A Closer Look at Implementing EU Model Clauses and Binding Corporate Rules (“BCRs”)

On June 24, 2020, the state of California announced that it had received enough votes for the California Privacy Rights Act of 2020 (“CPRA”) to appear on California’s November 2020 general election ballot. Many refer to the CPRA as the “CCPA 2.0” as its main aim is to expand upon the core privacy protections introduced by the California Consumer Privacy Act (“CCPA”) and give consumers more control over their data. The CPRA intends to bolster existing CCPA requirements and create new ones, some similar to the requirements seen in the General Data Protection Regulation (“GDPR”). Much like the CCPA, the new CPRA will have far-reaching implications for organizations that need to comply with the law. In the following blog post, we highlight the key aspects of the proposed CPRA and describe how organizations might be affected.

What is the CPRA? 

The CPRA is classified as a statewide initiative, meaning the proposed law was devised outside of the California legislature. Under California law, any California voter can submit statewide initiatives to be included on statewide general election ballots. The CPRA’s development was led by Alastair Mactaggart, a real estate developer, investor, and staunch advocate for consumer privacy rights. Mactaggart and Californians for Consumer Privacy, a California privacy advocacy group, were the same parties responsible for the creation and enactment of the CCPA in 2018. The CPRA proposes several revisions to the CCPA in an effort to clarify the ambiguity and confusion around some of the existing CCPA requirements, and it introduces new privacy and security obligations for covered businesses. If enacted in November, the CPRA would go into effect on January 1st, 2023. Until then, the CCPA will remain in effect.

The CPRA’s Most Important Implications

While the CPRA proposes a myriad of updates and addendums to the CCPA, the following section outlines the revisions we believe will create the most significant impact on consumers and businesses. 

  • Scope: While the scope of the CPRA remains similar to that of the CCPA, the CPRA intends to increase the second quantitative threshold for businesses. Under the current law, all businesses that buy, sell, or share the personal information of 50,000 or more consumers, or households, are required to comply with the CCPA. The CPRA proposes to raise the threshold from 50,000 consumers, or households, to 100,000. The change may exclude small businesses that only just met this criterion. The CPRA also adds “sharing” to the third quantitative criterion for applicability: whether a business derives more than 50% of its revenue from selling or sharing data.

  • Increased Penalties for Misuse of Minors’ Data: The CPRA seeks to triple the penalties for children’s privacy violations for businesses, service providers, contractors, or other persons that commit an intentional violation involving the personal information of a minor under the age of 16. Each intentional violation carries a fine of $7,500. Currently, the CCPA prevents the sale of minors’ information without prior consent and has a fine of $2,500. The CCPA has already required specific consent practices for selling the data of minors; however, the CPRA raises the standard, requiring businesses to protect minors’ data even more.

  • New Administrative Enforcement Agency:  The CPRA proposes the creation of the California Privacy Protection Agency (“The Agency”). The Agency will be endowed with full administrative power, authority, and jurisdiction to implement and enforce the CPRA. The introduction of this new agency is similar to the Data Protection Authorities (“DPAs”) created by the General Data Protection Regulation (“GDPR”) in the EU, in that they would supervise the application of data protection laws and provide more specific guidance to businesses liable to comply. The Agency will replace the State Attorney General as the current enforcement authority of privacy rights. 

  • Risk Assessments and Cybersecurity Audits: The CPRA proposes the issuance of new regulatory requirements for businesses whose processing of consumers’ personal information presents a significant risk to the consumers’ privacy or security. The new law would require businesses to perform an annual cybersecurity audit. Organizations would also be required to submit to the California Privacy Protection Agency, on a regular basis, a risk assessment with respect to their processing of personal information. This new requirement resonates with the Data Protection Impact Assessment (“DPIA”) concept introduced in GDPR.

  • New and Revised Consumer Rights:  The CPRA also expands upon individual rights established by the CCPA. In addition to the current consumer rights in the CCPA, the CPRA proposes two more rights: Right to Correction and Right to Limit Use and Disclosure of Sensitive Personal Information. Both of these rights have similar GDPR counterparts: Right to Rectification and Right to Restrict Processing, respectively. 

    • The Right to Correction: This new requirement grants consumers the right to have inaccurate personal information corrected. Consumers would have the ability to make a request for correction to the business holding the personal information. The proposed law also states that in-scope organizations are obligated to “use commercially reasonable efforts” to correct any PI consumers deem inaccurately recorded. For organizations that already comply with GDPR, implementation could be relatively straightforward; however, it will require additional effort for organizations that do not yet have this right in place.

    • The Right to Limit Use and Disclosure of Sensitive Personal Information: This new requirement gives consumers the right to direct a business to limit the use of sensitive personal information only to perform the services or provide the goods. Organizations would be required to provide consumers a notice of additional uses. Additionally, businesses would be required to create a “Limit the Use of My Sensitive Personal Information” link on their online services or a combined sensitive personal information, sale, and sharing opt-out link. The link will provide a convenient mechanism for consumers to restrict the processing of their sensitive personal information.

      Simultaneously, the law introduces a new sub-category of PI, “sensitive personal information”, which it defines as any PI not publicly available that contains sensitive information such as social security numbers, passport numbers, credit card numbers, etc. As a result of this more specific category of PI, the CPRA proposes additional regulations tailored to sensitive personal information rather than to PI under its broader definition, such as the Right to Limit Use and Disclosure of Sensitive Personal Information itself, which does not apply to all PI.

In addition to the key changes mentioned above, the CPRA also includes other substantial modifications: expansion of the “Right to Know” beyond the current 12-month look back; expansion of the definition of “sale” to explicitly include “sharing” of personal information; expansion of the private right of action to cover breach of an email address in combination with a password or a security question; and expansion of the requirements pertaining to employment data until the year 2023.

What does this mean for organizations?

Organizations that already comply with GDPR will require less effort to comply with the CPRA, assuming they already applied GDPR practices to their California operations. The CPRA proposes a closer step towards the GDPR but is still not quite as strict in its proposed penalties and consumer rights. Organizations that already comply with the CCPA will require a concentrated effort to comply with CPRA, but the road to compliance will not be nearly as drastic. In fact, some smaller organizations that were liable to comply with the CCPA could be out of scope with the updated applicability thresholds. Organizations making the leap from CCPA to CPRA compliance will need to consider updated penalties and regulations accordingly in order to ensure their preparedness by January 2023. 

In the months leading up to the CPRA, organizations should evaluate their existing internal privacy and security handling practices and coordinate efforts across the organization to update processes and controls to comply with the proposed law. Existing Data Subject Request (“DSR”) programs, including CCPA-specific workflows and integrations, can be leveraged to create and fulfill the new consumer requests such as the Right to Correct and the Right to Limit. Organizations can also leverage their existing data mapping and records of processing to ensure proper identification of PI, including that of minors under the age of 16.

Privacy and IT Governance Programs will also need to be updated to satisfy the requirements of annual cybersecurity audits and risk assessments. For example, existing security governance processes will need to be reviewed to ensure that risk assessment and audit activities incorporate CPRA requirements. This will likely continue the trend of greater collaboration between privacy, security, and technology teams. All other aspects of privacy programs should also be evaluated to determine the level of effort required for implementing the CPRA compliance measures. Many organizations, if already CCPA compliant, will already possess the tools they need to comply with CPRA.


The CPRA could push the privacy landscape in the United States closer to that in the EU. While the bill, just like the CCPA, will only technically apply to organizations and consumers located in the state of California, the impact of the bill could lead to greater pressure on the federal government to legislate a federal privacy law (the strictest federal privacy law to date was recently proposed in the US Senate). If passed this November, the CPRA will build upon the foundation laid by the CCPA. While the road to compliance will not be as daunting, organizations should take note of the CPRA’s expanded terminology, consumer rights, and penalties for non-compliance.

Interested in talking more about privacy and data protection? Get in touch with us. 
