California Privacy Rights Act (CPRA) – A Comprehensive Guide for Businesses

The California Privacy Rights Act (CPRA) is the latest data privacy law in California and took effect on January 1, 2023. This blog post covers everything you need to know about California’s new data privacy law and how it affects businesses.

The State of California implemented the California Consumer Privacy Act (CCPA) in 2018. It is one of the most advanced privacy laws after the GDPR. But with the new CPRA taking effect, many people are confused about why the state has two privacy laws.

If you are a business owner doing business in California, this is a complete guide to understanding what the CPRA means for your business. We’ll answer your questions in this article, so read till the end.

But first, let’s have a quick look at the timeline of Californian privacy laws.

Year | Event
2003 | Online Privacy Protection Act
2003 | Shine the Light Law
2013 | Privacy Rights for California Minors in the Digital World Act
2018 | California Consumer Privacy Act
2023 | California Privacy Rights Act

Reference: CPRA.org

California Privacy Rights Act (CPRA) – What is it?

The California Privacy Rights Act is an amendment to the existing statewide privacy law, the California Consumer Privacy Act (CCPA). The CPRA was approved by California voters in November 2020 and is also known as Proposition 24. It came into effect on January 1, 2023, and applies to data collected on or after January 1, 2022.

The law was supposed to be enforced from July 1, 2023. However, after a legal challenge by the California Chamber of Commerce, a judge in the Superior Court of California issued a ruling postponing enforcement of the regulations related to the California Privacy Rights Act (CPRA) until March 29, 2024. As per the court’s decision, the existing regulations under the California Consumer Privacy Act (CCPA) continue to be in effect until the new regulations become enforceable.

CCPA vs. CPRA – What are the Changes?

Now that we know that the CPRA is not a separate law but an amendment to the existing CCPA, let’s see what changes the new law brings.

  • Redefining what is considered personal information (PI) under the CCPA.
  • Introducing a new category called sensitive personal information (SPI) with additional protection.
  • Expanding the scope of the CCPA to include more types of businesses.
  • Modifying existing rights for California residents under the CCPA while also introducing new rights.
  • Shifting the regulatory focus towards regulating behavioral advertising.
  • Establishing a new government enforcement agency to oversee privacy laws.
  • Adding features to the CCPA that are similar to those found in the European Union’s General Data Protection Regulation (GDPR).

Furthermore, the California Privacy Rights Act (CPRA) includes provisions that mandate any changes or amendments to the law to align with its purpose and intent. This strengthens data privacy laws in California in a distinct manner compared to the CCPA, as it ensures that the CPRA cannot be easily weakened from a legal standpoint.

The CPRA aims to build upon the existing CCPA law by expanding its provisions, introducing new regulations, and providing new definitions for terms associated with the CCPA. The CCPA laid the groundwork for data privacy in California and served as California’s response to the EU’s GDPR (General Data Protection Regulation).


Consumer Rights Under CPRA

The CPRA introduces four new rights and modifies five existing rights provided under the CCPA. Let’s take a closer look at them:

New Rights

  1. Right to limit the use of sensitive personal information (SPI): California consumers can request businesses to restrict the use of their sensitive personal information for internal purposes and for sharing with third parties.
  2. Right to correction of personal information (PI) and sensitive personal information (SPI): Residents can ask businesses to share the data they have collected about them. They can also request the deletion of inaccurate data (as per CCPA) and ask for corrections to be made (as per CPRA).
  3. Right to know about automated decision-making: If a business uses artificial intelligence (AI) to automate decision-making based on collected personal information or sensitive personal information, it must inform consumers about these processes and their outcomes.
  4. Right to opt-out of automated decision-making: If a California resident disagrees with a business’s automated decision-making methods, they can choose to opt out. In such cases, businesses must not use their personal information for automated processes like behavioral advertisements or individual profiling.

Modified Rights

  1. Right to data portability: Consumers can request businesses to transfer their personal information to other businesses or organizations.
  2. Right to opt-out: Individuals now have the option to opt out of sharing their personal information (previously, it only applied to selling).
  3. Right to know: Consumers can ask businesses to provide them with details of the personal information collected beyond the 12-month limit set by CCPA.
  4. Right to delete: Consumers have the right to get their data deleted from processing. Businesses must inform third parties to delete the data as well (previously, it only applied to the business that initially collected the data).
  5. Right of minors: If a minor under 16 years of age has declined to provide consent for the collection of their personal information or sensitive personal information, businesses are prohibited from approaching them until the consumer turns 16.

These rights apply only to California residents.

New Category of Personal Information

The CPRA introduces a new category of personal information, sensitive personal information, which is subject to stricter privacy controls. Sensitive personal information refers to specific types of personal information that can reveal sensitive details about an individual.

The following are the types of sensitive personal information listed by the CPRA:

  1. Social Security Number: A unique identification number issued by the government that is often used for various official purposes.
  2. Driver’s License Number: The unique number assigned to an individual’s driver’s license, which is used for identification and legal driving privileges.
  3. State Identification Card Number: Similar to a driver’s license number, this is the unique identifier associated with a state-issued identification card.
  4. Passport Number: A unique identification number assigned to a person’s passport, which is used for international travel and identification.
  5. Account Login Information: Information used to access online accounts, such as usernames, email addresses, and passwords.
  6. Financial Account Numbers: Numbers associated with bank accounts, credit cards, or debit cards that are used for financial transactions.
  7. Geolocation Data: Precise information about an individual’s current or past locations, often obtained through GPS technology.
  8. Racial or Ethnic Origin: Information that identifies a person’s race or ethnicity.
  9. Religious or Philosophical Beliefs: Personal beliefs or affiliations related to religion or philosophical perspectives.
  10. Union Membership: Information indicating an individual’s membership in a labor union.
  11. Contents of Communications: The actual content of a person’s private communications, including emails, text messages, and mail.
  12. Genetic Data: Information about an individual’s genetic makeup, including DNA sequences and inherited traits.
  13. Biometric Information: Data related to an individual’s unique physical or behavioral characteristics, such as fingerprints, facial recognition data, or voiceprints.
  14. Health Information: Personal data collected and analyzed regarding an individual’s health, medical conditions, or treatments received.
  15. Information on Sex Life or Sexual Orientation: Personal details about an individual’s sexual activities, preferences, or sexual orientation.

Please note that this list is not exhaustive, and there may be additional types of sensitive personal information depending on legal regulations and specific contexts. However, if any of this information is already publicly available, it is, under certain circumstances, not considered sensitive personal information or personal information.

Who Needs to Comply?

The CPRA has revised the definition of who needs to comply. It now applies to businesses in California, or businesses that collect or control how the personal information of California residents is used, that meet one or more of the following conditions:

  1. Made more than twenty-five million dollars ($25,000,000) in total revenue during the previous calendar year.
  2. Buys, sells, or shares the personal information of 100,000 or more consumers or households each year, either individually or combined.
  3. Earns 50 percent or more of its annual revenue from selling or sharing consumers’ personal information.

Threshold | CCPA | CPRA
Annual Gross Revenue | Over $25 million | Over $25 million in the previous calendar year
Personal Information Transactions | Buys, receives, sells, or shares personal information of 50,000 or more consumers, households, or devices for commercial purposes | Buys, sells, or shares personal information of 100,000 or more consumers or households
Revenue Source | 50% or more of its annual revenues come from selling consumers’ personal information | 50% or more of its annual revenues come from selling or sharing consumers’ personal information

The CPRA introduced two new categories of businesses that are subject to its provisions.

  1. A joint venture or partnership composed of businesses in which each business has a 40 percent or more ownership interest. As per the law, the joint venture or partnership and each individual business within it are considered separate businesses. However, personal information held by each business and shared with the joint venture or partnership cannot be shared with the other individual businesses.
  2. A person who conducts business in California but doesn’t meet any of the previously mentioned conditions. They can voluntarily certify to the California Privacy Protection Agency that they are in compliance with the CPRA and agree to follow its rules.

California Privacy Protection Agency (CPPA)

The CPRA created the California Privacy Protection Agency, a new body responsible for implementing and enforcing the law. The agency has administrative power and authority over privacy matters and is overseen by a board of five members, including a Chairperson.

The Governor appoints the Chairperson and one member of the board, while the Attorney General, the Senate Rules Committee, and the Speaker of the Assembly each appoint one member. Appointed board members must be Californians with knowledge and expertise in areas such as privacy, technology, and consumer rights.

CPRA Takes Inspiration from GDPR

The CPRA introduces three additional requirements for businesses inspired by the EU’s GDPR:

  • Data minimization: According to CPRA, a website or business in California can only collect, use, and share the personal information of Californians if it is reasonably necessary and proportional to the purpose of collection.
  • Purpose limitation: Businesses cannot use personal information for undisclosed or unrelated purposes.
  • Storage limitation: Businesses are required to inform California residents about the retention period of each category of collected personal information. Users have the right to know how long their data will be stored after it is collected.

New Definitions In CPRA

Advertising and Marketing

The CPRA explicitly defines advertising and marketing as any communication, whether in print, online, or through other means, that is aimed at persuading or enticing a consumer to acquire goods, services, or employment. The communication can be made by the business itself or by an individual acting on behalf of the business.

The purpose is to encourage the consumer to make a purchase, use a service, or seek employment opportunities.

Consent

The CPRA says that consent means a consumer willingly and clearly indicates agreement to a particular purpose after understanding what it involves. As per the law, consent must be specific, freely given, and informed. However, the law also says that the following do not count as consent:

  • Just agreeing to general terms of use or similar documents that have information about how personal information is processed along with other unrelated information.
  • Simply hovering over, muting, pausing, or closing a piece of content.
  • Consent obtained using deceptive methods or “dark patterns.”

Contractor

The CPRA adds a new category of data recipient, the contractor. A contractor is a person to whom a business makes consumers’ personal information available for a specific business purpose, under a written contract between the contractor and the business.

The CPRA requires contractors to certify that they understand and will adhere to the applicable requirements. Additionally, contractors are obligated to notify the business if they can no longer comply with the CPRA.

Cross-Context Behavioral Advertising

The CPRA defines a new category of advertising named “cross-context behavioral advertising.” It refers to advertisements tailored to a consumer using personal information gathered from their activities across different businesses, websites, applications, or services. It specifically excludes activity on the business, website, application, or service that the consumer intentionally interacts with.

Profiling

As per CPRA, profiling refers to the “automated processing” of consumers’ personal information in order to assess specific aspects of them. This analysis may involve predicting or understanding things like their “work performance, financial situation, health, personal preferences, interests, reliability, behavior, location, or movements.”

Security and Integrity

The CPRA defines security and integrity as the ability of a network or information system:

  1. To identify security incidents that threaten the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information.
  2. To resist and defend against malicious, deceptive, fraudulent, or illegal actions and aid in the prosecution of those responsible for such actions.

Additionally, it includes a business’s responsibility to ensure the physical safety of individuals.

Sharing

“Share,” “shared,” or “sharing” refers to the act of a business giving a consumer’s personal information to a third party for the purpose of cross-context behavioral advertising. This can involve sharing, renting, disclosing, disseminating, making available, transferring, or communicating the information orally, in writing, or through any other method. The sharing can occur whether or not there is any monetary or other valuable benefit involved.

Conclusion

The California Privacy Rights Act (CPRA) introduces significant changes and additions to California’s data privacy landscape. It expands upon the existing CCPA, enhancing consumer rights and imposing stricter requirements on businesses.

The CPRA also introduces new categories of personal information, establishes the California Privacy Protection Agency, and introduces GDPR-like requirements. These changes aim to strengthen consumer privacy and control over personal information, bringing California closer to global data protection standards.

What are your thoughts on the CPRA? Does the law make it hard for businesses in California? Drop your thoughts in the comments.

Disclaimer: This article was intended for informational purposes only and does not represent legal advice. We have no intention of obtaining any kind of attorney-client relationship. If you are looking for legal advice, we recommend you contact a professional.

Article by

Content Writer @ WebToffee. Specialized in WordPress and eCommerce. When I am not writing, I enjoy my downtime with a good cup of coffee and a movie.
