Most of us don’t think about it often, but data is constantly working behind the scenes. Every video we watch, website we view, and article we read is collecting numerous points of data on our behavior and reporting it to its owners.
Any free service you use is packaging up, sharing, or selling your data to a variety of sources, and most of the time we haven’t the slightest idea what data is being sold and to whom it’s being sold to.
Plus, any personal information like credit card numbers, addresses, and phone numbers we enter online is being stored somewhere in the cloud — at risk of being compromised in the next inevitable breach.
After a mostly unburdened twenty years of corporate internet domination, consumers and their elected officials are starting to push back against the existing internet’s ecosystem and its abuse of privacy. The EU’s GDPR represented the first major piece of modern consumer privacy law, and countries and states around the world have started to look to it as a model for their own rights.
In the United States, California has been leading the charge, previously passing the California Consumer Privacy Act (CCPA) and now the California Privacy Rights Act (CPRA), also known as CCPA 2.0, in November of 2020.
The CCPA was a landmark piece of data privacy legislation that went into effect in 2020, and the CPRA is seen as an extension and bolstering of that law. It was widely disputed but seen as a victory by privacy advocates such as Consumer Watchdog and Andrew Yang.
So what is the CPRA and why is it important?
Let’s figure that out.
What Is the California Privacy Rights Act (CPRA)?
The CPRA refers to the California Privacy Rights Act, a data privacy law passed with 56.2% of the vote in November 2020. You can view the entire text here.
Known as “CCPA 2.0,” the CPRA strengthens, extends, and alters the CCPA. The CCPA was criticized for a litany of reasons, including having vague expectations, inadequate enforcement, and not providing enough rights, and the CPRA was designed to speak to each of those issues and more.
Specifically, the CPRA introduces new consumer privacy rights, alters some key definitions in the CCPA, puts tougher fines in place for minorities, establishes an official enforcement agency, and much more.
When Does the CPRA Go Into Effect?
Now that the CPRA has officially passed, everything is in motion. Here are the key dates you need to know:
January 1, 2021 – The CPRA went live, which in effect stopped any conflicting privacy legislation.
January 1, 2022 – The 12-month “lookback” for any collected data begins. In other words, this is the beginning of when businesses can be held accountable for violating the CPRA.
January 1, 2023 – CPRA goes live and all exemptions expire — opening up everyone to full regulation.
July 1, 2023 – CPRA becomes fully enforceable by the CPPA (the organization created to enforce the CPRA).
Note: Even though the official enforcement date isn’t until July 1st, 2023, your data practices are open to scrutiny starting January 1st, 2022.
A Brief Summary of the CPRA’s 6 Biggest Changes
Here’s a rundown of the most important additions and changes the CPRA introduced to the CCPA:
1. Established the California Privacy Protection Agency (CPPA)
One of the biggest criticisms of the CCPA was how enforcement worked, and leaving the responsibility to the attorney general’s office was clearly not going to work. To fix this, the CPRA created an agency with the explicit purpose of regulating and enforcing the CCPA and CPRA. They will be handling the enforcement, fines, and communication with non-compliant businesses.
2. Created New and Modified Existing Consumer Rights
The CPRA added two new rights to the CCPA — the right to rectification (or correction) and the right to restriction. This means that consumers have the right to have false information fixed and that consumers have the right to restrict how business can use their sensitive data. It also expanded rights around data portability, data exclusivity, and many others.
3. Distinguished Personal Data Into Separate Classes — Standard and Sensitive
The CPRA stipulates that all data are not equal. Social security numbers are different from email addresses in terms of value, for example. With this distinction in mind, the CPRA created different rules and potential fines for each. These rules include stricter disclosure requirements and limitations on how the data can be used.
4. Made Violations Involving the Data of Kids and Minors a Lot More Severe
Parents didn’t feel like the CCPA addressed the privacy concerns of children enough, and the CPRA stepped up to address this by allowing the CPPA to 3x any fine that involves a minor’s data. The law also dictates how consent is managed and allows parents to have more control over their children’s personal information.
5. Forced Companies to Protect Employees — Regardless of Where They Live
In addition to protecting consumers living in California, the CPRA also expanded its protections to any employees and contractors who are working for California companies. This means that any of the rights in the CCPA and the CPRA are enforceable across state lines when they involve employees and contractors.
6. Changed What Kinds of Businesses Are Subject to Scrutiny
The CPRA expanded the law’s scope in some categories and relaxed it in others. For example, small and mid-sized businesses are now exempt when buying, selling, receiving, or sharing data up to 100K consumers or households (assuming they don’t qualify for other categories), but the CPRA made businesses who make at least 50% of their revenue from sharing data eligible — regardless of how much revenue they make.
Let’s look at that a bit more.
Who Does the CPRA Apply To?
The CPRA now applies to:
Any business that has more than $25+ million in annual revenue.
Any business that shares, sells, or buys the personal information of 100k+ consumers or households.
Any business that gets at least 50% of its annual revenue from selling or sharing consumer personal information.
These categories apply to any company that does business within California. If you have users or sell products to California but are headquartered in Miami, you still have to comply.
Why Is the CPRA Important?
The impact of the CCPA and the CPRA will be felt for decades. California is the first major state to pass a set of data laws this comprehensive, and the successes and mistakes they make along the way will be watched carefully by other states across the country. The CPRA could also represent the second step in paving the way for federal consumer data regulation in the future.
The CPRA also forces other amendments to be consistent with the CPRA. In other words, if a county or city decides to pass a law that violates the CPRA, consumers, employees, and contractors could sue based on the CPRA’s protection. This further solidifies the CPRA in the world of law.
And more broadly, the CPRA is another major victory in the world of user privacy. Laws are rarely perfect, but it does represent the second step in a shift toward a more consumer-centric internet ecosystem.
Criticisms of the CPRA
There are common criticisms from larger businesses and corporations that you would expect — namely that the law will be too cumbersome on small businesses, cripple crucial data pipelines, and harm the overall consumer experience, but the more compelling criticisms come from privacy advocates.
The ACLU, for example, came out with a surprising attack against the CPRA labeling it as a missed opportunity [*]. Other critics point out that because the CPRA is fundamentally “opt-out” instead of “opt-in,” it opens the gate for companies to charge more for services that use less data — effectively creating an inequality where lower-income users will be forced to give up their data more often.
The CPRA has also been criticized for not allowing users to sue rule-breaking companies outside of special cases like breaches — only the CPPA has the authority to enforce fines. That being said, the CPRA did give the CPPA the authority to update the CPRA according to how the law handles itself in practice, so we can expect some adjustments that may speak to these issues later on.
What Are the Fines and Consequences of Violating the CPRA?
The CPRA is enforced via its new agency, the CPPA. It is the sole purpose of the agency to enforce the CPRA/CCPA and respond to complaints/hold non-compliant businesses accountable, and the CPRA can also be enforced via data breach lawsuits on behalf of consumers.
The fines for non-compliant businesses can vary widely in amount and are based on two main categories: fines that come into play when a consumer sues a company for a breach and when the CPPA fines a company directly.
For the first category, the fines are defined by these three criteria:
(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
(B) Injunctive or declaratory relief.
(C) Any other relief the court deems proper.
In other words, the fines will usually be stackable amounts of $100-$750. This can add up quickly when thousands of customers or incidents are involved.
For other fines, the agency has a lot of freedom:
(2) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.
In other words, whatever the agency feels is appropriate based on the unique case. This is purposely broad.
How Do You Comply With CPRA?
Complying with the CPRA means continuing and expanding the efforts you are making to comply with the CCPA. This includes having clear ways for users to opt-out of data collection, making it easy for users to transfer or change their data, and being proactive about your approach to user privacy.
Similar to the world of PCI Compliance in payment processing, complying with CPRA isn’t a one-and-done deal. Regulators are looking for consistent effort — an internal focus on protecting user rights. This is something that must be a process within your business, and the more thorough you are with that process, the less likely you are to be fined, or in the case of a fine, the less severe it may be. Demonstrating authentic effort is important.
You can structure that effort across three broad categories, similar to how companies in the EU are approaching GDPR. Those categories are:
1. Data Minimization
Data minimization means collecting the bare minimum amount of data needed to fulfill your business’s needs. It’s an active effort against “data bloat,” which unnecessarily makes data breaches more harmful. “Only collect what you need” is the mantra here.
2. Purpose Limitation
Once you collect someone’s personal information, you can only use it to the extent to which the user agreed. If you have been using a particular data set collected with consent for a period of time and want to use it in a different capacity (such as sharing or selling), you must be able to show that users consented to that secondary use as well.
3. Response to Requests and Active Engagement With Privacy Concerns
At its heart, the CPRA is trying to protect user privacy by making data management easier and more transparent for consumers. Businesses should be building systems and processes to make opting in and out of data collection and use more simple.
Phrases like “Do not use my personal information” should be clearly represented on homepages, there should be customer service resources allocated to data management, and resources telling consumers exactly how and why you use what data should exist.
If you work toward these three categories, then you’ll be well on your way.
For a more detailed rundown on how to begin preparing for CPRA’s January 1st, 2022 lookback period, go here.
The Bottom Line on CPRA
If you operate in California in any capacity and fall into one of the three categories mentioned above or plan on growing into one of those categories eventually, you need to be proactive about CPRA.
CPRA and its sister law the CCPA represent a fundamental shift in California’s approach to consumer data and will force businesses to take a hard look at how they collect, protect, and use consumer data.
The best plan is to have a plan, and business owners must demonstrate an active, early, and well-prepared approach to consumer privacy as defined by the CPRA and CCPA.