On November 4, 2020, the California Privacy Rights and Enforcement Act (CPRA) was passed by California voters. The CPRA replaces and amends several parts of the existing Act, the California Consumer Privacy Act (CCPA). The new Act will come into effect on January 1, 2023.
There is enough time for businesses to prepare for the change before the CPRA comes into force. It is therefore important that you first understand what changes this new legislation brings and how it compares to the CCPA.
Here are some of the key things you should know.
CCPA vs CPRA – What has changed?
The new data privacy act, the California Privacy Rights Act (CPRA), expands on several areas of the existing CCPA. The CPRA introduces new privacy rights for California residents and adds more stringent regulations for businesses on the use of personal information. The CPRA has also established a new government agency for the enforcement of data privacy laws in California, the California Privacy Protection Agency (CPPA).
Though the CPRA comes into effect on January 1, 2023, any data collected by businesses from January 1, 2022, onward will be subject to compliance with the CPRA. This is termed the lookback period.
Some of the key changes introduced in the CPRA include:
- It expands the definition of “businesses” covered by the privacy act so that those “sharing” personal information are liable as well. Commonly controlled businesses or businesses sharing common branding are exempted unless they also share consumers’ personal information.
- It introduces a new classification of personal information (PI), named sensitive personal information (SPI), which carries additional use, disclosure, and opt-out requirements. This includes Social Security, state ID, and driver’s license numbers, financial account information, precise geolocation, religious or philosophical beliefs, non-public communications, and genetic, biometric, and health data, among others.
- It requires companies holding high-risk data to conduct annual cybersecurity audits, the results of which must be submitted to the CPPA.
- It expands the CCPA’s right to opt out: companies must allow consumers to opt out of having their personal information shared with third parties for advertising purposes.
- It strengthens consumers’ rights by adding the right to have their personal information deleted or corrected. If the business has shared that PI with third parties, it must also notify those third parties of the request to delete or correct it.
- It expands the CCPA’s right-to-know provisions.
- It introduces changes in data governance and transparency, including storage limitation, data minimization, and contract requirements. Only data that is necessary for the purpose stated by the business may be collected, used, or disclosed, and data may be retained only for as long as it is necessary for that purpose.
- It increases the penalties for violations of the CPRA involving the personal information of consumers under the age of 16. The CPPA can also investigate violations on its own initiative.
There are several other changes that work in favour of consumers and make compliance somewhat more challenging for businesses.
How does the CPRA compare with the CCPA?
The CPRA can be called a refinement or upgrade of the CCPA. The CCPA formed the basis of the data privacy landscape of California. The CPRA builds upon it to strengthen the privacy regulations in the State and bring them on par with the GDPR of the European Union.
The CPRA does not replace the CCPA outright, but it certainly amends it, to benefit consumers and increase the compliance requirements for small and large businesses alike.
How will the CPRA impact businesses?
Like any other comprehensive data privacy law, the CPRA requires businesses to be more responsible with consumers’ personal information. Businesses will need to develop stronger data protection processes and controls so that they can respond to consumer requests quickly. They will also need to be agile and adaptive enough to pivot if new data privacy compliance requirements are added in the future.
The CCPA and CPRA impact both California businesses and international businesses that fall under the regulation because they process California consumers’ data. If your company operates across many regions, it may pay to partner with a data privacy managed service provider whose expertise covers global privacy regulations, freeing your valuable internal resources to concentrate on executing the corporate business strategy.