CPRA Requirements

If you work in California or sell to Californians, you may need to comply with the California Privacy Rights Act (CPRA). This is yet another data privacy law that Californian businesses need to be aware of.

In addition to businesses in California, U.S. and international businesses may also have to follow the rules.

CPRA is commonly known as CCPA 2.0 due to its similarities with the California Consumer Privacy Act (CCPA). However, it is not an amendment to the California data privacy law. It is a separate law that creates obligations for companies along with the CCPA and CalOPPA (CPRA Full Text Summary).

It was approved by California voters to expand consumer rights and business obligations regarding data privacy. Although it is not as tough as the General Data Protection Regulation (GDPR) of the EU, it brings novelties that have not been seen before in the US. Yet, it shares more similarities with the existing California laws and the privacy laws recently passed in other US states, such as Colorado, Virginia, Utah, and Connecticut. See the main differences between CPRA and GDPR.

This article will give you an idea of what the CPRA requires from your business, what you need to do to achieve CPRA compliance, and what could happen if you do not comply.

Before diving deep into that, you first need to determine if the CPRA applies to your business.

Does California Privacy Rights Act (CPRA) Apply to My Business?

CPRA does not apply to all businesses. It applies only to companies connected to California that meet at least one of the prescribed thresholds.

The connection to California mandates that the company either:

• Operate from California, or
• Offer products or services to Californians.

If your business is based in California or sells to people in California, CPRA will apply if at least one of the following thresholds is met:

• Your annual gross revenue (from January to December) is $25 Million or more. This criterion does not require any further explanation.
• At least 50% of your annual revenue comes from selling or sharing personal information. It doesn’t matter how much your revenue is. All that matters is what percentage of it is due to sales or data sharing. If you earn $100k per year, but $60k of your profits come from selling or sharing users’ personal information, your company must comply with the CPRA. This criterion covers data brokers, data scrapers, analytics tools, and businesses that rely on processing consumer data and providing it to someone else.
• You buy, sell, or share with third parties the personal information of at least 100.000 California residents of households. This is where many businesses may fall easily under the scope of CPRA. Aside from buying and selling data for money, CPRA includes sharing data for cross-context behavioral advertising to be sharing cross-context behavioral advertising to share data with a third party. This means that if your Google Analytics cookies, Facebook Pixel, Twitter Pixel, or a similar tracking technology collects the personal information of at least 100.000 Californians, CPRA applies to you. Simply put, once you have registered 100.000 unique visits in Google Analytics, you need to consider and comply with the CPRA requirements discussed in the rest of the article.
  

What is CPRA Personal Information?

CPRA personal information is any information that could describe a person or reasonably relate to a person or household. This includes most of the usual categories of personal information and the online identifiers that could be linked to them.

Some categories of CPRA consumer data include name, home or email address, phone number, IP address, and so on.

If you are familiar with the CCPA, you’ll notice that it also covers these data categories. CPRA goes a step further by clearly defining sensitive personal information.

What is CPRA Sensitive Personal Information?

CPRA prescribes stricter requirements for the handling of sensitive personal information. To avoid confusion regarding sensitive personal data, the law provides a clear definition of that.

CPRA sensitive personal information includes personal information that reveals:

• Social security number, driver’s license number, state identification card number, or passport number
• A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
• Precise geolocation
• Racial or ethnic origin, religious or philosophical beliefs, or union membership
• The contents of a consumer’s email and text messages (except where the consumer communicates with the business)
• Genetic data
• The processing of biometric information to uniquely identify a consumer
• Health data
• Sex life or sexual orientation data.
  

What Are the CPRA Requirements for My Business?

CPRA is similar to the CCPA, yet there are some differences that you need to take into account in your efforts to comply with it and stay away from penalties.

The CPRA stipulates the following business requirements:

Provide Consumers with a Privacy Notice

You need to inform users about how you handle their data, and you can do so by serving them with a privacy notice. It has to contain some essential elements, such as:

• Which data you process
• The business purpose for processing
• Disclosure of sensitive personal information processing
• Consumer rights
• Categories of third parties with whom data is shared
• How to opt out of the sale of personal information
• How to limit the processing of their data
• The effective date of the notice
• Data retention period, and others.

Having your privacy notices crafted well and tailored to your business is vital because a non-compliant notice may lead to penalties. If you don’t inform consumers about the intended use of their personal information and you process it, you’re non-compliant according to the CPRA regulations. So, ensure that you have a CPRA privacy notice written in language that is easy to understand for the average internet user.

Use the Collected Personal Information Only for The Intended Purposes

You cannot collect personal information just because you may need it for something in the future. You need to know why you collect and process it only for the intended purpose.

If you want to process data for another purpose, you need to obtain explicit consent from the consumer. That’s why it is essential to have a well-crafted privacy notice.

Collect Consent for Processing Data for a New Processing Purpose

Let’s say your fitness app processes users’ health data because that’s what the app is for. Now you want to segment users based on fitness performance and offer them different app features at a price. That means that you wish to process health data for marketing purposes. If you didn’t tell users that you would use their health information for marketing before you collected it, you need their permission to use it for marketing. Learn about Cross-Context Behavioral Advertising under the California Privacy Rights Act (CPRA).

The Data You Process Must Be Adequate for the Processing Purposes

There must be some proportionality between your goals and the amount and categories of data you process. For example, suppose the user provided you with their email address to get customer support. In that case, you cannot use it for retargeting them with other products and services all over the internet. That is not a proportionate use of personal information. Or, if your app requests access to the user’s contact list to allow them to call someone else’s number, you cannot use that information to market your app to the numbers in such a contact list.

Request Explicit Consent from Minors for the Sale or Sharing of Their Personal Information

You must not sell minors’ personal information without consent. If the minor is between 13 and 16 years old, you need consent from them. If they are younger than 13, you need consent from the parent or guardian.

To get a valid opt-in, you need explicit consent, which is:

• Freely given, without any conditions.
• Specific for the sale or sharing of personal information
• Informed so that the consumer or their parent/guardian know what they consent for
• Unambiguous, which means taking action to confirm consent.

As a result, relying on a consent notice saying, “By browsing this website, you agree to the use of cookies and the processing of your personal information,” is no longer valid regarding minors’ data. You need to ask for consent, tell them what it is about, and wait for their affirmative action before collecting any data you intend to sell or share. You need a GDPR-like consent request: “This website uses cookies to process children’s personal information.” Do you agree to the sharing of your or your child’s information? "Read more in our privacy policy.” Then, you have to wait for them to click the ACCEPT button.

Honor Consumer Requests

Your consumers can submit requests to you anytime, and you must honor these requests. Requests are consumers’ tools to exercise their right to know, right to access, right to deletion of data, right to opt-out of profiling or the sales of their data, to limit the use of their personal information, and others.

The CPRA grants the following rights to consumers: 

• Right to know about the personal information that businesses process or sell to other parties;
• Right to delete their personal information, which also requires businesses to notify third parties with whom they have shared data about the deletion;
• Right to opt-out of the sale of the consumer’s data to third parties;
• Right to opt-out of the sharing of the consumer’s data with third parties;
• Right to limit the use or disclosure of their sensitive personal information;
• Right to non-retaliation for exercising their rights;
• Right to data portability;
• Right to correction of inaccurate personal information.

Some of these are new rights that were not part of the CCPA, but some expand on what has already been granted by the other California privacy law.

The CPRA, just like the CCPA, requires you to have a method for consumer identity verification in place. You must ensure that you provide access to the right person. Otherwise, you may become a victim of a data breach.

To avoid such scenarios, train your staff to handle consumer requests. We have courses covering everything about CPRA and CCPA so that your employees know what to do in any given situation and save you from penalties.

Do Not Penalize Consumers for Exercising Their CPRA Rights

You must not penalize or discriminate in any way against consumers who exercise their consumer rights. They have their rights, and you must honor them.

Any discrimination against someone who submits consumer requests or limits the sale or sharing of their personal information will put you in legal trouble.

Add Processing Limitation Mechanisms on Your Homepage

Process sensitive personal information, such as health data, financial data, personal information related to political views, ethnic or racial origin, and other sensitive data. You must allow consumers to limit their use of such information.

You can comply with this requirement by providing them with a limitation mechanism that says, “Limit the use of my sensitive personal information.”

Consumers can also require you not to sell or share their personal information for cross-contextual advertising. You can comply with it by providing them with a “Do Not Sell or Share My Personal Information for Cross-Context Behavioral Advertising” mechanism on the website.

The CCPA obliges you to include a “Do Not Sell My Info” mechanism if you sell consumers’ personal information. If you do both—sales of data and processing of sensitive data—you need both tools for compliance with California privacy laws.

Take Measures to Prevent Data Breaches

Every business should take adequate technical and organizational measures to prevent data breaches because they severely hurt its reputation. Not taking such steps also leads to violations of the CPRA.

You need to estimate the risks to your data and decide what measures are adequate to prevent breaches. You also must conduct regular risk assessments to determine whether you process sensitive personal information and whether the benefits of processing outweigh the risks to consumers, the public, and your business. You must submit such assessments to the California Privacy Protection Agency.

Also, if you handle sensitive personal information, you must do cybersecurity audits at least once a year, such as penetration testing, ethical hacking, etc. 

Ensure That Your Service Providers Meet the CPRA Requirements

Service providers are companies that process personal information on behalf of other companies. SaaS companies that process some of their clients’ data are service providers. Businesses, in their contracts with service providers, are required to:

• Specify that the personal information is sold or shared for limited purposes;
• Oblige the service providers to protect the personal information they’ve been sold or shared with;
• Ensure that the service provider complies with the contractual obligations;
• Require the service provider to notify them if they are no longer able to meet the contractual requirements;
• Ensure mechanisms for taking reasonable steps to stop and remediate the unauthorized use of personal information;
• Ensure that the service provider implements adequate measures for data protection and security.
  

What Other CPRA Requirements Can We Expect in the Future?

The CPRA allows the California Attorney General to pass CPRA regulations (in the same way the GA passes CCPA regulations) to ensure the proper implementation of the law. As a result, we can expect new requirements to allow service providers to use the provided data for their commercial purposes under certain circumstances, establish how often a consumer can submit a consumer request, or determine the opt-out requirements related to automated decision-making and profiling.

What Are the CPRA Exemptions?

CPRA does not apply where:

• The business must comply with legal obligations, most often related to criminal investigations
• Deidentified or aggregate data is processed.
• The sale, sharing, or collection of data happened outside of California (if the consumer is outside of California and the data never reached the Golden State)
• Personal information is collected in clinical trials
• Personal information is collected in an emergency
• Personal information processed is under the scope of the California Confidentiality of Medical Information Act, Fair Credit Reporting Act, Gramm-Leach-Bliley Act, California Financial Information Privacy Act, the Federal Farm Credit Act, or the Driver’s Privacy Protection Act.

There are several other exemptions, but these are the most important ones.

What Are the CPRA Fines for Non-Compliance?

The CPRA fines are the same as the CCPA fines: up to $2,500 for violations per consumer and up to $7,500 for intentional breaches per consumer.

Gross violations of the law, like not responding to customer requests, would be examples of intentional violations.

Although these administrative fines may seem low, they can quickly add up. These are fines per consumer, so if there are 100 consumers involved in the violation, that means a fine of up to $750,000.

On top of that, the court may order statutory damages for consumers. They have a private right of action that could lead to imposing such payments.

The money from the administrative fines goes to the Consumer Privacy Fund. The California Attorney General, the California Privacy Protection Agency (CPPA), and the state courts will use this fund to pay for the costs of their enforcement actions. 

What Are CPRA Statutory Damages for Data Breaches?

Consumers have the right to statutory damages in the case of a data breach, but not every data breach.

The right applies only if the data breach where:

• The personal information breached is email in combination with a password or security question and answer or nonencrypted and nonredacted personal information, and
• The breach led to unauthorized access and exfiltration, theft, or disclosure due to the business’s violation of the duty to implement and maintain reasonable security measures.

This means that consumers have the right to compensation only:

• Concerning certain breaches,
• Where the breach led to data being disclosed, and
• The business failed to implement reasonable measures.

Consumers have no right to statutory damages if these conditions are not met. However, if all three are met, they have the right to collect between $100 and $750 from the liable company. The court may also order a relief.

Who Enforces the CPRA, and Who is the CPRA Rulemaking Authority?

The CPRA brings one important novelty regarding law enforcement: it establishes the California Privacy Protection Agency (CPPA) to enforce the CPRA.

Unlike the enforcement of the CCPA, the CPRA does not allow for a 30-day cure period. Once the CPPA determines that your company violated the law, they’ll proceed with the fines. You won’t get the chance to get things straight before getting hit on your finances.

How to Achieve CPRA Compliance?

You can achieve CPRA compliance by meeting the requirements. This means that you need a compliance program that will ensure to:

• Process only the necessary personal information (data minimization principle)
• Process data only for specific purposes
• Review and update your privacy notice
• Review and update your contracts with the service providers
• Have a “Limit the use of my sensitive personal information” mechanism on your website
• Have a “Do Not Sell/Do Not Share My Personal Information for Cross-Context Behavioral Advertising” mechanism on your website
• Have a procedure to honor consumer requests and methods for consumer verification
• Train your staff to handle CPRA
• Conduct regular risk assessments and cybersecurity audit to ensure that the sensitive personal information you process is not under serious threat of a data breach