California Privacy Rights Act (CPRA)
Insights into the proposed legislation
Target Audience
This whitepaper seeks to analyse the law and compare it to other notable legislative frameworks on data privacy and protection, like the California Consumer Privacy Act and the General Data Protection Regulation. It tries to provide an overview of the proposed law. It will be tailored to a wide range of audiences, including senior and mid-level IT management, programme managers, and compliance leaders, to help them comprehend the goals of the CPRA and the obstacles they may encounter in showing compliance with this proposed legislation.

It also intends to generate discussion among secondary audiences, such as students and academics, to help them comprehend the complexities of the proposed bill and its provisions.
Introduction
The California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, was approved by a majority of voters on November 3, 2020, after appearing on the ballot for the state's general election. It builds upon the California Consumer Privacy Act (CCPA) of 2018, which provided the groundwork for consumer privacy legislation.

The law will go into effect on January 1, 2023, and it will apply to personal information obtained on or after January 1, 2022.
Problem Statement
The CPRA is an addendum to the CCPA, adding new sections about privacy protection authority,
consumer rights, etc. The proposition establishes additional provisions into the State of
California law, allowing consumers to prevent businesses from sharing their personal data,
correct inaccurate personal data, and limit businesses’ use of “sensitive personal information,”
including precise geolocation, race, ethnicity, religion, genetic data, private communications,
sexual orientation, and specified health information. Businesses and organizations processing
personal information would therefore need to ensure compliance with the CPRA and be aware of
the possible repercussions of any non-compliance.
Structure
This whitepaper covers the following aspects:
Scope of the Bill
Key changes brought by CPRA
Key topics under CPRA
Exemptions under CPRA
Who needs to comply with CPRA
Rights of consumers under CPRA
Comparison with GDPR
Enforcement and liability
Challenges posed by the CPRA to businesses involved in Data processing
Conclusion
SCOPE OF THE BILL
The compliance requirements under CPRA are different from the CCPA. All the
compliance requirements stem from the definition of ‘business.’ As defined under the
CPRA, a 'business' is a legal entity that conducts business in the State of California, acts
for financial gain, collects or has collected on its behalf the personal information of
consumers, and fits one of the following criteria:
In addition, the scope of entities required to comply with the CPRA is potentially increased
by defining common branding. Common branding is the use of a shared name, service mark or
trademark by two or more businesses in a manner which would lead the consumer to assume
that the two or more entities are commonly owned. Under the CPRA, the exchange of
information from a business to a firm that uses common branding brings the latter company
under the jurisdiction of the CPRA.
The CPRA introduces two new ways for a business to qualify as an "enterprise". First, a
joint venture or partnership comprised of enterprises in which each business owns at
least a 40% stake will result in the joint venture being regarded as a "business" subject to
the CPRA. Second, any company can self-certify compliance with the CPRA, thereby
agreeing to be governed by the law.
KEY CHANGES UNDER CPRA
1 CONSUMERS' RIGHT TO CORRECT INACCURATE PERSONAL INFORMATION

3 LIMITATIONS ON TRACKING
The CPRA aims to restrict geolocation tracking by expanding consumer rights. Within a
specified radius, consumers will be able to stop businesses from tracking their
geolocation for the majority of purposes.
Under the CPRA, State of California’s minors, identified as an individual below the age of
16 years, will enjoy greater safeguards than they had under the CCPA.
Contrary to its predecessor, the CPRA forbids the sale of an individual’s personal
information without permission, and consent may entail opting in rather than opting
out.
In other words, children are automatically protected by the CPRA, and in some
situations, the penalties for noncompliance will be three times as severe as before.
Where businesses intend to sell or share the personal information of minors under the
age of 13, the affirmative consent of a parent/guardian is required, whereas, for
minors between the ages of 13 and 16, the affirmative consent of the minor is considered
adequate.
5 EXPRESS INFORMATION SECURITY REQUIREMENTS
While the CCPA does not directly address data retention, the CPRA does. It
permits enterprises to store personal information only when it is “necessary and
proportional” for collecting, processing, and other reasons that are properly
declared. According to the look-back provision, even if a business receives a
request to know on January 1, 2023 (the day the law goes into effect), it should
be prepared to provide information going back to January 1, 2022.
The CPRA strengthens the disclosure requirements for privacy notices posted at
or before the actual collection point. Businesses that collect consumer’s
information must:
Disclose if collected information will be sold or shared;
Identify the sensitive personal information that will be collected;
Disclose either the duration of information retention or the criteria used to
determine it.
Disclose, by way of a conspicuous notification, if they do not collect information.
KEY TOPICS UNDER CPRA
California Resident
Sensitive personal information (see the Problem Statement above) covers:
Background and Ethnicity (political opinion, sexual orientation etc.)
Genetic/Biometric data, Health data
Financial account information
Precise geolocation data
Contents of mail, e-mail and text messages
Government issued IDs
EXEMPTIONS UNDER CPRA
1. Medical Information
2. Personal Information
3. Vehicle Information
4. Credit Information
WHO NEEDS TO COMPLY WITH CPRA
The CPRA applies to any entity organised and operated for profit or financial gain that:
However, a business does not need to comply with the CPRA if its commercial activities take
place entirely outside of California.
COMPARISON WITH GDPR

1. Scope / Applicability
EU GDPR: The GDPR applies to organisations that have a presence in the EU, or wherever the data of EU residents is processed, irrespective of the company's location.
CPRA: The CPRA extends to businesses that are located in the State of California and to all businesses that, despite not being located in the State of California, do business in the State. The criteria for qualifying businesses have been laid down as well.

2. Data Subject Rights
EU GDPR: The rights vested with data subjects under the EU GDPR are: right to be forgotten, right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object.
CPRA: The rights vested with data subjects under the CPRA are: right to opt out from having information sold, right to equal service and price, right to receive information on privacy practices and access information, right to deletion, right to receive information about onward disclosures, right to prohibit sale of information.

3. Obligations of Controllers / Businesses / Covered Entities
EU GDPR: The EU GDPR elaborately lays down the obligations and duties entrusted upon Controllers and Processors individually, in furtherance of ensuring the protection of the personal data so processed.
CPRA: The CPRA does not provide for the obligations and duties of controllers and processors individually in an elaborate manner.
RIGHTS OF CONSUMERS UNDER CPRA
Right to Access Information About Automated Decision-Making Technology
Right to Opt-Out of Automated Decision Making
CHALLENGES POSED BY THE
INTRODUCTION OF CPRA
The CPRA expands consumer protections and imposes new obligations on businesses. Some of
the definitions have been changed and the mandate of some additional rights has been
expanded, for example the right to opt-out of processing. With the enactment of the CPRA,
businesses must revise and update their compliance.
The CPRA requires entities to provide a 12-month personal data report to residents. In this
regard, businesses will need to improve their data mapping procedures. Organizations will also
be required to disclose whether they have applied artificial intelligence to any personal data.
The CPRA extends its protections to State of California residents in their roles as employees,
applicants, independent contractors, and other work-related roles, i.e. HR Individuals. As
consumers, HR Individuals will have access to six data rights. These include
the right to opt out of the sale or sharing of their personal information;
As a consequence of this, CPRA compliance challenges may include a review of existing practices
and the implementation of modifications to contracts, privacy notices, individual rights response
procedures, and other privacy operations.
To effectively comply with CPRA requirements, employers can make the following efforts:
Develop and document a retention policy that complies with employer data retention
requirements;
Comprehend the information that the organisation collects, the categorization of data, the
location of data, and the steps to access, correct, or delete data;
Identify the legal, HR, and technological support responsible for the efforts required to build
a privacy compliance programme;
WHY TSAARO?
Tsaaro provides privacy and cybersecurity services to help organizations meet regulatory
requirements while maintaining a robust security infrastructure.
Akarsh Singh
(CEO & Co-Founder, Tsaaro)
Akarsh is a Fellow of Information Privacy by IAPP, the highest certification in the field of privacy. His expertise lies in Data Privacy and Information Security Compliance.

CONTACT US
You can assess risk with respect to personal data and strengthen your data security by contacting Tsaaro.