CPRA: Intro to the CCPA 2.0 and how it affects you. In 2020, the California Consumer Privacy Act (CCPA) took effect to address growing concerns about the collection and sale of personal information in California.
The CCPA grants various rights to California residents and regulates the conduct of businesses that collect or sell personal information. However, it leaves the consequences of third-party processing of consumer data somewhat open to interpretation. This prompted an amendment to the CCPA, which has come to be known as the California Privacy Rights Act (CPRA).
💡 The CPRA builds on the CCPA’s existing provisions, establishes new consumer rights, and adds new requirements for companies that gather personal data from California residents.
🚀 Short on time? Start your compliance with the CPRA today!
The criteria for qualifying as a business have been updated; find out whether you qualify as a business by answering the question below:
Does your business meet one or more of the following conditions?
(A) Gross revenue of over $25 million in the preceding calendar year.
(B) Buys, sells, or shares the personal information of 100,000 or more consumers or households each year, alone or in combination.
(C) Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.
If you answered yes, then under the CPRA your organization qualifies as a business.
🤔 Not sure if the CPRA applies to you? Take this 1-minute quiz!
Because the criteria have changed, the entities subject to the CPRA may differ from those that fell under the CCPA’s criteria.
🚀 Does your business fall under the scope of the CPRA? See how to comply →
The CPRA introduces a new category of protected data: sensitive personal information (SPI). The idea is similar to Article 9 of the General Data Protection Regulation (GDPR), which requires a higher level of protection for special categories of personal data.
What is considered sensitive personal information under the CPRA? See the statutory definition in the CCPA as amended November 3, 2020 (scroll down to the definition of “sensitive personal information”). SPI that is “publicly available” is not treated as sensitive personal information or as personal information.
The CPRA places specific standards and limits on SPI, giving consumers greater control over how organizations use this information.
Verify whether your sensitive personal information processing activities fall within the scope of these exceptions.
With the introduction of SPI, businesses as defined above must be especially diligent in protecting this type of data and in responding appropriately when a consumer wishes to opt out. Additional standards apply if a business handles consumers’ SPI. For example, businesses that use or disclose SPI for purposes beyond those permitted by the law must provide a clear and conspicuous link on their websites labeled “Limit the Use of My Sensitive Personal Information” that allows consumers to limit the processing of their SPI.
We will automatically fill in your documents with any processing of sensitive personal information depending on the services you add. Simply click Enable disclosures for Users Residing in the United States from within the Generator.
Want to know more about the easy ways iubenda can help comply? Click here →
If your business collects consumers’ personal information or sensitive personal information, you must provide them with a notice at or before the point of collection.
The notice at collection gives users a tool to control how your company uses their personal information and sensitive personal information, informing users, among other things, about:
The notice at collection must be displayed where consumers can easily see it, at or before the moment any personal information is collected. For example, include a link to the notice on your website’s homepage and on every web page where personal information is collected.
👉 You must provide a conspicuous link on your site’s home page and on every page where personal information is collected.
👉 For web forms, place a conspicuous link to the notice close to the fields in which your users enter their personal information or close to the button by which they submit it.
👉 If you collect personal information through a mobile application, provide a link to the notice on the application’s download page and within the application, for example through the application’s settings menu.
The notice at collection should include, according to the CPRA:
The iubenda Privacy Policy and Privacy Controls and Cookie Solution can help you display a “Notice at Collection” link for your users residing in California, as required by law. You simply have to enable the US State Laws option.
💡 Make sure you enable the privacy widget, which is displayed on every page of your website after a user has set their preferences. This allows the user to easily update their privacy preferences after setting them.
Below are four consumer privacy rights from the CCPA that the CPRA has updated.
Now that we have been through the four changes to the CCPA’s consumer privacy rights, let’s go through the four additional consumer privacy rights added by the CPRA (not included in the CCPA):
Businesses must ensure that they are prepared to comply with the new and enhanced consumer privacy rights included in the CPRA.
They will need to establish solid systems and controls so that they are able and ready to respond promptly to consumer requests. To prepare for CPRA compliance, many firms may need to make major changes to their existing security and privacy measures, hire additional staff, or contract third-party services.
👉 Please note that under the CPRA, a business that has received a consumer’s opt-out of the sale or sharing of their personal information must wait at least 12 months before asking that consumer to authorize the sale or sharing again.
👉 Moreover, as a business, you must provide consumers with two or more methods for submitting their requests. These methods can vary from business to business but must include, at a minimum, a toll-free telephone number and, if the business maintains a website, the website address. A business may omit the toll-free number if it “operates exclusively online” and has a “direct relationship with a consumer from whom it collects personal information”.
The CPRA requires you to act consistently with COPPA, which governs children’s privacy, with specific reference to the sale and sharing of children’s personal information: the personal information of consumers under 16 may not be sold or shared without their affirmative (opt-in) authorization, and for children under 13 that authorization must come from a parent or guardian.
Therefore, if your business sells or shares the personal information of consumers:
The following concepts are not part of the CCPA, but they are now codified as part of the CPRA:
By explicitly codifying these principles in the CPRA, California has empowered the state regulator to enforce them and potentially penalize businesses that fail to:
As a consequence of these principles, the CPRA includes a new requirement: opt-in consent is required to resume selling or sharing after a consumer has previously opted out. Your business must allow consumers:
CCPA – In the case of a data breach, consumers have a private right of action if their nonencrypted or nonredacted personal information is disclosed as a result of a business’s failure to implement reasonable security procedures and practices appropriate to the nature of the information.
CPRA – The right itself is unchanged; the CPRA adds an email address in combination with a password (or security question and answer) that would permit access to the account to the categories of personal information that are actionable under the statute.
The CPRA’s broadening of the private right of action to cover login credentials may be a response to the surge of credential-based attacks affecting consumers. Because the right applies only to nonencrypted or nonredacted data, many companies may choose to mandate multi-factor authentication as an additional layer of protection, alongside stronger encryption of stored data and storing passwords only as salted, slow hashes rather than in recoverable form.
Under the CPRA, businesses must also recognize and process consumers’ opt-out preference signals.
An opt-out preference signal is a signal sent by a platform, technology, or mechanism on behalf of the consumer that communicates the consumer’s choice to opt out of the sale and sharing of personal information. Once enabled, the signal is sent to every website the user visits, so the user does not have to submit individual requests. The Global Privacy Control (GPC), for example, is transmitted as the HTTP request header Sec-GPC: 1 and is exposed to page scripts as navigator.globalPrivacyControl.
💡 Did you know iubenda’s Privacy Controls and Cookie Solution automatically detects and honors opt-out preference signals like GPC and GPP, as mandated by the CPRA? With this feature, users can rely on our solution to manage these signals without needing to take any extra steps.
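The following is an added example, not iubenda’s code or text from the CPRA regulations, showing how a website could detect the GPC signal and apply it to the decision of whether third-party tags that sell or share personal information may load. It assumes a plain object of request headers (as in Node’s `req.headers`) and a hypothetical `storedPreference` record holding what the site previously recorded for this browser or consumer; the tag list and requests are constructed sample data.

```javascript
// Added example (not iubenda's code or the CPRA regulations' text): honoring
// an opt-out preference signal such as the Global Privacy Control (GPC).
// GPC is sent by the browser as the request header `Sec-GPC: 1` and is also
// exposed to page scripts as `navigator.globalPrivacyControl`.
// Assumptions (hypothetical): `headers` is a plain object of request headers
// (as in Node's `req.headers`) and `storedPreference` is whatever the site
// has previously recorded for this browser or logged-in consumer.

// Case-insensitive header lookup: Node lower-cases names, other stacks may not.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers || {})) {
    if (key.toLowerCase() === wanted) {
      const value = headers[key];
      return Array.isArray(value) ? value[0] : value;
    }
  }
  return undefined;
}

// The signal is only the exact value "1". A missing header or any other
// value is not a signal, and its absence must never be read as consent.
function hasGpcSignal(headers) {
  const value = getHeader(headers, "Sec-GPC");
  return typeof value === "string" && value.trim() === "1";
}

// Client-side equivalent, written against a navigator-like object so it can
// be exercised outside a browser (pass `navigator` in a real page).
function browserSignalsGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide whether this request may be used for selling or sharing personal
// information (for example, loading advertising tags that "share" data).
// A received signal is processed as a valid opt-out request. If it conflicts
// with consent the consumer gave earlier, the opt-out still wins; the business
// may tell the consumer about the conflict and offer a chance to consent again.
function resolveSaleSharePermission(headers, storedPreference) {
  const pref = storedPreference || { optedOut: false, consented: false };
  if (hasGpcSignal(headers)) {
    return {
      allowSaleShare: false,
      reason: "opt-out preference signal received",
      conflictWithPriorConsent: pref.consented === true,
    };
  }
  if (pref.optedOut) {
    return { allowSaleShare: false, reason: "consumer previously opted out", conflictWithPriorConsent: false };
  }
  // No signal and no opt-out on record: selling/sharing is opt-out for adults
  // under the CPRA, so it is permitted here. Consumers under 16 require opt-in
  // instead, which this example does not model.
  return { allowSaleShare: true, reason: "no opt-out on record", conflictWithPriorConsent: false };
}

// Apply the decision to a tag list: when the consumer has opted out, only tags
// that do not sell or share personal information may load.
function selectTagsToLoad(tags, decision) {
  return tags.filter((tag) => decision.allowSaleShare || !tag.sellsOrShares);
}

// Constructed sample data (not real traffic or real vendors).
const SAMPLE_TAGS = [
  { name: "first-party-analytics", sellsOrShares: false },
  { name: "ad-network-pixel", sellsOrShares: true },
  { name: "retargeting-beacon", sellsOrShares: true },
];
const SAMPLE_REQUEST_WITH_GPC = { "sec-gpc": "1", "user-agent": "ExampleBrowser/1.0" };
const SAMPLE_REQUEST_WITHOUT_GPC = { "user-agent": "ExampleBrowser/1.0" };

// Runs both sample requests and reports which tags would load.
function demo() {
  const withSignal = resolveSaleSharePermission(SAMPLE_REQUEST_WITH_GPC, { consented: true, optedOut: false });
  const withoutSignal = resolveSaleSharePermission(SAMPLE_REQUEST_WITHOUT_GPC, null);
  return {
    withSignalTags: selectTagsToLoad(SAMPLE_TAGS, withSignal).map((t) => t.name),
    withoutSignalTags: selectTagsToLoad(SAMPLE_TAGS, withoutSignal).map((t) => t.name),
    conflict: withSignal.conflictWithPriorConsent,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two points the example is built around: only the exact header value `1` counts as a signal (anything else, including a missing header, means “no signal”, not “consent”), and a signal received from a consumer who had earlier consented is still processed as an opt-out, with the conflict surfaced so the site can inform the consumer rather than silently overriding their choice.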
The CPRA adds to the requirements of the CCPA. Here is the full checklist of information that you must include in your privacy policy.
Most of the CPRA’s provisions became operative on January 1, 2023, and enforcement began on July 1, 2023.
Please note that, following a decision of the Sacramento County Superior Court, enforcement of the final regulations issued by the California Privacy Protection Agency was delayed until March 29, 2024. That decision does not affect the CPRA’s statutory provisions, which have been enforceable since July 1, 2023.
Our solutions handle the complex technical and legal work, taking the uncertainty out of compliance so that you can concentrate on expanding your company.
Privacy Controls and Cookie Solution →
Our Privacy Controls and Cookie Solution auto-configures to meet the most stringent US legal standards.
👉 Simply choose the regions where you and your users are located, and the solution does the rest!
Privacy and Cookie Policy Generator →
Use our Privacy and Cookie Policy Generator to identify services that are active on your website that might:
👉 Activate US-specific clauses by clicking “Enable disclosures for users residing in the United States.”
If your organization falls under the scope of the CPRA, you should begin looking into compliance solutions that are well trusted and drafted by lawyers.