The California Privacy Rights Act is the latest in a greater trend going on around the world, as data privacy advocates, individuals, and consumers have been demanding greater access and control over how businesses have been using their data, resulting in privacy regulation passing throughout the world. If you’re on our website, you’re probably aware that privacy regulations can be pretty challenging. The rules are vague and complicated, plus navigating brand-new regulations is even tougher.
There is a lot going on in the CPRA, and it is very easy to get bogged down, losing sight of the forest for the trees. Here, we'll talk about what you need to know about the CPRA including its key updates and how it affects your business.
The California Privacy Rights Act (CPRA), which was voted on and passed as a part of Proposition 24 on November 3rd, is a dramatic update and expansion of 2018’s California Consumer Privacy Act (CCPA), which had only been in effect since July 2020. The CCPA had national implications as it was the first general data privacy law that gave American consumers control over their personal data, as it provided limits on what personal data businesses could collect, how it could be used, and how individuals could protect and limit the spread of their data.
How is the CPRA Different from the CCPA?
It looks a lot like the GDPR
The CPRA draws inspiration from the GDPR by including employees as data subjects and gives consumers more rights, but it also clarifies some concepts that were left vague in the CCPA. The similarities to the GDPR give consumers several new rights, including:
- The right to access information about automated systems: for example, you can learn why a system chooses to show you a particular kind of advertisement - and the right to opt out of that technology.
- The right to correct incorrect information about themselves.
- The right to know how long their data is retained
- The right of data portability
- A much clearer definition of consent
It has some teeth behind it
The CPRA creates a new agency, the Consumer Privacy Protection Agency (which shares the same acronym as the now replaced CCPA), to regulate privacy for Californians and enforce the act.
The act also provides stronger protections to consumers, which will give them the right to impose more limits on the use and the disclosure of their information. Additionally, it also expands the definition of consent regarding an individual's personal information. While the CCPA allowed people to opt out of the sale of their personal data, companies could still distribute that information with the claim that they were merely sharing it for a “better experience”. The CPRA closes that loophole by including language that forbids companies from sharing information with third parties for behavioral advertising.
The act also provides for higher fines when the personal information of minors is involved.
How does the CPRA Impact Businesses?
The updates to the CPPA contained within the CPRA come at a great cost to businesses, as they will now face larger penalties and will not have an opportunity to remediate issues before facing lawsuit.
Publicly Available Information is not considered Personal Data
The CPRA does not consider publicly available information to be considered personal information. The CPRA defines publicly available information as “lawfully obtained, truthful information that is a matter of public concern; information that a business has a reasonable basis to believe is lawfully made available to the public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.” While this information will no doubt see later clarifications, businesses could conceivably freely collect data subjects first and last name or information that is shared on a public social media profile.
Imposes Obligations on Service Providers and Contractors
The CPRA puts new obligations on service providers, contractors, and other third parties by requiring the businesses to sign contracts with its vendors that will prohibit them from processing or using the data for any purposes other than those specified by the contract ,selling or sharing it, or combining it with data received or collected by other means (with very limited exceptions). Additionally, these contracts will allow the business to monitor their vendors compliance to the CPRA, as well demand that the vendor must certify that it understands and will comply with the obligations of the CPRA.
The CPRA extends the data protection obligations to these vendors. In other words, contractors who use or process the information provided to them as part of their business agreement must follow the same standards as their client, which is reminiscent of the HIPAA Omnibus Rule and the GDPR, which both apply the same.
Creates the California Privacy Protection Agency
The CPPA will serve as a watchdog for consumers, the agency will also be incredibly useful for companies by helping to interpret and clarify any vague or obscure portion of the law, which has been one of the challenges of compliance with the California Consumer Privacy Act to date. However, the organization will be funded by the money generated from penalties against companies, so the agency will definitely be incentivized to penalize.
While the law was primarily created to target and enforce compliance upon large businesses that process huge amounts of personal data, it is very likely that small businesses will be caught in the new law's crosshairs. Smaller businesses will probably be the first to receive fines because they are less likely to have the proper policies and procedures in place to protect data or cannot afford the opt-out feature. Regardless, the fact that the agency will be primarily funded by penalties provides the incentive for rather strict enforcement.
At the very least, organizations that conduct business in California should update policies and procedures to ensure the correct usage, storage, and transmission of personal data, and ensure that consumers can choose whether the information is used for other purposes. Even if they do not, they should already be looking into how to best comply with data privacy laws in general because it will only be a matter of time before a similar law is enacted over the entire United States.