To say that data governance and data compliance are rapidly becoming areas of immense strategic importance for businesses would be an understatement. Governments worldwide already have data protection laws in place or are busy drafting these laws. Moreover, users have become increasingly aware and educated about their rights online, especially regarding what data businesses can collect about them.
The California Privacy Rights Act (CPRA) is the data protection law that will take effect in California in January 2023. Since the United States does not have a federal data protection law in place, most state legislatures have taken action to create regulations to protect their citizens.
California's importance cannot be overstated. Thanks to Silicon Valley, it is at the heart of technological overtures being made on a daily basis. That, in addition to the state's strong purchasing power, makes it vital for businesses looking to operate in the US or to cater to US consumers; compliance with CPRA can very well make or break a business's chance of success. Hence, understanding the essentials of the CPRA, its history, how it differs from the existing regulation, and perhaps most importantly, how to ensure compliance with it should be high on the list of priorities for businesses.
What is CPRA?
The California Privacy Rights Act (CPRA) is California's equivalent of the General Data Protection Regulation (GDPR) in place within the European Union (EU). The legislation was passed in November, 2020 and will come into effect officially on January 1, 2023.
When it does come into effect, it amends the existing California Consumer Privacy Act (CCPA), effectively replacing the CCPA. The CCPA is relatively new legislation itself, only being enforced since July 1, 2020.
So, why is the CCPA being replaced so early? It all goes back to its origins. Back in 2018, a ballot initiative under the "Consumer Right to Privacy Act" was set to appear on the November 2018 ballot. Lobbying from businesses resulted in the passing of a “mellower” version of the originally proposed legislation.
The CCPA was the compromise to appease both businesses and privacy advocates. However, privacy advocates have highlighted several loopholes in the existing CCPA legislation. The CPRA aims to eliminate any such loopholes.
What loopholes specifically? Well, the most important ones relate to the collection of sensitive personal information, consent, dark patterns, online profiling, and data contractors. The CPRA takes a much more unambiguous approach to each of these, while highlighting the responsibilities of data handlers in complying with the requirements as stated in the new regulations.
Why is it important to comply with CPRA?
Under CPRA, it will no longer be a choice to be vigilant about undertaking adequate data protection measures, but a legal requirement. The CPRA is a step-up from the CCPA for businesses themselves in many ways.
Only businesses that cater to at least 100,000 consumers need to comply with it, providing leeway to small-and-medium enterprises. However, there are several other reasons why compliance with the CPRA should be a top priority for businesses.
For starters, the fines related to non-compliance can be devastating for any business. Financial losses are never a good prospect for businesses, especially if these losses could have been avoided altogether.
The second reason is the trust of the consumers. As mentioned earlier, consumers are increasingly becoming educated about their rights. They know what responsibilities websites online have towards them. If a business fails to abide by these regulations, it could adversely affect how consumers view these businesses. Years of hard work, dedication, and goodwill can be lost within seconds if a consumer believes a business does not take data privacy seriously.
CPRA & CCPA: What's the difference?
Of course, once it is understood just how important it is for businesses to comply with CPRA, the natural question is how it differs from CCPA.
The answer will determine just how much a business may need to change its present data collection and processing mechanisms considering most businesses are already expected to be CCPA compliant.
There is a lot of common ground between the CCPA and the CPRA. However, there are also some significant differences between the two. As far as compliance efforts from businesses are concerned, these differences can be described effectively across the following categories:
Interestingly, both the CPRA and CCPA are meant to apply to "for-profit" organizations, meaning that government agencies and non-profit organizations are exempt. However, both the CCPA and CPRA have contrasting criteria for what qualifies as a "for-profit" business. Scope, in this case, refers to who needs to comply with the regulation.
Under the CCPA regulation, a "for-profit" business is an entity that has at least 50,000 consumers or caters to that many households.
Furthermore, it also covers a business that makes 50% or more of its annual revenue from selling consumers' personal information to other businesses.
The CPRA alters the criteria of "for-profit" businesses by defining it as an entity that caters to at least 100,000 consumers or households.
Similarly, the CPRA states that any business that makes 50% or more of its annual revenue from selling or "sharing" consumers' personal information to other businesses must comply with these new regulations.
Hence, businesses that share their users' data with third parties such as vendors or service providers will now have to comply with CPRA, as opposed to CCPA, where an outright sale of data was the stipulated condition.
While not exactly a part of the legislation itself, this is a major factor to consider since the agency responsible for enforcing any regulation usually dictates whether the application of the law will be strict or relatively laissez-faire.
The CCPA is enforced directly by the California Office of the Attorney General (OAG). The OAG oversees the application of the CCPA, responds to user complaints, and administers fines in case of breaches.
Like most other major data protection laws globally, the CPRA establishes a new data protection agency for the exclusive purpose of enforcing the CPRA within California's jurisdiction, i.e., the California Privacy Protection Agency (CPPA).
This is a crucial consideration for businesses when dealing with compliance efforts related to any data protection law. This is how the CCPA and CPRA deal with administrative fines and penalties in case of breaches:
A business will face the following penalties in the aftermath of their relative breaches:
- $2,500 for violations
- $7,500 for intentional violations
- $100 - $750 in damages in civil court
Curiously, the penalties laid down under CPRA are precisely the same as those of the CCPA. However, some additional provisions are important to note for businesses.
A $7,500 fine will be levied on businesses if a minor's privacy rights are violated. However, unlike CCPA, any fines can be avoided if the breach is rectified by altering a business' operational practices within 30 days.
How can Businesses Comply with CPRA?
It all comes down to this question. Once a business has understood its responsibilities, the ultimate question is how it can prepare for CPRA compliance. A surefire way to go would be to take the following steps:
Conduct a Thorough Gap Analysis - Conducting a thorough gap analysis will allow you to see what kind of data you're currently collecting, storing, and using and whether these current practices comply with the law’s requirements. You can then establish a framework to remedy any discrepancies and alter your practices to aid your CPRA compliance efforts.
Consumer Request Fulfillment - Once a Verifiable Consumer Request has been made, it is vital to ensure the request is fulfilled and dealt with properly within 45 days. An effective way to streamline this process is to establish a dedicated toll-free number or email address to make it easier for customers to make such requests and for you to have all such requests properly cataloged in one channel.
Minors' Consent - Remember, there's a $7,500 fine each time a minor's right to privacy is violated. The onus is on the website to ensure proper consent is elicited from the minor's guardian. An excellent way to ensure this is to require an adult's email address to ensure compliance with the CPRA's consent requirements in the case of minors.
Simpler Opt-Out Mechanism - The CPRA requires all websites subject to the regulation to display a "Do Not Sell or Share My Personal Information" and a "Limit the use of my Sensitive Personal Information" button across the website. A business must ensure these options are clearly visible and easily accessible across the website. It must also ensure that dedicated resources are appropriately linked to educate users on topics such as how the data collected from them is used and, most importantly, how to opt out of having their data shared, sold, or forwarded to any other parties.
It may come as a surprise that compliance with CPRA should prove a relatively straightforward process if a business knows the right way to go about it. Since adhering to the CPRA regulations means managing multiple incoming data streams, the answer lies in automating the entire process. Automation is by far the most effective and efficient way to guarantee compliance with CPRA and any other data protection laws globally because of how streamlined the whole process becomes as a result.
About the Author: With a passion for working on disruptive products, Anas Baig is currently a Product Lead at SECURITI.ai. He holds a Computer Science Degree and did his Bachelors in Science from Iqra University. His interests include Information Security, Networking, Privacy, and Data Protection.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.