What Is CPRA? Understanding the California Privacy Rights Act

The California Privacy Rights Act (CPRA) is California’s data privacy law that expands consumer rights and imposes stricter obligations on businesses regarding the collection, use, and protection of personal information. As we showed with our example of an automaker’s hefty fine in our CCPA explainer, California’s privacy regulations have teeth. In this explainer on “what is CPRA,” we continue to argue that businesses cannot afford to treat consumer data protection as an afterthought.

Building on the foundation of the earlier CCPA legislation, the newer CPRA gives California residents expanded control over their personal information. It also requires businesses to implement more robust privacy practices. Here’s everything you need to know to get started with compliance and build a more secure business along the way.

The California Privacy Rights Act (CPRA) At a Glance

California voters approved the CPRA through a ballot initiative in November 2020. The law became enforceable on January 1, 2023, and applies to personal information collected on or after January 1, 2022.

The CPRA applies to businesses that meet one or more of these thresholds:

  • Annual gross revenue exceeding $25 million
  • Buying, selling, or sharing the personal information of over 100,000 California residents
  • Generating 50% or more of yearly income through selling or sharing personal data from California residents

Any business operating in California that meets any one of these criteria must comply, regardless of its headquarters location.

The CPRA covers a broad range of personal information, from basic identifiers such as names and email addresses to more sensitive data, including precise geolocation, biometric information, and browsing histories.

Many organizations turn to outside managed security services to help them navigate such requirements.

Why Was CPRA Created?

The original California Consumer Privacy Act, which took effect in January 2020, established groundbreaking privacy protections for California residents. However, some limitations became apparent.

For example, businesses found ways to continue certain data practices that some consumers found problematic. Emerging technologies also created new privacy concerns that the original law didn’t adequately address.

The CPRA addressed these shortcomings by creating the California Privacy Protection Agency, a dedicated regulatory body with authority to investigate violations and impose penalties. The new law also eliminated the CCPA’s original automatic cure period for violations and established more rigorous requirements around sensitive personal information.

CPRA vs CCPA: What’s the Difference?

The CPRA doesn’t replace the earlier law but rather amends and expands it.

  • It added new consumer rights, including the right to correct data and limit the use of sensitive personal information.
  • It created a dedicated enforcement agency with rule-making and investigative authority.
  • It imposed stricter obligations on businesses for data minimization, retention, and vendor management.

Organizations must comply with the requirements of the CCPA and the expanded standards established under the CPRA.

New Consumer Rights Under CPRA

The CPRA establishes several rights not addressed under the CCPA. For example, California residents can now request that businesses correct inaccurate personal information rather than only request deletion.

Another significant addition limits the use of sensitive personal information. Under the CCPA, consumers could only opt out of the sale of their data. The CPRA expands this protection by allowing consumers to limit how businesses use sensitive information, including precise geolocation data, race, ethnicity, religious affiliation, genetic data, private communications, and health information.

New provisions also expand CPRA’s reach into automated decision-making technology. Under emerging CPPA regulations, businesses must disclose how certain automated decision-making processes operate. They must also provide consumers with an opt-out from profiling that produces legal or comparable effects and clearly describe the results of automated decisions.

Finally, the CPRA expands and clarifies the existing right to data portability, allowing consumers to request that businesses transmit their personal information to another entity when technically feasible.

Sensitive Personal Information (SPI) Changes

The CPRA created a new category of data called sensitive personal information (SPI) that receives heightened protection. SPI includes:

  • Government identifiers
  • Account login credentials
  • Financial information
  • Precise geolocation data
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Union membership status
  • Genetic data
  • Biometric information
  • Personal information concerning health, sex life, or sexual orientation
  • Contents of mail, email, and texts when the business isn’t the intended recipient

Businesses can only use sensitive information for specific purposes unless consumers have been given the opportunity to limit its use. Permitted purposes include:

  • Performing reasonably expected services
  • Enhancing cybersecurity
  • Short-term transient use
  • Performing services on behalf of the business
  • Verifying and strengthening the quality and safety of products and services

Enforcement and Penalty Differences

The CPRA makes substantial changes to enforcement mechanisms. The law established the California Privacy Protection Agency (CPPA) as the primary regulatory body responsible for issuing regulations and enforcing the CPRA. At the same time, the Attorney General’s Office retains authority for certain CCPA-related actions.

Although the CPRA eliminated the CCPA’s original automatic 30-day cure period, the Privacy Protection Agency may choose to provide one at its discretion. Penalty amounts remain at $2,500 per unintentional violation and $7,500 per intentional violation. However, any violations involving the personal information of children under 16 carry a higher penalty.

Given the high cost of noncompliance, many organizations partner with experts who are intimately familiar with the nuances of the CPRA and other regulations. Xantrion provides compliance support and managed IT services to businesses throughout California, with closer hands-on service available in the Bay Area, Silicon Valley, LA, Sacramento, and San Diego.

Understanding CPRA Regulations

The CPRA statute establishes the legal baseline, but the practical compliance requirements derive from regulations issued by the California Privacy Protection Agency. These regulations interpret potentially ambiguous statutory language, create standards for acceptable business practices, and provide guidance on enforcement.

The regulations also address topics including automated decision-making technology, risk assessments, requirements for contracts with service providers, and related areas.

Managed cloud services can help you implement systems that facilitate adaptation to regulatory changes.

Key CPRA Regulatory Requirements for Businesses

Under CPRA, businesses must implement data minimization practices, collecting only personal information reasonably necessary and proportionate to disclosed purposes.

Purpose limitation rules require businesses to use personal information only for disclosed purposes unless they obtain fresh consent for new uses. Retention limits prevent businesses from retaining personal information longer than is reasonably necessary for the disclosed purposes.

The regulations impose specific requirements on vendor and processor contracts. Businesses must include contractual provisions requiring:

  • Explanations of the purpose of data processing
  • Data to be processed only as instructed
  • CPRA compliance
  • Audit capabilities
  • Notification if contractors cannot meet their obligations

Organizations in highly regulated sectors may benefit from specialized cybersecurity services, such as healthcare cybersecurity services, IT services for the financial industry, law firm IT services, and IT support for accounting firms, to help them meet these vendor management requirements.

CPRA Compliance: What Businesses Need to Do

CPRA compliance touches every aspect of how an organization collects, uses, and protects personal information. That makes compliance more than a one-time project, since protections must change along with data collection and use practices.

For many mid-market organizations, the biggest CPRA risk is not intent but visibility. Data is distributed across dozens of SaaS tools, cloud platforms, and vendor systems, which makes it difficult to determine where sensitive personal information resides, who can access it, and whether requests are being honored correctly.

In general, core compliance obligations include:

  • Maintaining up-to-date privacy policies
  • Providing notices at the point of data collection
  • Processing consumer rights requests
  • Establishing opt-out mechanisms
  • Training staff in proper data handling processes
  • Implementing reasonable security measures
  • Auditing high-risk processing activities
  • Documenting compliance activities

Whatever industry you’re in, working with a trusted partner in cybersecurity compliance can help you ensure that your cybersecurity program meets current standards.

Updating Privacy Policies and Notices

Under CPRA, privacy policies must describe:

  • Categories of personal information collected
  • Business purposes of collected data
  • Categories of sensitive personal information and purposes
  • Categories of information sold or shared
  • Retention periods
  • Consumer rights under current California regulations
  • Instructions for submitting requests

A notice presented at the time of data collection must also inform consumers of the categories of information being collected, the purposes of collection, whether the information will be sold or shared, and the retention period.

Businesses must regularly review and update these disclosures as data practices change. A comprehensive cybersecurity strategy includes policies around keeping privacy disclosures current.

Operational and Technical Compliance Considerations

CPRA compliance may require both adjustments to operational processes and technical upgrades. For example, adding or enhancing data mapping and classification capabilities may be necessary for you to understand what personal information your organization collects, where it resides, how it flows through your systems, and who has access to it.

Additional changes may be needed to implement consumer-request workflows that enable individuals to submit requests through multiple channels, verify requestors’ identities, process requests within statutory timeframes, maintain records, and ensure that requests reach the appropriate personnel.

Process and system upgrades can also support vendor oversight. Under the CPRA, organizations must inventory all vendors that have access to their customers’ personal information, assess vendors’ privacy and security practices, implement required contractual terms, monitor vendor compliance, and maintain relevant documentation.

Finally, technical systems must support compliance activities, including identifying sensitive personal information, implementing access controls, processing deletion requests, honoring opt-out preferences, and maintaining audit logs.

Organizations can leverage enterprise cybersecurity frameworks to help them securely build out these capabilities and more.

CPRA Enforcement, Updates, and What’s Changing

The CPRA represents a significant step up in privacy enforcement. As just one example, it established the Privacy Protection Agency to focus exclusively on privacy protection.

The automaker’s case cited in our explainer on the CCPA demonstrates California’s willingness to pursue enforcement actions against businesses under its privacy laws. The $632,500 penalty resulted from violations, including requiring consumers to provide more personal information than necessary, making it unduly difficult to exercise their privacy rights, and failing to disclose data-sharing practices adequately.

Regulatory updates continue as the agency refines compliance requirements. Recent developments have included modified regulations addressing automated decision-making technology, risk assessment requirements, cybersecurity audit standards, and verification procedures for consumer requests.

Cloud security best practices can help you stay compliant even as regulations change.

You or your service provider should also monitor agency announcements, track regulatory updates, review enforcement actions, conduct regular compliance assessments, update systems and processes as business practices change, and document your compliance efforts.

Not sure where to start? Xantrion can help. We know CPRA inside and out and are here to assist with general concerns, specific questions, or expert implementation. Get started today.

Frequently Asked Questions About CPRA

What Does CPRA Stand For?

CPRA stands for California Privacy Rights Act. California voters approved the law as Proposition 24 in November 2020, and it became enforceable on January 1, 2023.

Is CPRA the same as CCPA?

No, the CPRA and the CCPA are not the same, although they are closely related. The CCPA was California’s initial privacy law, taking effect in January 2020. The CPRA amends and expands the CCPA, adding new consumer rights protections, creating stricter business obligations, and establishing the Privacy Protection Agency as a dedicated enforcement agency.

Does CPRA replace CCPA?

The CPRA does not replace the CCPA; instead, it builds upon it. Businesses must follow both the original CCPA rules and the expanded obligations added by the CPRA.

Who does CPRA apply to?

The CPRA applies to for-profit businesses that meet any of several thresholds. These thresholds include annual gross revenue exceeding $25 million and handling the personal information of 100,000 or more California residents. A business also qualifies if it earns at least half of its annual revenue from selling or sharing California residents’ personal information.

When did CPRA take effect?

The CPRA became enforceable on January 1, 2023, although it applies to personal information collected on or after January 1, 2022.

Xantrion can help you navigate complex privacy requirements, especially in highly regulated industries, while protecting your business and customer data. Contact us to learn more.
