Iubenda logo
Start generating


Table of Contents

CPRA: Intro to the CCPA 2.0 and how it affects you

CPRA: Intro to the CCPA 2.0 and how it affects you. In 2020, the California Consumer Protection Act (CCPA) was enacted to address the increasing concerns about the sale and collection of personal information in California.

The current CCPA grants various rights to residents of California and regulates the actions of businesses that sell or collect personal information. However, it leaves the consequences of third-party processing of consumer data somewhat open to interpretation. This prompted an amendment to the CCPA, which has come to be known as the California Privacy Rights Act (CPRA).

💡 The CPRA builds on the CCPA’s existing provisions, establishes new consumer rights, and adds new requirements for companies that gather personal data from California residents.

🚀 Short on time? Start your compliance with the CPRA today!

📌 Updates to the definition of a business under the CPRA

Criteria for Qualifying as a Business has been updated; find out if you classify as a business by answering the questions below: 

  1. Are you a legal entity that operates for profit?
  2. Do you collect personal information (PI) from Califonia consumers?
  3. Do you determine the purposes and means of processing personal information? 

Does your business meet one or more of the following conditions: 

(A) A gross revenue of over $25 million in the previous calendar year.

(B) Buys, sells, or distributes the personal information of 100,000 or more customers or households each year, either alone or in combination.

(C) Obtain 50% or more of its yearly income from selling or sharing personal information about customers? 

If you answered yes, then under the CPRA, your organization could classify as a business.

🤔 Not sure if the CPRA applies to you? Do this 1 min quiz!

What does this mean for my business?

Because of some changes in the criteria, entities that would be subject to the CPRA may be different from the ones that fall under the criteria of the CCPA.

🚀 Does your business fall under the scope of the CPRA? See how to comply →

📌 Sensitive personal information under the CPRA

The CPRA introduced a different category of protected data to the mix: sensitive personal information (SPI). This idea is quite similar to Article 9 of the General Data Protection Regulation (GDPR), which asks for a higher level of data protection for the sensitivity of personal information.

What is considered sensitive personal information under the CPRA? See here for a full checklist (Click on as amended November 3, 2020, and scroll down to the definition). SPI that is “publicly available” can not be considered sensitive personal information or personal information.

The CPRA puts particular standards and limits on SPI, providing consumers greater control over how organizations use their personal information.

  1. Updated disclosure requirements – Your business needs to provide consumers with the following information on SPI in the privacy policy: whether the information will be sold or shared, and the duration of the retention.
  2. Purpose limitation – You need to disclose the additional and specific purpose for which the sensitive personal information may be used or disclosed to third parties.
  3. Limit the use and disclosure – provide a clear and visible link, “Limit the use of my Sensitive Personal Information”, on your homepage and a notice of right to limit the use/disclosure of sensitive personal information. However, there are cases where a business is not required to offer consumers a right to limit the use/disclosure of SPI and display relevant notice, namely whenever sensitive personal information is processed:
  • to perform services or provide goods (only for use reasonably expected by an average consumer);
  • to prevent, detect and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information;
  • to resist malicious, deceptive, fraudulent, or illegal actions directed at the business and prosecute those responsible for those actions;
  • to ensure the physical safety of natural persons;
  • for short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer’s current interaction with the business, provided that the personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business;
  • to perform services on behalf of the business (e.g., customer service, processing or fulfilling orders and transactions, processing payments, etc.);
  • to verify or maintain the quality or safety of a product, service or device that is owned, manufactured, manufactured for or controlled by the business and to improve, upgrade or enhance the service or device that is owned, manufactured by, manufactured for or controlled by the business; and
  • for purposes that do not infer characteristics about the consumer.

Please verify whether your sensitive personal information processing activities fall within the scope of such exceptions.

What does this mean for my business?

With the implementation of SPI, businesses, as specified by the CPRA above, must be extra diligent in protecting this type of data and responding appropriately when a customer wishes to opt-out. Extra standards must be established if a business plans to handle consumers’ SPI. Businesses that keep SPI, for example, must have a clear and visible link on their websites labeled “Limit the Use of My Sensitive Personal Information” that allows customers to limit the processing of their SPI.

iubenda’s Privacy and Cookie Policy Generator takes the guesswork out of the game!

We will automatically fill in your documents with any processing of sensitive personal information depending on the services you add. Simply click Enable disclosures for Users Residing in the United States from within the Generator.

Want to know more about the easy ways iubenda can help comply? Click here →

📌 Notice at Collection

Do I need to provide a notice at collection? 

If your business collects consumers’ personal information or sensitive personal information you must provide them with a notice at or before the collection of data. 

The notice at collection gives users a tool to control how your company uses their personal information and sensitive personal information, informing users, among others, about:

  1. the categories of personal information and sensitive personal information, if any, collected from them; 
  2. the purposes for which personal information and sensitive personal information are collected or used; and 
  3. whether the information is sold or shared.

Where should the notice at collection be available?

The Notice at Collection must be displayed where consumers can easily see it at or prior to the moment of collecting any personal information. For example, by including a link to the notice on your website’s homepage and all web pages where personal information is collected.

👉 You must provide a conspicuous link on your site’s home page and on every page where personal information is collected.

👉 For Webforms, use a conspicuous link to the notice in close proximity to the fields in which your users input their personal information or in close proximity to the button by which your users submit their personal information.

👉 If you collect personal information through a mobile application, provide a link to the notice on the mobile application’s download page and within the application, such as through the application’s settings menu. 

What should the notice at collection include?

The notice at collection should include, according to the CPRA:

  • a list of the categories of personal information and sensitive personal information that will be collected;
  • the purpose(s) for which the categories of personal information and sensitive personal information are collected and used;
  • whether each category of personal information and sensitive personal information is sold or shared;
  • the retention period for each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period;
  • if the business sells or shares personal information, a link to the notice of right to opt-out of sale/sharing; and
  • a link to the business privacy policy.

The iubenda Privacy Policy and Privacy Controls and Cookie Solution can easily help you display a “Notice at Collection” link for your users residing in California, as required by the law. You simply have to enable the US State Laws option. 

💡Make sure you enable the privacy widget, which will be displayed on every page of your website after your user has set their preferences. This allows the user to easily update their privacy preferences once they’ve been set.

📌 Consumer Privacy Rights Have Been Expanded

Below are four consumer privacy rights from the CCPA that the CPRA has updated.

  1. Right to Opt-Out of Third-Party Sales and Sharing: 
    1. CCPA – Under the CCPA, customers have the option to opt out of companies selling personal data.
    2. CPRA – In addition to selling, the CPRA broadens this right to include the sharing of personal information.
  2. Right to know 
    1. CCPA – Under the CCPA, companies must reply to consumer requests for personal information obtained during the previous 12 months.
    2. CPRA – Under some conditions, the CPRA extends this period, allowing consumers to seek personal information gathered after the previous 12-month limit. Businesses must inform consumers about their right to request disclosure about what personal information is sold or shared and to whom;
  3. Right to delete
    1. CCPA – California residents can use the CCPA to request that a company remove their personal information if it is no longer required to satisfy one of the objectives specified in Cal. Civ. Code Sec. 1798.105
    2. CPRA – Businesses must inform consumers about their right to request the deletion of their personal information and grant such requests unless the information is reasonably necessary for the business to complete the transaction, fulfill a warranty, recall a product or ensure security and integrity.
  4. Right to data transfer
    1. CCPA – Contains a “right to know,” which implies that customers have the right to get a copy of their personal information by mail or online.
    2. CPRA – A customer can now request that a business transfer certain personal information to another organization.

Now we’ve been through the four changes from the CCPA’s consumer privacy rights, let’s go through the four additional consumer privacy rights added by the CPRA: (not included in the CCPA)

  1. Right to Correct Information: A consumer has the right to request that any incorrect personal information provided by a company be corrected.
  2. Right to Restrict Use and Disclosure of Sensitive Personal Information: A consumer has the right to restrict the usage and disclosure of their SPI to “use that is necessary to execute the services or deliver the products reasonably expected by an ordinary consumer who requests such goods and services.”
  3. Access to Information On Automated Decision Making: A consumer has the right to obtain “meaningful information about the logic involved in such decision-making processes, as well as a description of the process’s expected outcome with respect to the consumer.”
  4. Right to Opt-Out of Automated Decision-Making Technology: A consumer has the right to opt out of automated decision-making technology.
What does this mean for my business?

Businesses must ensure that they are prepared to comply with the new and enhanced consumer privacy rights included in the CPRA.

They will need to establish solid systems and controls to guarantee that they are capable of and prepared to respond quickly to customer requests. To prepare for CPRA compliance, many firms may need to make major modifications to their existing security and privacy measures, recruit extra people, or contract third-party services.

👉 Please note that under the CPRA, companies are required to wait 12 months after a consumer has denied selling or sharing their personal information before seeking another approval of consent.

👉 Moreover, as a business, you must provide consumers with two or more methods for submitting their requests. These methods can vary from business to business, but must include, at a minimum, a toll-free number and, if the business has a website, the website address. However, a business can avoid providing a toll-free number if: it “operates exclusively online”; and if it has a “direct relationship with a consumer from whom it collects personal information”.

📌 Rights for minors

The CPRA requires you to comply with the COPPA, which governs children’s privacy rights, with specific reference to the sale and sharing of children’s personal information.

Therefore, if your business is selling or sharing the personal information of consumers:

  • under the age of 13, your business must obtain and maintain records that the consent to the sale or sharing of the children’s personal information comes from their parents or guardians.
  • from the ages of 13 to 16, your business must allow users an option to opt-in to the sale or sharing of their personal information and maintain records of the opt-in. When your business receives a request to opt-in, you are required to inform the user of their right to opt-out. 

📌 Incorporating GDPR Principles 

The following concepts are not part of the CCPA, but they are now codified as part of the CPRA:

  • Data minimization
  • Purpose limitation 
  • Storage limitation 
What does this mean for my business?

By explicitly codifying these principles in the CPRA, California has empowered the state regulator to enforce and potentially penalize businesses that fail to:

  1. reasonably limit the collection of personal information to what is necessary for the purpose for which it was collected, and;
  2. limit personal information’s retention to the shortest amount of time necessary to fulfill the purpose for which it was collected.
  3. As a consequence of these principles, the CPRA includes a new requirement. Opt-in permission is required following a previously decided Opt-out. Your businesses must allow consumers:

    1. to opt-in to the sale/sharing of their personal information after opting out; and 
    2. notify consumers that opted out of the sale/sharing of personal information whenever consumers initiate a transaction/attempt to use a product implying the sale/sharing of personal information, that the action requires the sale/sharing of personal information, and provide instructions on how to opt-in.

📌 Expansion of Legally Actionable Data in a Breach

CCPA – In the case of a data breach, consumers have the private right to sue if their nonencrypted or nonredacted personal information is disclosed due to a business’s failure to establish adequate security measures and practices relevant to the nature of the information handled. 

CPRA – The ‘right’ does not change direction; it does add consumer login passwords to the list of personal information categories that may be actionable under the statute.

What does this mean for my business?

The CPRA’s broadening of its scope to include login credentials as a legally actionable personal information security breach might be a reaction to the current surge of authentication attacks impacting customers. Many companies may choose to mandate multi-factor authentication as an additional security layer in addition to more advanced levels of data encryption.

📌 Opt out requirements 

Under the CPRA, it should be noted that businesses must also allow and process consumers’ Opt-out Preference Signals.

Opt out preference signal means a signal that is sent by a platform, technology, or mechanism, on behalf of the consumer that communicates their choice to opt out of the sale and sharing of personal information. The signal will automatically opt out for all websites the user visits without them having to make individual requests. 

💡 Did you know iubenda’s Privacy Controls and Cookie Solution automatically detects and honors opt out preference signals like the GPC and GPP, as mandated by the CPRA? With this feature, users can effortlessly rely on our solution to manage these signals without needing to take any extra steps.

📌 Privacy Policy 

The CPRA adds to the requirements of the CCPA. Here is the full checklist of information that you must include in your privacy policy. 

Include the categories of personal information that your business has sold or shared with third parties in the last 12 months, a list of relevant third parties, and your business’s purpose. You also need to disclose if you have not sold or shared users’ personal information within the last 12 months.
Add a statement regarding whether or not your business knows it sells or shares the personal information of users under the age of 16.
Include the categories of personal information that your business has disclosed (for business purposes) to third parties in the last 12 months, a list of relevant third parties, and your business’s purpose. You shall also disclose if you have not disclosed consumers’ personal information in the preceding 12 months.
State whether or not your business uses or discloses sensitive personal information for purposes other than those specified in the act.
Provide any links to online request forms or portals so your users can make requests regarding their personal information being collected, disclosed, or sold.
Provide means for users to request the correction of inaccurate personal information.
Include, if your business uses or discloses sensitive personal information for reasons other than those mentioned in the act, information on consumers’ right to limit the use or disclosure of their sensitive personal information and how to exercise it.
Provide information on users’ right to non-discrimination for the exercise of their privacy rights.
Add a general description of the process your business implements to verify users’ requests to know, delete, and correct, when applicable, including any information the user must provide.
Explain how an opt-out preference signal will be processed for the user (i.e., whether the signal applies to the device, browser, consumer account, and/or offline sales, and in what circumstances) and how the user can use an opt-out preference signal.
Provide additional reporting requirements (section 7102 of the regulations) if your business collects large amounts of personal information.

How can iubenda help you prepare for CPRA?

The CPRA becomes law on January 1, 2023, and became enforced as of July 1, 2023.

Please be informed that following the decision of the Sacramento County Superior Court the enforcement of the final regulations issued by the California Privacy Protection Agency has been delayed to March 29, 2024. The decision, however, does not affect the CPRA statutory provisions, which are enforced as of July 1, 2023.

Our solutions handle the complex technical and legal work, taking the uncertainty out of compliance so that you can concentrate on expanding your company.

Privacy Controls and Cookie Solution →
Our Privacy Controls and Cookie Solution will auto-configure to meet the most stringent US legal standards. 

👉 Simply choose the regions where you and your users are located, and the solution will do the rest!

Privacy and Cookie Policy Generator →
Use our Privacy and Cookie Policy Generator to identify services that are active on your website that might:

  1. qualify as a sale under the CCPA; and 
  2. qualify as sharing of personal data under the CPRA;
  3. qualify as sensitive personal information 

👉 Activate US-specific clauses by clicking “Enable disclosures for users residing in the United States.”

Want to get compliant today?

If your organization falls under the scope of the CPRA, you should begin looking into compliance solutions that are well-trusted and drafted by lawyers.

Comply Now