The California Consumer Privacy Act of 2018 (CCPA) gives California consumers greater control over the personal information that businesses collect about them. The CCPA regulations describe how the law is implemented. This groundbreaking legislation gives California consumers additional privacy protections that include:

  • The right to know what personal information a business collects about them and how it is used and shared.
  • The right to have their personal information deleted (subject to exceptions).
  • The right to opt out of the sale of their personal information.
  • The right not to be discriminated against for exercising their CCPA rights.

Businesses must give consumers notice of their privacy practices. The CCPA applies to a wide range of organizations, including data brokers.

Past and present of California Privacy Rights Act (CPRA)

The CCPA, sometimes called “California’s GDPR,” ushered in a new era of compliance in January 2020, requiring businesses to do far more than update their privacy policies. The law affects thousands of firms that use a vast array of personal data tied to the state’s almost 40 million residents, their families, and their devices.

Voters adopted the California Privacy Rights Act (CPRA) in November 2020 to build on the CCPA. The CPRA takes effect on January 1, 2023, giving California consumers more control over the personal information that businesses hold about them. It imposes substantial additional compliance obligations on covered businesses. There is no single roadmap for “CPRA compliance,” although there is no shortage of vendors offering CPRA preparation. Let us first understand California’s privacy laws before deciding on CPRA management techniques.

Rulemaking by the California Privacy Protection Agency

The California Privacy Protection Agency (CPPA) began the formal rulemaking process on July 8, 2022, to adopt regulations implementing the CPRA. The proposed regulations are intended to:

  1. Update the existing CCPA regulations to align them with the CPRA.
  2. Address the new rights and concepts introduced by the CPRA.
  3. Reorganize and consolidate the statutory requirements so they are easier to follow and understand.

Through the CPRA, California voters established the CPPA and amended the CCPA of 2018. Most of these amendments take effect on January 1, 2023, but a few apply retroactively to January 1, 2022. The California Attorney General’s Office has actively enforced the CCPA since July 2020 and retains enforcement authority under the amended CCPA alongside the CPPA. Meanwhile, the CPPA is revising the existing CCPA regulations and adopting new ones.

What data is safeguarded?

Scope And Applicability

The CPRA changed the CCPA’s scope of applicability relatively little. The amended CCPA protects “personal information,” broadly defined to cover any information that identifies, relates to, or could reasonably be linked with a particular California resident or household.

On January 1, 2023, the CCPA’s exemptions for personal information processed in business-to-business (B2B) and employment (HR) contexts expire. The CPRA also states that it “shall prevail over any conflicting legislation enacted after January 1, 2020” and that any such conflicting legislation “shall be null and void… regardless of the code in which it appears,” which potentially invalidates the health-related exemptions the California legislature added in September 2020.

Who is covered by the CPRA?

The CCPA, as amended by the CPRA, applies to for-profit businesses that do business in California and collect, sell, or share California consumers’ personal information, provided they meet one of the thresholds below.

Beginning on January 1, 2023, the amended law applies to any for-profit business doing business in California that collects California consumers’ personal information and:

  • Had annual gross revenues above $25 million in the preceding calendar year (measured as of January 1); or
  • Annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or
  • Derives at least 50% of its annual revenue from selling or sharing consumers’ personal information.

Subject to the effective date, if your business uses personal information of California residents and meets any of the three thresholds above, it is likely subject to the CCPA/CPRA. Neither the CCPA nor the CPRA defines “doing business in California,” but related legal principles suggest it is a low bar that does not require having operations or employees in the state.

The CPRA also adds another category of covered entity: a joint venture or partnership composed of businesses in which each business has at least a 40% interest. The joint venture or partnership and each business that composes it are treated as separate businesses, and personal information held by one constituent business and disclosed to the joint venture or partnership may not be shared with the other constituent business.

How do you comply?

Compliance

Businesses must comply with both the existing and the new CCPA requirements. Here are some key steps.

Revise agreements governing data processing, sharing, and sale.

The CPRA prescribes contract terms for transfers of personal information, including audit rights and limits on the recipient’s use of the data. Businesses that have not already done so should address these requirements in their agreements with service providers, contractors, and other business partners.

Consider strategic changes to your business activities that reduce the compliance burden.

Companies may benefit from deliberate efforts to avoid selling and sharing personal information, since the amended CCPA regulates these activities strictly. Companies may also develop de-identification methods to take advantage of the exceptions for “de-identified” information.

Develop internal standards for selling and sharing personal information.

Businesses must follow disclosure, consent, and data-processing rules when selling or sharing personal information. They must provide a “Do Not Sell or Share My Personal Information” opt-out link on their homepage(s) for California residents.

Prepare for regulations on data minimization and retention

Under the amended CCPA, a business’s collection, use, retention, and sharing of personal information must be reasonably necessary and proportionate to the purposes for which it was collected. To comply, organizations should change their processes so that personal data is deleted once it is no longer needed for the disclosed purpose.
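One way to turn that retention principle into an enforceable process is to tag every record with the purpose it was collected for, keep a retention period per purpose, and run a scheduled job that deletes expired records. The Python below is an added illustration, not code from the page or from any regulator; the purposes, retention periods, and sample records are constructed assumptions. The one design point worth noting is the handling of records whose purpose is not in the schedule: they are routed to a review queue rather than kept forever by default, since an unknown purpose is exactly the case where indefinite retention cannot be justified.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule keyed by the purpose a record was collected
# for. The periods are illustrative assumptions, not values from the CCPA/CPRA.
RETENTION = {
    "order_fulfillment": timedelta(days=365 * 7),  # e.g. tax and accounting records
    "marketing": timedelta(days=365),
    "support_ticket": timedelta(days=180),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    collected_at: datetime  # must be timezone-aware


def classify(records, now):
    """Split records into (keep, delete, review) lists of record ids.

    review holds records whose purpose has no retention period: they are
    neither silently kept forever nor deleted without a human decision.
    A record is expired when collected_at + period is at or before now.
    """
    keep, delete, review = [], [], []
    for r in records:
        period = RETENTION.get(r.purpose)
        if period is None:
            review.append(r.record_id)
        elif r.collected_at + period <= now:
            delete.append(r.record_id)
        else:
            keep.append(r.record_id)
    return keep, delete, review


def purge(store, now):
    """Delete expired records from store (record_id -> Record) in place.

    Returns (deleted_ids, review_ids). Records needing review are left in
    the store untouched so a person can assign a purpose or delete them.
    """
    _, delete, review = classify(list(store.values()), now)
    for rid in delete:
        del store[rid]
    return delete, review


# Constructed sample data; the dates are chosen to exercise each branch,
# including a record that expires exactly on the run date.
UTC = timezone.utc
SAMPLE_RECORDS = [
    Record("r1", "marketing", datetime(2021, 6, 1, tzinfo=UTC)),          # expired
    Record("r2", "order_fulfillment", datetime(2020, 1, 1, tzinfo=UTC)),  # within 7 years
    Record("r3", "support_ticket", datetime(2022, 9, 1, tzinfo=UTC)),     # within 180 days
    Record("r4", "analytics", datetime(2022, 1, 1, tzinfo=UTC)),          # no schedule entry
    Record("r5", "marketing", datetime(2022, 1, 1, tzinfo=UTC)),          # expires on run date
]
RUN_DATE = datetime(2023, 1, 1, tzinfo=UTC)

if __name__ == "__main__":
    store = {r.record_id: r for r in SAMPLE_RECORDS}
    deleted, needs_review = purge(store, RUN_DATE)
    print("deleted:", deleted)
    print("needs review:", needs_review)
    print("remaining:", sorted(store))
```

In a real deployment the schedule would be the documented retention periods from the privacy policy, and the job would log what it deleted so the deletion itself is auditable.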

Accept and handle requests to limit the use of “sensitive personal information”

Californians can ask businesses to limit the use of their “sensitive personal information” to what is necessary to provide the requested goods or services. Businesses that use sensitive personal information for other purposes must provide a link titled “Limit the Use of My Sensitive Personal Information,” which may be combined with the “Do Not Sell or Share My Personal Information” link.
Sensitive personal information includes, among other things, government identifiers (such as Social Security, driver’s license, or passport numbers), precise geolocation, racial or ethnic origin, religious or philosophical beliefs, and the contents of a consumer’s mail, email, and text messages where the business is not the intended recipient.

Update procedures for handling consumer data requests

The amended CCPA creates new consumer rights and modifies existing ones. New rights include the right to correct inaccurate personal information and the right to limit the use of sensitive personal information. Changes to existing rights include extending the right of access beyond the previous 12-month lookback period and narrowing the exceptions that currently allow businesses to deny deletion requests.

Update collection and privacy policy notifications

The CPRA expands the list of disclosures required in a business’s privacy policy and other notices. Businesses should consider drafting a privacy notice specific to the amended CCPA, separate from the general privacy policy they use to address the privacy laws of other jurisdictions.

Comply with the rules on processing children’s personal information

Selling and sharing children’s personal information is subject to additional rules: a business must obtain opt-in consent from the consumer if they are aged 13 to 15, or from a parent or legal guardian if the child is under 13. Under the amended CCPA, penalties are tripled for violations involving consumers under 16.

Strengthen and document security measures

The amended CCPA requires all businesses to implement reasonable and appropriate security procedures and practices, and requires businesses whose processing of personal information presents significant risk to consumers’ privacy or security to perform annual cybersecurity audits and submit regular risk assessments to the CPPA, with the details to be set by regulation.

Keep up-to-date

The CPRA delegates broad rulemaking authority to the CPPA and required the agency to adopt final regulations by July 1, 2022, a deadline the agency did not meet, so businesses should monitor the ongoing rulemaking.

Sanctions and CPRA penalties

Beginning July 1, 2023, the California Attorney General’s Office and the CPPA can bring civil and administrative enforcement actions against alleged violators of the amended CCPA. The CPRA retains the private right of action for data breaches and extends it to breaches of an email address in combination with a password or security question and answer that would permit access to the account. The CPRA empowers the CPPA to investigate violations, hold hearings, issue cease-and-desist orders, and impose administrative fines of up to USD 2,500 per violation, or USD 7,500 per intentional violation or violation involving a consumer under 16.

The private right of action applies only where the breach results from the business’s failure to implement and maintain “reasonable security procedures and practices”; the CPRA does not specify what those procedures are.

The CCPA requires the California Attorney General’s Office to give a business a 30-day “cure period” before bringing an enforcement action. The CPRA removes this mandatory cure period, allowing the Attorney General’s Office and the CPPA to initiate enforcement proceedings immediately.