The California Privacy Rights Act (CPRA) is an amendment to the CCPA that was approved by voters in November 2020. The CPRA has technically been in effect since December 16, 2020, but most of its revisions to the CCPA do not come into force until January 1, 2023.
5 consumer privacy rights that have been modified under the CPRA:
- Right to access: On request, businesses must provide consumers with the personal and sensitive information collected about them, shared, or sold to third parties, along with the categories of PII involved and the third parties that received it. There is no legal obligation for companies to keep data for a particular length of time, so how long a company retains PII cannot be stated with certainty.
- Right to delete: The CPRA gives consumers new rights that allow them to more easily get rid of the collected data that companies have on them.
- Right to data portability: The CCPA gives users the right to access their data. However, users can now transfer their personal information to different companies under the CPRA.
- Right to opt-out: The CPRA gives users the right to opt out of both the sale and the sharing of their personal information with third parties.
- Right to opt-in for minors: The CCPA prohibits the sale of personal information of California consumers under 16 years of age without their opt-in consent. The CPRA adds that a business must wait 12 months before asking again for consent from a minor who refused the initial request.
4 new consumer rights under the CPRA:
- Right to correct data: This right applies when a consumer's data is inaccurate and allows them to ask for the information to be corrected.
- Right to access information about automated decision-making: Data subjects are entitled to request information about automated decision-making processes concerning their data, as well as the likely results of those processes.
- Right to limit use & disclosure of sensitive personal information: A company is legally required to honor a consumer's request to limit the use and disclosure of their sensitive personal information.
- Right to opt-out of automated decision-making: California residents can also choose to opt out of automated decision-making technology, such as individual profiling.
Who must comply
The CPRA exempts some small businesses that were previously covered by the CCPA. Under the CCPA, a business that collected the personal information of more than 50,000 consumers was subject to the act; under the CPRA, that threshold has increased to 100,000.
The CPRA also applies to any company that derives at least half of its annual revenue from selling or sharing consumers' personal information, or that has gross annual revenue of over $25 million.
Other important facets of the CPRA:
- 3 GDPR principles that are incorporated in the CPRA:
  - Storage limitation
  - Data minimization
  - Purpose limitation
- 30-day cure period abolished: Organizations no longer automatically receive the 30-day cure period that previously gave them a chance to address violations before enforcement. However, the CPPA may still grant a cure period to violators at its discretion.
- CPRA expanded private right of action: The California Consumer Privacy Act gave consumers whose unredacted or unencrypted data was compromised the right to take legal action against the responsible company. The CPRA expanded this right to cover additional personal data such as consumers' passwords, email addresses, and security questions.
- Contractual provisions for data shared with third parties: The CPRA obligates businesses to have a contract in place with any third party that receives or shares their customer data, which strengthens customer data security by reducing third-party risk.
- Addition of the SPI (sensitive personal information) category, which is subject to stricter purpose limitations and disclosure requirements. This includes:
  - Biometric information for identification
  - Contents of communication
  - Credit or debit card number with access codes
  - Driver's license
  - Ethnic origin
  - Financial account information and log-in credentials
  - Genetic data
  - Health information
  - Information about sex or sexual orientation
  - Passport number
  - Precise geolocation data
  - Religious or philosophical beliefs
  - Social Security Number
  - State identification card
- Mandatory audit and security risk assessment: The CPRA mandates annual cybersecurity audits and periodic risk assessments to protect consumer data. Businesses must assess the risks to data security and information confidentiality, prioritize those risks, and implement a risk assessment framework. This is an important step in developing a cybersecurity strategy, since it lets organizations take the appropriate steps to mitigate the risks they face.
- Creation of a new privacy enforcement authority: The CCPA was first enforced by the office of the Attorney General. The CPRA established a new privacy enforcement authority, the California Privacy Protection Agency (CPPA), and grants it powers to investigate and enforce the act.
- Extra data protection for children's PII: Like the CCPA, the CPRA prohibits the sale of personal information of those under 16. In addition, violations involving children's data are treated as intentional violations, which carry the more severe penalty. Violations of the CPRA carry a penalty of up to $7,500 per intentional violation and up to $2,500 per unintentional violation.