The California Privacy Rights Act (CPRA) is intended to amend the California Consumer Privacy Act (CCPA) and ultimately to give consumers more control over their information. The Californians for Consumer Privacy coalition is working to obtain enough signatures to put CPRA on the November 2020 ballot. If successful, Californians would have the opportunity to vote this ballot initiative into law. Should it pass, it will go into effect January 1, 2023.
CPRA at a glance:
- Sensitive Information: Creates new rights allowing consumers to stop businesses using sensitive personal information (“SPI”). SPI includes SSN, DL, Passport, financial account info, precise geolocation, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, information about sex life or sexual orientation, email + password.
- Children’s Datta: It will triple 2018’s CCPA fines for collecting and selling children’s private information. It will also require opt-in consent in order to sell info from consumers under the age of 16.
- Geolocation: Prohibit businesses from tracking precise geolocation for most purposes, including advertising, to a location within roughly 250 acres.
- Enforcement Arm: Establishes an enforcement arm called the California Privacy Protection Agency and institutes a 5 year statute of limitations for filing claims of violations of the Act.
Comparison of existing Privacy Laws GDPR & CCPA to CPRA.
| Rights | GDPR | CCPA | CPRA |
| Right to Know What Information a Business has Collected About You | √ | √ | √ |
| Right to Say No to Sale of Your Info | √ | √ | √ |
| Right to Delete Your Information | √ | √ | √ |
| Data Security: Businesses Required to Keep Your Info Safe | √ | √ | √ |
| Data Portability: Right to Access Your Information in Portable Format | √ | √ | √ |
| Special Protections for Minors | √ | √ | √ |
| Requires Easy “Do Not Sell My Info” Button for Consumers | X | √ | √ |
| Provides Ability to Browser with No Pop-Ups or Sale of Your Information | X | X | √ |
| Penalties if Email Plus Password Stolen Due to Negligence | √ | X | √ |
| Right to Restrict Use of Sensitive Personal Information | √ | X | √ |
| Right to Correct Your Data | √ | X | √ |
| Storage Limitations: Right to Prevent Companies from Storing Info Longer than Necessary | √ | X | √ |
| Data Minimization: Right to Prevent Companies from Collecting More Info than Necessary | √ | X | √ |
| Right to Opt Out of Advertisers Using Precise Geolocation (< than 1/3 mile) | √ | X | √ |
| Ability to Override Privacy in Emergencies (Threat of Injury / Death to a Consumer) | √ | X | √ |
| Provides Transparency Around “Profiling” and “Automated Decision Making” | √ | X | √ |
| Establishes California Privacy Protection Agency to Protect Consumers | √ | X | √ |
| Restrictions on Onward Transfer to Protect Your Personal Information | √ | X | √ |
| Requires High Risk Data Processors to Perform Regular Cybersecurity Audits | √ | X | √ |
| Requires High Risk Data Processors to Preform Regular Risk Assessments | √ | X | √ |
| Appoints Chief Auditor with Power to Audit Businesses’ Data Practices | √ | X | √ |
| Protects California Privacy Law from being Weakened in Legislature | √ | X | √ |
| Provides Transparency Around “Profiling” and “Automated Decision Making” | √ | X | √ |
| Establishes California Privacy Protection Agency to Protect Consumers | √ | X | √ |
| Restrictions on Onward Transfer to Protect Your Personal Information | √ | X | √ |
| Requires High Risk Data Processors to Perform Regular Cybersecurity Audits | √ | X | √ |
| Requires High Risk Data Processors to Preform Regular Risk Assessments | √ | X | √ |
| Appoints Chief Auditor with Power to Audit Businesses’ Data Practices | √ | X | √ |
| Protects California Privacy Law from being Weakened in Legislature | N/A | X | √ |
Businesses subject to CCPA would need to make some updates to their CCPA programs, including:
- Update categories of personal information to include sensitive data, defined (somewhat differently than under the GDPR) as government identifiers, account and login information, precise geolocation data, racial or ethnic origin, religious or philosophical beliefs, union membership, contents of mail, email and text messages, genetic data, and certain sexual orientation, health and biometric information.
- Inclusion of email account credentials in the categories of personal information potentially subject to the CCPA “reasonable security” private right of action under Section 1798.150(a)
- Provide a right to limit the use of sensitive data for any secondary purpose and a new notice requirement to provide a separate link titled “Limit the Use of My Sensitive Personal Information” or accommodate an optional technical signal solution.
- Provide notice to consumers about the length of time each category of personal information will be retained and provide right to data minimization, as well as.
- Be able to correct inaccurate personal information.
- Right to know, access and receive personal information collected before the 12-month lookback period for data collected on or after Jan. 1, 2022.
- Direct obligations on service providers to assist with CPRA compliance activities.
- Definition of cross-context behavioral advertising and limitations exempts certain analytics functions but clearly now targets this activity to do-not-sell obligations so even if you are collecting data for analytics purposes only, you’d need to offer a “opt-out/do not sell” option in this context.
- Expands the definition of “Business” to include a joint venture or partnership composed of businesses in which each business has at least a 40% interest.