Iubenda logo
Start generating


Table of Contents

CPRA: Intro to the CCPA 2.0 and how it affects you

CPRA: Intro to the CCPA 2.0 and how it affects you. In 2020, the California Consumer Protection Act (CCPA) was enacted to address the increasing concerns about the sale and collection of personal information in California.

The current CCPA grants various rights to residents of California and regulates the actions of businesses that sell or collect personal information. However, it leaves the consequences of third-party processing of consumer data somewhat open to interpretation. This prompted an amendment to the CCPA, which has come to be known as the California Privacy Rights Act (CPRA).

💡 The CPRA builds on the CCPA’s existing provisions, establishes new consumer rights, and adds new requirements for companies that gather personal data from California residents.

1. Updates to the definition of a business under the CPRA

Criteria for Qualifying as a Business has been updated; find out if you classify as a business by answering the questions below: 

  1. Are you a legal entity that operates for profit?
  2. Do you collect personal information (PI) from Califonia consumers?
  3. Do you determine the purposes and means of processing personal information? 

Does your business meet one or more of the following conditions: 

(A) A gross revenue of over $25 million in the previous calendar year.

(B) Buys, sells, or distributes the personal information of 100,000 or more customers or households each year, either alone or in combination.

(C) Obtain 50% or more of its yearly income from selling or sharing personal information about customers? 

If you answered yes, then under the CPRA, your organization could classify as a business.

What does this mean for my business?

Because of some changes in the criteria, entities that would be subject to the CPRA may be different from the ones that fall under the criteria of the CCPA.

2. Sensitive personal information under the CPRA

The CPRA introduced a different category of protected data to the mix: sensitive personal information (SPI). This idea is quite similar to Article 9 of the General Data Protection Regulation (GDPR), which asks for a higher level of data protection for the sensitivity of personal information.

What is considered sensitive personal information under the CPRA? See here for a full checklist. (2020 amendment)

The CPRA puts particular standards and limits on SPI, providing consumers greater control over how organizations use their personal information. Among the new requirements are:

  • Updated disclosure requirements 
  • Purpose limitation
  • Opting out of usage and disclosure
  • Opt-in permission is required following a previously decided Opt-out
What does this mean for my business?

With the implementation of SPI, businesses, as specified by the CPRA above, must be extra diligent in protecting this type of data and responding appropriately when a customer wishes to opt-out. Extra standards must be established if a business plans to handle consumers’ SPI. Businesses that keep SPI, for example, must have a clear and visible link on their websites labeled “Limit the Use of My Sensitive Personal Information” that allows customers to limit the processing of their SPI.

3. Consumer Privacy Rights Have Been Expanded

Below are five consumer privacy rights from the CCPA that the CPRA has updated.

  1. Right to Opt-Out of Third-Party Sales and Sharing: 
    1. CCPA – Under the CCPA, customers have the option to opt out of companies selling personal data.
    2. CPRA – In addition to selling, the CPRA broadens this right to include the sharing of personal information.
  2. Right to know 
    1. CCPA – Under the CCPA, companies must reply to consumer requests for personal information obtained during the previous 12 months.
    2. CPRA – Under some conditions, the CPRA extends this period, allowing consumers to seek personal information gathered after the previous 12-month limit.
  3. Right to delete
    1. CCPA – California residents can use the CCPA to request that a company remove their personal information if it is no longer required to satisfy one of the objectives specified in Cal. Civ. Code Sec. 1798.105
    2. CPRA – The CPRA will also oblige companies to communicate the removal request to third parties that have purchased or received the consumer’s personal information so that all parties are notified that it must be destroyed, with limited exceptions.
  4. Right to data transfer
    1. CCPA – Contains a “right to know,” which implies that customers have the right to get a copy of their personal information by mail or online.
    2. CPRA – A customer can now request that a business transfer certain personal information to another organization.
  5. Opt-In Rights for Minors
    1. CCPA – The use of children’s data is a general concern under the law, and the CCPA requires companies to seek opt-in authorization before selling the personal information of a California customer under the age of 16.
    2. CPRA – Companies are required to wait 12 months after a minor consumer has denied selling or sharing their personal information before seeking approval to do so.

Now we’ve been through the five changes from the CCPA’s consumer privacy rights, let’s go through the four additional consumer privacy rights added by the CPRA: (not included in the CCPA)

  1. Right to Correct Information: A consumer has the right to request that any incorrect personal information provided by a company be corrected.
  2. Right to Restrict Use and Disclosure of Sensitive Personal Information: A consumer has the right to restrict the usage and disclosure of their SPI to “use that is necessary to execute the services or deliver the products reasonably expected by an ordinary consumer who requests such goods and services.”
  3. Access to Information On Automated Decision Making: A consumer has the right to obtain “meaningful information about the logic involved in such decision-making processes, as well as a description of the process’s expected outcome with respect to the consumer.”
  4. Right to Opt-Out of Automated Decision-Making Technology: A consumer has the right to opt out of automated decision-making technology.
What does this mean for my business?

Businesses must ensure that they are prepared to comply with the new and enhanced consumer privacy rights included in the CPRA.

They will need to establish solid systems and controls to guarantee that they are capable of and prepared to respond quickly to customer requests. To prepare for CPRA compliance, many firms may need to make major modifications to their existing security and privacy measures, recruit extra people, or contract third-party services.

4. Incorporating GDPR Principles 

The following concepts are not part of the CCPA, but they are now codified as part of the CPRA:

  • Data minimization
  • Purpose limitation 
  • Storage limitation 
What does this mean for my business?

By explicitly codifying these principles in the CPRA, California has empowered the state regulator to enforce and potentially penalize businesses that fail to:

  1. reasonably limit the collection of personal information to what is necessary for the purpose for which it was collected, and;
  2. limit personal information’s retention to the shortest amount of time necessary to fulfill the purpose for which it was collected.

5. Expansion of Legally Actionable Data in a Breach

CCPA – In the case of a data breach, consumers have the private right to sue if their nonencrypted or nonredacted personal information is disclosed due to a business’s failure to establish adequate security measures and practices relevant to the nature of the information handled. 

CPRA – The ‘right’ does not change direction; it does add consumer login passwords to the list of personal information categories that may be actionable under the statute.

What does this mean for my business?

The CPRA’s broadening of its scope to include login credentials as a legally actionable personal information security breach might be a reaction to the current surge of authentication attacks impacting customers. Many companies may choose to mandate multi-factor authentication as an additional security layer in addition to more advanced levels of data encryption.

How to prepare for CPRA?

As the final text of the CPRA has not been adopted yet, any interested person may participate in the formal rulemaking process before August 23, 2022. More information on how you can share your comments can be found here

iubenda, as always, we keep our eye on the latest updates and ensure that all of our documents and products are adjusted in time to help you stay compliant.

If you already have CCPA procedures in place, it might be a good idea for you to start reviewing your processes and taking note of a few things:

  1. Outline any data you process covered by the CPRA’s definition of personal information.
  2. Review your process for updating users on any changes to your privacy policy; make sure you have a system in place in place. Once you update your privacy policy, you’ll need to alert your users. 
  3. If you work with processors or have processors working on your behalf, you might want to consider notifying them of any changes in requirements (especially if they’re based outside of the US). 

Like with any new law, it’s a good idea to stay informed of changes so you can take appropriate measures. As always, we are here to help make these changes run smoothly; and will keep you updated over the next few months.