CPRA vs CCPA, What Changed?
California consumers, once again concerned with privacy, voted in favor of a new privacy act, the California Privacy Rights Act (CPRA). Strengthening the privacy of California's consumers, CPRA replaces the earlier act, CCPA.
#1 Coming into effect from January 2023
With over 2 million votes, CPRA was approved in the general election held in November 2020. Californians felt that CCPA had lost its potency in its final version, prompting the enactment of the new privacy act.
The new regime may come into effect from January 2023; however, the 'look back' rule allows Californians to request data collected on or after 1 January 2022.
#2 Applicability to the following businesses
The enactment applies to the following organizations:
a) An entity meeting the US $25 million annual gross revenue threshold in the previous calendar year;
b) An entity that buys, sells, or shares the personal information of 100,000 or more consumers or households; and
c) An entity that earns 50% of its revenue from selling or sharing personal information.
#3 "Sensitive Personal Information" defined under CPRA
CPRA defines a new category, "Sensitive Personal Information", giving consumers additional authority over such information. The category includes government-issued identification numbers, geolocation, sexual orientation, ethnic and religious information, healthcare information, biometric data, text messages, etc., that relate directly or indirectly to the consumer.
#4 Formation of Administrative Body under CPRA
The California Privacy Protection Agency (CPPA) is the first administrative body formed in the US to govern personal information issues under CPRA. The agency may conduct hearings, subpoena witnesses and take evidence, and impose fines for non-compliance.
CPRA directs CPPA to issue a 30-day notice, including a summary and evidence, to the violator, informing them that a private proceeding will be held.
#5 Implications of CPRA
CPRA requires businesses to prudently implement countermeasures to protect consumers' personal information from unauthorized access throughout the complete information lifecycle.
Businesses are required to conduct an annual cybersecurity audit, including third-party risk assessments, and report to the California Privacy Protection Agency (CPPA) where the processing involves significant risk to consumers' privacy.
Under CPRA, law enforcement can direct businesses to retain information for 90 days even when the consumer has requested its deletion. This period can be extended by showing cause for investigation purposes.
CPRA removes the 30-day notice period that allowed businesses to demonstrate compliance before incurring penalties for non-compliance.
#6 Covers "Sharing" of Information
Unlike CCPA, which only covered "selling", CPRA also covers "sharing" of personal information with third parties for monetary gain, cross-context behavioral advertising, or other valuable consideration. Businesses should direct their third parties to exercise due care and due diligence to remain compliant with contractual requirements and CPRA.
#7 Action Items
Although CPRA comes into effect from January 2023, the "look back" rule of the act will cover personal information shared from 1 January 2022. This requires businesses to plan ahead for the effective implementation of controls. Contract clauses covering data sharing with third parties should also be reviewed.
Personal information should be properly categorized, as governed by the act, so that reasonable protection can be implemented.
Risk assessments should be conducted for business functions that collect personal information, and supply-chain risk assessments where data is shared with third parties.
#8 CPRA Conclusion
CPRA addresses many privacy concerns of California consumers by making significant changes to CCPA.
A world where privacy concerns are addressed through CPRA and CCPA puts the burden on businesses. However, effective implementation of protection and privacy policies may allow organizations to remain in compliance and avoid penalties.