On Jan. 1, 2023, the California Privacy Rights Act (CPRA) will take effect, placing newly enhanced data privacy and notification requirements onto businesses that handle the personal information of California consumers. Understanding its requirements, including the newly modified proposed regulations, may help companies avoid costly financial and reputational harm associated with unintentional CPRA violations down the road.
In 2018, California became the first U.S. state to pass the most stringent and comprehensive data privacy law in the nation, the California Consumer Privacy Act (CCPA), which established privacy rights for California consumers. In November 2020, the CCPA was repealed and further amended when California passed the CPRA.
Businesses subject to the CPRA are those that make $25 million in annual gross revenue as of Jan. 1 of the preceding calendar year; buy, sell, or share the personal information of at least 100,000 consumers or households; or that derive 50 percent or more of their gross revenue from selling or sharing personal information.
CPRA regulations and requirements
Several provisions in the CPRA take inspiration from the EU’s General Data Protection Regulation (GDPR). Most notably, perhaps, the CPRA introduces a whole new category of data, “sensitive personal information,” and further grants consumers the right to direct a business to limit its use and disclosure. To comply with such requests, businesses must provide a “clear and conspicuous” link on their homepage, titled “Limit the Use of My Sensitive Personal Information.”
The CPRA defines sensitive personal information broadly to include the following types of information:
- Social Security number
- Driver’s license
- State identification card or passport number
- Financial account information and log-in credentials
- Debit or credit card number and access codes
- Precise geolocation data
- Religious or philosophical beliefs
- Ethnic origin
- Genetic data
- Biometric information for identification purposes
- Personal health information
- Sex or sexual orientation information
New notification obligations
Under the CCPA, businesses are already required to inform consumers about the personal information collected on them and the purpose behind the collection of that data. Under the CPRA, however, businesses must provide even more details, informing consumers if their personal information will be sold or shared, how it will be used, and how long they will retain the data collected.
On Nov. 3, 2022, the CPPA issued modified proposed regulations implementing the CPRA, which revise the initial proposed regulations issued in July. The modified proposed regulations, in part, state that a business no longer needs to identify in its “Notice at Collection” the names of third parties that control the collection of personal information. Removal of this requirement saves businesses the compliance headache of having to continuously revise their “Notice at Collection” every time they change or terminate a third-party contract.
Consumers right to opt-out
Unlike the CCPA, the CPRA gives consumers the right to opt out of having their personal information sold or shared for purposes of “cross-context behavioral advertising,” commonly known as “targeted advertising.” To comply with this provision, businesses must provide a clear and conspicuous link on its homepage, titled “Do Not Sell or Share My Personal Information.”
The modified proposed regulations clarify that businesses must treat an opt-out preference signal as valid request to opt out of sale or sharing for not only that browser or device, but also for “any consumer profile associated with that browser or device, including pseudonymous profiles.”
Furthermore, the CPRA grants consumers the right to request that businesses correct inaccurate personal information, or to delete personal information that was sold to or shared with service providers and contractors.
Data minimization requirements
The CPRA’s “purpose limitation” provision requires that businesses have a specific and explicit reason for collecting consumers’ personal information. The CPRA provides that a business’s collection, use, retention, or sharing of a consumer’s personal information be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.”
The modified proposed regulations introduce the following five new “factors” for businesses to consider when determining whether their practices satisfy their data minimization requirements:
- The relationship between the consumers and the business
- The type, nature, and amount of personal information that the business seeks to collect or process
- The source of the personal information and the method for collecting or processing it
- The specificity, explicitness, prominence, and clarity of disclosures about the purpose of collecting or processing it
- The degree to which the involvement of service providers, contractors, third parties, or other entities in the collecting or processing of personal information is apparent to the consumers
Additionally, the modified proposed regulations identify factors for determining whether other disclosed purposes are compatible with the context for collecting personal information.
Privacy rights of minors
The CPRA requires that a business with “actual knowledge” that it sells or shares the personal information of a consumer under the age of 13 “shall establish, document, and comply with a reasonable method for determining that the person consenting to the sale or sharing of the personal information about the child is the parent or guardian of that child.” Without consent, the business must either wait at least 12 months or wait until the child turns 16 before asking for their opt-in consent again.
The CPRA states that receiving consent for the sale or sharing of personal information is in addition to any verifiable parental consent required under the federal Children’s Online Privacy Protection Act. The CPRA further lists six methods for reasonably calculating whether the person providing consent is the child’s parent or guardian.
Investigations and enforcement
Implementation, oversight, and enforcement of the CPRA falls under the newly created California Privacy Protection Agency (CPPA), the first data protection authority in the United States. However, the CPRA’s enforcement authority for CPRA violations will begin until July 1, 2023, at soonest.
The modified proposed regulations clarify that the CPPA, in deciding whether to pursue investigations of potential or alleged violations, “may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”
From a regulatory enforcement standpoint, violations of the CPRA could result in civil penalties of up to $2,500 per violation or $7,500 per each intentional violation. Additionally, a business that does not “implement and maintain reasonable security procedures and practices” resulting in the “unauthorized access and exfiltration, theft, or disclosure” of a consumer’s personal information faces up to $750 per violation or actual damages, whichever is greater.
The CCPA’s five-member board has authority to certify companies deemed to be CPRA-compliant. Businesses that do not fall under the CPRA’s umbrella may still voluntarily seek this certification as a demonstration of their data protection practices’ high standards.
CPRA compliance message
If your business has not done so already, now is the time to revise your data privacy policies and procedures as it concerns disclosure notifications, the more restrictive handling of sensitive personal information, the selling and sharing of consumers’ personal information with third parties, as well as reviewing and revising your data retention policies. Prudent businesses also will want to review and update their data collection and storage practices to ensure compliance with the purpose limitation and data minimization requirements.
For more information on how NAVEX can help your business stay compliant with CPRA privacy regulations