Ninety-four percent of consumers want more control over the data they share with companies and more insight into how that data is used
– Osano
According to Bloomberg Law, the California Privacy Rights Act (CPRA) is an amendment of the CCPA. The CPRA was proposed as ballot Proposition 24 (Prop 24) in the 2020 US General Election. The CPRA is slated to go into effect on January 1st, 2023. One of the main objectives of the CPRA is to amend and expand the scope of the CCPA. The CPRA, also known as “CCPA 2.0”, takes California privacy laws one step further, making them similar to the EU’s General Data Protection Regulation (GDPR).
The CPRA does not replace the CCPA; it amends it. Bloomberg Law says that “the CPRA ‘amends’ existing provisions of Title 1.81.5 of the California Civil Code (currently known as the CCPA) and ‘adds’ new provisions (related to the establishment of the California Privacy Protection Agency)”. There are several key differences between the CCPA and the CPRA, Osano notes. These cover the definition of businesses, the household or resident threshold, and more.
Organizations may be considered businesses under the CPRA if they are legal entities operated for profit that collect and process California consumers’ personal information (PI) and that qualify for one or more of the following:
Sensitive personal information (SPI) is a new category in the CPRA. The CPRA stipulates that businesses need extra layers of technical and operational controls to process such data, and protect consumers’ SPI as part of their consumer rights ethos.
One of the key differences between the CCPA and CPRA is that the latter takes streamlined concepts from the EU GDPR. The 3 concepts the CPRA embodies include data minimization, purpose limitation, and storage limitation.
In the event of a data breach exposing personal information, the CPRA notes that consumer login credentials may be added to the list of personal information categories for which legal action can be taken to mitigate risks.
The CPRA transfers governance of the CCPA, which was enforced by the California Office of the Attorney General (OAG), to the California Privacy Protection Agency (CPPA). The shift gives the CPPA investigative, enforcement, and rulemaking powers.
Organizations that adhere to the CPRA have to abide by its rules for protecting and maintaining the privacy of their customers’ data. Once the data is collected, users can submit a data subject access request (DSAR) to find out more about the personal information the organization collected and how it will use that information.
When an organization receives a DSAR, it needs to respond with the information requested and take the necessary actions. According to the CPRA, organizations need to respond to a DSAR within 30 to 45 days.
The California Privacy Rights Act (CPRA) is slated to go into effect on January 1st, 2023. Ensure that your company is compliant with the CPRA and subsequent DSAR mandates.