Key Requirements of the CPRA (and How They Differ from the Current CCPA)

By Stephanie Sparks, Hoge, Fenton, Jones and Appel

Less than a year after the California Consumer Privacy Act (CCPA) went into effect, Californians voted on November 3, 2020 to approve Proposition 24, a ballot initiative known as the California Privacy Rights and Enforcement Act of 2020 (“CPRA”).  The CPRA amends and expands the CCPA, which itself was the first and most comprehensive consumer data privacy law in the U.S.  The CPRA will take effect on January 1, 2023, providing businesses a little over a year to tailor personal data collection and handling practices, create policies, train workforces and get into compliance with the new law.  Some requirements have “look back” provisions to data collected on or after January 1, 2022, so now is the time to determine if your business is covered by the CPRA and if so, to work toward compliance.

Many of the requirements of the CCPA remain in the CPRA.  And two exemptions of the CCPA relating to employment records and B2B information have been extended to January 1, 2023.

Manufacturers who handle personal data of California consumers, read on to discover whether the CPRA applies to you and know key provisions of the CPRA and how they differ from the CCPA.

What businesses are covered? 

The CPRA applies to the for-profit business entity, wherever it may be located, that handles California consumers’ personal data and:

  • earns annual revenues in excess of $25 million (same as the CCPA);
  • annually buys, sells or shares personal data of 100,000 or more consumers or households, alone or in combination with its service partners (the CCPA’s threshold is 50,000 or more consumers, households or devices); and
  • earns 50 percent or more of its annual revenue from selling or sharing personal data (note that “sharing” generally relates to the use of personal data for targeted cross-context behavioral advertising through service partners).

What are the consumer rights to be protected? 

The CPRA continues the rights afforded to consumers by the CCPA, but expands those rights to those indicated by ▲.  Consumers will have the rights to:

  • delete their personal data;

▲     correct inaccurate personal data, along the lines of the EU’s General Data Protection Regulation (GDPR), but that is not currently provided for in the CCPA;

  • know what personal data the business is collecting about them;
  • access their personal data;
  • know if the business is using their personal data;
  • know what personal data the business is selling and to whom;

▲    opt out of the sale or sharing of their personal data, where the CCPA only specified the selling of personal data;

▲    restrict the business’s use of their “sensitive personal data,” newly defined and similar to the GDPR by including race, ethnicity, religion, sex life, sexual orientation, precise geolocation, as well as data considered sensitive in the U.S., such as financial information, social security number, account credentials, electronic communications content, genetic, health and biometric data;

▲    require disclosure of automated processes for decision-making and profiling;

▲    prohibit businesses from retaining personal data for longer than reasonably  necessary (and to significantly reduce risk, businesses should develop a data retention schedule, and begin data minimization by securely disposing personal data records no longer needed);

  • not be subject to retaliation for exercising their privacy rights;

▲    seek triple penalties for violating the rights of minors.

Why should manufacturers take the CPRA seriously?

Like the CCPA, the CPRA gives consumers private rights of action to sue businesses that fail to take their privacy rights seriously.

Importantly, the CPRA created the California Privacy Protection Agency, the first agency in the country dedicated to protecting Californians’ fundamental right to privacy, and charged to implement and enforce the law.

Further, the CPRA eliminates the CCPA’s 30-day notice period to cure violations, and maintains statutory penalties for each violation:

  • Up to $2,500
  • Up to $7,500 (­involving data of a minor under the age of 16)
  • Up to $750 per consumer per data breach or actual damages, whichever is greater

What are the priorities for compliance?

For businesses covered by the CPRA, consider tackling the following steps, with regard to consumer and your employees’ personal data, this summer:

  • Data inventory. Know what data you have and all locations.
  • Map data flows, into and out of the business: where you get your data and where you share that data.
  • Data retention schedule and data minimization.
  • Update/create an accurate privacy policy that can be published (on an ADA accessible website).
  • Vendor management and contracts. Ensure you require your independent contractors and vendors to comply with the CPRA and any other applicable laws.
  • Develop a data breach incident response plan that identifies your crisis management team and the immediate steps needed to mitigate and remediate a breach. This should include computer forensics and other vendors to help you investigate and control the breach.
  • Check to make sure you have cyber insurance coverage.

About the Author:

Stephanie Sparks is a Shareholder & Chair of Privacy & Data Security Group for Hoge, Fenton, Jones and Appel. She can be reached at stephanie.sparks@hogefenton.com.