The California Privacy Rights Act (CPRA) is sometimes called “CCPA 2.0” as it is an amendment to the California Consumer Privacy Act (CCPA) and increases Californians’ privacy rights. It also extended the scope of individual privacy rights to include employees and business-to-business contacts as well as consumers.
Key dates:
- January 1, 2023 – CPRA became effective
- from July 1, 2023 – the CPRA is enforceable.
Enforcement:
The Californian Privacy Protection Agency (CPPA) was established in 2021 to enforce violations of the CCPA and the CPRA. The CPPA has the authority to:
- Audit businesses’ data protection and cybersecurity activities to determine if they provide “reasonable security procedures and practices appropriate to the nature of the personal information” – or fail to meet these obligations
- Investigate notified breaches and other possible violations of the CPRA rules
- Make probable cause determinations of violations
- Subpoena witnesses and documents for evidence
- Conduct hearings to review evidence
- Issue cease and desist orders
- Make orders for payment of fines
- Bring civil actions to enforce payment of penalties.
CPRA Penalties and No More 30-day Cure Period
Businesses will no longer have a 30-day cure period for violations under the CPRA. The CPPA will act immediately after it has determined a business has violated CPRA law, including asking the California Attorney General to impose fines per person affected by breaches, which can quickly add up.
Businesses found failing to protect Californians’ personal information and/or failing to address customer requests face four kinds of penalties for each violation:
- $2500 fine per person affected by a breach that exposes Californians’ personal information when the violation was unintentional
- $7500 fine per person affected by an intentional breach (e.g., non-compliant use, sale, or sharing of personal information; or not responding to customer requests related to their privacy rights)
- $7500 fine per child under 18 (i.e., a minor) affected by a breach that exposes their personal information, regardless of whether the violation was unintentional or intentional
- Between $100-750 statutory damages or actual damages (whichever is greater) are awarded to each person who sues for some type of security breach involving their personal information (see below).
Private Right of Action Under the CPRA
Californians’ right to sue for statutory damages and actual damages applies when they are affected by certain kinds of data breaches.
This private right of action must meet certain conditions:
- The breach led to personal data being exposed (including unauthorized access, copying, theft or disclosure)
- The breach is determined to have been due to a business failing to implement reasonable security measures
and/or - The breach exposes a person’s email plus password/security question and answer or their personal information that is non-encrypted or non-redacted.
CPRA Compliance Checklist
Businesses have extensive obligations under the CPRA to establish and maintain “reasonable security procedures and practices” to protect personal data, particularly Personal Identifiable Information (PII).
They are also required to make it easy for individuals to exercise their privacy rights and respond to requests efficiently and effectively.
We recommend the following CPRA compliance actions:
Know your data – Create a data map identifying where the personal information of Californians is collected, processed, stored, and distributed (including sharing or selling data to third parties).
Update your data management policies and procedures – Ensure CPRA compliance is well communicated and adhered to across your organization by building and implementing a comprehensive, automated privacy program. All staff should be educated about CPRA compliance. The CPRA also requires businesses to complete a Records of Processing Activity (RoPA).
Update third-party contracts to include CPRA compliance – Your business must include CPRA compliance requirements (e.g., security and privacy) in all written contracts with all third parties, service providers, and contracts involved in processing any personal information for your business.
Perform regular security audits and risk assessments – Assess the potential risks to personal data being exposed to and/or accessed and exploited by unauthorized parties. Risk assessments should cover network and database breach risks, non-compliance with data management processes and procedures, and third-party non-compliance with the CPRA. Note: you must perform regular risk assessments on all third parties your organization shares, discloses, and/or sells personal data to, including service providers that manage PII on your behalf.
Establish data minimization and retention rules – Under the CPRA businesses can only collect and process the minimum necessary personal data for their stated purposes. As well as reducing the amount of data that can be collected, the CPRA also limits the allowed purposes for data collection and how long it can reasonably be stored (data retention limitation).
Update your Privacy Policy – Potential and existing consumers, employees, and business-to-business contacts must have ready access to a plain language Privacy Policy that explains how you manage the protection of data and ensure compliance with privacy rights. The policy should also include (or link to) information on how individuals can exercise their data privacy rights (e.g., opt-out of the sale or sharing of personal information).
Add notices at Point of Collection – You must publish plain language notices at or before the point of data collection explaining the categories of personal data you intend to collect (including PII and sensitive personal information), the purpose/s for each (and whether it could be shared, disclosed or sold), how long this data will be stored, and your processes for data retention limitation. You must also include explicit opt-in/opt-out notices for parents and guardians of children to control or withdraw consent to collect information from minors.
Add links for opt-outs – Your website must display two clearly labeled links so Californians can exercise the following data privacy rights:
- i. Limit the Use of My Sensitive Personal Information
- ii. Do Not Sell or Share My Personal Information
Honor consumer requests – Establish clear processes and policies to respond to consumer requests related to their privacy rights (e.g., right to know, correct, delete, access, and port/extract and opt-out). The CPRA forbids retaliation against consumers who exercise their privacy rights.
TrustArc can help your business with CPRA compliance
This quick guide to CPRA compliance is part of a series about the California Privacy Rights Act, including a background of key dates, a summary of the main rules, and a technical brief.
