CPRA : The Dawn of a stricter privacy regime!

An image of the US and California State Flags representing changes to the California Privacy Right Act (CPRA) of 2020 for an entitled article featured on data-privacy.io

CPRA: The Dawn of a Stricter Privacy Regime!

A new data protection bill for California has been passed and is coming into effect from the first week of 2023. CCPA-compliant Companies have just two years to prepare themselves for the changes that are about to come into effect.

Alot has been asked of privacy professionals ove the last year, especially in keeping track of legislative changes across the globe. One such marked change was enacted in California where a new ballot measure has brought forward changes in privacy compliance for all businesses operating in California.
The newly proposed “California Privacy Rights Act” (CPRA) is set to come into force on the 1st of January 2023 which will undoubtedly give new cause for businesses to be anxious about the compliance deadline. This article, explores some of the noteworthy changes CPRA is set to bring to the existing California Consumer Privacy Act (CCPA).
In a statewide survey of California voters conducted by Goodwin Simon Strategic Research, it was found that 88% of Californians would support a ballot measure expanding privacy protections for consumers’ personal information. Proposition 24(CPRA) was put forward with the aim of preventing companies from undermining the rights provided by the CCPA in the protection of personal data rights of Californian residents. In the November 2020 ballot, more than 9 million voters agreed to the need for more transparency and expansion of consumer rights provided by the CCPA which prompted the introduction of CPRA.

The California Privacy Rights Act (CPRA) introduces specific and significant changes to it’s existing privacy framework which makes it the strongest state law and not to dissimilar from it’s European counterpart, GDPR (read our article on GDPR).

“We’ve laid a historic foundation for consumer rights in California with the passage of the California Consumer Privacy Act, and now it’s time to seize that momentum and take the next step in enforcing and expanding the law to keep pace with an industry that is changing at a break-neck pace” – Alastair Mactaggart, Board Chair, Californians for Consumer Privacy (Lam)

So what’s in the CPRA?

An image of a map of the USA with the acronymn CCPA below it

The CCPA remains in effect until the CPRA’s effective date and will continue to act as the framework for CPRA to operate. This means that the CPRA only establishes certain changes to the basic privacy regulation structure that CCPA has created. However, compliance with CPRA involves greater requirements for third-party contracts, privacy notices, breach response systems etc. The final draft of the CPRA would bring out the following changes:

1. Limit the use of “sensitive” personal information

Personal information shall be categorized into “sensitive personal information” to grant priority to the handling of biometrics, identification numbers, religion, race, sexual orientation, exact geolocation, membership in unions, contents of any personal communications etc. This categorization helps customers limit the use or disclosure of their sensitive personal data and obligates businesses to prevent the use of such data for purposes other than what is necessary for the supply of goods and services.

2. Redefine Publicly available personal data
The CPRA expands the definition of “publicly available” information to include the data voluntarily shared by the consumer on social media platforms and other similar networks. An exception to the definition of personal information under the CCPA involved any information of the customer, lawfully made available as per local, state or federal government records. The CPRA widens this exception to comprise the following:
- Information that is lawfully made available from federal, state, or local government records, or
- Information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or by the consumer; or
- Information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.

Although in common parlance the phrase “made available to the general public” can be an open-ended category referring to the public as a whole, a legal thought on this definition forces us to believe that it does not refer to information that individuals share on their social media which is limited to certain audiences. Hence, dubieties on the definition continues to exist and must be handled with considerable care in lines of precedence on the subject. Additionally, biometric information collected without the customers’ knowledge (for instance, information collected in public places) cannot be considered as information publicly made available by the customer as stated in the CCPA.

1. Allows the Correction of Personal data

Customers are granted the right to request for correction of inaccurate information held by the businesses. This right is granted in addition to the right of access and erasure to individuals. CPRA ensure that business gather and store only such information which is necessary for the purposes stated in the privacy notices (data minimization) and that the customer maintains a control over their data to include only what is accurate.

1. Modify provisions on sale and sharing of personal data

The CPRA requires businesses to provide customers with “opt-out” right to limit the sale and sharing of their personal information to third parties. The bill specifies that consideration is not a mandatory requirement in such cross-context data transfers and that the customers will have a right to limit such transfers if they wish to. A business is required to provide a link, reasonably accessible to the consumer, titled “Do not sell or share my personal information” to opt out of the sale of their personal information. A customer must also have access to a link titled “Limit the use of my sensitive personal information” enabling them to limit the use or disclosure of their data for certain controlled purposes as per the Bill.

1. Establish a Data Protection agency and create stringent punitive measures

The Bill triples the fine amount for data breaches involving personal information of children under the age of 16, if businesses had reasonable knowledge about the age of the consumer. The bill also strikes out the 30-day cure period extended to violations of the Bill provisions (originally CCPA). The Bill effectively establishes the “California Privacy Protection Agency” as a body to enforce the Bill provisions through administrative practices. The Attorney General of California continues to hold the “rule-making” power until 1st of July 2021 or six months after the Agency notifies CA Ag that it is prepared for rule-making.

Final Analysis

California has always been at the forefront of privacy developments in the US and the California Consumer Privacy Act has heralded a sea change for privacy bills across the states in US. The new Bill is expected to create stronger laws with tightened authoritative enforcement procedures to effectively implement it in the state. California Privacy Right Act 2020 is believed to bring out stronger online privacy rights to protect sensitive and personal data of consumers especially that of children.

Relevant Links

Goodwin Simon Strategic Research results on California Privacy Survey(Accessed on March 2, 2021):
https://assets-global.website-files.com/5aa18a452485b60001c301de/5da7a66278dd751306184114_MEMO%3A%20Key%20Findings%20CA%20Privacy%20Online%20Survey%20October%202019.pdf
Find Proposition 24 original text here(Accessed on March 3, 2021):
https://vig.cdn.sos.ca.gov/2020/general/pdf/topl-prop24.pdf
What is Proposition 24? (Accessed on February 12, 2021)

Your Privacy Rights
Activist Behind California’s New Privacy Law Already Wants to Improve It (Accessed on February 26, 2021):
https://www.wsj.com/articles/activist-behind-californias-new-privacy-law-already-wants-to-improve-it-11577615401