December 08, 2022

Is CPRA CCPA 2.0?

Ninety-four percent of consumers want more control over the data they share with companies and more insight into how that data is used
– Osano

According to Bloomberg Law, the California Privacy Rights Act (CPRA) is an amendment of the CCPA. The CPRA was proposed as ballot Proposition 24 (Prop 24) in the 2020 US General Election and is slated to go into effect on January 1st, 2023. One of its main objectives is to amend and expand the scope of the CCPA. The CPRA, also known as "CCPA 2.0", takes California privacy laws one step further, making them similar to the EU's General Data Protection Regulation (GDPR).

CCPA vs. CPRA 

CPRA does not replace the CCPA, but is an amendment of the CCPA. Bloomberg Law says that “the CPRA ‘amends’ existing provisions of Title 1.81.5 of the California Civil Code (currently known as the CCPA) and ‘adds’ new provisions (related to the establishment of the California Privacy Protection Agency)”. There are several key differences between the CCPA and the CPRA, Osano notes. These cover the definition of businesses, the household or resident threshold, and more. 

1. Business Qualification Criteria

Organizations may be considered businesses under the CPRA if they are legal entities operated for profit that collect and process California consumers' personal information (PI) and that meet one or more of the following criteria:

  • Have a revenue of over $25 million in the preceding calendar year 
  • Buy, sell, or share personal information of more than 100,000 consumers/households 
  • Make 50% or more of their annual revenue from selling or sharing consumers’ personal information   

2. Sensitive Personal Information

Sensitive personal information (SPI) is a new category in the CPRA. The CPRA stipulates that businesses need extra layers of technical and operational controls to process such data and to protect consumers' SPI as part of their consumer rights ethos.

3. Improved Privacy Rights

  1. Right to Opt-Out of Third-Party Sales and Sharing
  2. Right to Know
  3. Right to Delete
  4. Right to Data Portability 
  5. Opt-In Rights for Minors

4. GDPR Format 

One of the key differences between the CCPA and the CPRA is that the latter takes streamlined concepts from the EU GDPR. The 3 concepts the CPRA embodies are data minimization, purpose limitation, and storage limitation.

5. Data Breach Risk Mitigation

In the event of a data breach exposing personal information, the CPRA notes that consumer login credentials may be added to the list of personal information categories that can be legally carried out to mitigate risks. 

6. New Governance

The CPRA transfers governance of the CCPA, which was enforced by the California Office of the Attorney General (OAG), to the California Privacy Protection Agency (CPPA). The shift gives the CPPA investigative, enforcement, and rulemaking powers.

Data Subject Access Request (DSAR)

Organizations that adhere to the CPRA have to abide by its rules for protecting and maintaining the privacy of their customers' data. Once the data is collected, users can submit a data subject access request (DSAR) to find out more about the personal information the organization collected and how it will use that information.

When an organization receives a DSAR, it needs to respond with the information requested and take the necessary actions. According to the CPRA, organizations need to respond to a DSAR within 30 to 45 days.

Types of DSARs

  • DSARs for deletion
  • DSARs for correction
  • DSARs to opt out of the sale or share of personal information
  • Employee DSARs

The California Privacy Rights Act (CPRA) is slated to go into effect on January 1st, 2023. Ensure that your company is compliant with the CPRA and subsequent DSAR mandates.
