The CPRA – California’s New Data Privacy Mandate

The CPRA – California’s New Data Privacy Mandate

What is the CPRA?

The California Privacy Rights Act (“CPRA”) is a new state-wide data privacy bill, also known as Proposition 24, passed into law on November 3, 2020. The CPRA significantly amends and expands the California Consumer Privacy Act (“CCPA”), which enforces an array of consumer privacy rights and business obligations regarding the collection and sale of personal information.   

In this article, we will address the new legislation and frequently asked questions about CPRA.  


California Consumer Privacy Act (CCPA)

In 2018, California Governor Jerry Brown signed into law the California Consumer Privacy Act, the first U.S. consumer privacy law that provides California consumers with rights and protections similar those afforded under the General Data Protection Regulation (“GDPR”). The CCPA went into effect January 1, 2020, and enforcement began July 1, 2020. The act applies to any business that collects, stores, or sells consumer data in California, regardless of location. 

California’s original privacy law guarantees consumers the right to know what personal information is being collected and shared with third parties. It also offers consumers the ability to access or delete their information and opt out of the sale of personal information. 

California Privacy Rights Act (CPRA)

The CPRA (sometimes called CCPA 2.0) was passed into law on November 3, 2020 to succeed the CCPA as California’s major privacy regulations. The CPRA will come into effect on January 1, 2023, but will implicate all information gathered beginning January 1, 2022. 

One of the most unique changes already implemented by CPRA is the creation of a new government agency – known as the California Privacy Protection Agency (“CPPA”) to support the regulation of California citizens’ privacy and to create additional rules and guidelines under the CPRA. The CPPA will have full administrative power, authority, and jurisdiction to implement and enforce the new regulations. 

Compared to the CCPA, the CPRA is even more similar to the GDPR. The CPRA includes employees as data subjects and grants additional protections and rights to consumers in California. The CPRA allows consumers to limit the way businesses use, process, and share data beyond the requirements allowed by CCPA, including accurate geolocation. The scope of opt-out requests is also expanded to include “do not sell or share, meaning consumers must be able to opt out of both the sale and sharing of their personal data easily. 

Three Additional Consumer Rights Under the CPRA

There are three important changes to consumer rights now afforded under the CPRA that were previously absent from the CCPA: 

1. Right to Rectification

The right to rectification allows consumers to correct personal data held by an organization. 

2. Creation of Sensitive Information Data Classification 

The CRPA has added a new classification of sensitive data, which updates the definition of personal information. Certain types of sensitive information, like consumers’ social security numbers, must be treated with special protection. 

3. Right to Restriction

The right to restriction grants consumers the right to limit the use and disclosure of their sensitive personal information. 

Five Key Changes to Obligations Under the CPRA

We identified five key changes to obligations new to the CPRA compared to the CCPA and have detailed each below.  

1. To Whom the CPRA Applies 

The CPRA changes the thresholds of applicability for the new law. To be subject to the CPRA, an organization must meet at least one of the following criteria:  

  • Derive 50% or more of its revenue from sharing or selling the personally identifiable information (“PII”) of California consumers (expanded from CCPA to include “sharing,” e.g., the ad tech sector) 
  • Have gross revenue over $25 million (same as CCPA) 
  • Buy, sell, or share the PII of over 100,000 California consumers/households (an increase from the CCPA’s 50,000 threshold; as a result, some small businesses could now fall out of scope) 

2. Agency Creation  

The CPRA creates the California Privacy Protection Agency, a regulatory and enforcement agency focused on privacy protection. Previously, enforcement fell to the office of the Attorney General. With a dedicated agency, businesses can expect more aggressive enforcement. 

3. Retention Limitations  

The CPRA limits the collection and retention of PII, requiring a business to retain only PII that is reasonably necessary and proportionate to achieve the purpose for which it was originally collected. A business is additionally required to inform consumers of the intended length of retention for each type of PII.  

4. No Automatic 30-day Cure Period  

Cure periods will only be granted at the discretion of the CPPA. 

5. Obligations for Service Providers 

Under the CPRA, service providers, contractors, and third parties who receive PII from businesses are now obligated to enter into an agreement to comply with the same level of privacy protection as provided by the CPRA. In addition, businesses are granted the right to take reasonable steps to remediate unauthorized use and require the data recipient to notify the business if it can no longer comply. 

CPRA Schedule 

The new state-wide data privacy bill will become fully effective on January 1, 2023. Enforcement is scheduled to begin on July 1, 2023, with a lookback period to January 1, 2022. 

Additional Data Privacy Laws Across the US

The COVID-19 pandemic accelerated our reliance on digital services and platforms, which brings new challenges and expectations for data privacy. There are three important state data privacy legislation to address in addition to the CPRA:  

1. Virginia – Consumer Data Privacy Act (CDPA)
The CDPA grants consumers various rights related to their personal data, including the rights of access, correction, transportability, and deletion of personal information. 

2. New York – New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act
New York passed a law that amends the existing data breach notification law and imposes more data security requirements on companies who collect information on New York residents. 

3. Colorado – Colorado Privacy Act (CPA)
The CPA allows consumers to opt out of processing their personal data for (i) targeted advertising; (ii) the sale of personal data; and (iii) profiling.

We will discuss these laws and others in additional detail in upcoming posts.  

Is your organization taking proper steps to identify, classify, and protect personal data? If not, you may be opening yourself up to liability. Watch this spot for tips to minimize data privacy risks before it’s too late or contact Rational Enterprise to learn how in-place data management can help your organization.  

Tom Preece

About The Author

Tom Preece

Director of Pre-Sales Consultancy

Tom Preece works directly with clients, partners, internal Product Development and Marketing to improve, sell, and deliver Rational Enterprise technologies. He converses daily with executive- and director-level practitioners in Legal, Compliance, InfoSec, Privacy, and KM departments to better understand their problems and relate the multi-layered value that in-place supervised machine learning technology can provide.