What is the CPRA (California Privacy Rights Act)?
The CPRA (California Privacy Rights Act)is a data privacy law that takes effect on January 1, 2023. It enhances existing privacy laws in California, such as the CCPA (California Consumer Privacy Act).
The CPRA applies to businesses that collect California residents’ personal information. Its privacy requirements are similar to those of the EU’s GDPR (General Data Protection Regulation).
Who does the CPRA apply to?
The CPRA applies to any legal entity that does business in the State of California (regardless of where they are located), collects consumers’ personal information, and:
- Buys, sells, or shares the personal information of 100,000 or more consumers or households in a year; or
- Derives 50% or more of its annual revenue from selling or sharing consumers’ data.
Understand the new data privacy law with our free green paper.
Discover the basics of the CPRA, how expertise in the EU GDPR can help your understanding of the Act, and the key aspects your organization may want to consider.
Free CCPA and CPRA webinars on-demand
Join IT Governance USA for our exciting on-demand webinar series to learn more about the CCPA and the CPRA.
Find out more
Free infographic: CPRA vs. GDPR
Get an understanding of the similarities and differences between privacy regulations in California and Europe with our high-level comparison.
Under the CPRA, what is considered personal information? What are consumers’ rights under the CPRA?
The CPRA grants California residents (‘consumers’) several new privacy rights that businesses must facilitate:
1. The right to know and be informed (Sections 1798.100 and 1798.115)
In their privacy notices posted online, businesses that collect consumers’ personal information must inform them of:
- The categories of personal information and sensitive personal information they will collect or use.
- The types of sources from which information is collected.
- The purposes for which the information is collected and used.
- The length of time that the business intends to retain each category of personal and sensitive personal data.
- Whether that information is sold or shared, and the business purpose for doing so; and
- Consumer rights under California law, including the right to request specific pieces of information.
Within 45 days of receiving a verifiable consumer request, businesses that collect consumers’ personal information must inform them of:
- The categories of personal information they have collected.
- The types of sources from which they collected the personal data.
- The business or commercial purpose collecting, selling, or sharing the personal information.
- The categories of third parties to which the business discloses personal information; and
- The specific pieces of personal information collected about that consumer.
Businesses that sell consumers’ personal information, or disclose it for a business purpose, must inform them of:
- The categories of personal information they have collected.
- The categories of personal information they have sold or shared and the types of third parties to which they sold or shared it; and
- The categories of personal information they have disclosed for a business purpose, and who it was disclosed to.
2. The right to access data (Section 1798.110)
Upon receiving a verifiable consumer request to access their personal information, businesses that have collected it must “promptly take steps to disclose and deliver” it to the consumer.
Businesses are not required to provide this information more than twice in 12 months.
The information must be provided free of charge and can be delivered electronically or by mail. If provided electronically, the information should be portable, allowing the consumer to transmit it to another entity.
3. The right to deletion (Section 1798.105)
Upon receiving a verifiable consumer request, businesses must delete the consumer’s personal information, unless it is necessary to retain it to:
- Complete a transaction, provide goods or services, or otherwise perform a contract between the business and the consumer.
- Help ensure security and integrity (to the extent that using the consumer’s personal information is necessary).
- Debug to identify and repair errors.
- Ensure the exercise of free speech or another right provided by law.
- Comply with the CalECPA (California Electronic Communications Privacy Act).
- Engage in scientific, historical, or statistical research – subject to consumer consent.
- Enable “solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business”; or
- Comply with a legal obligation.
4. The right to correct personal information (Section 1798.106)
Consumers have the right to request businesses correct inaccurate information, including having that information corrected by any relevant third parties.
5. The right to opt-out (Section 1798.120)
Consumers have the right to direct businesses not to sell or share their personal information.
Businesses must notify consumers if they sell or share their personal information to third parties and inform them of their right to opt-out of the sale or sharing via a “clear and conspicuous link” on the business’s homepage titled “Do Not Sell or Share My Personal Information.”
Businesses must not sell information relating to consumers under age 16 unless they or, in the case of under-13s, their parents or guardians have opted in.
Consumers must not be discriminated against for exercising these rights (Section 1798.125).
6. The right to limit the use and disclosure of sensitive personal information (Section 1798.121)
Consumers have the right to direct a business that collects sensitive personal information to limit its use. Companies should only use sensitive personal information when necessary to perform a service or provide goods.
We’re here to help
Whether you’re looking to educate your employees about the CPRA through our online training course, or assess your organization’s current level of compliance with the Act and help identify key work areas that you must address, IT Governance has a solution for you.
Speak to an expert
The CPRA vs. the EU GDPR
The CPRA is widely viewed as California’s version of the EU’s GDPR (General Data Protection Regulation). Like the GDPR, the CPRA gives people more control over their personal data, and holds businesses more accountable for protecting the data they collect and process.
However, there are many differences between the two laws, so even if your organization complies with the GDPR, it might not meet certain CPRA requirements.
Contact us to discuss your CPRA compliance needs
Definitions of key terms used in the CPRA
Business: a for-profit legal entity that collects personal information, or on whose behalf personal information is collected, and:
- Had annual revenue of more than $25 million in the preceding calendar year.
- Annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or
- Derives 50% or more of its annual revenue from the selling or sharing of personal information.
Collection: buying, renting, gathering, obtaining, receiving, or accessing personal information by any means. This includes receiving datafrom the consumer either actively or passively (e.g., observing consumer behavior).
Consumer: a natural person who is a resident of California as defined in Section 17014 of Title 18 of the California Code of Regulations.
Personal information: any “information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device.” This includes:
- Names, aliases, postal and email addresses, IP addresses, unique personal identifiers, account names, online identifiers, etc.
- Commercial information like records, receipts, or purchasing trends
- Biometric data
- Internet or other electronic network activity information like browsing history, search history, or interactions with a website
- Geolocation data
- Psychometric information
- Professional or employment-related information
- Education information
- Inferences drawn from any of the above to create a profile reflecting preferences, trends, or predispositions (including behavior and attitudes, intelligence, and aptitudes).
- Sensitive personal information – including Social Security, driver’s license, or passport numbers; account login or account numbers in combination with access credentials; precise geolocation; racial or ethnic origin; religious or philosophical beliefs; union membership; the contents of mail, email, and text messages; genetic data; biometric data processed for identification purposes; health data; or information concerning sex or sexual orientation.
Publicly available information – “information that is lawfully made available from federal, state, or local government records” that is lawfully made available to the general public by the consumer or widely distributed media.
CPRA enforcement and penalties
California’s Attorney General and the newly created California Privacy Protection Agency can bring injunctions against non-compliant businesses if they fail to address their non-compliance within 30 days of being notified. Civil penalties are capped at $2,500 per violation, or $7,500 for intentional violations. Higher penalties will also be applied to violations involving the information of children.
In addition, consumers may bring a civil action for security breaches to recover between $100 and $750 in damages, or actual damages (whichever is greater); injunctive or declaratory relief; or “any other relief the court deems proper.” Again, they must wait 30 days after serving written notice to allow the business to address any violation of the law.
What are the benefits of CPRA compliance?
The CPRA introduces greater visibility and responsibility when it comes to collecting and processing consumers’ personal data, and brings many benefits, including:
- Greater customer trust
- Enhanced brand image and reputation
- Improved data governance
- More robust information security
- Increased competitive advantage
CPRA compliance solutions from IT Governance
IT Governance, a leading global provider of IT governance, risk management, and compliance solutions, is at the forefront of helping businesses address the challenges of CPRA compliance.