May 14, 2021
On November 3, 2020, California voters overwhelmingly voted in favor of Proposition 24, an amendment to the California Consumer Privacy Act, known as the CCPA. This new amendment is known as the CPRA, which stands for the California Privacy Rights Act. It expands on the current privacy law, the CCPA, with most provisions taking effect January 1, 2023. So, what does the CPRA stand for, and what does that mean for business?
What does the CPRA stand for and what does it mean?
So what does the CPRA stand for? Well, the CPRA stands for “California Privacy Rights Act.” And, you might ask “wait a minute, isn’t there already a privacy law in California?” There is, yes. The California Consumer Privacy Act (CCPA) is a general consumer privacy law that was passed in 2018. The California Privacy Rights Act (CPRA) amends the current CCPA in a number of ways, including more certainty about advertising that uses personal information to profile and target California residents. In addition, the CPRA adds a number of new rights for consumers as well as obligations for businesses. The CPRA also includes reporting requirements to a newly created California Privacy Protection Agency. And, while the CPRA won’t take effect until 2023, businesses should start preparing for it now. So, by now I bet you’re asking yourself, well then what is the CCPA?
What is the CCPA?
The CCPA stands for California Consumer Privacy Act, and it is the current privacy rights law in the state of California. This new regulation is intended to help enhance privacy rights and consumer protection for the residents of California. Below are a few key elements of the CCPA:
- Broad definition of Personal Information
- Law applies when you have data on over 50,000 California consumers, or annual revenue over $25 million
- Detailed notice requirements
- Rights to access and delete personal information
- Opt out of “sales”
- De-Identification is burdensome
- Enforced by California’s Attorney General only
- Reasonable security for sensitive data
- Private right of action for data breaches
What is the CPRA?
The CPRA amends and extends the current California consumer privacy law, the CCPA. The CPRA is an upcoming law that will take effect in January of 2023. Most of its provisions apply to all data collected on or after January 1, 2022, although the right to access personal information extends to all data regardless of when it was obtained according to the privacy act. Below are a few key changes and additions:
- Definition of Personal information is clarified
- Law applies if you buy, sell, or share Personal Information of 100,000 California consumers, or have annual revenues above $25 million
- Additional notice requirements (e.g., retention)
- Adds the right to correct Personal Information
- “Sales” and “sharing” are regulated
- De-identification is simplified
- Enforcement: New state agency and Attorney General
- Reasonable security for all data
- Limitations on use of “Sensitive Personal Information”
- Data minimization requirement
- “Dark patterns” prohibited
- New regulations on many hot-button subjects
These CPRA regulations will be issued by the new state privacy agency over the next year, and they could result in significant new obligations for many businesses. For example, businesses that process personal information in a way that “presents significant risk to consumers’ privacy or security” will have to submit risk assessment reports to the agency on a regular basis as well as perform annual cybersecurity audits. These risk assessments are likely to be similar to those required under the GDPR. In addition, this agency is also tasked with issuing regulations about consumers’ rights to access and opt out of automated profiling. These regulations are scheduled to be finalized in January of 2022. With that being the case, I am sure you are wondering, when will the CPRA amendments take effect?
When does the CPRA take effect?
With the California Consumer Privacy Act (CCPA) being in effect since January of 2020, the amendments included in the new CPRA will take effect on January 1, 2023. Once the new CPRA takes effect, enforcement actions will begin in July of that year. Because the CPRA was a ballot initiative, it can only be amended by the legislature in ways that “further the purpose and intent” of the law. This means the law can be amended to become more privacy protective, but not less, and businesses should expect ongoing changes to the CPRA. The CCPA that it replaces was known for frequent updates and amendments. So, what does that mean for your business?
What does this mean for your business?
It means, to comply with the CPRA, companies will need to create compliance documents, map consumer data flows, collect and manage consumer requests, train relevant employees on the CPRA, and review contracts with business partners. You will also need to conduct risk assessments and submit them to the California Privacy Protection Agency, as well as perform annual cybersecurity audits. On top of all that, you’ll also need to update your compliance documents every time that the law changes. Any work you’ve already done to comply with the existing CCPA is an important start to be compliant with the new regulations. However, much more will need to be done to get ready for the CPRA, which is why SixFifty is here to help!
How can SixFifty help?
Complying with the CCPA and the new CPRA can be complex, expensive, and even stressful. At SixFifty, we are here to help! We deliver the expertise of Wilson Sonsini in a streamlined, affordable platform that helps get your business compliant. Our system helps generate documents, simplifies data mapping, offers a CCPA data request portal to manage or respond to requests, and provides CCPA as well as CPRA employee training to help educate your team.
Need help complying with the CPRA?
Schedule a free demo with SixFifty. We can help your organization comply with the CCPA, new CPRA, GDPR, and more!