If you operate a business in California or if you collect personal data from consumers in California, you must abide by the terms of the California Privacy Rights Act.
The CPRA, or California Privacy Rights Act, is an amendment and extension to the CCPA (California Consumer Privacy Act). It became effective on January 1st, 2023, while the CCPA itself became law three years before in 2020.
While the CCPA/CPRA mainly protects consumers who are residents of California, your business doesn’t have to be based in this US state. The law applies to businesses across the globe.
Who is Affected by the CPRA?
The law affects customers who live in California permanently, those who are there temporarily (for work), and those who reside in the state but are on vacation elsewhere.
It does not affect someone who is in California for a holiday or vacation.
The CPRA applies to for-profit entities that do business in California. They must also meet one of the following criteria:
- They buy, sell, or share the personal information of 100,000 or more residents, households, or devices in California
- The business has a gross annual revenue of $25 million or more
- Or, a minimum of 50% of the business’s annual revenue comes from the sale of consumers’ personal information
CPRA Key Requirements
Although the criteria above are pretty straightforward for the most part, they still require a little more explanation.
- The business must buy, sell, and/or share the personal information of 100,000+ California residents.
This is not limited to buying and selling data, or to sharing data with a third party via cross-context behavioral advertising.
In other words, if you have 100,000 or more unique visits to your website from California (again, only residents, not people vacationing there), you must abide by the CPRA.
- Your business has a gross annual revenue of at least $25 million.
This criterion is pretty self-explanatory.
Note that “gross revenue” refers to the amount of money your business earns from sales in a certain period (for “gross annual revenue”, that is between January 1st and December 31st of the same year), while “net revenue” equals gross revenue reduced by your expenses for the same period.
- At least 50 percent of your annual revenue is from selling consumers’ personal information
If at least 50% of your annual revenue derives from selling or sharing your consumers’ personal information, then it doesn’t matter whether your gross annual revenue is $25 million or $25 thousand.
Today, data has become more valuable than gold and businesses require data to better serve their consumers.
However, they still need to ensure that their consumers’ privacy is protected.
You probably saw a link to a privacy policy somewhere in the footer of the website you visited but didn’t pay much attention (yeah, most privacy policies are dull).
Still, this is one of the most important documents on your website (so be sure it’s written by someone who is an expert, as this is not your typical blog post).
- What data you collect (preferably a list with descriptions)
- Where you obtain this data
- How you collect data
- How you store data
- Why you collect data
- Are you selling or sharing the data you collect, and with whom
- Your consumer’s privacy rights
- How your consumers can exercise their rights
- How consumers can access and remove the data you collected
- Personal data that you collect from consumers
- Where you collect the data
- The purpose of collecting this data
- What data you sell to or share with third parties
- Consumers’ privacy rights (how they can opt out of data collection, access or delete their data)
- How to submit a privacy request (with at least two methods of doing so)
- Children’s opt-in
- A link to “Do Not Sell My Personal Information”
- A 12-month Update
Personal Data that You Collect From Consumers
According to the California Civil Code, “personal information” under CCPA includes “information that identifies, relates to, or could reasonably be linked with you or your household.”
In other words, this includes your name, email address, biometric data like fingerprints, Internet browsing history, social security number, product purchase records, etc.
Note that “personal information” under CPRA does not include already publicly available information.
- Data safeguarded against security breaches like name, date of birth, SSN, driver’s license
- Gender, race, ethnicity
- Biometric data (face recognition, fingerprints, voice recordings, etc.)
- Audio, video, electronic, or thermal data
- Professional and educational data
- Data derived from profiling
- Commercial data, like records of services purchased
Where Do You Collect the Data?
Websites can collect data as a first party or as a third party.
As a first party, the website collects data directly from its visitors as they engage with its web pages. By contrast, a third party is an outside source that might use trackers to collect consumer data from multiple websites.
Three types of trackers are used to collect data:
- Cookies, which are small data files that are sent and stored on the user’s computer
- Pixels, or small, pixel-sized images that are downloaded when a new webpage loads, informing the website owner that the page was loaded, and
- Browser fingerprinting, which collects information about what browser you are using, its version, operating system, plugins, etc.
Why Do You Collect Data?
If you are collecting data from your users, you must be clear about the purposes for which you gather it.
Here are some of the reasons why you might collect your consumers’ personal data:
- For identification and verification
- To better deliver your service
- To improve user experience
- To better communicate with them
- For marketing and advertising purposes
- Legal compliance
What Data Do You Sell or Share With Third-Party Entities?
If you are selling or sharing data with third parties, like other websites or companies, you must also specify those third parties and why you sell or share consumer personal data with them.
For example, third parties that you sell or share data with might include:
- Service providers
- Marketing providers
- Brands and companies affiliated with yours
- Government agencies, law enforcement, and other third parties
- Parties involved in a business transaction or merger (in case your business is acquired by another company, acquires another company, merges with another company, or is reorganized)
Consumer Privacy Rights
As residents of California, your consumers have the following rights:
- Right to know.
At the moment, consumers can request the following from you: 1) the categories and specific pieces of information you have gathered about them; 2) the categories of sources from which you collected their personal information; 3) the purpose(s) for which you will use their personal information; 4) the third parties to which you sell or with which you share this information.
- Right to delete
Next, consumers also have the right to request that you delete the personal information you previously collected about them, and that you instruct any third parties to do the same.
Note that there are some exceptions, such as when the business is required by law to keep this data.
- Right to correct
If the consumer notices that you have wrong information about them, they can also request that you correct it.
- Right to limit the use and disclosure of sensitive personal information
Additionally, consumers can limit the purposes for which you use some of their sensitive personal information, for instance, to only providing the service they requested.
- Right to opt-out of data sale and sharing
Finally, users can also request to “opt-out” of data selling or sharing until they authorize your business to do so once more.
How can Consumers Submit a Privacy Request?
The methods you offer (at least two) can be:
- An email address
- A contact form on your website
- Phone number
- Post office address
Keep in mind that once a consumer issues a privacy request, you have 45 days to address it.
If you are aware that your business is collecting data from children, you need to get an opt-in from their parents or guardians if they are under 13 years old.
For children between 13 and 16, the child can give the opt-in themselves.
Do Not Sell My Personal Information Link
If your business sells or shares personal information it gathers from consumers, you must include a visible “Do Not Sell or Share My Personal Information” link as part of your “notice at collection”.
A notice at collection is a notice that you provide before or at the point of data collection. It includes:
- A list of categories of personal information that you intend to collect
- The purposes for which you collect consumers’ personal information
- Information on how consumers can opt out of the sale of their personal information to third parties
Privacy policies are notoriously difficult to create.
On the one hand, you want to ensure that you include everything that is needed for the policy to comply with the law, and on the other, you want to present the information in a way that is clear to the user.
- Add information about your website or app (domain name, URL, etc.)
- Provide information about your business (business name, address, etc.)
- Select your country (and state if you operate a business in the United States)
- Include what personal information you intend to collect from consumers (first and last names, addresses, phone numbers, email addresses, and social media information)
Even though CPRA took effect on January 1st, 2023, it was not enforced until July 1st.
Specifically, the California Civil Code §1798.185(d) states that:
“Notwithstanding any other law, civil and administrative enforcement of the provisions of law added or amended by this Act shall not commence until July 1, 2023, and shall only apply to violations occurring on or after that date.”
In other words, your business is not subject to enforcement for something that happened before that date under CPRA.
- COPPA (Children’s Online Privacy Protection Act)
- CalOPPA (California Online Privacy Protection Act)
- PIPA (Personal Information Protection Act of Maryland)
- Computer Fraud and Abuse Act of 1986
- Computer Security Act of 1997
- SHIELD (Stop Hacks and Improve Electronic Data Security Act of New York)
- EU’s GDPR (General Data Protection Regulation)
- UK’s Data Protection Act 1998
- Canada’s PIPEDA (Personal Information Protection and Electronic Documents Act)
- The type of personal information that you collect
- Why you collect personal information
- How you collect personal information
- How you use personal information
- How you share personal information
- Whether you sell personal information
- With whom you share or sell personal information
- Your data retention policies (how and why you store data you’ve collected)
- How you protect the data you’ve gathered
- What the consumers’ rights are
- Your contact information
What is CPRA Compared to GDPR?
CPRA (California Privacy Rights Act) and GDPR (General Data Protection Regulation) both aim to protect personal data and enhance privacy rights. However, they differ in several respects, such as:
- Scope. CPRA only applies to California residents, while GDPR applies to EU/EEA residents
- Data subject rights. Both privacy laws outline largely the same data subject rights, such as the right to access data, the right to correct/rectify data, and the right to delete/erase data. Additionally, CPRA allows consumers to limit the use of their sensitive personal information, which is not specified in GDPR.
- Definition of personal data. CPRA’s definition of “personal data” is broader than GDPR’s and also covers “sensitive personal data” such as health data, race, or ethnicity.
When Does the California Privacy Rights Act (CPRA) Go Into Effect?
The CPRA took effect on January 1, 2023, but it was not enforceable until July 1, 2023.
What is the Importance of CPRA?
Overall, the California Privacy Rights Act (CPRA) is important because it gives consumers more control over their personal information and requires businesses to protect that information.
More specifically, CPRA does the following:
- Enhances users’ privacy rights
- Imposes obligations on businesses to protect customer privacy rights
- Sets a new privacy law standard
- More effectively enforces consumer privacy rights through the California Privacy Protection Agency (CPPA)
Ensure that you’re handling your customer’s sensitive data with due care with our team of data privacy compliance superheroes!