What is the CPRA?
In June 2018, the California Consumer Privacy Act (CCPA) was signed into law. The act created new privacy rights for California consumers and new data protection obligations for businesses operating in California.
The act went into effect in January of 2020. In November of 2020, the California Privacy Rights Act (CPRA) was passed as a ballot initiative to amend the CCPA and include additional protections for consumers, employees, and small and non-profit businesses, while also establishing a new government agency for data privacy enforcement. The majority of the CPRA’s provisions went into effect on January 1, 2023, with a look back to January of 2022, meaning data collected from that date forward is still liable for compliance. On July 1, 2023, enforcement of the CPRA will begin under the California Privacy Protection Agency.
What does the CPRA do?
The new amendments include changing the definition of a business to exclude smaller businesses and include larger businesses that generate large incomes from the collection, sharing, or selling of consumer personal information.
California has also become the first state to provide expansive privacy rights to employees. These new rights go well beyond the existing rights of the California Labor Code and apply not only to current employees, but former employees, job applicants, and independent contractors as well. Additionally, the CPRA creates a new category of sensitive personal information, referred to as SPI. This includes information such as data on race and ethnicity, religious beliefs, sexual orientation, health data, social security and driver’s license numbers, financial information, union membership, precise geolocation, and more. Businesses are also responsible for how service providers, contractors, or third parties share and sell personal information disclosed by the business. Lastly, the business requirement to obtain prior opt-in consent has been expanded to cover more scenarios.
Who needs to be up to date on the new regulations?
Applicable businesses outside of California need to pay attention if they have California-based remote workers or job applicants. As of January 1, 2023, applicable businesses include those that meet one of the following thresholds:
1) have a gross annual revenue exceeding $25 million, or
2) buy, sell, or share personal information of more than 100,000 consumers or households per year, or
3) derive 50% or more of their annual revenues from selling or sharing consumers’ personal information.
All company departments that interact with consumer or employee data in California should be familiar with the CPRA because it will impact everyone from product development to HR and records management.
What kind of liability does my business need to worry about?
The CPRA has expanded obligations for collection notices, privacy policies, opt-out notices, and financial incentive notices. Users should be able to opt out of having their personal information sold or shared, including in cross-context behavioral advertising. This adds requirements to how websites interact with users to limit the use of their SPI. Businesses are additionally required to minimize data collection to what is reasonably necessary for the disclosed collection purpose, and implement proactive risk-based controls, such as encryption and multi-factor authentication. Lastly, the four new rights the CPRA creates are:
- To request correction of inaccurate personal information.
- To know about automated decision making.
- To opt out of automated decision making.
- To limit use of sensitive personal information.
What should I do next?
The best way to set your business up for success is to prepare for compliance before enforcement begins on July 1, 2023. The first step is to perform a data audit to see what information you are collecting for what purposes, and whether that can be minimized. Next, you should map out how the stored data moves throughout your company, from consumers and employees to relevant departments and vendors or third parties.
Lastly, you should have good data hygiene processes in place that enable you to protect data subjects’ rights over their personal information and easily respond to access and opt-out requests.
By auditing your company’s data and putting appropriate policies in place, you will be in a great position to comply with California’s new legal framework.