What is the CPRA (California Privacy Rights Act)?
The CPRA (California Privacy Rights Act) is a data privacy law that came into effect on January 1, 2023. It enhances existing privacy laws in California, such as the CCPA (California Consumer Privacy Act).
Who does the CPRA apply to?
The CPRA applies to any legal entity that does business in the State of California (regardless of where they are located), collects consumers’ personal information, and:
- Buys, sells, or shares the personal information of 100,000 or more consumers or households in a year; or
- Derives 50% or more of its annual revenue from selling or sharing consumers’ data.
Under the CPRA, what is considered personal information?
The CPRA protects personal information, which is defined as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
This includes information such as name, address, phone number, email address, Social Security number, driver’s license number, IP address, geolocation data, biometric data, and Internet activity.
What rights do consumers have under the CPRA?
The CPRA grants California residents several new privacy rights that businesses must facilitate:
1. The right to know and be informed
The CPRA gives California residents the right to know and be informed about the personal information that businesses collect about them. This includes the right to be informed about the categories of personal information collected, the purpose for which it is collected, and the third parties with which it is shared.
2. The right to access data
The CPRA grants California residents the right to access their personal data that is held by a business. This includes the right to request the categories of personal information that have been collected, the categories of sources from which the information was collected, the business or commercial purpose for collecting or selling the information, and the categories of third parties with which the information has been shared.
In addition, individuals have the right to request a copy of their personal data in an easily readable format. Businesses must respond to these requests within 45 days and must provide the data free of charge.
3. The right to deletion
The CPRA grants consumers the right to request the deletion of their personal information from a business that collects it. This right is sometimes referred to as the “right to be forgotten.”
Consumers can make a request to delete their personal information, and the business must delete the information unless it is needed for a legitimate business purpose, a legal obligation, or to exercise a right or defense.
Businesses are also obligated to inform third parties with which they have shared the consumer’s information of the consumer’s request to delete their data.
4. The right to correct personal information
Under the CPRA, individuals have the right to correct personal information that a business holds about them. If a business holds inaccurate or incomplete personal information about an individual, the individual can submit a request to the business asking them to correct the information.
The business must acknowledge the request and take reasonable steps to assess the accuracy of the data and take appropriate action to correct any inaccuracies.
Businesses must also provide individuals with information about how to submit a request to correct their personal information and how the business will respond to the request.
5. The right to opt out
The right to opt out under the CPRA allows consumers to prevent businesses from selling their personal information. Businesses must provide a “Do Not Sell My Personal Information” link on their website or other online service that allows consumers to exercise their right to opt out. If a consumer opts out, the business must not sell the consumer’s personal information.
6. The right to limit the use and disclosure of sensitive personal information
Under the CPRA, consumers have the right to limit the use and disclosure of their sensitive personal information. This includes any data that reveals a person’s race or ethnicity, religious or philosophical beliefs, physical or mental health condition, sexual orientation, or biometric or genetic data.
Consumers can exercise this right by making a request to the business that collected their sensitive personal information. The business must then comply with the request unless it can demonstrate a compelling reason not to do so.
We’re here to help
Whether you’re looking to educate your employees about the CPRA through our online training course, or to assess your organization’s current level of compliance with the Act and identify the key areas you must address, IT Governance has a solution for you.
The CPRA vs. the EU GDPR
The CPRA is widely viewed as California’s version of the EU’s GDPR (General Data Protection Regulation). Like the GDPR, the CPRA gives people more control over their personal data and holds businesses more accountable for protecting the data they collect and process.
However, there are many differences between the two laws, so even if your organization complies with the GDPR, it might not meet certain CPRA requirements.
What are the penalties for non-compliance with the CPRA?
Civil penalties
California’s Attorney General and the newly created California Privacy Protection Agency can bring injunctions against non-compliant businesses if they fail to address their non-compliance within 30 days of being notified. Civil penalties are capped at $2,500 per violation, or $7,500 for intentional violations. Higher penalties will also be applied to violations involving the information of children.
Private action
In addition, consumers may bring a civil action for security breaches to recover between $100 and $750 in damages, or actual damages (whichever is greater); injunctive or declaratory relief; or “any other relief the court deems proper.” Again, they must wait 30 days after serving written notice to allow the business to address any violation of the law.
What are the benefits of CPRA compliance?
The CPRA introduces greater visibility and responsibility when it comes to collecting and processing consumers’ personal data, and brings many benefits, including:
- Greater customer trust
- Enhanced brand image and reputation
- Improved data governance
- More robust information security
- Increased competitive advantage