User data helps companies better target marketing campaigns, learn more about their website visitors, and optimize online properties. However, if your organization operates in the state of California, you need to collect and process user data in a way that complies with the state’s data privacy laws, or risk fines, legal action, and loss of customer trust and brand reputation.
The California Privacy Rights Act (CPRA) amends and expands the prior California Consumer Privacy Act (CCPA), setting data privacy rights and processing requirements for commercial entities.
We’ve outlined key elements you need to know about the CPRA and created a CPRA compliance checklist to help you achieve and remain compliant, and build trust with your customers.
What is the difference between the CCPA and CPRA?
The California Consumer Privacy Act (CCPA), sometimes also known as “the California GDPR”, is a state-wide data privacy law that regulates how organizations handle the personal information of California residents.
The CCPA was passed in 2018 and went into effect on January 1, 2020. It was the first of the modern, comprehensive data privacy laws to enter into force in the United States. The Act outlines six consumer rights for California residents:
- to learn whether and what data is collected about them
- to know if their information is being sold to or shared with other individuals or companies
- to view the data collected about them at any time
- to prohibit the sale of their personal data
- to request the deletion of the personal data collected from them
- to not be discriminated against for exercising their rights
- to initiate a private right of action against a violator in the event of a data breach
The CPRA took effect on January 1st, 2023, and expands and amends the CCPA. The CPRA added additional consumer privacy rights:
- to request and have inaccurate information collected about them corrected
- to limit the use of their personal information that is categorized as sensitive
- to request information about automated decision-making and the likely outcomes of using such processes, specifically regarding profiling
- to opt out of the use of automated decision-making technology regarding personal information
The CPRA also introduced the California Privacy Protection Agency (CPPA), which is the enforcement agency for the regulations, taking over for the Office of the Attorney General. In addition, the CPRA expanded the scope of the law’s applicability.
What data is protected under the CPRA?
The CCPA and CPRA do take some influence from the EU’s General Data Protection Regulation (GDPR). Both have strict requirements for data processing and privacy rights. However, the biggest difference is that the GDPR emphasizes legal bases for data processing, often requiring user consent prior to any data collection or processing, whereas the CPRA uses an opt-out model. Individuals do not have to give their consent for their data to be collected and processed, but they do have to be able to opt out of it being shared, sold, or used for targeted advertising or profiling.
The CPRA defines personal data as, “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes identifiers like:
- names
- addresses
- email addresses
- Social Security numbers
- account numbers
- internet activity
- professional or employment-related information
The CPRA also introduces a new category of “sensitive personal information” which includes more sensitive data (which could cause greater harm if misused), like:
- passport numbers
- financial account numbers
- precise geolocation
- racial or ethnic origin
- religious beliefs
- contents of emails/text messages
- genetic data
- biometric information
- health data
- information about a consumer’s sex life or sexual orientation
Who does the CPRA apply to?
CPRA compliance is mandatory for any for-profit company that collects, shares, or sells the personal information of California residents and meets at least one of three compliance thresholds. It doesn’t matter if a company is based in California or operates outside of the state.
The CPRA’s compliance thresholds are:
The CPRA does not apply to government entities and most nonprofit organizations.
What are the fines and penalties for CPRA noncompliance?
The California Privacy Protection Agency can pursue civil penalties of up to $2,663 per unintentional violation, or up to $7,988 per intentional violation or violation involving minors.
Consumers also have the right to action if their personal information is exposed to a data breach due to a company’s lack of reasonable security measures. Individuals can sue companies for violations that affected them and seek statutory damages between $107 and $799 per incident. To date, California is the only US state with privacy laws allowing this.
Ensure your business is CPRA-compliant with a free CPRA compliance checklist
CPRA compliance can be complex, and in some areas, the law outlines requirements, but not clear steps to achieve compliance with them.
Usercentrics has compiled a free and detailed CPRA compliance checklist for the steps companies need to complete, along with best practices, when working toward achieving and maintaining CPRA compliance.
This CPRA compliance checklist covers key areas to address, from data collection and storage to individual rights and breach reporting.
Your CPRA compliance checklist
These steps will help you achieve compliance with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), which apply to and protect residents of California. The checklist also includes recommended best practices for data privacy-related user experience.
Step 1: Determine if your company is required to comply
If your for-profit organization:
- has gross annual revenue that exceeds USD 26,625,000 for the preceding year, or
- buys, sells or shares personal data from 100,000+ California consumers or households annually, or
- derives at least 50% of annual revenue from selling or sharing the personal data of California consumers
Important to know: The CCPA was expanded and amended by the CPRA, which came into effect January 1, 2023. From July 1, 2023, it applies retroactively to the processing of personal data back to January 1, 2022.
Step 2: Create a comprehensive Privacy Policy
- Purpose: Inform consumers at or before the point of data collection:
- how data is collected
- how long collected data is retained
- categories of personal data collected
- purposes for which data is collected
- whether data collected is sold to or shared with third parties
- the third parties with which data is shared
- Rights: Inform website visitors of their privacy rights and how to exercise them.
- Language: Ensure the Privacy Policy is clear and easy to understand, which includes availability in the languages in which your business provides information in California.
- Implementation: Implement a privacy notice with information about data use, consumers’ rights and user options, like consent opt out. Enable consumers to exercise rights, like opting out, via a banner or pop-up when users visit your site, e.g. with a Consent Management Platform.
Step 3: Inform users about their rights
Consumers’ rights under the CCPA:
- Right to Know: what personal data is collected and how it is used or shared
- Right to Delete: personal data that has been collected about them (with exceptions)
- Right to Data Portability: copy of personal data must be provided in a portable and readily useable format
- Right to Non-discrimination: for exercising privacy rights
- Right to Opt Out: of the sale or sharing of their personal data
- Right of Minors: consent must be obtained from a parent/guardian before children’s personal data is collected
Additional rights under the CPRA:
- Right to Correction: updates or corrections to inaccuracies in personal data collected
- Right to Know about Automated Decision-making: request information about automated decision-making and likely outcomes of using it, specifically with regards to profiling
- Right to Opt Out of Automated Decision-making: refuse use of automated decision-making technology with regards to personal data
- Right to Restrict Use of Sensitive Personal Information: limit the collection or use of personal data the law classifies as sensitive
Step 4: Review and update your Privacy Policy every 12 months
- Review your operations and potential changes in the law every 12 months. Update your Privacy Policy information and its effective date. Effective date should be updated even if you don’t make any other changes to the Policy.
- Transparency: Ensure that the information that users must be notified about is clear, comprehensive and up to date. Ensure that the date of the last update is clearly visible.
- Data sold: List all the categories of personal information that your business has sold in the past 12 months.
Step 5: Re-offer opt in consent every 12 months
- If the consumer has opted out, you can present the option to opt in again after 12 months.
Step 6: Include a clear and conspicuous “Do Not Sell Or Share My Personal Information” link (opt out)
- Availability: Easily accessible on your website homepage.
- Method: Via the use of a Consent Management Platform (CMP).
Step 7: Authenticate consent for collection of sensitive personal data or data from minors
- Sensitive Personal Data: Provide a clear “Limit The Use of My Sensitive Personal Information” link to enable opt out.
- Minors’ Consent: Obtain explicit consent (opt-in) from the data subject before processing the personal data if the data subject is between the ages of 13 and 16.
- Parents/Guardians: Obtain consent from a parent or legal guardian for collection of personal data if the data subject is 13 or younger.
Step 8: Enable consumers to make Data Subject Access Requests (DSARs)
- Provide at least 2 contact options, e.g. toll-free phone number, web form, email.
- Set up a system to enable submission of DSARs.
Step 9: Set up a system to verify Data Subject Access Requests (DSARs)
- Enable consumers to attach documentation when submitting a request, to enable secure verification of their identity and residency.
- Set up a system to enable submissions for verification requests.
- If your business cannot reasonably verify the consumer’s identity to the appropriate degree of certainty, it must inform the consumer and explain why the request could not reasonably be verified, and enable the consumer to rectify.
Step 10: Keep track of Data Subject Access Requests (DSARs)
- Set up a system to track all requests.
- Time period: keep records of all requests and your business responses for 2 years
Step 11: Fulfill Data Subject Access Requests (DSARs)
- Standard time period: within 45 days.
- Extended time period: up to 90 days.
Get all the details about the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) in our comprehensive overview.
