On Nov. 3, California voters approved the California Privacy Rights Act (CPRA). The CPRA amends the existing California Consumer Privacy Act (CCPA), providing new and additional rights and obligations to the existing law.
CPRA changes are as follows:
- Sensitive Personal Information – A new category of applicable privacy information and associated rights regarding its use.
- Included in this category are: social security numbers, driver’s license numbers, passport numbers, financial account information, race information, ethnicity information, religious affiliation information, union membership information, sex life/orientation information, genetic data, health information, biometric data, personal communications, and geolocation data.
- Rights for this category include the right to limit the disclosure and use of sensitive personal information, except as needed by the business to perform the services an average consumer would request. Links for exercising this right will likewise need to be provided to consumers.
- Right of Correction – California consumers can now request correction of incorrect personal data being held by a business.
- Disclosure – Businesses would have to specify the duration for which they will retain personal information, the purposes for its collection, and the volume of personal information collected.
- Children’s Data – Fines for violations of the CCPA’s opt-in-to-sale requirement are tripled. Opt-in consent to sell or share data from consumers under 16 is now required.
- Breach Liability – Breaches that compromise email addresses in combination with a password or a security question and answer are subject to the relevant liability.
- California Privacy Protection Agency (CPPA) – The law will be enforced by the newly established CPPA rather than the Attorney General’s office. The CPPA will consist of five members appointed by various governmental stakeholders (including the Governor, Attorney General, State Senate, and Speaker of the Assembly).
- Transparency and Governance – The law adds new transparency and governance requirements, including additional required content in privacy notices, as well as storage limitation and data minimization principles.
- Violations – The CPPA can issue fines of $2,500 for each statutory violation, or up to $7,500 for intentional violations or violations involving children’s personal information.
Most of the provisions of the CPRA will go into effect on January 1, 2023. The CCPA will remain in effect until that point, as will the existing exemptions regarding human resources and B2B data.
The CPRA adds multiple changes, both large-scale and nuanced, to the existing CCPA. Firms are advised to review the upcoming changes and begin preparation activities toward readiness.
Note that ACA Aponix will issue a detailed FAQ on the CPRA requirements and what they mean for firms working toward compliance with the new law.
How We Help
Our CCPA compliance assistance service helps companies assess their privacy programs to ensure they comply with CCPA and CPRA requirements. We help firms implement best practices for achieving broader privacy risk and compliance objectives across the enterprise.
Schedule a call with ACA Aponix to discuss your concerns and how we can help you.