California already has one of the toughest data privacy laws in the U.S., with implications for businesses across the country and around the world. Now the state has an even tougher set of measures known as the California Privacy Rights Act (CPRA).
Here's what you need to know to prepare for possible changes to your data and Privacy Policies.
- 1. The Existing Rules
- 2. CPRA Measures
- 2.1. Eligibility
- 2.2. Consumer Restrictions
- 2.3. Automated Decision Making
- 2.4. Data Correction
- 2.5. Data Retention
- 2.6. Sensitive Personal Information
- 2.6.1. Definition
- 2.6.2. Consumer Rights
- 2.6.3. Links to Display
- 2.7. Other Changes
- 3. Updating Privacy Policies for the CPRA
- 4. Summary
The Existing Rules
Businesses (from any location) that handle data about Californian consumers may come under the California Consumer Privacy Act of 2018 (CCPA). A lengthy consultation process meant its measures did not come into effect until 1 January 2020, and the state Attorney General's office only began enforcing them from 1 July 2020.
The key points to know about the CCPA are as follows.
Your business will be covered if you meet any of three thresholds:
- Annual revenue of more than $25 million
- Buy, share or sell data about more than 50,000 Californian consumers, households or devices in a year
- Make 50% or more of your revenue from selling data about Californian consumers
The law gives Californians five rights relating to their personal information.
- To know what data you collect
- To know if you sell or disclose it
- To refuse to let you sell it
- To access it
- To exercise these rights and still get equal service and price
The law puts personal information into 11 designated categories. You'll need to give consumers a category-by-category breakdown of whether you collect data in each one, how you use it, and how you share it. The full text of the law lists the designated categories, which are:
- Personal identifiers (names, email addresses, passport numbers etc.)
- Any categories of personal information listed in subdivision (e) of Section 1798.80
- Characteristics of protected classifications (under California or federal law)
- Commercial information (records of purchased products or services, personal property, etc.)
- Biometric information
- Internet or electronic network activity (browsing and search history, etc.)
- Geolocation data
- Audio, visual, thermal, olfactory, electronic information (or similar)
- Employment and profession-related data
- Education information (that is not publicly available)
- Any inferences drawn from any of this information which would create a profile about a consumer's preferences, behavior, abilities, characteristics, etc.
You must have a dedicated "Do Not Sell My Personal Information" page on your site for easy opt-outs.
The opt-out system only applies to people over the age of 16. For people aged under 16, you can't sell personal data unless and until the person gives you permission. For under-13s this permission must come from a parent or guardian.
The maximum penalty is $7,500 for each intentional violation and $2,500 for each unintentional violation. Each individual affected can count as a separate violation.
CPRA Measures
Eligibility
The CPRA expands the range of measures a business must take, but it also reduces the number of businesses that come under the law. Two changes affect the CCPA threshold of handling personal data about 50,000 consumers, devices or households:
- Under the CPRA, the threshold no longer applies to devices
- The threshold doubles to 100,000 consumers or households
Consumer Restrictions
Under the CCPA, consumers have the right to opt out of you selling their data. The CPRA extends this opt-out right to cover any disclosure or sharing of data with third parties, even if no payment is involved.
Automated Decision Making
Under the CPRA, businesses have to inform consumers if they use their data for automated decision making. This is also commonly known as data profiling. Consumers have the right to opt out of their data being used to profile their "performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements."
Data Correction
Consumers have the right to request that you correct inaccurate information. You're required to tell consumers about this right. You would also normally be required to make at least two methods available to exercise this right, one of which must be a toll-free phone number.
However, if you only operate online and you deal directly with the consumer, then you could simply provide an email address.
Data Retention
The CCPA says businesses must give category-by-category breakdowns of what data they collect, how they use it, and whether they share it. The CPRA adds a fourth requirement: to tell consumers how long you will retain the data in each category, or to explain the criteria you will use to decide how long.
This is accompanied by a general principle that businesses should not retain data for longer than is needed to carry out the original stated purpose for collecting it.
Sensitive Personal Information
Definition
Arguably the biggest change in the CPRA is the addition of an extra category of information known as "sensitive personal information." This acts as a 12th category (alongside the original 11 from the CCPA) when listing how you use, share or disclose data. More importantly, the data in this category has an extra level of protection.
The list of data that counts as sensitive personal information includes:
- Government-issued numbers (social security, driver's license, state identification card, passport)
- Any combination of financial account details (such as card number, access code, password) that allows access to an account
- Precise geolocation
- Details of racial or ethnic origin, philosophical or religious beliefs, or union membership
- The contents of any letters, emails or text messages from the consumer to somebody other than your business
- Genetic data
- Biometric data when processed to identify an individual
- Health data
- Data about sex life or sexual orientation
However, "publicly available" data doesn't count as either personal information or sensitive personal information.
Consumer Rights
The big difference with the "sensitive personal information" category is that consumers wouldn't just have the right to know what data you collect and how you use it. They would also have the right to tell you to only use it for the purposes needed to provide the goods or services they've requested.
This means you couldn't use it for future marketing or customer analysis, even if you told the consumer first.
Links to Display
The CCPA already requires businesses to have a link on their website homepage titled "Do Not Sell My Personal Information", leading to a dedicated page where consumers can exercise their opt-out right.
The CPRA requires a second link, titled "Limit The Use Of My Sensitive Personal Information", leading to a dedicated page where consumers can exercise this new right.
The CPRA also lets you use a single link and page that covers both the sale of personal information and the use of sensitive personal information. It also says you could let customers tell you in other ways as long as the customer can clearly indicate their intent.
Other Changes
The CPRA contains some changes to the administration of the rules, including the following:
- A dedicated organization, the California Privacy Protection Agency, takes over responsibility for enforcing data privacy rules from the state Attorney General's office. The agency has the right to require businesses to carry out regular risk assessments or audits of their data handling procedures.
- The maximum penalty is tripled for violations involving a data subject that you know to be aged under 16. This means a maximum of $22,500 for an intentional violation and $7,500 for an unintentional violation.
- The CCPA already had a temporary exemption on the measures affecting business-to-business and human resources data, which expired on 1 January 2021. The CPRA extended this exemption until 1 January 2023.
- The CCPA already allows individuals to take civil action if you suffer a data breach involving their personal information in unencrypted form. The CPRA extends this to cover a breach where attackers get access to a combination of username and password or security question answer that allows access to an account.
- The CPRA adds several rules covering third party service providers and contractors. In short, if a third party has to access your consumer data while working or providing a service, you would need a contract that forces them to follow the same rules on privacy protection that you do.
Updating Privacy Policies for the CPRA
To comply with the CPRA, your Privacy Policy will need to cover the following points:
1. Information about the 11 categories of data. For each category you must detail:
- Whether you collect data in this category
- How and why you will use the data
- Whether you sell the data
- If you sell it, who you have sold the data to
You have two main ways to present this information:
- Individual lists for data collection, data sales and data disclosures, each with a list of the applicable categories. VMware takes this approach.
- A list of all 11 categories, each detailing whether you collect, sell or disclose data. This works best as a table, as in this example from Claridges.
2. The fact that users have the right to access the specific details of what data you hold about them, along with at least two ways to exercise this right.
These must include a toll-free phone number and a website contact or form, as in this example from Disney.
3. The fact that consumers have four other rights: To know what personal information you collect, to know if you sell or disclose the information, to say no to you selling their personal information, and to get equal service and prices even if they exercise these rights.
Apple covers these rights in a clear paragraph.
4. You'll also need a homepage link titled "Do Not Sell My Personal Information" that links to a dedicated page for consumers to tell you they are opting out of their personal data being sold.
Here's an example from CBS.
5. Relevant details about data collection, use, sales and disclosure for the 12th category, "sensitive personal information."
6. A category-by-category breakdown of how long you keep data.
7. Whether you use data for automated decision making (including data profiling).
Here's how Chubb addresses this point.
8. The fact that the consumer has the right to correct inaccurate information and the ways in which they can do this.
Contently does this in concise fashion.
9. A homepage link titled "Limit The Use Of My Sensitive Personal Information" that points to a dedicated page for exercising this right.
Summary
Let's recap what you need to know about the California Privacy Rights Act (CPRA).
The CPRA builds upon the existing California Consumer Privacy Act, which applies to businesses that serve California residents and meet any of three thresholds (annual revenue, number of consumers served, proportion of revenue coming from selling personal data).
The CPRA gives consumers several additional rights, including:
- To stop you from sharing or disclosing data to third parties in any way, not just selling it
- To know if you use their data for automated decision making and to opt out in many cases
- To request that you correct errors in their data
- To know how long you will keep their data
The CPRA creates a new category, "sensitive personal information."
- You would need to list this alongside the 11 categories defined by the CCPA when detailing your data use, collection and sale.
- With this new category, consumers would have the right to opt out of you using it for any purpose other than providing the goods or services they've requested.
- You would need a homepage link titled "Limit The Use Of My Sensitive Personal Information" pointing to a dedicated page for exercising this right.
Your Privacy Policy will need to be updated to cover:
- Details of whether you collect, use, sell or disclose "sensitive personal information"
- Details of how long you keep data in each of the 12 categories
- Whether you use automated decision-making
- The consumer's right to correct errors and how to do so
- The "Limit The Use Of My Sensitive Personal Information" link and page