
California Privacy Rights Act ('CPRA')
Insights into the proposed legislation

© 2022 Tsaaro. All rights reserved.


Overview
The State of California Consumer Privacy Act ('CCPA') has been considered a comprehensive legislation protecting the privacy of the consumers and the rights vested with them in this regard. The California Privacy Rights Act ('CPRA') is round the corner and has increasingly garnered the attention of organizations and entities processing personal data, to understand if the CPRA is applicable to the activities undertaken by them. Thereby, it is pivotal to understand the law and the essential obligations.

The CPRA modifies the previous State of California law on data protection and privacy, the CCPA. In 2020, a statewide data privacy statute was signed into law. However, it will become fully enforceable on July 1, 2023, with retroactive application to January 1, 2022. The bill aims to reinforce State of California's position as the leader in data privacy legislation in the United States by dramatically expanding the existing CCPA.

Target Audience
This whitepaper seeks to analyse the law and compare it to other notable legislative frameworks on data privacy and protection, like the California Consumer Privacy Act and the General Data Protection Regulation. It tries to provide an overview of the proposed law. It will be tailored to a wide range of audience, including senior and mid-level IT management, programme managers, and compliance leaders, to help them comprehend the goals of the CPRA and the obstacles they may encounter in showing compliance with this proposed legislation.

It also intends to generate discussion among secondary audiences, such as students and academics, to help them comprehend the complexities of the proposed bill and its provisions.
Introduction
The California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, was approved by a majority of voters on November 3, 2020, after appearing on the ballot for the state's general election. It builds upon the California Consumer Privacy Act (CCPA) of 2018, which provided the groundwork for consumer privacy legislation.

The law will go into effect on January 1, 2023, and it will apply to personal information obtained on or after January 1, 2022.

Problem Statement
The CPRA is an addendum to the CCPA, adding new sections about privacy protection authority, consumer rights, etc. The proposition establishes additional provisions in the State of California law, allowing consumers to prevent businesses from sharing their personal data, correct inaccurate personal data, and limit businesses’ use of “sensitive personal information,” including precise geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specified health information. Considering this, businesses and organizations processing personal information will need to ensure compliance with the CPRA and be aware of the possible repercussions of any non-compliance.

Structure
This whitepaper covers the following aspects:
Scope of the Bill
Key changes brought by CPRA
Key topics under CPRA
Exemptions under CPRA
Who needs to comply with CPRA
Rights of consumers under CPRA
Comparison with GDPR
Enforcement and liability
Challenges posed by the CPRA to businesses involved in Data processing
Conclusion
SCOPE OF THE BILL

The compliance requirements under CPRA are different from the CCPA. All the
compliance requirements stem from the definition of ‘business.’ As defined under the
CPRA, a 'business' is a legal entity that conducts business in the State of California, acts
for financial gain, collects or has collected on its behalf the personal information of
consumers, and fits one of the following criteria:

1. As of January 1, of the calendar year, has a gross revenue in excess of $25,000,000 in the preceding calendar year;
2. Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or
3. Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.

In addition, the scope of entities required to comply with the CPRA is potentially increased by the definition of common branding. Common branding is the use of a shared name, service mark or trademark by two or more businesses in a manner which would lead the consumer to assume that the two or more entities are commonly owned. Under the CPRA, the exchange of information from a business to a firm that uses common branding brings the latter company under the jurisdiction of the CPRA.

The CPRA introduces two new ways for a business to qualify as a “business”. First, a joint venture or partnership comprised of enterprises in which each business owns at least a 40% stake will result in the joint venture being regarded as a “business” subject to the CPRA. Second, any company can self-certify compliance with the CPRA, thereby agreeing to be governed by the law.
KEY CHANGES UNDER CPRA
1 CONSUMERS' RIGHT TO CORRECT INACCURATE PERSONAL INFORMATION

CPRA grants consumers the opportunity to amend erroneous personal information. It states that-
A consumer has the right to request that an organisation rectify any erroneous personal information about them.
A business that collects consumers’ personal information must notify them of their right to request the correction of erroneous information.
A business that receives a verifiable consumer request to update erroneous personal information is required to take commercially reasonable measures to comply with the consumer’s request.

2 UPDATED CONSUMER PRIVACY RIGHTS

The CPRA contains a variety of strengthened privacy protections including-
A consumer’s right to limit the collection, use, and disclosure of sensitive personal information.
Additional recourse possibilities for victims of online security breaches such as the theft of sensitive personal data and financial data.

3 LIMITATIONS ON TRACKING

The CPRA aims to restrict geolocation tracking by expanding consumer rights. Within a
specified radius, consumers will be able to stop businesses from tracking their
geolocation for the majority of purposes.

4 ADDITIONAL PROTECTION FOR MINORS

Under the CPRA, State of California’s minors, identified as individuals below the age of 16 years, will enjoy greater safeguards than they had under the CCPA.
Contrary to its predecessor, the CPRA forbids the sale of an individual’s personal information without permission, and consent may entail opting in rather than opting out.
In other words, children are automatically protected by the CPRA, and in some situations, the penalties for noncompliance will be three times as severe as before.
Where businesses intend to sell or share personal information of minors under the age of 13, the affirmative consent of the parent/guardian is required, whereas, for minors between the ages of 13 and 16, the affirmative consent of the minor is considered adequate.
5 EXPRESS INFORMATION SECURITY REQUIREMENTS

Businesses must “establish appropriate security measures and processes” to protect personal information against unauthorised or illegal access, destruction, use, modification, or disclosure. However, the CPRA fails to define any specific standard or certification regarding Data Security Requirements and thus stands vague in that respect.

6 ANTI-RETALIATION CLAUSE FOR EMPLOYEES

Before employee rights became a concern, businesses frequently resorted to retaliation against employees who opposed the corporation and exercised their legal rights. The CPRA contains a revised and reinforced anti-retaliation provision which states that-
A business shall not discriminate against a consumer based on the consumer's exercise of any CPRA-protected right.
A firm may not discriminate against a customer by:
Denying a consumer access to goods or services.
Charging different prices or rates for goods and services.
Providing the consumer with a different level or quality of goods or services.
Implying the consumer will receive a different price or rate for products or services, or a different level or quality of goods or services.

7 RIGHT TO KNOW LENGTH OF DATA RETENTION

While the CCPA does not directly address data retention, the CPRA does. It
permits enterprises to store personal information only when it is “necessary and
proportional” for collecting, processing, and other reasons that are properly
declared. According to the look-back provision, even if a business receives a
request to know on January 1, 2023 (the day the law goes into effect), it should
be prepared to provide information going back to January 1, 2022.

8 EXPANDED INITIAL NOTIFICATION OBLIGATIONS

The CPRA strengthens the disclosure requirements for privacy notices posted at or before the actual collection point. Businesses that collect consumers’ information must:
Disclose if collected information will be sold or shared;
Identify the sensitive personal information that will be collected;
Disclose either the duration of information retention or the criteria used to determine it;
Disclose, using a noticeable notification, if they do not collect information.
KEY TOPICS UNDER CPRA

1 California Resident

The CPRA applies to the personal information of California Residents, which is defined in State of California Tax Regulations as-
an individual who is in California for other than a temporary or transitory purpose;
an individual domiciled in State of California who is outside of the state for a temporary or transitory purpose.

2 Personal Information

The CPRA defines personal information as “information that identifies, refers to, describes, is reasonably capable of being associated with, or is reasonably capable of being linked, directly or indirectly, with a specific consumer or household.” It comprises information such as a person’s real name, alias, mailing address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's licence number, or passport number, among other identifiers.

3 Sensitive Personal Data

In addition, the CPRA adds a new subcategory of personal data known as “sensitive personal data.” This subcategory includes
Background and Ethnicity (Political opinion, sexual orientation etc.)
Genetic/Biometric data, Health data
Financial account information
Precise geolocation data
Contents of mail, e-mail and text messages
Government issued IDs.
EXEMPTIONS UNDER CPRA

Medical Information

Medical information governed by the Confidentiality of Medical Information Act (the "CMIA") or protected health information ("PHI") collected by a covered entity or business associate governed by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH").

Personal Information

Personal Information gathered as part of a clinical trial or other biomedical research study.
Personal Information obtained by a business concerning an individual as a job applicant, employee, owner, director, officer, medical staff member, or independent contractor.
B2B Contracts are exempted.

Vehicle Information

Information about the car or its ownership that is retained or shared between a new vehicle dealer and the manufacturer.

Credit Information

Activity involving the collection, maintenance, disclosure, sale, communication, or use of any consumer credit information.
GENERAL DUTIES OF BUSINESSES UNDER CPRA

1. Follow the Basic Privacy Principles like Data Minimisation, legitimate purpose, Storage limitation, Accuracy and Transparency, Non-Discrimination and Data Retention (restriction).
2. Businesses must provide notice disclosing the collection of sensitive personal information and the purpose of such collection.
3. CPRA requires enterprises to have contractual agreements in place not only with service providers and contractors, but also with third parties to whom the businesses sell or distribute personal information.
4. Businesses shall use adequate security measures to prevent unauthorised access to or disclosure of such information.
WHO NEEDS TO COMPLY WITH CPRA

The CPRA applies to any entity organised and operated for profit or financial gain that:

01 Satisfies the definition of business under the CPRA (see Scope of the Bill above)
02 Collects the personal information of consumers
03 Determines the purpose and means of processing
04 Carries on business in the State of California

However, a business does not need to comply with the CPRA if its commercial activities take place outside of California.

ENFORCEMENT AND LIABILITY


The CPRA transfers enforcement authority from the Attorney General of State of California
to a new privacy-focused agency, the California Privacy Protection Agency (CalPPA). When
facing an enforcement action, businesses will no longer be afforded the CCPA's 30-day cure
period before being fined by CalPPA for a violation. In addition, the CPRA establishes an
automatic $7,500 fine for violations involving minors' personal information. In addition to
the existing private right of action for breaches of unredacted and unencrypted personal
information, the CPRA grants consumers a private right of action if an email address,
password, or security question and answer that would allow access to an account are
compromised.
COMPARISON WITH GDPR

1. Scope / Applicability
EU GDPR: The GDPR applies to organisations that have presence in the EU or if the data of EU residents is processed, irrespective of the company’s location.
CPRA: The CPRA extends to businesses that are located in the State of California and to all the businesses that, despite not being located in State of California, do business in the State. The criteria for businesses have been laid down as well.

2. Data Subject Rights
EU GDPR: The rights vested with data subjects under EU GDPR are: right to be forgotten, right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object.
CPRA: The rights vested with data subjects under the CPRA are: right to opt out from having information sold, right to equal service and price, right to receive information on privacy practices and access information, right to deletion, right to receive information about onward disclosures, right to prohibit sale of information.

3. Obligations of Controllers / Businesses / Covered Entities
EU GDPR: The EU GDPR elaborately lays down the obligations and duties entrusted upon the Controllers and Processors individually in furtherance of ensuring the protection of the personal data so processed.
CPRA: The CPRA does not provide for the obligations and duties of both controllers and processors individually in an elaborate manner.

4. Penalties
EU GDPR: The penalty under GDPR is defined, and fines and penalties imposed under Article 83 are flexible and scale with the firm. The administrative fines are determined up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
CPRA: The maximum penalty under CPRA for any violation is $7500. Upon any business not acting upon a violation under the CPRA within 30 days, the business would be liable to a civil penalty of not more than $2500 for each violation & $7500 for any intentional violation.
CPRA Compliance Toolkit for Businesses

1 Determine if your company is subject to CPRA.
2 Take advantage of the CPRA to review and update your CCPA compliance programme.
3 Update your personal information database.
4 Determine if sensitive personal information is collected.
5 Establish a method for implementing the right to collect personal data.
6 Establish a procedure to implement the right to restrict the use and disclosure of sensitive personal information.
7 Address compliance requirements for your vendors.
8 Address CPRA's limitations on collection, use and retention.
9 Determine if your company engages in "profiling".
10 Determine if your organisation is subject to new risk assessment and audit requirements for high-risk organisations.
11 Refresh your current privacy education programmes.
12 Draft appropriate policies for data retention, incident management, etc. as per the new provisions.
13 Determine policies and procedures to be implemented to deal with minors' data, considering the new provisions about minors' data in CPRA.
14 Enable opt-outs to stop sharing personal data for behavioral advertising, based on the consumers' activity.
15 Businesses are not permitted to store a consumer's personal information on devices when the consumer is in California and later collect such information when the consumer is not in California.
RIGHTS OF CONSUMERS UNDER CPRA

Right to Delete Personal Information
Right to Rectification of Incorrect Information
Right to Access Personal Information
Right to Limit Sensitive Personal Information
Right to Access Information About Automated Decision Making
Right to Opt-Out of Automated Decision-Making Technology
CHALLENGES POSED BY THE
INTRODUCTION OF CPRA
The CPRA expands consumer protections and imposes new obligations on businesses. Some of
the definitions have been changed and the mandate of some additional rights has been
expanded, for example the right to opt-out of processing. With the enactment of the CPRA,
businesses must revise and update their compliance.

The CPRA requires entities to provide a 12-month personal data report to residents. In this
regard, businesses will need to improve their data mapping procedures. Organizations will also
be required to disclose whether they have applied artificial intelligence to any personal data.

The CPRA extends its protections to State of California residents in their roles as employees, applicants, independent contractors, and other work-related roles, i.e. HR Individuals. As consumers, HR Individuals will have access to six data rights. These include the
rights to access, correct, and delete personal information;
the right to opt out of the sale or sharing of their personal information;
the right to restrict the use of their sensitive personal data;
the privilege of not being punished for exercising these rights.

As a consequence of this, CPRA compliance challenges may include a review of existing practices and the implementation of modifications to contracts, privacy notices, individual rights response procedures, and other privacy operations.

To effectively comply with CPRA requirements, employers can make the following efforts:
Develop and document a retention policy that complies with employer data retention requirements;
Draft a CPRA-compliant employee privacy policy;
Comprehend the information that the organisation collects, the categorization of data, the location of data, and the steps to access, correct, or delete data;
Examine existing contracts with service-providers and ensure CPRA compliance;
Identify the legal, HR, and technological support responsible for the efforts required to build a privacy compliance programme;
Develop procedures for responding to requests from employees.


CONCLUSION
The CPRA is the most comprehensive consumer privacy law in the United States to date,
and additional privacy legislation is likely to follow. To ensure compliance with the CPRA,
organisations will need to become more intelligent and transparent about the
information they collect, on whom, and how they use it. The most effective method for
completing these tasks is to plan ahead and determine what resources are required,
including internal and external support. Given that data governance and security
compliance programmes necessitate time, attention, and effort from all facets of a
business, it is prudent to integrate the appropriate technology to ensure compliance.

WHY TSAARO?
Tsaaro provides privacy and cybersecurity services to help organizations meet regulatory requirements while maintaining a robust security infrastructure.

Our industry-standard privacy services include Privacy compliance, DPO-as-a-service, Vulnerability Assessment & Penetration Testing, Cyber Strategy, DPIA to name a few, delivered by our expert privacy professionals recognized by IAPP.

Akarsh Singh (CEO & Co-Founder, Tsaaro)
Akarsh is a fellow in Information Privacy by IAPP, the highest certification in the field of privacy. His expertise lies in Data Privacy and Information Security Compliance.

Krishna Srivastava (Co-Founder & Head of Cyber Security, Tsaaro)
Krishna is an ex-KPMG data security consultant and a fellow in Information Privacy by IAPP, the highest certification in the field of privacy. He has vast experience in Information Security and Data Privacy Compliance.

Krishna Chaitanya (CIPM, CISA, ISO 27001 Lead Auditor, OCP, MCSE)
Krishna is an Information Security & Privacy Professional with over 16 years of progressive Information Technology & Databases experience, encompassing 7+ years of Information Security Audit Programs & Data Protection.

CONTACT US
You can assess risk with respect to personal data and strengthen your data security by contacting Tsaaro.

Tsaaro Netherlands Office
Regus Schiphol Rijk, Beech Avenue 54-62, Het Poortgebouw, Amsterdam, 1119 PW, Netherlands
P: +31-686053719

Tsaaro India Office
Manyata Embassy Business Park, Ground Floor, E1 Block, Beech Building, Outer Ring Road, Bangalore- 560045, India
P: +91-0522–3581

Email us: info@tsaaro.com
