The California Privacy Rights Act 2020, the CPRA, is a US state privacy law that took effect in December 2020 and comes into force fully on 1 January 2023. The CPRA expands the existing California Consumer Privacy Act (CCPA) to protect the rights of California consumers. CPRA defines and protects sensitive personal information, places a duty on businesses to put in place reasonable information security measures and expands the right to delete personal information. The right to opt-out of the sale of personal information (called “Do Not Sell”) has been extended to include limits on non-sale data sharing (“Do Not Share”). The law creates a new regulator called the California Privacy Protection Agency, which will inherit the California Attorney General’s rule making and enforcement powers from 1 July 2021.
- What types or organisations are covered by CPRA?
The law applies to Businesses, defined in four categories 1.1, 1.2, 1.3 and 1.4:
(1.1) A legal entity organised or operated for the profit or the financial benefit of shareholders, that collect consumers’ personal information or have personal information collected on its behalf. This entity also determines the purposes and means of the processing of consumers’ personal information, alone, or jointly with others, does business in the state of California and meets one or more of the following threshold criteria:
(a) As of January 1, of the calendar year, have annual gross revenues more than $25,000,000 in the last calendar year, or
(b) Alone or in combination, annually buy or sell, or share the personal information of 100,000 or more consumers or households, or
(c) Creates 50% or more of its annual revenues from selling or sharing consumers’ personal information.
(1.2) Any entity that controls or is controlled by a business falling within criteria 1.1 (above) and that share common branding and consumers’ personal information with each other.
(1.3) A Joint Venture or Partnership composed of businesses in which each business has at least a 40 percent interest. Each business in the Joint Venture or Partnership is seen as a separate single business.
(1.4) Organisations doing business in California, but are not covered by criteria 1.1, 1.2 or 1.3 above and voluntarily certifies to the California Privacy Protection Authority that they are compliant.
2. What types of data or information are covered by CPRA?
Like the CCPA, the CPRA protects the personal information of California consumers. Personal information includes many different types of data and information including identifiers (name, address, social security number and online identifiers etc), protected characteristics, commercial information, biometric information, internet activity, geolocation data, audio files, visual files, employment information, education information, profiles and inferences taken from data that reveal a consumer’s characteristics, psychology, predispositions, attitudes and intelligence.
The CPRA introduces a new category of sensitive personal information which includes a wide range of personal data such as passport details, driving licence details, specific geolocation information, race or ethnic origin information, genetic data and biometric data. These types of data require greater protection.
3. What are the main CPRA obligations for businesses?
Businesses must ensure that:
(i) When selling or sharing personal information with third parties, binding contracts are in place to ensure that third parties comply with CPRA requirements and their contractual obligations.
(ii) Service providers and contractors must help businesses to respond to verifiable personal information CPRA requests. Service providers are not required to fulfil requests received directly from consumers.
(iii) They inform consumers about the data categories they collect and whether information will be sold or shared.
(iv) Businesses cannot collect additional categories of personal information in ways that are incompatible with the original purposes, once the businesses inform consumers of these purposes.
(v) Third-parties that control personal information collection must provide the same disclosures on their website, as the business that engages them.
(vi) Have systems that protect availability, authenticity, integrity, and confidentiality of personal information. Detect security incidents, resist malicious, deceptive, fraudulent, or illegal actions and ensure the physical safety of individuals. Reasonable security practices and procedures must be introduced, including robust email address and password protections.
(vii) Ensure that consumers can exercise their right to limit or restrict the use of sensitive personal information and receive full notices about data use, purposes and retention.
(viii) Ensure that consumers can exercise their rights to request deletion and correction of their personal information.
(ix) Put in place clear policy and procedures for children under 16 years old to opt-in to the selling or sharing of their personal information.
(x) Develop clear data retention and deletion policy and retention schedules to ensure that personal information is deleted when legitimate use ends.
4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR) and the CCPA, will they automatically comply with CPRA?
No. GDPR, CCPA and CPRA have different scopes, definitions and compliance requirements. However, there are important similarities. Organisations that are governed by CCPA are very likely to fall within the CPRA’s scope. CPRA is more closely aligned with GDPR than CCPA. GDPR data mapping and records of processing activity logs can help to identify California consumers’ personal information. Data privacy notices, policies, information security frameworks created for another law can be tailored to meet the requirements of CPRA. Data processing agreements, supply chain contracts and online notices must be specifically updated for CPRA. Do Not Sell and Do Not Share notices and their underlying management systems are unique to CCPA and CPRA and require specific technical solutions.
5. Does the CPRA apply to businesses or organisations in other US states or to foreign companies?
Yes, it can. If a business or organisation falls within the CPRA qualifying criteria and holds personal information about California consumers, then CPRA applies. Businesses that are based in other US states and companies from outside of the United States may also have to comply with the CCPA. All organisations should seek specialist advice, review new CPRA regulations, monitor the development of the CPRA enforcement, examine official guidance and watch the regulator, the California Privacy Protection Agency for interpretation and priorities.