California Privacy Rights Act (CPRA), quick summary
California Privacy Rights Act (CPRA) – what, when and consequences for your website?
The California Privacy Rights Act (CPRA) is a state-wide data privacy bill passed into law on November 3, 2020.
The CPRA underscores California’s position as the US frontier in data privacy legislation, as it significantly expands upon the existing California Consumer Privacy Act (CCPA) that took effect on January 1, 2020.
In short, the California Privacy Rights Act (CPRA) works as an addendum to the CCPA – strengthening rights of California residents, tightening business regulations on the use of personal information (PI), and establishing a new government agency for state-wide data privacy enforcement called the California Privacy Protection Agency (CPPA), among key changes to the Golden State’s data privacy regime.
The California Privacy Rights Act (CPRA) became fully effective on January 1, 2023. Enforcement is scheduled to begin on July 1, 2023 – with a so-called lookback period to January 1, 2022, meaning that data collected from that date onward falls under the law.
California Privacy Rights Act (CPRA) quick breakdown –
- CPRA establishes the California Privacy Protection Agency (CPPA) as lead enforcer and supervisor of the CPRA/CCPA data privacy regime.
- CPRA changes the definition of business to exclude smaller businesses and include bigger businesses that generate a large income from collection, sharing and/or selling of Californians’ personal information (PI).
- CPRA empowers California residents with four brand-new rights and five modified rights.
- CPRA creates the new category sensitive personal information (SPI), which is regulated separately and more strictly than personal information (PI).
- CPRA changes the opt-out right to specifically regulate cross-contextual behavioral advertising and its use of personal information.
- CPRA makes a business responsible for how third parties use, share or sell personal information that the business collected in the first place.
- CPRA adds GDPR-like provisions to the CCPA.
- CPRA expands the requirement for consent to cover more scenarios.
The California Privacy Rights Act (CPRA) law text (PDF)
Timeline for California Privacy Rights Act (CPRA) –
- January 1, 2021 – California Privacy Rights Act (CPRA) goes into law and the California Privacy Protection Agency (CPPA) is established.
- July 1, 2021 – process for formulating and adopting CPRA regulations begins.
- January 1, 2022 – PI collection becomes liable under the CPRA’s one-year lookback period.
- July 1, 2022 – deadline for final CPRA regulations to be adopted by the CPPA.
- January 1, 2023 – CPRA enters into full force.
- July 1, 2023 – Enforcement of the CPRA begins under the CPPA.
CCPA vs CPRA – why two data privacy acts?
You might be wondering how the California Privacy Rights Act (CPRA) works alongside the existing California Consumer Privacy Act (CCPA).
A simple answer is that California has one, overarching legal data privacy regime that was established by the CCPA on January 1, 2020, and to which the CPRA is an overlay more than a new law in itself.
Where the CCPA was a whole new foundation being paved across California’s digital infrastructures, the CPRA is a renovation of this foundation – cleaning up potholes of ambiguities, adding additional regulations for traffic, and constructing new safeguards for end-users traveling along.
In this way, California doesn’t really have two separate data privacy laws, but one data privacy regime consisting of the CCPA/CPRA setup.
That’s because the CPRA is written in such a way that it only refers to the existing CCPA foundation – sometimes expanding existing provisions, sometimes adding entirely new ones, but always referring back to the original CCPA law text itself.
Being the frontier of US data privacy law, the CCPA paved a road which the CPRA is now reinforcing.
Learn more about the California Consumer Privacy Act (CCPA)
Learn more about CCPA compliance with Cookiebot CMP
Compliance with Cookiebot CMP
Cookiebot CMP is the world’s leading consent management platform (CMP), offering compliance with the California Consumer Privacy Act (CCPA) today.
Our solution will continue to offer full compliance with the new and updated data privacy regime.
In fact, our CMP offers plug-and-play compliance with all major data privacy laws – from the EU’s GDPR/ePR to California’s CCPA/CPRA, Brazil’s LGPD and South Africa’s POPIA.
Our solution is built around a powerful website scanner that detects all cookies, trackers and third-party trojan horses on your domain – giving you full transparency and control over your website’s collection and sharing of personal information.
The Cookiebot CMP geotargeting feature automatically determines the location of your users, allowing your website to accurately present each end-user with the correct compliance solution specific to the applicable data privacy regime – GDPR/ePR if users are from the EU, CCPA/CPRA if users are from California.
Try Cookiebot CMP with Google Consent Mode for full compliance without breaking your website’s analytics.
Scan your website for free to see if you have users from California
Try Cookiebot CMP free for 14 days – or forever if you have a small website
Learn more about CCPA compliance with Cookiebot CMP
Learn more about GDPR compliance with Cookiebot CMP
Get started with Google Consent Mode and Cookiebot CMP
California Privacy Rights Act (CPRA), in detail
Let’s break down the California Privacy Rights Act (CPRA) into even smaller pieces to understand exactly how it changes, expands and renews the state-wide CCPA-established data privacy regime that has been in place and in effect since January 1, 2020.
As mentioned, the California Privacy Rights Act (CPRA) is an addendum to the California Consumer Privacy Act (CCPA), and so functions as a series of significant amendments to the existing CCPA law text.
The major changes that the CPRA makes to the CCPA consist of –
- Changing the CCPA’s definitions of PI
- Creating a new category called sensitive personal information (SPI)
- Changing the scope of the CCPA
- Changing the CCPA rights for California residents and adding new rights
- Changing regulatory area of focus towards behavioral advertisement
- Establishing a new government enforcement agency
- Adding GDPR-like features to the CCPA
In addition, the California Privacy Rights Act (CPRA) also secures data privacy law in California in a different way than the CCPA did, since the CPRA includes provisions requiring any amendments to the law to be consistent with its purpose and intent, making it almost legally impossible to be watered down.
This is perhaps one of the most significant changes, since it makes the law practically immune to attempts, whether from industry pressure or special interests, to dilute its privacy protections or weaken its business regulations.
Barring the passing of a federal data privacy law or a future ballot initiative, California’s updated data privacy regime (CCPA/CPRA) seems to be here to stay for a while.
Let’s break down the new CPRA changes!
CPRA creates sensitive personal information (SPI)
In California, the CPRA creates a new category of personal information – the so-called sensitive personal information (SPI).
Sensitive personal information (SPI) includes –
- Data on race and ethnicity
- Religious beliefs, political and philosophical convictions
- Data on sex life or sexual orientation
- Genetic and biometric data
- Health data
- Geolocation
- Social security number and driver’s license
- Financial information
Sensitive personal information (SPI) is regulated separately from normal personal information, with users having expanded rights over how their SPI is used, including the right to have collected SPI disclosed, the right to opt out of SPI use, and the requirement that a business obtain fresh consent before using SPI again once a user has opted out.
CPRA requires new links on your website
The California Privacy Rights Act (CPRA) rewrites the requirements for how your website enables consumers to opt out of having their PI sold or shared and adds a requirement for how your website enables users to exercise their right to limit the use of their SPI.
The CPRA amends the CCPA’s Do Not Sell button, so that your website will have to provide a link titled “Do Not Sell Or Share My Personal Information” – adding “or share”, as the CPRA does in many other places.
The CPRA also creates a new, similar requirement for your website to provide a link titled “Limit The Use Of My Sensitive Personal Information” that enables California residents to limit the use and disclosure of their SPI.
In addition, the CPRA encourages businesses to make “a single, clearly-labeled link” that easily allows a consumer to simultaneously opt-out of sale or sharing of PI and limit the use or disclosure of the consumer’s SPI.
CPRA gives new scope to CCPA
The California Privacy Rights Act (CPRA) changes who is liable under the CCPA.
The CPRA amends the CCPA’s definition of business to be a website, company or organization that –
- as of January 1 has an annual gross revenue exceeding $25 million
- buys, sells or shares the personal information of more than 100,000 consumers or households per year
- derives 50% or more of its annual revenues from selling or sharing consumers’ personal information
These changes are likely to tilt compliance from smaller companies to larger ones, whose businesses are more heavily reliant on the collection and sharing of personal information, both in scope (the threshold rises from 50,000 to 100,000 consumers or households) and in method (from only covering selling to also covering sharing).
CPRA creates and expands CCPA rights
The California Privacy Rights Act (CPRA) creates four new rights and modifies five existing rights for California residents.
The four new CPRA rights are –
- Right to correction, meaning that users can request to have their PI and SPI corrected if they find them to be inaccurate.
- Right to opt-out of automated decision making, meaning that California residents can say no to their PI and SPI being used to make automated inferences, e.g. in profiling for targeted, behavioral advertisement online.
- Right to know about automated decision making, meaning that California residents can request access to and knowledge about how automated decision technologies work and what their probable outcomes are.
- Right to limit use of sensitive personal information, meaning that California residents can make businesses restrict their use of this separate category of personal information, particularly around third-party sharing.
The five modified CPRA rights are –
- Right to delete, where California residents can request deletion of PI and businesses now have to notify third parties to delete it as well.
- Right to know, where California residents can now request access to PI collected beyond the original 12-month limit in the CCPA.
- Right to opt-out, where California residents can now opt out of businesses sharing and selling their PI specifically for behavioral advertisement, and not only of the sale of PI, as in the CCPA.
- Rights of minors, where the opt-in requirement for businesses when dealing with minors is extended to include the sharing of PI for behavioral advertising.
- Right to data portability, where California residents can request to have their PI transported to other businesses or organizations.
CPRA regulates behavioral advertising
The California Privacy Rights Act (CPRA) amends the CCPA to specifically regulate behavioral advertising that uses personal information to target California residents with marketing based on profiling.
Where the CCPA defined the right to opt out as restricting the use, selling and sharing of personal information for advertising purposes in exchange for money, the CPRA creates two separate types of advertising – cross-context behavioral advertising and non-personalized advertising.
The former is regulated by the right to opt-out, whereas the latter isn’t.
Having the right to opt out of behavioral advertising means that California residents can ask businesses to stop sharing and selling their personal information with third parties, so as to avoid being targeted with advertisement based on behavioral data – from their search, browser and purchase history, online preferences, device settings and geolocation to how they scroll and click on a website.
Non-personalized advertisement, on the other hand, is defined by the CPRA as a business purpose, and therefore exempt from any requirements for opting out.
Whereas the CCPA opt-out right that California residents enjoy today covers personal information in general, the CPRA narrows this provision to concern only PI used for behavioral advertisement.
CPRA creates the California Privacy Protection Agency (CPPA)
As a first in the US, California will have a data protection authority comparable to the GDPR-mandated national DPAs that supervise and enforce the EU’s data privacy laws.
The California Privacy Protection Agency (CPPA) will become the leading enforcer and supervisor of the CCPA/CPRA with authority to investigate and fine violations.
By establishing the California Privacy Protection Agency (CPPA), the CPRA moves the enforcement responsibilities currently resting with the Office of the Attorney General to the new government agency, which will start enforcement from July 1, 2023.
The California Privacy Protection Agency (CPPA) has full enforcement authority over the CCPA/CPRA regime, as well as authority to investigate potential breaches and violations, and to draft enforcement regulations.
In addition, the CPRA removes the 30-day grace period that businesses currently have after being notified of an alleged breach or violation, and raises the maximum fines for violations.
CPRA introduces GDPR-like requirements
In another first for California, the CPRA introduces three additional requirements for businesses that are closely modeled after the EU’s GDPR regime:
- data minimization
- purpose limitation
- storage limitation
Under the CPRA-amended data privacy regime in California, a website or business can only collect, use and share Californians’ personal information if it’s in accordance with what is reasonably necessary and proportionate to the collection purpose (data minimization).
In other words, you’re not allowed to collect, share or sell more data than what is strictly necessary for your stated purpose of collection.
Likewise, a website or a business is not allowed to collect, use, share or sell Californians’ PI for a new purpose without first stating so, just like you’re not allowed to collect or share data without any stated purpose at all (purpose limitation).
The CPRA also amends the CCPA so that a website or business will be required to notify (at the point of collection) California residents about the retention time of each collected category of personal information, meaning that users have a right to know for how long their data will be stored after collection (storage limitation).
The California Privacy Rights Act (CPRA) also expands the CCPA’s current consent requirements, perhaps the most GDPR-like feature of California’s data privacy law, to include –
- Consent needed for selling or sharing personal information after a user has already opted out
- Consent needed when selling or sharing the personal information of minors
- Consent needed for secondary use, selling or sharing of sensitive personal information after a user has opted out
- Consent needed for research exemptions
- Consent needed to opt in to a financial incentive
Summary: California Privacy Rights Act (CPRA)
With the passing into law of the California Privacy Rights Act (CPRA), California’s data privacy regime has been significantly updated – only a year after the California Consumer Privacy Act (CCPA) went into force.
The California Privacy Rights Act (CPRA) is a clear signal that the Golden State is moving full speed ahead on the US frontier of data privacy.
Now that the CPRA is in full effect (since January 1, 2023), websites, businesses and organizations that have users from California should prepare for compliance.
Cookiebot CMP already offers full CCPA compliance for your website’s cookies and trackers – alongside compliance with other major data privacy laws like the EU’s GDPR, Brazil’s LGPD and South Africa’s POPIA.
FAQ
What is CPRA?
The California Privacy Rights Act (CPRA) is a state-wide data privacy bill that amends and expands the existing California Consumer Privacy Act (CCPA). The CPRA works as an addendum to the CCPA, strengthening data privacy rights for California residents, tightening business regulations and establishing the California Privacy Protection Agency (CPPA) as lead enforcer and supervisor.
What is the difference between CCPA and CPRA?
The California Consumer Privacy Act (CCPA) laid the foundation for data privacy law in the state of California, when it entered into effect on January 1, 2020. The California Privacy Rights Act (CPRA) isn’t a new law in itself, so much as it is a rewrite of the CCPA. Together, the CCPA/CPRA form one data privacy regime in California.
When does the California Privacy Rights Act (CPRA) go into effect?
The California Privacy Rights Act (CPRA) took effect on January 1, 2023 with a lookback period to January 1, 2022. The California Privacy Protection Agency (CPPA) will begin enforcing the CPRA from July 1, 2023.
What is CPRA compliance?
If you’re already in compliance with the CCPA, you need to change certain practices and add new data privacy features to your business’ website. Using Cookiebot CMP already offers your website full control of data collection, respecting user opt-out for CCPA compliance.
Resources
Try Cookiebot CMP free for 14 days – or forever if you have a small website
Scan your website for free to see if you have users from California
Cookiebot CMP support for CPRA compliance
California Privacy Rights Act (CPRA) law text (PDF)
CCPA compliance with Cookiebot CMP
CCPA vs CPRA comparison by Manatt
IAPP on the passing of the California Privacy Rights Act (CPRA)