request deletion of their data.
- Opt out of having their data sold or shared.
- Receive equal service, regardless of whether they exercise their privacy rights.
These mirror the rights CCPA established. But CPRA goes a step further by giving consumers more say over how you use their data.
For instance, under CPRA, if a consumer opts out of having their data sold or shared, you must stop both selling and sharing it, and you must honor the new right to limit the use of sensitive personal information. Compliance is no longer only about telling customers how you use their data; it is about respecting the choices they make.
- Links to Display
Under the CCPA, companies had to include a "Do Not Sell My Personal Information" link on the homepage, leading to a dedicated page where consumers can exercise their opt-out rights. CPRA broadens that link to "Do Not Sell or Share My Personal Information" and adds a second link, "Limit the Use of My Sensitive Personal Information," leading to a page where consumers can restrict how you use that information. CPRA also requires you to honor opt-out preference signals sent by the consumer's browser or extension (such as Global Privacy Control), which count as a valid opt-out without any click on your links.
- Enforcement
The California Privacy Rights Act creates a new state agency, the California Privacy Protection Agency (CPPA), to enforce these rules. The CPPA can impose administrative fines of up to $2,500 per violation, or $7,500 per intentional violation or violation involving a minor, and the state attorney general can still bring civil actions. This is a big step: under the California Consumer Privacy Act, enforcement was left entirely to the attorney general's office, and businesses had a 30-day period to cure violations before enforcement, which CPRA removed. A dedicated agency has more resources and is better equipped to handle enforcement.
- Consumer Restrictions
The California Consumer Privacy Act (CCPA) lets consumers opt out of the sale of their data. The California Privacy Rights Act goes further by letting them also opt out of having their information shared with third parties for cross-context behavioral advertising, whether or not money changes hands.
- Automated Decision Making
In the age of big data, profiling is an invaluable asset for companies: it helps them target ads, personalize content, and improve the customer experience. CPRA restricts automated decision-making. Companies can still do it, but CPRA directs the CPPA to issue regulations giving consumers access and opt-out rights for automated decision-making technology, including meaningful information about the logic involved, explained in a way consumers can understand.
- Data Correction
CPRA will also give consumers the right to correct any inaccurate or incomplete data companies have about them. This is in stark contrast to CCPA, which only allowed consumers to request the deletion of their data.
Now, if a consumer thinks some of the information you hold about them is wrong, they can ask you to correct it. If you don't comply with the request, they can file a complaint with the California Privacy Protection Agency.
- Data Retention
As under CCPA, businesses must explain in detail what data they collect, how it is used, and whether it is shared with other parties. CPRA adds a further requirement: for each category of personal information, you must tell the consumer how long you will retain it, or explain the criteria used to determine that period.
Furthermore, CPRA restricts how long companies can keep consumer data. Companies may retain data only for as long as is reasonably necessary to achieve the disclosed purpose for which it was collected.
This is one of the major changes from the California Consumer Privacy Act, which set no explicit retention limit. CPRA forces companies to reevaluate their data retention practices and ensure they're not holding onto data longer than needed.
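As an added illustration, not code from the original article or from Arctera, the Python sketch below shows how the per-category retention disclosure and the "no longer than reasonably necessary" rule can be made checkable rather than left as policy text. The data map, its purposes and its retention periods are constructed assumptions; the real values must come from your own assessment of what is reasonably necessary for each purpose you disclose.

```python
"""
Data map with per-category retention limits and an overdue-record check.

Added example, not code from the original article. The categories,
purposes and retention periods below are constructed for illustration
(assumptions). Under CPRA the retention period, or the criteria used to
set it, must be disclosed for each category, and records may not be kept
past what is reasonably necessary for the disclosed purpose.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DataCategory:
    name: str
    purpose: str
    sensitive: bool                  # CPRA "sensitive personal information"?
    retention_days: Optional[int]    # None: event-driven, criteria must be stated
    retention_criteria: str = ""     # required when retention_days is None


@dataclass(frozen=True)
class Record:
    subject_id: str
    category: str
    collected_on: date


# Constructed data map (assumption, not a real inventory).
DATA_MAP: Dict[str, DataCategory] = {
    "email": DataCategory("email", "order confirmations", False, 730),
    "precise_geolocation": DataCategory(
        "precise_geolocation", "delivery routing", True, 30),
    "account_credentials": DataCategory(
        "account_credentials", "authentication", True, None,
        "kept while the account is open, deleted 30 days after closure"),
}


def retention_disclosure(cat: DataCategory) -> str:
    """Sentence for the privacy policy: a fixed period, or the criteria used.

    A category with neither is a disclosure gap and is rejected outright.
    """
    if cat.retention_days is not None:
        return f"{cat.name}: retained {cat.retention_days} days for {cat.purpose}."
    if not cat.retention_criteria:
        raise ValueError(f"{cat.name}: no retention period and no criteria stated")
    return f"{cat.name}: retained for {cat.purpose}; {cat.retention_criteria}."


def overdue_records(records: List[Record], today: date,
                    data_map: Dict[str, DataCategory] = DATA_MAP
                    ) -> List[Tuple[Record, int]]:
    """Return (record, days_past_limit) for records held beyond their limit.

    A record whose category is missing from the map is reported with -1 so
    it cannot silently pass: unmapped data is a data-map gap, not compliant
    data. Event-driven categories are skipped here; their deletion is
    triggered by the closing event, not by age.
    """
    out: List[Tuple[Record, int]] = []
    for rec in records:
        cat = data_map.get(rec.category)
        if cat is None:
            out.append((rec, -1))
            continue
        if cat.retention_days is None:
            continue
        limit = rec.collected_on + timedelta(days=cat.retention_days)
        if today > limit:
            out.append((rec, (today - limit).days))
    return out


def sensitive_categories(data_map: Dict[str, DataCategory] = DATA_MAP) -> List[str]:
    """Categories that need the 'Limit the Use of My Sensitive Personal Information' path."""
    return sorted(name for name, cat in data_map.items() if cat.sensitive)


if __name__ == "__main__":
    # Constructed sample records (assumption) checked against a fixed date.
    sample = [
        Record("u1", "email", date(2022, 1, 1)),
        Record("u2", "precise_geolocation", date(2024, 2, 20)),
        Record("u3", "browsing_history", date(2024, 2, 28)),
    ]
    for cat in DATA_MAP.values():
        print(retention_disclosure(cat))
    for rec, days in overdue_records(sample, date(2024, 3, 1)):
        print(f"{rec.subject_id}/{rec.category}: {days} days past limit")
```

Running the check on a regular schedule, with the same data map that feeds your privacy policy text, keeps the disclosed retention periods and the actual deletion behaviour from drifting apart.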
Other Notable Changes Under CPRA
In addition to the key features of the regulation, CPRA will also make a few other notable changes, including:
- If you know the consumer is under 16, the maximum penalty for a violation is tripled: $7,500 rather than $2,500, even if the violation is unintentional.
- The CCPA's temporary exemptions for business-to-business and employee (human resources) data expired on January 1, 2023, so that data is now fully in scope.
- Under the CCPA, individuals can take civil action over data breaches involving unencrypted, non-redacted personal information. CPRA extends this to breaches exposing an email address together with a password or security question and answer that would permit access to the account.
How CPRA Compares to GDPR
The CPRA has been described as the "GDPR of California." And while there are some similarities between the two regulations, there are also some key differences.
First, CPRA is narrower in scope than GDPR. It applies only to businesses that do business in California, meet its thresholds, and handle California residents' data. GDPR, on the other hand, applies to any organization that processes the data of people in the EU, regardless of where the organization is located.
Second, the two take different approaches to consumer choice. CPRA lets consumers opt out of any sale or sharing of their information with third parties, whether or not money changes hands, and lets them limit the use of sensitive personal information. GDPR instead requires a lawful basis (such as consent) before processing begins, with an absolute right to object to direct marketing and a right to object to other processing based on legitimate interests.
Finally, CPRA is more lenient when it comes to fines. The maximum administrative fine under CPRA is $7,500 per violation (though violations are counted per consumer, so they add up quickly), while a GDPR fine can reach 20 million euros (about $24 million) or 4% of global annual turnover, whichever is higher.
What Does CPRA Mean for Businesses?
The California Privacy Rights Act is the most comprehensive privacy law in the United States. And other states will likely follow California's lead and pass similar laws of their own. This means that CPRA compliance isn't just a good idea; it's essential for businesses that want to stay ahead of the curve.
If your business collects California residents' personal information, you must have a CPRA program in place now and make sure you're compliant.
Achieving CPRA Compliance
If your business is subject to CCPA, you're already most of the way there regarding compliance with CPRA. But there are still key steps you need to take.
- Conduct a Gap Assessment.
Before you can achieve CPRA compliance, you must first determine where you fall short. Conduct a gap assessment to identify areas where your privacy practices don't meet CPRA's requirements.
- Update Your Privacy Policy.
Once you know what needs to change, update your privacy policy. Make sure it is clear and concise and covers all the bases: what personal data you collect, why you collect it, how you use it, whether you sell or share it, and how long you retain each category.
- Implement Changes to Your Data Handling Practices.
After you've updated your privacy policy, implement the corresponding changes to your data handling practices. If CPRA requires you to change how you collect or process data, make sure those changes are reflected in your systems and processes, not only in the policy text.
- Train Your Employees.
Your employees are the key to CPRA compliance. They must be up to date on the law and your company's privacy practices. Ensure they know what they can and can't do with personal data and understand CPRA's opt-out and limit-use provisions.
- Identify and Evaluate All Uses of Sensitive Personal Information.
The California Privacy Rights Act defines a separate category of sensitive personal information that CCPA did not have, including racial or ethnic origin, sexual orientation, precise geolocation, and health data. Identify every way you collect and use this type of information. Then determine whether each use is CPRA-compliant and whether it must stop when a consumer asks you to limit it.
- Create a Data Map.
A data map helps you keep track of all the personal data you collect, where it comes from, where it goes, and how long you keep it. It is a valuable tool for CPRA compliance because it lets you see at a glance whether you're meeting CPRA's requirements.
- Give Customers Access to Mandated Consent and Disclosures.
Under CPRA, businesses must provide customers with certain disclosures at or before the point of collection. These include the categories of data collected, the purposes, your company's contact information, and a description of the customer's rights under CPRA.
You must also give consumers the means to limit your use of their sensitive personal information, and obtain opt-in consent before selling or sharing the data of consumers under 16. So, include the mandated opt-out and limit-use links, and make sure the pages behind them actually change how your systems treat that consumer.
- Update Customer and Vendor Contracts.
If you share personal data with third parties, whether service providers, contractors, or third parties in CPRA's terms, you must have contracts that ensure CPRA compliance. These should stipulate that the recipient uses the data only for the purpose specified in the contract, complies with CPRA, and protects the data in accordance with its requirements.
- Use Tag Management Software to Conduct Privacy Risk Analysis.
Considering the ramifications of non-compliance, it is vital to perform privacy risk analysis regularly. Tag management software is a good fit for the web side of this because most third-party sharing on a website happens through tags and scripts, and such tools let you see which tags fire, for whom, and under what consent state, so you can identify and mitigate risks.
In addition, tag management software can help you manage consents, track opt-outs, and generate reports. These features are invaluable as you work to achieve CPRA compliance.
- Avoid Enforcement and Litigation Pitfalls.
There are several potential pitfalls when it comes to CPRA enforcement and litigation. To avoid these, you must be familiar with the law and your rights and obligations.
Some of the things you should know include:
- The types of penalties that can be imposed for CPRA violations.
- The types of damages that can be awarded in CPRA litigation.
- How CPRA's private right of action works.
- The statute of limitations for CPRA claims.
- Embrace Data Minimization.
Data minimization is the practice of collecting and retaining only the data you need for a specific, disclosed purpose. CPRA expects it, and it is a good compliance strategy in its own right: less data means less exposure in a breach, less unauthorized use, and fewer records to govern.
- Be Proactive About Security.
Security should be a top priority for any business, but it's especially important when dealing with personal data. CPRA requires businesses to take reasonable security measures to protect personal data from unauthorized access, destruction, or use.
Some of the things you can do to improve your security include:
- Implementing strong access control measures.
- Encrypting personal data in transit and at rest.
- Conducting regular security audits.
- Keeping your software up-to-date.
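One part of the consent-and-disclosure step that can be tested in code is honoring an opt-out preference signal. The example below is added here and is not code from the original article or from Arctera. It reads the Global Privacy Control header (Sec-GPC: 1, as published in the GPC specification) from an inbound request and records an opt-out of sale and sharing; the registry class and the request shape are constructed assumptions rather than any web framework's API.

```python
"""
Honoring a CPRA opt-out preference signal on inbound HTTP requests.

Added example, not code from the original article. Global Privacy Control
(GPC) is a browser signal sent as the request header ``Sec-GPC: 1``; under
the CPRA regulations a business that sells or shares personal information
must treat it as a valid opt-out, equivalent to a click on the "Do Not
Sell or Share My Personal Information" link. The registry and the request
shape below are constructed for illustration (assumptions).
"""
from typing import Dict, List, Mapping, Set, Tuple

SALE_SHARING = "sale_or_sharing"


class OptOutRegistry:
    """Durable record of opt-outs, keyed by a consumer or device identifier."""

    def __init__(self) -> None:
        self._opted_out: Dict[str, Set[str]] = {}
        # (subject_id, purpose, source): evidence of how each opt-out was received.
        self.audit: List[Tuple[str, str, str]] = []

    def opt_out(self, subject_id: str, purpose: str, source: str) -> None:
        self._opted_out.setdefault(subject_id, set()).add(purpose)
        self.audit.append((subject_id, purpose, source))

    def is_opted_out(self, subject_id: str, purpose: str) -> bool:
        return purpose in self._opted_out.get(subject_id, set())


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only for an exact ``Sec-GPC: 1``; header names are case-insensitive.

    Any other value (``0``, empty, garbage) is treated as no signal: the GPC
    specification defines only the value ``1``.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_opt_out_signal(headers: Mapping[str, str], subject_id: str,
                         registry: OptOutRegistry) -> dict:
    """Record a GPC opt-out if present, then decide whether sale/sharing is allowed.

    An opt-out recorded earlier (for example via the web-page link) stays in
    force even when a later request carries no signal: the consumer has to opt
    back in explicitly; the business may not silently resume selling.
    """
    if gpc_signal_present(headers):
        registry.opt_out(subject_id, SALE_SHARING, source="gpc-header")
    allowed = not registry.is_opted_out(subject_id, SALE_SHARING)
    return {"subject_id": subject_id, "sale_sharing_allowed": allowed}


if __name__ == "__main__":
    reg = OptOutRegistry()
    # Constructed requests (assumption): one with the signal, then one without.
    print(apply_opt_out_signal({"Sec-GPC": "1"}, "device-42", reg))
    print(apply_opt_out_signal({}, "device-42", reg))  # still opted out
```

Wire this in as middleware in front of any code path that passes data to advertising or analytics partners, and keep the audit trail: when the CPPA asks how a particular opt-out was received and honored, the header-derived record is your evidence.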
Benefits of CPRA Compliance for Businesses
CPRA compliance may seem like a lot of work, but it's worth it. There are many benefits of CPRA compliance for businesses, including:
- Increased consumer trust: Consumers are increasingly concerned about their privacy and are more likely to do business with companies that respect their rights. Complying with CPRA will show consumers that you're committed to protecting their personal data.
- Improved security: CPRA compliance will help you identify and mitigate risks to avoid data breaches and unauthorized use of personal data.
- Greater efficiency: CPRA compliance doesn't have to be complicated or time-consuming. You can automate many tasks associated with CPRA compliance using tag management software.
- Avoiding fines: CPRA carries administrative fines of $2,500 per violation, or $7,500 per intentional violation or violation involving a minor, and they are assessed per affected consumer. CPRA compliance helps you avoid these costly penalties.
- Litigation protection: CPRA keeps the private right of action for consumers whose personal information is exposed in a breach caused by a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident. If you're sued, a documented, working security program is your best defense.
- Better business practices: CPRA compliance will force you to reevaluate your data collection and storage practices. As a result, you may discover more efficient and effective ways of doing business.
How Arctera Can Help
With the California Privacy Rights Act in force, it's vital that you enhance your data compliance and governance policies and procedures. As you do this, keep in mind that other data privacy regulations will emerge with time. So, it's not just about complying with CPRA but about adopting sound data handling practices.
With this in mind, it's important to have data archiving capabilities to help retain and speed up the retrieval of relevant information. This is where a solution like the Arctera Data Compliance portfolio comes in handy.
Data archiving helps you index, search, and audit data while ensuring the security and privacy of information.
The portfolio also includes Data Insight which uses machine learning to identify sensitive data across an organization's entire network. This solution gives you visibility into how data is being used, shared, and accessed. As a result, you can take steps to mitigate risks and improve compliance.
Conclusion
CPRA is a complex law with many requirements. Other states will likely follow California's lead and pass similar laws of their own. This means that CPRA compliance isn't just a good idea; it's essential for businesses that want to stay ahead of the curve.
Conduct a gap assessment to identify areas where your privacy practices don't meet CPRA standards and update your privacy policy to reflect the new law. CPRA compliance may seem like a lot of work, but it's worth it.
Contact us today to learn more about how we can help keep your organization in compliance.
About Arctera
Arctera helps organizations around the world thrive by ensuring they can trust, access, and illuminate their data from creation to retirement. Created in 2024 from Veritas Technologies, an industry leader in secure multi-cloud data resilience, Arctera comprises three business units: Data Compliance, Data Protection and Data Resilience. Arctera provides tens of thousands of customers worldwide, including 70% of the Fortune 100, with market-leading solutions that help them to manage one of their most valuable assets: data.
Learn more at www.arctera.io
Follow us on X @arcteraio