What is the CPRA (California Privacy Rights Act)?
The CPRA (California Privacy Rights Act) is a data privacy law that came into effect on January 1, 2023. It enhances existing privacy laws in California, such as the CCPA (California Consumer Privacy Act).
Who does the CPRA apply to?
The CPRA applies to any legal entity that does business in the State of California (regardless of where they are located), collects consumers’ personal information, and:
- Buys, sells, or shares the personal information of 100,000 or more consumers or households in a year; or
- Derives 50% or more of its annual revenue from selling or sharing consumers’ data.
Under the CPRA, what is considered personal information?
The CPRA protects personal information, which is defined as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
This includes information such as name, address, phone number, email address, Social Security number, driver’s license number, IP address, geolocation data, biometric data, and Internet activity.
What rights do consumers have under the CPRA?
The CPRA grants California residents several new privacy rights that businesses must facilitate:
1. The right to know and be informed
The CPRA gives California residents the right to know and be informed about the personal information that businesses collect about them. This includes the right to be informed about the categories of personal information collected, the purpose for which it is collected, and the third parties with which it is shared.
2. The right to access data
The CPRA grants California residents the right to access their personal data that is held by a business. This includes the right to request the categories of personal information that have been collected, the categories of sources from which the information was collected, the business or commercial purpose for collecting or selling the information, and the categories of third parties with which the information has been shared.
In addition, individuals have the right to request a copy of their personal data in an easily readable format. Businesses must respond to these requests within 45 days and must provide the data free of charge.
3. The right to deletion
The CPRA grants consumers the right to request the deletion of their personal information from a business that collects it. This right is sometimes referred to as the “right to be forgotten.”
Consumers can make a request to delete their personal information, and the business must delete the information unless it is needed for a legitimate business purpose, a legal obligation, or to exercise a right or defense.
Businesses are also obligated to inform third parties with which they have shared the consumer’s information of the consumer’s request to delete their data.
4. The right to correct personal information
Under the CPRA, individuals have the right to correct personal information that a business holds about them. If a business holds inaccurate or incomplete personal information about an individual, the individual can submit a request to the business asking them to correct the information.
The business must acknowledge the request and take reasonable steps to assess the accuracy of the data and take appropriate action to correct any inaccuracies.
Businesses must also provide individuals with information about how to submit a request to correct their personal information and how the business will respond to the request.
5. The right to opt out
The right to opt out under the CPRA allows consumers to prevent businesses from selling their personal information. Businesses must provide a “Do Not Sell My Personal Information” link on their website or other online service that allows consumers to exercise their right to opt out. If a consumer opts out, the business must not sell the consumer’s personal information.
6. The right to limit the use and disclosure of sensitive personal information
Under the CPRA, consumers have the right to limit the use and disclosure of their sensitive personal information. This includes any data that reveals a person’s race or ethnicity, religious or philosophical beliefs, physical or mental health condition, sexual orientation, or biometric or genetic data.
Consumers can exercise this right by making a request to the business that collected their sensitive personal information. The business must then comply with the request unless it can demonstrate a compelling reason not to do so.
We’re here to help
Whether you’re looking to educate your employees about the CPRA through our online training course or assess your organization’s current level of compliance with the Act and help identify key work areas that you must address, IT Governance has a solution for you.
The CPRA vs. the EU GDPR
The CPRA is widely viewed as California’s version of the EU’s GDPR (General Data Protection Regulation). Like the GDPR, the CPRA gives people more control over their personal data and holds businesses more accountable for protecting the data they collect and process.
However, there are many differences between the two laws, so even if your organization complies with the GDPR, it might not meet certain CPRA requirements.
What are the penalties for non-compliance with the CPRA?
California’s Attorney General and the newly created California Privacy Protection Agency can bring injunctions against non-compliant businesses if they fail to address their non-compliance within 30 days of being notified. Civil penalties are capped at $2,500 per violation, or $7,500 for intentional violations. Higher penalties will also be applied to violations involving the information of children.
In addition, consumers may bring a civil action for security breaches to recover between $100 and $750 in damages, or actual damages (whichever is greater); injunctive or declaratory relief; or “any other relief the court deems proper.” Again, they must wait 30 days after serving written notice to allow the business to address any violation of the law.
What are the benefits of CPRA compliance?
The CPRA introduces greater visibility and responsibility when it comes to collecting and processing consumers’ personal data, and brings many benefits, including:
- Greater customer trust
- Enhanced brand image and reputation
- Improved data governance
- More robust information security
- Increased competitive advantage
CPRA compliance solutions from IT Governance
IT Governance, a leading global provider of IT governance, risk management, and compliance solutions, is at the forefront of helping businesses address the challenges of CPRA compliance.