California is complementing its data privacy regulations with amendments that come into force in January 2023, yet impact the data you’ve been collecting since January 2022. How can businesses get ready to comply? Our article clears it all up.
On November 3rd, 2020, the California Privacy Rights Act (CPRA), also known as Proposition 24, was approved, complementing the state’s data privacy regulations. The CPRA amends existing California law, the Consumer Privacy Act (CCPA) of June 28th, 2018.
The regulations affect not only businesses operating in California, but also those advertising in the state, regardless of where they are legally based. Therefore, compliance with the CCPA and CPRA is quite a big deal, considering California’s leading economy and highest overall population for a US state.
Businesses don’t need to be based in California to fall under the CPRA and CCPA. The two acts apply to all businesses that onboard California residents and/or fall under other criteria defined by the regulations. Let’s dive into the finer details.
To fall under the regulations, businesses should meet at least one of the following conditions:
Under the regulations, the terms “selling” and “sharing” have a broad meaning, so businesses must carefully examine them to consider whether they are affected.
Definitions under the regulations:
Selling: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration”.
Sharing: “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged”.
The CPRA amendments introduce new types of businesses covered by the regulation:
The CPRA also specifies that businesses fall under the regulations if they share common branding with a regulated business. According to the amendments, common branding means “shared name, servicemark, or trademark that the average consumer would understand that two or more entities are commonly owned”.
Under the CCPA and CPRA, the regulation of personal information flows involves three counterparts to which businesses may entrust personal data:
Transferring personal information to contractors and service providers is regulated by a written contract. The contract imposes restrictions on the use of personal information, banning the resale of personal data, among other things. Entrusting personal information to third parties, by contrast, is regulated by other mechanisms, namely the users’ rights regarding their data.
Under the CCPA and the CPRA, personal information is anything that a business collects about its customers. This includes not only names and locations, but also IP addresses, cookies, and behavioral patterns that are deduced from user web engagement.
Covered businesses are obliged to provide California residents with mechanisms to take advantage of their privacy rights:
When a client exercises these rights, businesses are not allowed to refuse service or change the quality of their service.
The CPRA gives Californians more control over their privacy by adding new personal information rights and expanding existing ones. Among other updates, the law introduces a subcategory of personal information defined as “sensitive personal information” or SPI.
1. New obligation to correct personal information
CCPA: The act only obliges businesses to provide access to delete or disclose personal information upon the user’s request.
CPRA: The act gives consumers the right to request correction if the data held about them is inaccurate. Businesses have 45 days to respond to such requests.
2. New obligation to enable opting-out of sensitive personal information use
CCPA: The act doesn’t divide personal information into sub-categories. Consumers have the right to opt out of the use of personal information in general.
CPRA: The act introduces the term “sensitive personal information” (SPI) which includes:
Under the CPRA, precise geolocation is any data that is derived from a device and that is used to locate a consumer within a radius of 1,850 feet or less.
The new act imposes obligations on businesses to inform users about the collection and usage of their sensitive personal information and provides them with mechanisms to opt out.
3. Expanded obligation to give access to information
CCPA: A person can request a business to provide them with access to the personal data it has collected in the preceding 12-month period.
CPRA: The act provides individuals with the right to apply for access to any information collected, regardless of when it was collected or whether it was personally identifiable data. Businesses have 45 days to respond to such requests.
4. Expanded obligation to enable opting-out of information sharing
CCPA: The act allows users to refuse the sale of their personal information. The definition of “sale” does not explicitly include sharing.
CPRA: The act clarifies that people can opt out of both the sale and sharing of their personal information to third parties.
5. Expanded user right to sue businesses
CCPA: The act gives users the right to sue a business for personal information data breaches.
CPRA: The act expands this to cover data breaches where the personal information that was exposed includes usernames and passwords.
The amount of civil penalties under the regulation depends on the type of violation:
Penalties are imposed if businesses don’t rectify a violation within 30 days.
If an individual sues, the fines depend on whether data is harmed during the breach:
While the CPRA does not come into effect until January 1st, 2023, the amendments cover personal information collected as of January 1st, 2022.
Businesses that have already implemented measures to comply with the CCPA have a good head start. Still, the transition to the CPRA will require them to conduct a thorough review of their existing data privacy policies. CPRA compliance should include adjusting privacy notices, contracts, and procedures for responding to consumer rights requests.
Businesses must include information on new and expanded user rights and sensitive information handling. This includes:
All in all, businesses are advised to revise their privacy policies and make sure they guarantee user rights and access to personal information.
Businesses must ensure an advanced level of data access for consumers. This must include one of the following:
Businesses must update their opt-out options depending on the type of personal information they handle:
The links must be present on the homepage of the company’s website and should redirect users to the web page where they can choose settings to opt out.
Businesses disclosing personal information to contractors and service providers must follow the restrictions set by the regulation and write them into the contracts. These restrictions prohibit contractors from:
The regulation also requires contractors to undertake compliance certification. It is the business’s responsibility to monitor the certification of its contractors.
Compliance with the CPRA means respecting new consumer rights and definitions of personal information. Although businesses have to bear financial and administrative costs, by implementing the regulations’ requirements, they lay the groundwork for expanding in California, the state with the greatest consumer potential in the US.