How the CPRA Changes Compliance in California

The California Privacy Rights Act (CPRA), a major amendment to California’s landmark data privacy legislation (CCPA), went into effect on the first of the year. The CPRA amends earlier data privacy legislation in the state and strengthens consumer privacy protections. It also introduces new policies, creates new data categories, and establishes an agency to oversee compliance and enforcement.

With the CPRA now in full force, businesses operating in California face significant changes in their compliance obligations. Because the amendment places new responsibilities on businesses that handle personal information, it’s vital to understand its key points.

Today, we’ll delve into the key provisions of the CPRA, exploring its implications for businesses and offering suggestions on how to navigate compliance with stronger data privacy practices.

First, what is the CCPA?

To understand how the CPRA changes compliance in California, we first need to understand the earlier legislation that it modifies: the California Consumer Privacy Act, or CCPA.

The CCPA is a groundbreaking data privacy law designed to safeguard the personal information of California residents. Enacted on Jan 1, 2020, the CCPA grants consumers greater insight into their personal data, including what information businesses collect, how it is used, and whether it is shared with or sold to third parties.

Under this regulation, businesses that meet certain criteria must be transparent about their data practices, allowing consumers to access their personal information and request its deletion. Businesses must also provide a clear and conspicuous “Do Not Sell My Personal Information” link on their websites to give individuals more control over how their data is used.

Although the CCPA only applies to for-profit companies that conduct business in California and meet certain revenue or data processing requirements, it has had a far-reaching impact. In the absence of a unifying federal data privacy regulation, many companies that process the data of California residents have chosen to apply the CCPA’s provisions across their business operations to simplify compliance. The law has also served as a model for other US states enacting similar legislation, shaping the direction of data privacy in the digital era and promoting greater transparency around the handling of personal information.

What is the CPRA, and why was it passed?

The California Privacy Rights Act (CPRA) is a crucial expansion and enhancement of the CCPA, designed to further strengthen data privacy and protection for California residents. Enacted three years after the CCPA on January 1, 2023, the CPRA introduces additional rights and safeguards for consumers. Notably, it amends but does not replace the CCPA.

The CPRA builds on the CCPA’s foundation to grant California consumers more control over how their personal data is collected, used, and shared by businesses. It also subjects businesses that handle large amounts of personal data to more stringent requirements.

There are numerous policy changes introduced by the CPRA, including:

Establishing the consumer right to correct inaccurate personal information and limit the use of sensitive personal information.
Creating the California Privacy Protection Agency (CPPA) to oversee compliance and enforcement.
Strengthening employee privacy protections.
Emphasizing privacy by design.

Below, we’ll explore each of these changes in detail.

The CPRA establishes the right to limit the use of sensitive personal information

First, the CPRA adds a new consumer right in California: the right to limit how businesses use their sensitive personal information. Under California’s amended data privacy law, consumers can limit the use and disclosure of this “sensitive personal information” — a new category of data that was also established by the CPRA.

The CPRA categorizes the following types of data as sensitive personal information:

Social Security and driver’s license numbers
Account login info
Credit card and financial account numbers
Geolocation
Race and ethnicity
Religious beliefs
The contents of mail, email, or text messages
Genetic and biometric information

This is distinct from the broader category of “personal information” in the CCPA, which refers to any information that identifies, relates to, or can be associated with a particular person. By adding the new category of sensitive personal information and offering stronger protections around it, the CPRA moves closer in line with the EU’s GDPR and its strict view on personal privacy.

The CPRA establishes the CPPA

The CPRA also adds another acronym to the California data privacy landscape: the CPPA, or California Privacy Protection Agency. This agency is responsible for overseeing compliance with and enforcement of the CPRA. Additionally, it is responsible for updating existing regulations and adopting new ones, ensuring that data privacy practices evolve to keep pace with the ever-changing digital landscape.

The CPPA can levy civil penalties of $2,500 per violation and $7,500 per intentional violation for noncompliance with California’s data privacy laws. The agency takes over from the state’s Office of the Attorney General, which was previously tasked with ensuring CCPA compliance.

The CPRA strengthens employee privacy protections

Under the earlier CCPA legislation, California employees, applicants, independent contractors, and board members were exempted from certain data privacy protections. The CPRA dissolves the employee exception, extending consumer privacy rights in the workplace.

In general, the CPRA gives employees the right to know when their personal information is being sold or shared and the right to set limits on the usage of their sensitive personal data. Employees and contractors can ask their company to disclose what information has been collected about them, request corrections or deletions to that information, and opt out of having their personal information sold or shared.

The CPRA emphasizes privacy by design

One of the most important things to know about the CPRA is its emphasis on privacy by design. Even more than the CCPA, the CPRA requires businesses to embed privacy into the design of their business operations and IT infrastructure.

In today’s regulatory landscape, it’s not enough to approach data privacy in a piecemeal way or apply security measures retroactively. Instead, businesses must consider privacy implications at every stage of their operations, from the conception of new products or services to the implementation of data collection and processing practices. This shift will typically require collaboration between legal, IT, and business teams to ensure that data privacy principles are seamlessly woven into the fabric of the organization.

How can companies meet compliance with the CPRA and CCPA?

As organizations adapt to the CPRA's changes, they must ensure that their business practices continue to meet compliance in California. Here are a few preliminary steps they can take:

Adopt a privacy by design approach.
Minimize data collection and retention.
Implement data minimization and data anonymity wherever possible.
Obtain consumer consent for data processing.
Update data privacy policies and notifications.
Review contracts with third-party service providers to make sure they also meet compliance.
Refrain from selling or sharing sensitive personal information beyond the parameters established by law.
Perform regular security audits and risk assessments.

Organizations should also invest in robust data security and privacy measures to ensure they meet CPRA compliance. One option is the ShardSecure platform, which offers an innovative approach to file-level encryption that secures data against third-party access. Even if a storage location is breached, data remains private and unintelligible to unauthorized users, including cloud admins and cyberattackers.

By maintaining data privacy, the ShardSecure platform helps customers strengthen their privacy posture for regulatory compliance, including with the CPRA, GDPR/Schrems II, and SOC 2. To learn more about our technology, visit our resources page today.