January 14, 2021
The 8 Steps to CPRA Compliance
California continued to raise the bar for data privacy when voters approved Proposition 24, the California Privacy Rights Act (CPRA), on November 3, 2020. The new law amends and builds on the 2018 California Consumer Privacy Act (CCPA).
CPRA gives Californians more control over their personal information (PI) and introduces new requirements for businesses using this information. It also establishes the California Privacy Protection Agency (CPPA), which will have responsibility for implementing and enforcing California consumer privacy laws and imposing fines for non-compliance. With this law, California will become the first state in the U.S. with a privacy-specific regulator.
Most CPRA provisions take effect on January 1, 2023, which gives businesses a reasonable amount of time to prepare if they start planning now.
In this blog, we’ll review the key changes being introduced with CPRA and what you need to do to prepare for and benefit from this significant new privacy law.
CPRA Overview
Weighing in at over 50 pages, CPRA covers a lot of territory. This section provides an overview of what we feel are the most important elements of the new law.
Expanded Definition of Covered Businesses
CPRA modifies the definition of “covered business” to include:
- Businesses that buy, sell, or share the PI of more than 100,000 California consumers or households. Under CCPA, the threshold is 50,000. This means that some small businesses currently subject to CCPA requirements may fall outside the scope of CPRA.
- Businesses that derive at least 50% of their revenue from selling or sharing consumer PI. Under CCPA, this provision only includes businesses that “sell” consumer PI.
- Joint Ventures, which are defined as follows: “joint venture or partnership composed of businesses in which each business has at least a 40 percent interest.”
New Sensitive Personal Information Category
CPRA introduces a new category of “sensitive personal information,” which is subject to more stringent disclosure and purpose limitation requirements. Sensitive PI includes highly sensitive information such as Social Security Number, driver’s license, financial account information, geolocation data, religious beliefs, genetic data, and health information. Covered businesses are directed to limit their use of sensitive PI to that “which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services.”
Fines Tripled for Violations Involving Childrens’ Personal Information
Fines for violations of CCPA requirements range from $2,500 per violation for a non-intentional violation to $7,500 for an intentional violation. There is no distinction between fines for violations related to a child’s personal information vs. an adult’s information.
Under CPRA, fines for all violations related to the information of children under the age of 16 are $7,500 per violation, regardless of whether the violations are intentional or non-intentional.
Expanded Opt-Out and Advertising Rights
CPRA expands consumer opt-out rights to include both the sale and “sharing” of personal information. “Sharing” is defined as the transfer or making available of a “consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.”
Expanded Notice Requirements
Businesses must notify consumers “at or before the point of collection” regarding:
- PI that will be sold or shared.
- The collection, processing, and disclosure of sensitive PI.
- The length of time the business intends to retain each category of PI or, if not possible, “the criteria used to determine such period.”
New Consumer Privacy Rights
CPRA introduces new consumer data privacy rights that do not exist in CCPA:
- Right to Restrict Sensitive PI. Consumers may instruct a business to limit the use and disclosure of their sensitive PI for certain secondary purposes, including disclosure to third parties.
- Right to Correction. Consumers may instruct a business to correct any of their PI held by the business if the information is not accurate.
- Right to Opt Out of Automated Decision-Making Technology. Consumers may opt out of the use of automated decision-making technology, including “profiling,” in connection with decisions related to their work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Right to Access Information About Automated Decision Making. Consumers may instruct a business to provide information about automated decision-making processes that are based on their personal information. They may also request a description of the likely outcomes that will result from these processes.
- Expanded Contracting Requirements. CPRA expands contracting requirements for business that sell, share, or disclose PI to “service providers,” “contractors,” and “third parties.” Businesses must include in their agreements with these contracting organizations provisions requiring that the contracting organizations comply with CPRA requirements.
Expanded or Modified Consumer Privacy Rights
CPRA expands or modifies consumer data privacy rights that currently exist in CCPA:
- Modified Right to Delete. When requested by a consumer, businesses must notify third parties to delete consumer PI bought or received.
- Expanded Right to Know. The PI that must be included in a “Right to Know” response is expanded to include PI collected over 12 months prior to the PI request. This only applies to information collected after January 1, 2022.
- Expanded Right to Opt Out. A consumer’s right to opt out of the sale of their PI to third parties has been expanded to include “sharing” of PI for cross-context behavioral advertising.
- Expanded Right to Data Portability. Consumers may instruct businesses to transmit specific pieces of PI to another entity, to the extent that it is technically feasible for the business to provide the PI in a structured, commonly used, and machine-readable format.
More Clearly Defined Audit and Risk Assessment Requirements
CPRA requires that businesses whose processing of consumers PI “presents a significant risk to consumers’ privacy or security” perform an annual cybersecurity audit. These businesses must also conduct an annual risk assessment and submit it to the newly-created California Privacy Protection Agency (CPPA).
Incorporation of GDPR Principles
While CCRA does not mirror Europe’s General Data Protection Regulation (GDPR) in every respect, it does adopt some of GDPR’s principles, including:
- Data minimization. Businesses must limit their use of PI to what is reasonably necessary for the way in which the business has indicated they will use the information.
- Purpose limitation. Businesses wishing to use PI in a different way than previously disclosed must notify consumers before using PI in the new way.
- Storage limitation. Businesses must not retain PI for longer than is “reasonably necessary” for each disclosed purpose. They must also disclose, at the time of collection, their retention periods for each category of PI—or if that is not possible, the criteria used to determine the retention period.
How Should You Prepare for CPRA?
To ensure that your company is ready for CPRA, it’s helpful to view the challenge through two lenses:
- What changes do we need to make to our internal processes, policies, procedures, and systems?
- What do we need to do to notify our customers and partners about the upcoming changes?
Here are the steps we recommend you take to ensure your business is compliant with CPRA requirements before the new provisions become effective on January 1, 2023:
- Conduct a thorough data mapping exercise to understand the types of data that your organization uses, how it is protected, and for what purposes it is used. Identify PI that you consider to be “sensitive” PI. If you have already mapped your data, be sure to periodically refresh this mapping to make sure it stays current. Consider eliminating any personal information you are using that is either not needed or is creating more risk than the value it adds to your organization.
- Update your processes, policies, procedures, and systems to be compliant with CPRA requirements.
- Update your privacy notice to align with the new CPRA disclosure requirements.
- Update your contracts with service providers, contractors, and third parties to ensure they include the required CPRA provisions.
- Conduct a privacy impact assessment.
- Conduct a thorough risk assessment that incorporates risks related to failure to comply with CPRA requirements.
- Engage a third party to conduct a cybersecurity audit if you feel that your use of consumer PI could present a significant risk to consumers’ privacy or security.
- Adopt Privacy by Design principles as you develop new products and services.
Cost of Data Privacy
You may be thinking that this sounds like a lot of work and expense just to ensure data privacy—and it is! Here are some considerations that may help you justify the costs to others in your organization:
- Because CPRA was introduced via a ballot proposition, California voters may be especially attuned to the rights afforded them under the new law. If businesses fail to fully implement these new rights, California consumers may be inclined to initiate legal action or join a class-action lawsuit. Or, they may simply be dissatisfied with the way in which you are handling their personal information. Neither is a good outcome for your business.
- According to a recent IBM/Penomon Institute report[1], the average cost of a compromised record containing personal information is $150/record. To put this in context, the cost of 50,000 breached records would be $7.5 million.
- Failure to comply with CPRA could result in fines of up to $7,500 per violation.
- While the risks and costs of using PI are significant, you may be able to offset these costs/risks by developing new products and services that securely leverage this information by using techniques such as data aggregation, anonymization, and pseudonymization.
- You can use your strong data privacy protections as a selling point to customers. As data privacy issues continue to attract significant attention in the media and with legislators, assuring customers that you place a high priority on maintaining the privacy of their personal information can be a great way to maintain and attract customers.
We Can Help
If you have questions about CPRA or would like help implementing changes in your environment to ensure CPRA compliance, Tevora’s team of data privacy and security specialists can help. Just give us a call at (833) 292-1609 or email us at sales@tevora.com. Take a look at our Privacy Tracker that helps you stay up to date with every privacy regulation.
[1] 2019 Cost of a Data Breach Report by IBM and Penomon Institute
Privacy Webinar On-Demand Now
CPRA: What Privacy Officers Need to Know
About the Authors
Christina Whiting is a Principal | Privacy, Enterprise Risk & Compliance at Tevora.
Adoriel Bethishou is an Associate Manager | Privacy at Tevora.