This article summarizes the requirements of the California Privacy Rights Act (CPRA), which is a revision to the California Consumer Privacy Act (CCPA) that was passed in November 2020.
Requirements of the California Privacy Rights Act
The regulation went into effect on January 1, 2023. Some of the key requirements of the CPRA include:
- The right to know: Consumers have the right to request and receive information about the personal data that a business has collected about them, including the categories of data, the source of the data, and the purpose for which it is being used.
- The right to delete: Consumers can ask organizations to remove any personal information that they have collected about them.
- The right to opt-out of the sale of personal data: Consumers can prevent the sale of their personal data by a business. This includes the right to prevent targeted advertising.
- The right to non-discrimination: Businesses cannot discriminate against consumers who exercise their rights under the CPRA. This includes refusing goods and services, offering different prices, or providing a different service level.
- Data minimization: Businesses must minimize the personal data they collect and retain.
- Stronger security requirement: Businesses must maintain adequate security controls to secure personal data.
- Limited retention period: Businesses must limit the retention of personal data to what is necessary for the purposes for which it was collected.
- New rights for minors: Consumers under the age of 16 must provide affirmative approval before their personal information can be collected, used, or shared.
The CPRA also designates a new California Privacy Protection Agency to enforce the regulation and offer guidance to businesses on compliance.
How is CPRA different from CCPA
The California Privacy Rights Act (CPRA) is a revision to the California Consumer Privacy Act (CCPA) that expands upon and improves the consumer privacy rights and protections established by the CCPA.
Some key differences between the CCPA and CPRA include:
- The CPRA expands the term “personal information” to include new elements such as geolocation information, biometric data, and internet or other digital activity information.
- The CPRA requires businesses to notify consumers about the personal data they collect, including the categories of sources from which the data was collected and the specific data elements that the business has collected about the consumer.
- The CPRA gives consumers the right to request that companies remove any personal data that they have collected about them, whereas the CCPA only requires businesses to disclose what personal data they collect and how they use it.
- The CPRA requires businesses to minimize the personal data they collect and retain and to implement and maintain appropriate security controls to protect personal data.
- The CPRA includes stronger provisions for data protection for sensitive personal information and for the rights of minors.
- The CPRA creates a new California Privacy Protection Agency to enforce the regulation and provide support to businesses on compliance.
The CPRA’s goal is to provide stronger consumer privacy rights and protections, and to give California consumers more options to control their personal information.
What policy changes should companies implement to comply with CPRA
Companies should implement a number of policy changes in order to comply with the California Privacy Rights Act (CPRA). Some key changes that companies may need to make include:
- Creating a new process for handling consumer requests: Companies must be able to handle consumer requests to know and delete personal data, as well as requests to opt-out of the sale of personal data.
- Reviewing and updating their data collection and retention practices: Companies should review the types of personal data they collect and how long they retain it. They should minimize the data they collect and retain and ensure that it is only collected and retained for a specific, legitimate purpose.
- Reviewing and updating their targeted advertising practices: Companies should review and update their targeted advertising practices to ensure that they are in compliance with the CPRA’s opt-out requirements.
- Reviewing and updating their practices for handling data of minors: Companies should review and update their practices for handling data of minors to ensure that they are in compliance with the CPRA’s requirement for affirmative consent.
- Training employees: Companies should train their employees on the new requirements of the CPRA, including the new rights of consumers and the new compliance obligations of the company.
- Monitoring and reporting: Companies should monitor their compliance with the CPRA and report any violations of the law to the California Privacy Protection Agency.