The California Consumer Privacy Act (CCPA) is a US privacy law that came into effect in January of 2020. It was created after the GDPR, a sweeping European Union law governing data protection and privacy. As an addendum to the CCPA, the California Privacy Rights Act (CPRA) goes into effect in January 2023. Because California is the most populous state, with nearly 40 million residents, many businesses may find themselves scrambling to understand how to maintain their customer base in California under the new privacy rules.
The CCPA and CPRA are the frontier of privacy regulation in the United States, and come 2023, they will function as one law. Here we look at how they work together and why it is important to start treating the two as a single law now.
What is the California Privacy Rights Act?
The California Privacy Rights Act was added as an addendum to the CCPA in late 2020, establishing a lookback period to January 2022. Data collected from that date onward is therefore subject to its compliance requirements. It is important to understand now what the CPRA is, how it affects you, and how you can become compliant before 2022.
Because the CCPA/CPRA are the frontier of US privacy regulation, other states are starting to create privacy laws that match them (and the GDPR) to protect consumers from having their private data tampered with in any way. Some of the states following suit include Washington, Virginia, and New York. It might make sense for businesses to treat all consumers the same (regardless of residency) and create policies that establish a robust data protection compliance approach.
More often than not, consumers feel that their personal data is not adequately protected and is falling into the wrong hands. Data is a profitable resource, and consumers would rather not have their private data collected, bought, and sold without their permission. For this reason, data privacy has become a primary topic in protecting the rights of consumers online and off.
Who Does the California Privacy Rights Act Apply To?
Businesses need to meet one of these three thresholds to be subject to the CPRA:
- The business derives at least 50% of annual revenue from sharing or selling the personal information of California consumers.
- The business has a gross annual revenue of over $25 million.
- The business buys, sells, or shares the personal information of more than 100,000 Californian consumers or households.
Even if you maintain an e-commerce website or online business that operates outside of California, you will need to be aware of the CPRA because your business may still handle the personal information of California residents.
The CPRA also regulates the selling and sharing of personal information with third parties for targeted behavioral advertising, a major part of the new addendum that could bring many more businesses into scope. For these reasons, you may need to consult your attorney to determine whether or not you are required to be CCPA/CPRA compliant.
Personal Information & Sensitive Personal Information under the CCPA/CPRA
Personal information includes identifiers such as a consumer’s name and address, as well as their political opinions and any records kept on them. The CCPA further expands the definition of personal information by including any tracking information, such as geographical location and “cookie” tracking information on websites. It also includes any information that can be linked to the consumer’s devices or household. This creates a broad definition of the consumer (differing from the GDPR, which covers only information that links to natural persons, not their devices or household).
The CPRA addendum also added a new category of Sensitive Personal Information. This category includes things like a consumer’s social security number, state identification card, passport number, biometric data, and more. Religious and philosophical beliefs as well as sexual orientation also fall under the purview of sensitive personal information. This information is regulated separately from regular personal information, with expanded rights attached to it.
The New Agency for Enforcing Data Privacy in California
The California Privacy Protection Agency (CPPA) is the data protection authority that will be established under the CPRA as of July 1, 2023. The new agency will replace the California attorney general as the enforcement authority for the CPRA.
The agency will have the authority to investigate and collect fines for compliance violations, and it will have a grant fund for educational purposes. Starting in 2023, the CPPA can fine organizations $2,500 for violations pertaining to individuals or $7,500 for violations pertaining to minors.
Rights for Consumers under CPRA
Much like the GDPR, the CPRA sets out several rights for consumers regarding their personal data. Businesses subject to the CPRA will need to become familiar with these rights and how to uphold them.
- Right to correction: Consumers can correct their personal data if inaccurate.
- Right to opt-out of automated decision making: Consumers have a right to opt-out of targeted profiling either in employment review or in advertising.
- Right to know about automated decision-making: Consumers and employees have a right to access the logic used in justifying automated profiling.
- Right to limit the use of sensitive personal information: Consumers can opt-out of having their sensitive personal information collected.
- Right to delete: Consumers have a right to have their information deleted.
- Right to opt-out: Consumers have a right to opt-out from having their data collected or stored.
- Rights of minors: Consent is required from minors under 16 to opt in to data collection, and if a minor has declined once, collectors must wait twelve months before making another request.
- Right to data portability: Consumers have a right to move, transfer, or copy personal data to different platforms.
CPRA and Similarities with GDPR
With the addition of the CPRA, California’s privacy legislation now bears a stronger resemblance to the GDPR. Both outline a number of rights for individuals to control their own data and privacy, and both laws established new entities to act as enforcement authorities.
Also, starting in 2023, the CPRA brings California’s data privacy rules a little closer to the GDPR by adding three additional requirements:
- Data minimization: Only the amount of data that is necessary for the stated purpose can be collected.
- Purpose limitation: Data can only be collected for the purpose stated.
- Storage limitation: The consumer must be notified about the retention time of collected information at the time of its collection.
CCPA Compliance Tips for Businesses
Many CCPA compliance requirements overlap with popular security frameworks and best practices for data protection. If you’re just getting started, these are some essential items to have at the top of your checklist:
- Know where you store your data, ensure that it is properly safeguarded, and perform risk assessments to confirm that it is protected. You will have to do this under the California Privacy Protection Agency’s mandate, so it is good practice to establish now.
- Don’t keep any data you do not need and destroy it after it has fulfilled its purpose.
- Enforce security best practices, such as multi-factor authentication for logins.
- Update your privacy policies to reflect requirements by the CCPA/CPRA.
How Carbide Can Get You CCPA Compliant
Carbide’s all-in-one information security management platform helps teams develop, implement and maintain a robust security program to prove their compliance with industry security frameworks like CCPA, HIPAA, SOC 2, GDPR, and more. Talk with our team to learn how we can help you get started on your path to CCPA compliance and prepare a strong security foundation you can build your business on, no matter what laws and regulations come down the pipeline.