Californians voted in November to extend their data-privacy rights beyond the provisions of the CCPA. The new California Privacy Rights Act of 2020 (CPRA) is an expansion of the CCPA, designed to strengthen and clarify privacy requirements – and more closely align with international privacy standards, namely the GDPR.

The most significant provisions of the CPRA center around three areas: sharing and selling of personal information, service providers and contractors, and consumer rights. In addition, the law adopts certain GDPR principles, such as data minimization, purpose limitation, and storage limitation. The CPRA also adds muscle to the CCPA by creating a new government agency – the California Privacy Protection Agency – dedicated to handling enforcement and compliance with the new regulations.

While the majority of CPRA provisions don’t become operative until 2023, don’t wait to begin the compliance process. The CPRA may be leading the way for future U.S. privacy regulations on a broader scale.

Here’s a look at the new CPRA provisions, how they compare to the CCPA – and what you can do now to prepare.

CCPA vs. CPRA, provision by provision

Threshold
  CCPA: For businesses that meet any of the following:
    • $25 million in annual revenue
    • 50,000+ California consumers
    • 50% of annual revenue from selling consumer personal data
  CPRA: For businesses that meet any of the following:
    • $25 million in annual revenue
    • 100,000+ California consumers
    • 50% of annual revenue from selling or sharing consumer personal data

Effective date
  CCPA: January 1, 2020
  CPRA: January 1, 2023. Applies only to personal information collected on or after January 1, 2022, except for access requests.

Employee and B2B exemptions
  CCPA: Expires January 1, 2021
  CPRA: Expires January 1, 2023

Consumer rights
  CCPA:
    • Right to know/access
    • Right to delete
    • Right to opt out of sale
    • Right to nondiscrimination
  CPRA: All rights under the CCPA, plus:
    • Right to rectification
    • Right to limit use and disclosure of sensitive personal information

Definitions of “sold” and “shared”
  CCPA: “Sell” means selling for monetary or other valuable consideration.
  CPRA: “Sell” has been broadened to “sold or shared,” as in shared by a business with a third party for the benefit of the business with or without the exchange of money.

Third parties
  CCPA: A “service provider” is an entity that processes information on behalf of a business under a written contract.
  CPRA: “Service provider” requirements have been expanded and a parallel category of “contractor” has been added.

Personal information
  CCPA: “Personal information” is information that identifies, relates to, describes, or could reasonably be linked to a particular consumer or household.
  CPRA: Covers personal information, as well as “sensitive personal information,” which includes SSN, driver’s license number, login credentials, biometric information, precise geolocation, and racial/ethnic origin.

Personal information of minors
  CCPA: Fines are the same as those for other types of personal information – $2,500 for each intentional violation and $7,500 for each unintentional violation.
  CPRA: Imposes an automatic fine of $7,500 for each violation involving the personal information of a minor.

Data retention
  CCPA: Imposes no specific requirements that businesses disclose their retention practices to consumers.
  CPRA: Data collection, retention, and use should be limited to what is reasonably necessary to provide goods and services.

Automated decision-making
  CCPA: NA
  CPRA: Consumers can opt out of the use of their personal information for automated decision-making, which includes “profiling” in connection with evaluations or decisions about a consumer’s work performance, economic situation, health, reliability, etc.

Enforcement
  CCPA:
    • Enforced by the Attorney General.
    • Allows a 30-day period for businesses to cure violations.
    • Gives consumers a private right of action for a breach of certain information.
  CPRA:
    • Establishes the California Privacy Protection Agency for enforcement and guidance.
    • Eliminates the 30-day cure period before a business is fined for a violation.
    • Gives consumers a private right of action for a breach of certain information.

Some of these provisions may be further refined by future regulations released by the newly created California Privacy Protection Agency. Meantime, here are three actions to take now:

  1. Honor opt-ins and opt-outs. Make sure you have a process in place to quickly enact privacy requests.
  2. Comply with CCPA regardless of your company’s physical location. CCPA compliance extends beyond state borders to include any California resident no matter their location. If a California resident can access your website, you must comply with CCPA.
  3. Understand the complexities of personal information and how that is defined. Maintaining legal compliance while conducting marketing initiatives is an ongoing process, not a one-time checkpoint. Regularly revisit how personally identifiable information is being used each time privacy regulations are changed or updated.

With the passage of the CPRA, the nation’s most robust consumer-privacy law just got significantly stronger – and the stakes significantly higher. And if the lessons of the CPRA, CCPA, and GDPR are any indication of the future, expect more states and countries to develop their own privacy requirements. Meantime, put the right policies, procedures, and technology in place so you can adjust your privacy practices accordingly.

The clock is ticking.

For more information on an effective compliance solution, download our e-book, Transforming Compliance from Check the Box to Champion.