The California Privacy Rights Act (CPRA) is an amendment to the California Consumer Privacy Act (CCPA), which grants Californians extra privacy rights for their personal information.
The CPRA brings California’s privacy regime closer to the European Union’s (EU) General Data Protection Regulation (GDPR) with a range of new technical obligations for businesses managing personal data.
It became effective from January 1, 2023, and is enforceable by the California Privacy Protection Agency (CPPA) from July 1, 2023.
Personal Data Rights Under the CPRA
The CPRA focuses strongly on Californians’ right to privacy of their personal information – especially their sensitive personal information – whether they are consumers, employees or business contacts. (The CCPA only covered personal information of consumers).
These personal data privacy rights include:
- Right to know what categories and pieces of personal information are collected, disclosed or sold by companies and the purpose/s
- Right to correct personal information
- Right to delete personal information
- Right to limit use of sensitive personal information
- Right to opt-out of automated decision-making technology
- Right to opt-out of the sale or sharing of personal information
- Right of non-retaliation by a company if an individual exercises their data privacy rights.
Summary of CPRA technical obligations for businesses
Like the EU’s GDPR, the CPRA requires businesses to show they are as serious about protecting people’s data privacy rights as they are about securing their own business’s data.
Businesses must also give individuals more control of their personal information and support their right to make informed choices about how their personal data is managed.
Technical obligations for businesses under the CPRA include:
- Data minimization
- Data collection purpose limitation
- Data storage limitation
- Notices for data collection and data privacy
- Links to allow Californians to exercise privacy rights
- Consent controls (opt-in)
- Privacy protection and cybersecurity.
CPRA data minimization obligation
Like the GDPR, the CPRA contains a rule about minimizing the amount of Californian’s personal information a business or website can collect, use or share to only what is genuinely needed to serve the publicly stated collection purpose:
- Any data must be reasonably necessary
- The amount of data collected must be proportionate.
CPRA data collection purpose limitation
Similarly, businesses and websites can only collect, use, share, or sell the personal information of
Californian residents for clearly stated purposes:
- Every purpose must be started first before personal data is collected
- Each new purpose must be stated first before data activities begin (whether the new purpose is to collect, use, share, or sell personal data)
- No personal data can be collected, used, shared, or sold without a stated purpose.
CPRA data storage/retention limitation
The CPRA addresses a gap in the CCPA rule about data retention: businesses and websites must now tell
Californians at the point of data collection how long each category of collected personal data will be stored for after collection.
- Personal data can be stored only for as long as is reasonably necessary to meet the purpose for which it was collected
- Personal data cannot be stored indefinitely – under the CPRA businesses are obliged to establish and adhere to clear data destruction policies.
Notices of collection and data privacy under CPRA
To meet their CPRA data privacy obligations to Californians, businesses must provide clear notices on their websites and any public-facing locations at or before the point of collection about:
- Categories of personal information the business intends to collect
- Whether the business intends to collect and use “sensitive personal information” (and which categories)
- Business or commercial purpose/s for collecting personal information/sensitive personal information
- Whether any category of personal information will be shared or sold
- How long data will be stored and the criteria used to decide a destruction date (data retention limitation)
- How the business manages and ensures privacy of personal data and sensitive personal information – including a link to the business’s Privacy Policy
- Data privacy rights for Californians and links to pages where they can exercise these rights.
CPRA obligations for links to allow Californians to exercise privacy rights
The CPRA requires businesses to clearly display at least two links on the homepages and any other relevant pages of their websites before data may be collected, so Californians can exercise two important privacy rights.
These must be clearly labelled as:
- “Limit the Use of My Sensitive Personal Information”
- “Do Not Sell or Share My Personal Information” (note: this link is an update to the CCPA’s “Do Not Sell” link/button)
While these links can appear on a button graphic, the text itself must be readable on any internet-capable device, and the links must work on any internet-capable device.
The text of the CPRA also includes a recommendation for businesses to publish “a single, clearly labeled link that allows consumers to easily exercise both their right to opt-out of sale/sharing and right to limit.”
CPRA rules on consent controls (opt-in)
Some kinds of consent related to collection, use, sharing and sale of personal data were already covered in the CCPA. However, the CPRA has expanded the types of consent that must be sought from Californians by businesses and website to include:
- New consent for personal data to be shared or sold after an individual has already opted out
- New consent for secondary activities related to sensitive personal information (SPI), such as using, sharing or selling SPI, after an individual has opted out.
The CPRA clearly states businesses are prohibited from soliciting for either of these consents (via an opt-in mechanism) “for at least 12 months” from the time the individual opted-out.
Other consents that must be sought via a mechanism for individuals to opt-in include:
- Consent from parents/guardians to opt-in so a business can collect, share and/or sell their children’s personal information
- Consent for exemptions such as data collection for research purposes
- Consent to opt-in to a financial incentive
CPRA Privacy Protection and Cybersecurity Obligations
The CCPA did not include a specific minimum standard for security. At the same time, businesses must maintain “reasonable security procedures and practices appropriate to the nature of the personal information” to protect against breaches that could allow unauthorized access, theft or disclosure of personal information.
However, the CCPA did create a “Private Right of Action” that gives Californians the right to sue businesses for security breaches involving their personal information.
Under the CCPA and CPRA, a business must notify affected parties and individuals of security breaches and the actions taken to recover from the breach.
The CPRA introduced new obligations on businesses to ensure they are maintaining “reasonable security procedures and practices”:
- Businesses must report on processing activities, restrict access to personal information to authorized parties, and ensure third parties meet contractual obligations for cybersecurity and privacy protection
Businesses must perform and report regular cybersecurity audits to demonstrate they can keep personal data safe - Businesses must also perform and report regular risk assessments, reviewing how they process personal information and evaluating the business benefits of each process against the potential risks to individuals’ privacy rights.
- Businesses’ data protection and cybersecurity stances can be audited by the CPPA, with the power to enforce the Act from July 1, 2023.