CPRA: Intro to the CCPA 2.0 and how it affects you.

In 2020, the California Consumer Protection Act (CCPA) was enacted to address the increasing concerns about the sale and collection of personal information in California.
The current CCPA grants various rights to residents of California and regulates the actions of businesses that sell or collect personal information. However, it leaves the consequences of third-party processing of consumer data somewhat open to interpretation. This prompted an amendment to the CCPA, which has come to be known as the California Privacy Rights Act (CPRA).
💡 The CPRA builds on the CCPA’s existing provisions, establishes new consumer rights, and adds new requirements for companies that gather personal data from California residents.
The criteria for qualifying as a business have been updated; find out whether you classify as a business by answering the questions below.
Does your business meet one or more of the following conditions?
(A) It had gross revenue of over $25 million in the previous calendar year.
(B) It buys, sells, or distributes the personal information of 100,000 or more customers or households each year, either alone or in combination.
(C) It obtains 50% or more of its yearly income from selling or sharing personal information about customers.
If you answered yes, then under the CPRA, your organization could classify as a business.
Because the criteria have changed, the entities subject to the CPRA may differ from those that fall under the CCPA’s criteria.
The CPRA introduces a new category of protected data: sensitive personal information (SPI). The idea is quite similar to Article 9 of the General Data Protection Regulation (GDPR), which requires a higher level of protection for personal data because of its sensitivity.
What is considered sensitive personal information under the CPRA? See here for a full checklist. (2020 amendment)
The CPRA puts particular standards and limits on SPI, providing consumers greater control over how organizations use their personal information. Among the new requirements are:
With the introduction of SPI, businesses, as defined by the CPRA above, must be extra diligent in protecting this type of data and must respond appropriately when a customer wishes to opt out. Additional standards must be established if a business plans to handle consumers’ SPI. For example, businesses that keep SPI must have a clear and visible link on their websites labeled “Limit the Use of My Sensitive Personal Information” that allows customers to limit the processing of their SPI.
Below are five consumer privacy rights from the CCPA that the CPRA has updated.
Now that we’ve been through the five changes to the CCPA’s consumer privacy rights, let’s go through the four additional consumer privacy rights added by the CPRA that are not included in the CCPA:
Businesses must ensure that they are prepared to comply with the new and enhanced consumer privacy rights included in the CPRA.
They will need to establish solid systems and controls to guarantee that they are capable of, and prepared for, responding quickly to customer requests. To prepare for CPRA compliance, many firms may need to make major modifications to their existing security and privacy measures, hire additional staff, or contract third-party services.
The following concepts are not part of the CCPA, but they are now codified as part of the CPRA:
By explicitly codifying these principles in the CPRA, California has empowered the state regulator to enforce and potentially penalize businesses that fail to:
CCPA – In the case of a data breach, consumers have the private right to sue if their nonencrypted or nonredacted personal information is disclosed due to a business’s failure to establish adequate security measures and practices relevant to the nature of the information handled.
CPRA – The right itself does not change; the CPRA does, however, add consumer login passwords to the list of personal information categories that may be actionable under the statute.
The CPRA’s broadening of its scope to treat a breach of login credentials as a legally actionable personal information security breach might be a reaction to the recent surge of authentication attacks affecting customers. Many companies may choose to mandate multi-factor authentication as an additional security layer, in addition to stronger data encryption.
As the final text of the CPRA has not been adopted yet, any interested person may participate in the formal rulemaking process before August 23, 2022. More information on how you can share your comments can be found here.
At iubenda, as always, we keep our eye on the latest updates and ensure that all of our documents and products are adjusted in time to help you stay compliant.
If you already have CCPA procedures in place, it might be a good idea for you to start reviewing your processes and taking note of a few things:
As with any new law, it’s a good idea to stay informed of changes so you can take appropriate measures. As always, we are here to help make these changes run smoothly, and we will keep you updated over the next few months.