The California Privacy Rights Act (CPRA) is an amendment to the California Consumer Privacy Act (CCPA); together they form a single data privacy regime in California.
The CPRA became effective on January 1, 2023, and is enforceable by the California Privacy Protection Agency from July 1, 2023.
The CPRA brings California’s privacy regime closer to the European Union’s General Data Protection Regulation (GDPR) by adding greater obligations on businesses to protect personal information, notify of data security breaches and manage compliance.
Download TrustArc’s GDPR, California Privacy Protection Agency (CPPA), and CPRA Comparison Chart for a summary of the differences in rules governing individual rights and business obligations.
Which organizations are covered by the CPRA?
If your business collects personal information about consumers in California, it is already generally covered by the CCPA when:
- Your business earns gross annual revenue of more than US$25 million; or
- Your business collects the personal information of 50,000 or more California consumers, households, or devices for commercial purposes; or
- Your business makes 50% or more of its annual revenue by selling the personal information of California residents.
However, the CPRA slightly raises the thresholds for determining which businesses are covered, and as of January 1, 2023, CPRA rules replace the CCPA rules when:
- Your business earned gross annual revenue of more than US$25 million in the preceding year – the main change is that revenue is calculated from January 1 in the preceding calendar year; or
- Your business buys, sells, or shares the personal information of 100,000 or more California consumers or households – the doubling of the threshold only applies if your business buys, sells, or shares personal information; the CCPA rules still apply if your business only collects (but does not sell or share) information of 50,000 or more California consumers or households; or
- Your business makes 50% or more of its annual revenue by selling or sharing the personal information of California residents – the main change is the addition of ‘sharing’ as a qualifier.
What personal data rights are covered by the CPRA?
While CCPA compliance originally focused on consumer personal data rights, the CPRA now adds protections for employee personal data rights and business-to-business (B2B) personal data rights for California citizens.
Employers were required to establish data collection and privacy protocols by January 1, 2023, to comply with CPRA rules.
The CPRA adds three new rights for individuals, whether they are covered as consumers, employees, or participants in B2B relationships:
- Right to limit use of sensitive personal information, including limits on how long a company can keep personal information in its records
- Right to correct personal information by requesting changes to any of their personal information held in a company’s data records
- Right to opt-out of automated decision-making technology.
The CPRA also updates several existing consumer rights already covered by the CCPA including:
- Right to know what categories and pieces of personal information are collected, disclosed, or sold by companies and the purpose(s)
- Right to delete personal information, by requesting permanent removal of personal information from a company’s data records
- Right to opt-out of the sale or sharing of personal information by a company to any other company
- Right of non-retaliation by a company if an individual exercises their data privacy rights.
Read on for a summary of the main rule changes for personal data rights under the CPRA.
New Rule: Right to limit the use of sensitive personal information
The CPRA created a new category of personal information known as sensitive personal information (SPI), which includes:
- Racial origin and ethnicity
- Religious beliefs and political and philosophical convictions
- Sexual orientation and sex life activity
- Contents of a consumer’s mail, email and/or text messages
- Health and medical status and history
- Financial status and history
- Precise geolocation
- Genetics and biometrics
- Social security number and driver’s license.
Under the CPRA, Californian citizens now have the right to request a business to limit its use of sensitive personal information to only that “which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services.”
Companies must publish a second website homepage link labeled “Limit the Use of My Sensitive Personal Information” to allow Californians to exercise this right, including opting-out of use, sale, or sharing of SPI.
Californians can also request disclosure of what SPI is collected, how it is used, and for how long.
New rule: Right to correct personal information
Californian citizens have a right to request corrections to any personal information about them held by a business. Under the CPRA, this includes inaccurate or incomplete records about the individual making the request.
To comply with this right, a business must:
- Share information about how to submit a request to correct personal information
- Explain (in clear, plain language) the business’ processes for responding to the request
- Acknowledge receipt of a request
- Review the individual’s instructions and take reasonable steps to assess the accuracy of any records containing personal information
- Correct any inaccuracies and add relevant personal information requested by the individual.
New rule: Right to opt-out of automated decision-making technology
The CPRA directs the Attorney General to govern individual rights to access information about automated decision-making technology and “profiling,” which can include a plain-language explanation of how such technologies automate the collection of personal information and the “logic” of the decision-making process.
The CPRA also gives individuals the right to opt out of being profiled and defines profiling as the collection of personal information to evaluate personal aspects related to a natural person or analyze or predict a person’s:
- work performance (e.g., productivity)
- financial or health status or history
- personal interests and preferences
- behavior, including their reliability
- location and movements.
Note: most of these categories of personal information are also covered under Sensitive Personal Information, especially precise geolocation and an individual’s financial and health/medical statuses and histories.
Updated rule: Right to know categories and specific pieces of personal information
Under the CCPA, Californian citizens already had some rights to request access to the personal information a business collected about them in the previous 12 months, so they can understand how their data is categorized, including the categories of:
- Personal information held by the business
- Personal information disclosed for a business purpose
- Sources of collection of their personal information (whether the business or a third party controls these sources)
- Personal information sold to third parties
- Business or commercial purposes for which their personal data was collected and/or sold.
The CPRA updates the Right to Know rule with greater obligations on businesses. Now when Californian citizens make a right to know request under CPRA, a business must provide:
- Personal data collected by the business, whether collected directly or indirectly, including through or by a service provider or contractor – note, the CPRA also obliges related third parties to help the business respond to these requests
- Information about the categories of personal information shared with third parties for cross-contextual behavioral advertising
- More than 12 months’ worth of personal data wherever feasible – note this doesn’t apply to personal data collected before January 1, 2022. It also gives businesses some leeway if it would be impossible or “involve a disproportionate effort” to provide more than 12 months of data
- Specific pieces of personal information on request in a portable and readable format (i.e., a common format readable on most devices) “which may also be transmitted to another entity at the consumer’s request without hindrance”
- A response to a verifiable Right to Know request within 45 days, with the data provided to the individual free of charge.
Updated rule: Right to delete personal information
Under the CCPA, Californians already had the right to request deletion of personal information collected by a business, and upon receiving a verifiable request, a business must:
- Delete the individual’s personal information (with some exceptions, such as the business needs to hold the data for a legitimate business purpose, a legal obligation, or to exercise a right or defense)
- Notify its service providers and contractors to delete any copies of the individual’s personal information.
Now, under the CPRA, a business must also notify any other third parties to which it has shared or sold the individual’s personal information to delete that information. Each service provider must do the same with any downstream service providers.
The CPRA also updates the deletion requirement with some exceptions or clarifications. Businesses are not required to delete personal data if:
- The individual has given the business consent to use the information to produce a physical item (e.g., a magazine or yearbook), and the business has already incurred significant expenses producing the item
- The personal information about the consumer belongs to another natural person or is maintained by the business on behalf of another natural person
- The data relates to a group of consumers who live at the same address (household data) and share common devices and/or services.
Updated rule: Right to opt-out of sale or sharing of personal information
The biggest change to the opt-out rule under the CPRA is that it now covers the right to prevent a business from sharing personal information alongside preventing a business from selling it.
The CPRA defines sharing as transferring or otherwise making available a “consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.”
This change means businesses must update the label on the “Do Not Sell My Personal Information” link they are required to publish on their websites under the CCPA rule to a new label: “Do Not Sell or Share My Personal Information.”
Updated rule: Right of no retaliation – previously called right of non-discrimination
The CCPA protected consumers from being discriminated against by a business when they exercised their rights, such as a request to access or delete personal data or opt-out from data collection.
The CPRA now extends these protections to prohibit retaliation against other Californians exercising their rights guaranteed under the CPRA, including:
- Current employees
- Applicants for employment
- Independent contractors.
The CCPA allows an exception to non-discrimination when the value of the consumers’ data to the business is reasonably related to the price or service difference. The CPRA clarifies a similar exception to existing consumer rights to non-discrimination, noting that these rights do not prohibit a business from offering consumer loyalty or club card programs (including rewards, premium features, and discounts).
Access more information about the CPRA and CCPA from TrustArc
This summary of the main rules under the California Privacy Rights Act is part of a series including a background of key dates, a technical brief, and a guide to CPRA compliance.