Acronyms such as the CCPA, GDPR and CPRA have become all too common today. When the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, the legislation started a conversation amongst businesses dealing with California residents regarding how to adapt and comply with what’s considered one of the harshest pieces of consumer-focused digital privacy legislation.
With the CCPA in effect, businesses that fall under the scope of the law have had to make a considerable number of changes in the way their websites and other digital assets collect, process and share the personal data of California residents. Changes such as amending outdated privacy policies, implementing safeguards, honoring data subject rights, issuing prompt data breach notifications and more are just some of the requirements.
Goodbye CCPA, hello CPRA
Shortly after its enactment, the CCPA was extended by the California Privacy Rights Act (CPRA). The CPRA is California’s version of the European Union's General Data Protection Regulation (GDPR), as it takes inspiration from perhaps the most stringent data privacy law as of today. The CPRA was signed into law in November 2020 and will take effect on January 1, 2023.
Among several new provisions, the CPRA includes provisions that allow California residents to opt out of firms sharing their personal information; imposes hefty penalties on businesses that violate the state's data privacy rules; and establishes a new enforcement agency to govern the law.
Even though the CPRA is California state legislation, it will have far-reaching implications for businesses across and outside the country that deal with California residents. By simply interacting with California residents, businesses must ensure they comply with the requirements of the CPRA.
CPRA’s effects on U.S. enterprise
Although most of the CPRA's provisions will not be implemented until January 2023 and enforcement will not begin until July 2023, the law will apply to businesses acquiring information of California residents starting in January 2022.
Before a business within or outside of the U.S. begins to comply with the CPRA, it must first determine whether it falls within the law's scope. Organizations meeting any of these eligibility requirements are subject to the law:
- Annual gross revenues greater than $25 million in the preceding calendar year
- Handling the data of 100,000 or more consumers
- At least 50% of revenue from selling or sharing data
If a business falls into any of the categories highlighted by the CPRA, it must ensure its operations comply with the law’s requirements to avoid penalties and reputational damage.
Update policies & practices
Under the CPRA, businesses need to develop and/or change processes to allow users, employees and other individuals engaging with the business to exercise their new data privacy rights. Businesses will have to devise opt-out functionality and honor such requests.
Additionally, businesses must update their websites, other digital domains and privacy policies to reflect compliance with CPRA’s additional requirements. The website should also offer visitors an option to opt out of the sharing and selling of their personal information.
Improve security safeguards
Since the CPRA empowers California residents to reach out to businesses that process or share their personal information without permission and even file lawsuits, businesses should immediately prepare to beef up their cybersecurity defenses.
The last thing a business wants is to fall victim to a data breach without having the necessary safeguards and exposing the data subject's personal information. In that case, the business would not only face the wrath of the regulatory body, but also get slammed with lawsuits and massive penalties.
Sensitive personal information
Taking inspiration from the EU’s GDPR, the CPRA introduces a new sub-category of personal information called Sensitive Personal Information. It refers to higher-risk, sensitive information about an individual that, if made public or fallen into the wrong hands, might cause considerable harm to that individual. Cybersecurity leaders should familiarize themselves with this classification and protect such data with safeguards appropriate to its higher risk.
Prioritize data subject rights
Consumers can prevent organizations from using, disclosing, or exchanging their sensitive personal information with third parties. If a customer requests to access their personal information, the business must disclose the categories of personal information collected, disclosed, sold and shared with others.
Additionally, businesses need to detail the categories of sources from which the personal information is collected, the commercial purposes for collecting, selling, or sharing it, and the categories of third parties with whom the personal information is shared. Special rules apply to minors: the CPRA forbids the sale of personal information of those under the age of 16 without consent. Children between the ages of 13 and 16 may consent for themselves; for those under 13, a parent must provide consent. Businesses must ensure that consent is being acquired freely, as the CPRA triples its penalty for infractions involving the personal information of children under 16.
Conduct cybersecurity audits
According to the CPRA, organizations whose processing of personal information "poses a serious risk to customers' privacy or security" must conduct an annual cybersecurity audit. Apart from conducting cybersecurity audits, businesses should regularly conduct Data Protection Impact Assessments to discover vulnerabilities and devise ways to minimize risk at the earliest opportunity.
Under the CPRA, organizations can be penalized up to $7,500 for intentional violations and $2,500 for unintentional violations. Furthermore, if the organization knew that the personal information belonged to a minor, fines for offenses involving the personal information of children under 16 are $7,500 per infraction.
In light of these considerations, businesses in the U.S. and abroad should closely watch California laws and become familiar with the CPRA's new strict rules and criteria. The sooner CPRA’s regulations are understood and implemented across a business, the faster and less expensive compliance will be.