California Privacy Rights Act (CPRA) enforcement is starting: what you need to know

The California Privacy Rights Act (CPRA) is the state’s second data privacy law, which came into effect in 2023. It amends and expands on the California Consumer Privacy Act (CCPA), which came into effect in 2020. While the CCPA was the first state-level data privacy law in the United States, 12 other states have followed suit since with comprehensive data privacy laws. (Florida has also passed a privacy law, but it is much narrower in scope than the other state-level privacy laws, and Nevada also has some narrower and older regulations.)

There has been significant evolution in the data privacy and technology landscapes since 2020, and even in the 15 months between when the CPRA came into effect and when enforcement by the California Privacy Protection Agency (CPPA) commences. The CCPA coming into effect saw a number of class-action lawsuits and other responses, which are likely to be influential over time on updates to the regulations, enforcement, and case law.

We look at the key changes that have come with the CPRA, the requirements to comply — including if you’ve already pursued CCPA compliance — the authorities overseeing enforcement, and how organizations can best be prepared and protect their operations and users’ personal data.

Like the CCPA, the CPRA is extraterritorial, so it protects California residents and applies to any qualifying organization processing their personal data, even if the company is not located in California.

The qualifying thresholds for organizations changed from those set out in the CCPA, and under the CPRA companies meeting the following criteria must comply with the law:

• annual gross revenues exceeding US $25 million in the preceding calendar year

or

• receiving, buying, or selling personal information of 100,000 or more consumers or households

or

• earns more than 50 percent of their annual revenue from the sharing or sale of consumers’ personal information

Under the CCPA there were already controls and restrictions on the sale of personal data. The CPRA adds the sharing of personal data to those rules. This means that in many cases users must be given the option to opt out of both sharing and sale of their personal data. The restrictions apply to sensitive personal data and also to data belonging to minors in order to comply with the CPRA.

There are also restrictions on how personal data can be used for targeted or behavior-based advertising, and profiling used to create such campaigns. Consumers must be able to opt out of this use in most cases in order to comply with the CPRA.

More restrictions on data processing have been introduced with the CPRA, including the access third parties have to it. Any third parties undertaking data processing on behalf of a data controller or otherwise providing services wherein the data can be accessed must have contractual agreements in place before the data processing begins.

The contracts have to cover the new restrictions on disclosure, sharing, sale, purposes for these actions, and exercising of consumers’ rights (like deletion requests or processing opt-outs).

Consulting with qualified legal counsel and/or a privacy expert is strongly recommended when setting up new contracts or reviewing/updating existing ones that may have been put in place for CCPA compliance.

Consumers’ rights have been expanded under the CPRA, so there will be more restrictions on data processing to be enforced. The user consent standards that require it to be “freely given, specific, informed and unambiguous indication of the consumer’s wishes” remain in place. Additionally, use of dark patterns to obtain user consent is specifically referenced and prohibited by the CPRA.

• Right of access:
  • to know whether their personal data, or that of their children, is being collected and processed, and which data it is
  • to know if their personal data is being sold to other individuals or companies
  • to view the personal data collected about them at any time
• Right to opt out of the sale of their personal data
• Right to deletion of personal data collected from them (with some exceptions)
• Right to non-discrimination for exercising their CCPA rights

• Right to correction of inaccurate or incomplete data collected about them
• Right to data portability to receive a copy of their personal data they can take with them from one business, platform, etc. to another
• Right to restrict sensitive personal data, limiting its collection and use, including that of children
• Right to access information about automated decision-making, to request information about automated decision-making (e.g. AI tools) and likely outcomes of using such processes, particularly with regards to profiling
• Right to opt-out of the use of automated decision-making technology with regards to their personal data

Consumers can request their personal data that was collected before the CPRA’s look-back period (the 12 months prior to January 1st, 2023) as long as it’s possible or not unreasonably difficult to provide.

In addition to opting out of the sale of their personal data, consumers can now also opt out of the sharing of it with third parties.
The right to have personal data deleted includes both the company that collected it and any third parties that received, processed, or purchased it (with some exceptions).

Minors’ personal data cannot be shared or sold without explicit consent (from a parent or guardian), and if consent is declined, it cannot be requested again for 12 months.

Under the CPRA, “browsewrap agreements” are no longer allowed. This is when a website has its terms and conditions listed somewhere, potentially not prominently, and the terms state that you agree to them simply by using the website. This violates the requirement that consent be explicit and specific.

Data controllers also need to be able to prove consent, so in addition to being obtained, it must be securely stored and accessible in case of an audit or data access request.

Both the CCPA and CPRA require organizations to ensure that they have robust security processes in place to protect personal data and processing operations. Data controllers are also ultimately responsible for the activities (and any violations) of third-party processors under contract to them.

The “reasonableness” of security efforts depends on the volume and types of data processed, so the greater the volume and/or the sensitivity of it, the more robust the security of staff, contractors, technology, and policies must be.

If the violation is negligence — failure to take reasonable steps to achieve compliance — a company can be fined US $2,500 per violation.

Fines for a willful violation — the company intentionally did something that violated the law — can be up to US $7,500 per violation.

Fines for violations involving minors under the age of 16 have been increased to US $7,500 per violation (from US $2,500) under the CPRA.

Affected consumers are entitled to damages ranging from US $100 to US $750 per person for a data breach. California is also the only state among those in the US with data privacy laws that enables private right of action, where consumers can sue companies for violations that affect them. That right was introduced with the CCPA.

The CPRA eliminated the 30-day cure period that companies could receive under the CCPA to correct noncompliance issues without penalty.

The California Privacy Protection Agency (CPPA) was introduced with the CPRA, and is governed by a five-member board with a Chief Privacy Auditor.

The Agency came into effect with the law in January 2023, and enforcement was scheduled to begin July 1, 2023. However, this was delayed by a legal challenge, and later the start date for enforcement was changed to March 29, 2024. That changed again in February 2024 when an appeals court sided with the CPPA, clearing the way for CPRA enforcement to begin immediately.

Under the CCPA, administration and enforcement was handled by the California Attorney General’s office, though the CPPA has greater influence, jurisdiction, and obligations.

In addition to handling complaints, investigations, audits, and levying fines or other penalties, the CPPA takes over the interpretation of the CCPA/CPRA, which will have long-term influence over establishing how compliance is monitored, violations are punished, and fines are doled out. Its actions will also affect class-action lawsuits that come about as a result of alleged violations.

Mandatory risk assessments and cybersecurity audits for high risk activities are requirements introduced with the CPRA, and those risk assessments have to be submitted to the CPPA.

The CPPA monitors the data privacy landscape around the US and globally, as well as evolving technologies and their applications. This enables it to provide advice and technical assistance to the California state legislature and other jurisdictions. This will also influence updates to California’s privacy laws, or the drafting of future ones.

Organizations that have already done the work of CCPA compliance won’t need to do a great deal more for CPRA compliance. However, there are changes and new restrictions, so it’s important to review the following and update where needed:

• requirements and changes that come with the CCPA and CPRA
• your company’s data processing activities, including a data audit
• your company’s security measures, including staff training and data access
• contracts with any third parties that do data processing for you
• contracts with any other service providers with whom data is shared

Legally-mandated notifications for consumers, such as the content of privacy policies, will need to be updated, and clearly visible opt-out notices for sale or sharing of personal data will need to be present and updated.

You must provide information about what data is processed, for what purposes, who may have access to it, and how long it will be retained. Additionally, consumers must be notified about their rights, how to exercise them, and provided with a mechanism, such as a phone number or web form, to do so.

A consent management platform (CMP) like Usercentrics CMP for web or apps can help ensure that the right information and choices are provided to the right users at the right time. With geolocation functionality, it can also help ensure that you display the right regulatory information to different users around the world, if you do business outside California.

Users can request access to their data, as well as changes to it or deletion of it. Ensure that you have a robust and efficient system to handle data subject access requests. The CPRA does require they be handled within a specific time frame, typically 45 days unless there are legitimate extenuating circumstances.

Data privacy regulation and digital technologies are evolving at an ever-increasing pace, so it’s also important for organizations that process users’ personal data to keep up with what is happening in legislation, with changes to technology, and with consumers’ increasing savvy and concerns about privacy.

We recommend subscribing to the Usercentrics newsletter to get all the latest news from the data privacy landscape, exclusive invitations to our events, and more delivered monthly right to your inbox.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.