CPRA for Business: Why Is CCPA Not Enough?
As is well known, the United States is a federal state. This means that in addition to federal legislation, each state has its own set of laws and regulatory acts, and these intertwine with one another (complementing each other, and sometimes conflicting or contradicting). In practice, this means that a company must comply with the personal data protection legislation of all 50 states in order to ensure comprehensive compliance.
To facilitate compliance and the freedom to do business across state lines, many states harmonize their legislation. It is the state of California, however, that has taken the most significant step in strengthening personal data protection legislation.
This article:
- Explains the relationship between CPRA and CCPA;
- Explains the importance of compliance with California personal data protection laws;
- Helps companies update their personal data protection policies.
CPRA v. CCPA
CPRA and CCPA are California personal data protection laws in the USA.
CPRA is an abbreviation for the California Privacy Rights Act, also known as CCPA 2.0.
Does this mean a new personal data protection law has been issued? No, it does not. The California Consumer Privacy Act (CCPA) has been amended by Proposition 24. With these amendments, the act is called the CPRA; it is written so as to expand the existing provisions of the CCPA or supplement them with new ones.
In short, it is worth paying attention to, as it entered into force on January 1, 2023.
We have compiled the most frequently asked questions so that your company can check and ensure compliance with the new requirements.
Read more: CCPA (California Consumer Protection Act): What Are the Requirements and Conditions for Compliance?
Why Is CCPA Not Enough?
Nothing is perfect. The CCPA likewise does not extend its reach to all privacy protection requirements. As a result, the CPRA expands the existing provisions of the CCPA and provides better regulation of personal data protection rights, taking into account the best principles of the General Data Protection Regulation (GDPR).
What Is New?
Quite a lot!
New definitions of “sensitive personal data” and “consent,” similar to those defined in the GDPR
First of all, the definition of “personal data” has changed. The CPRA adds a new term to the CCPA, namely “sensitive personal data.” Examples of sensitive personal information include: SSN, driver’s license numbers, biometric information, precise geolocation, and racial and ethnic origin.

The introduction of this new term is necessary to ensure high-quality protection of rights and to prevent situations similar to that described in the case of Atachbarian v. Automatic Funds Transfer Services, Inc., which was examined under the CCPA. The essence of the case was that vehicle registration records contained the names, addresses, license plates, and vehicle identification numbers of California vehicle owners (a reminder that this type of information constitutes sensitive personal data under the CPRA). The court concluded that Automatic Funds Transfer Services violated its obligation to maintain reasonable personal data protection procedures by failing to take into account the nature of the information in question.
Businesses may use sensitive personal data in the cases established by the CPRA (for example, for business purposes, including non-personalized advertising). This type of information may also be used for other purposes, but only if the business’s website provides one of the following: a dedicated “Limit the Use of My Sensitive Personal Information” link; a single link that combines this with the opt-out of data sale; or either of these together with an automated signal offering the possibility of such an opt-out.
In addition, the CPRA changes the definition of “consent,” bringing it closer to that established by the GDPR. In particular, consent is to be understood as a freely given, specific, informed, and unambiguous expression of will. It follows that consumers should fully understand who is collecting data, for what purpose, and what data is collected, and that consent must be expressed as a genuine agreement that is not imposed by the other party.
The new definitions therefore compel businesses to pay particular attention to a specific type of personal data and require the implementation of additional protective measures.
The Range of Data Subject Rights Is Expanding
One of the most sensitive parts of personal data protection regulation is consumer rights.
The CPRA provides for four new rights, as well as expanding five that already exist.
Changes to rights already defined by the CCPA:
- Consumers will have the right to withdraw their consent to the sharing of data. This concept means that a business must provide a consumer with the ability to withdraw their consent to the sharing of personal data with third parties for the purposes of cross-context behavioral advertising;
- The right to request and receive personal information covering the preceding 12-month period still exists, but a request may now reach beyond that timeframe unless responding to it for the longer period is impossible or requires disproportionate effort (California Civil Code 1798.130);
- The right to deletion of personal data becomes broader: businesses will be required to send requests for deletion of a person’s personal data to third parties that received such information;
- Another person will be able to receive a consumer’s personal information, provided the consumer has made a request to the business to that effect (previously only the consumer could receive information at their own request);
- Minors are granted the right to express consent regarding the sharing of personal data for cross-context behavioral advertising.
New rights:
- The right to correction of inaccurate personal data;
- The right to limit the use and disclosure of sensitive personal data;
- The right to receive information regarding automated decision-making technologies;
- The right to withdraw consent to be a subject of automated decision-making technology, including profiling.
As is well known, where one party has rights, the other party will in most cases have corresponding obligations. All of these consumer rights place an additional burden on businesses to ensure that the aforementioned rights and interests are not violated. It follows that ensuring their protection reduces the risk of penalties for data controllers and processors.
New Requirements for Recognizing a Legal Entity as a Business
Speaking of the other party to these legal relations — the business — it is worth noting several new developments. For example, the CPRA provides a new definition of “business” and sets out the requirements an entity must meet to qualify as one. A legal entity that operates for profit or other financial gain and is involved in the collection of personal data must meet at least one of the following criteria:
- Has annual gross revenues exceeding $25 million in the preceding calendar year. The phrase “in the preceding calendar year” was added in comparison with the CCPA;
- Alone or in combination, buys, sells, or shares the personal data of 100,000 or more consumers or households. This doubles the threshold set by the CCPA;
- Derives 50% or more of its annual gross revenues from selling or sharing consumers’ personal data. This change exists because the CPRA extends the right to opt out to “sharing” as well.
If a commercial legal entity does not meet any of these criteria, it is not considered a business within the meaning of this act, and the CPRA will not apply to it (this is the case for some small and medium-sized businesses).
Incorporation of GDPR Principles into California Legislation
The CPRA incorporates several GDPR concepts that were not mentioned in the CCPA. Let us look at examples:
- Data minimization: the volume of data collected must be necessary for, and proportionate to, the purpose to be achieved;
- Purpose limitation: the reasons for collecting information must be compatible with the stated purpose;
- Storage limitation: information may be stored only for a period that is no longer than reasonable and necessary for the specific purpose.
These principles may seem ephemeral, but if a business does not take them into account, the state regulator will have grounds to impose liability.
Privacy Protection Agency
The CPRA establishes a new privacy protection body — the California Privacy Protection Agency. The new body has investigative, enforcement, and rulemaking powers. However, do not worry: the Attorney General will only fine a business after the expiry of a 30-day period from the date of the violation.
Our findings can help your business identify everything it needs to know about the new personal data protection legislative requirements.
What Should You Do to Comply with the New Requirements Established by the CPRA?
- Verify the business’s compliance with the new requirements;
- Review the categories of information for whose processing the business must obtain consumer consent;
- Keep in mind the minimization of data retention periods and of the volume of data collected, and its proportionality to the purpose for collecting it;
- If the business stores sensitive personal data, put special protective measures in place. For example, the hypothetical Company A placed a “Limit the Use of My Sensitive Personal Information” link on its website and added an option to withdraw consent to the sale of data;
- Update personal data protection notices to reflect the new requirements;
- Notify third parties when addressing matters relating to the sharing of personal data.
We have tried to present this information as accessibly as possible, but if you have any questions, please do not hesitate to ask us.
A business that complies with these requirements gains many advantages. The most important are client trust and loyalty, which can ensure the company’s prosperity.
Legal IT Group helps businesses comply with the requirements of the California Consumer Privacy Act (CCPA) and implement them into daily activities. The team prepares a complete package of documents for working with consumer personal data, reviews agreements, policies, and technical procedures to ensure they align with the provisions of the CCPA. Legal IT Group conducts gap assessments, audits existing processes, and develops a CCPA Compliance Program that also takes into account the GDPR and other current data protection requirements.