CPRA for business: why the CCPA is not enough
As you may already know, the U.S. is a federalist state. It means that, except the federal-level legislation, each State has its own corpus of laws and regulations that are intertwined (complementary, and often contradictory and conflicting). In practice, such legal arrangement means that the company should comply with all 50 state-level privacy laws and federal statutes to ensure the overall compliance. To facilitate compliance and flow of services and freedom of trade between different states, many states harmonize their laws. However, the State of California stepped up with the initiative to strengthen privacy laws.
- explains the relationship between the CPRA and CCPA;
- describes importance of compliance with the Californian privacy laws;
- helps update data protection policies of your organisation.
CPRA v. CCPA:
CPRA and CCPA are privacy rights laws in the state of California in the United States. CPRA is an abbreviation of California Privacy Rights Act and also known as CCPA 2.0. Does it mean that there is a new privacy rights law? No, it does not. The point is that California Consumer Privacy Act (CCPA) is amended by Proposition 24. These amendments are called CPRA and written in the way that expand existing provisions of the CCPA or add new ones.
In short, keep an eye on it because the CPRA is going into effect on January 1, 2023.
We have collected the most frequently asked questions to self-check and ensure your organization’s compliance.
Why the CCPA is not enough?
Nobody is perfect. Therefore, CCPA covers not all the necessary parts of privacy protection requirements. As a result, the CPRA is supposed to extend provisions of the CCPA and provide better privacy rights regulation, bringing in the best GDPR’s principles.
There is a lot!
- GDPR-like definitions of “sensitive personal information” and “consent”:
First of all, definition of “personal information” is changed. The CPRA adds a new term to the CCPA, namely the “sensitive personal information”. Examples of sensitive personal information include the SSN, driver license numbers, biometric information, precise geolocation, and racial and ethnic origin.
The implementation of this new term is necessary to provide higher-quality protection The essence of the case is that vehicle registration records contained the names, addresses, license plate numbers and vehicles identification numbers of California drivers (such kind of information is considered as sensitive personal information under the CPRA). There is a conclusion that Automatic Funds Transfer Services violated obligation to provide reasonable security procedures, not considering a nature of the information.
Business can use sensitive personal information in set of purposes established in the CPRA (e.g. “business purposes”, non-personalized advertisement in particular). Moreover, there is a possibility to use such information for other purposes, but a “Limit the Use of My Sensitive Personal Information” link, this one link which include a sale opt-out link or the last one combined with the automatic opt-out preference signal must be provided on the business’s homepage.
Besides, the CPRA changes a definition of “consent” bearing it to a standard similar to that of the GDPR. Namely, a consent is “freely given, specific, informed and unambiguous indication”. As it follows, consumers should have a clear understanding of the entity collecting data, its purpose, the amount of data, and that a consent should be offered as a true choice not imposed by the other party.
Hence, the new definitions make a business to pay close attention to the specific kind of personal information and requires providing extra protective measures.
- Data subjects receive extended rights:
One of the most sensitive part of privacy protection relations is consumer’s rights.
Under the CPRA, there are four new ones; also, five privacy-related rights will be extended.
The new features of the CCPA rights:
- Consumers will have a new sharing opt-out right. This concept means that business must provide consumers an opportunity to opt-out of sharing personal information to third parties for cross-context behavioral advertising;
- Right to request and receive personal information in a period of 12 months still exists, but can be realized among this period “unless doing so proves impossible or would involve a disproportionate effort” (California Civil Code § 1798.130);
- Right to delete personal information becomes more extended: business will have to send a request to the third parties that received personal information to delete that data.
- Another entity will be able to receive consumer’s personal information if consumer requests it from business (previously only consumer could receive it at their request).
- Minor’s opt-in right includes sharing personal information for cross-context behavioral advertising.
The new ones:
- Right to correct inaccurate personal information;
- Right to limit use and disclosure of sensitive personal information;
- Right to access information about Automated Decision-Making;
- Right to opt-out of being a subject of Automated Decision-Making technology, including profiling.
As a matter of fact, if one party has rights, the other party in most cases will have obligations. All of these consumers’ rights bind businesses with additional burden to ensure that such rights and interests will not be violated. It follows that providing their protection reduces the risk of penalizing data controllers and processors.
- New requirements for being recognized as a business:
Speaking about the other party of the relation, business, there are a few novelties. For instance, there are a new definition of business and its requirements in CPRA. It means that a legal entity, which operates for profit or financial benefit and involves collecting of personal information, should meet at least one of the following criteria:
1) Has an annual gross revenue of over $25 million in the preceding calendar year. A phrase “in the preceding calendar year” is added compared to the CCPA;
This change exists because the CPRA extends opt-out right by “sharing” term.
If a commercial legal entity does not fell under such criteria, it will not be considered as a business. It means that the CPRA will not be applied (possibility of it exists for some small and midsize businesses).
- Incorporation of the GDPR principles into California legislature:
The CPRA includes a few of the GPDR’s concepts, while there are not said principles in the CCPA. Let’s see the examples:
Data minimization: it is about necessity and proportionality of amount of collecting data to achieve purposes.
Purpose limitation: reasons of collecting information have to be compatible with purposes of it.
Storage limitation: this concept stands for retaining information for a period of time that has to be no longer than it is reasonably necessary for that particular purpose.
It sounds ephemeral, but if business don’t meet such principles, a state regulator can penalize it.
- Privacy enforcement authority:
The CPRA establishes the new brand privacy enforcement authority, the California Privacy Protection Agency. New privacy enforcement authority has investigative, enforcement and rulemaking powers. However, don’t be so worried. The Attorney General will fine business only after expiration of a 30-day cure period since violation.
However, our summary can help your business to find out all the necessary information about new privacy protection legislation requirements.
What you have to do to meet with new requirements established by the CPRA?
- Check the business definition requirement;
- Review the information in order to process which a business must receive consumer’s consent;
- Remember about minimization of retention of data, amount of data and proportional purpose of collecting such information;
- If your business stores sensitive personal information, provide special protection measures like an imaginary Company A. It established a “Limit the Use of My Sensitive Personal Information” link on business homepage. Moreover, it added to that a sale opt-out link;
- Update privacy notices considering new data protection requirements;
- Notice third parties while review data-sharing cases.
We tried to make it clear for you, but if there are any questions, please don’t be shy to ask us.
If a business reaches those requirements, it will receive many benefits. The most crucial is customers’ trust and loyalty, which may lead to company’s prosperity.