Effective date: January 1, 2023
The scope
The CPRA modifies the scope outlined by the CCPA.
Namely, CPRA applies to a company that operates for profit and processes the personal information of California residents if it:
- Has a gross annual revenue greater than or equal to $25 million
- Obtains information of 100,000 or more California residents/households or devices annually
- Generates at least 50% of its annual revenue from selling or sharing the personal information of California residents
Raising the threshold from 50,000 California residents in the CCPA to 100,000 may reduce the number of businesses that fall under the law. But adding “sharing” to the provision on generating 50% or more of revenue from selling personal information could increase the number of organizations the law applies to.
The definition of personal data aligns with that in the CCPA and is quite broad. It covers:
“[I]nformation that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The definition of personal information includes unique identifiers – many of which are the fuel that powers marketing activities:
“Unique identifier” means a persistent identifier that can be used to recognize a consumer or a device over time and across different services, including but not limited to, a device identifier; Internet Protocol address(es); cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.
This means that, just as under the GDPR, tracking cookies and other types of online identifiers are also covered by the regulation!
The CPRA provides a new category of data – specifically, sensitive personal information (SPI). Such data requires appropriate security measures, and consumers have the right to request that organizations limit the use of their SPI.
Sensitive personal information can include:
- Social Security Number
- Driver’s license
- State identification card
- Passport number
- Financial account information and log-in credentials
- Debit card or credit card number and access codes
- Precise geolocation data
- Religious or philosophical beliefs
- Ethnic origin
- Contents of communication
- Genetic data
- Biometric information for the purposes of identification
- Health information
- Information about sex or sexual orientation
Key responsibilities under the CPRA
Take measures to protect the data of minors
There is a mandatory opt-in for selling the personal data of minors (under 16 years old). Businesses must also wait 12 months before asking a minor consumer for consent to sell or share their personal information after the minor has declined.
Map your data processes
Make sure you know what kinds of personal information you collect and that the data is prepared for access, deletion and portability requests from your clients.
Consumers have the right to:
- Obtain a record of the personal information companies have on them (from the last 12 months and, under certain circumstances, also from beyond the 12-month period)
- Request that a business transfer specific personal information to another entity
- Request to have their data deleted
- Request that companies stop the sale or sharing of their information
- Be informed about the length of data retention
The CPRA introduces additional consumer privacy rights that didn’t appear in the CCPA, namely:
- The right to request that a business correct any inaccurate personal information
- The right to access information about automated decision-making (such as profiling) and opt out of it
Importantly, a business can’t discriminate against consumers who have decided to exercise their rights.
Check your third-party data sources
Under the CCPA, operating on stolen or breached data is an offense. Companies that buy customer data from third parties should always make sure that it comes from a legitimate source.
On a consumer’s request, businesses need to forward the deletion request to any third parties that have bought or received the consumer’s personal information.
Come up with a way of handling consumer requests
Provide users with at least two methods for submitting requests. A link to those forms should be placed on your homepage, along with the text “Do not sell my personal information”.
Update your data privacy policy
The CCPA already required a granular, GDPR-like approach to the privacy policy.
Your privacy policy should include a description of consumers’ rights as described above, the types of personal data you gather, how you collect it, where you use it, and with what third parties you share it.
The CPRA expands on the disclosure requirements and obligates you to:
- Disclose whether collected information will be sold or shared
- Identify the sensitive personal information that you will collect
- Either disclose the length of time you’ll retain information or the criteria used to determine it
- Disclose, by conspicuous notice, if you don’t collect information
Take appropriate security measures to protect data
Under CPRA, any business that collects consumers’ personal information is obligated to:
“[…] implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.”
California residents have the right to sue companies that use their data if it was stolen or disclosed in a data breach. They can also sue companies that neglected the safety of their data (for instance, by failing to encrypt it).
The new law also introduces an exclusive agency for interpreting and regulating the law – the California Privacy Protection Agency (CPPA). It will provide guidance on the enforcement of the CPRA and have the power to investigate violations, conduct hearings and assign liability to covered entities for violations. Crucially, the CPPA will be the first US-based regulatory authority exclusively focused on data privacy issues.
Penalties
The California law also imposes sanctions on businesses that fail to comply with its provisions. The fines include:
- In the case of a suit filed by consumers: $100-750 (or the cost of actual damages, whichever is higher) per resident and incident in the case of data breaches or data theft if data was not properly protected.
- In the case of a suit by the State Attorney General: $2,500 per unintentional violation and up to $7,500 per intentional violation of privacy. In cases involving minors, the maximum fine is $7,500 for both intentional and unintentional violations.
Unlike the CCPA, the CPRA gives businesses no 30-day period to remedy a violation once they’re informed of noncompliance.
Pro tip
How Piwik PRO Analytics Suite helps you comply with the CPRA:
- Get full control over collected data
- Quickly set up banners to inform visitors about the collection of their data and give them a way to opt out and send data requests
- Collect and process user requests using Piwik PRO Consent Manager