Who Does CPRA Apply to? Understanding the Scope of California's Privacy Law
The California Privacy Rights Act (CPRA) is a groundbreaking privacy regulation that significantly impacts businesses working with Californians.
In this article, we'll answer the question, "Who does CPRA apply to?" This article will also include key provisions of the CPRA, the types of businesses that come under its purview, and steps companies must take for compliance.
We will also explore the enhanced consumer rights granted by the CPRA and the possible consequences of noncompliance.
The CPRA is a comprehensive data privacy law that took effect in California on January 1, 2023, and was designed to expand consumers' privacy rights and establish more stringent regulations for businesses that collect, use, and process personal data.
The CPRA builds upon the California Consumer Privacy Act (CCPA), providing significant changes that address consumer privacy concerns while clarifying business obligations.
The primary purpose of the CPRA is to strengthen consumer privacy rights and provide greater control over personal information. It grants Californians the right to access, correct, and delete their personal data and limits the use and disclosure of sensitive information.
For businesses, the CPRA has several implications. It introduces new obligations and requirements, such as data minimization, purpose limitation, and storage limitation principles. Companies must also conduct regular risk assessments and maintain comprehensive data security programs.
The CPRA revises the definition of the word "business," potentially expanding the scope of organizations that must comply with the law. Failure to adhere to the CPRA intentionally or unintentionally can lead to hefty fines and penalties.
Personal Information Under the CPRA
The CPRA defines personal information as “information that identifies, relates to, describes, references, or is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This broad definition includes various types of data that businesses may collect, use or process as part of their operations. The CPRA strongly emphasizes protecting personal information and ensuring consumers have more control over how their data is handled.
Examples of personal information under the CPRA include, but are not limited to:
- Government identifiers
- Postal Address
- Email Address
- Social Security Number
- Drivers License Number
- Passport Number
- Other Similar Identifiers
- Customers Records
- A Signature
- Telephone Number
- Bank Account Number
- Credit Card Number
- Characteristics of protected classifications
- Marital Status
- National Origin
- Gender Identity
- Sexual Orientation
- Commercial Information
- Records of personal property
- Products or Services
- Purchased Products
- Biometric Information
- Psychological Information
- Biological Information
- Behavioral Characteristics
- Internet and other electronic Network Activity
- Browsing History
- Search History
- Professional or Employment-related information
- Job History
- Employment Status
- Other work-related information
Who does CPRA Apply to?
Under the CPRA, the word "business" refers to any legal entity operating for profit that meets one or more specified thresholds outlined by this legislation and its provisions.
This law seeks to safeguard Californian consumers’ privacy while placing responsibility for safeguarding personal information on businesses handling it. Businesses should assess if they fall under CPRA and, if so, take the necessary steps to comply with its requirements.
Annual Gross Revenue
A business must comply with the CPRA if it has over $25 million in annual gross revenue. This threshold applies regardless of the source of the revenue, whether it is derived solely from California residents or other locations.
Personal Information of Consumers
A business that buys sells, or shares the personal information of 100,000 or more California residents or households annually must comply with the CPRA. This threshold was increased from the previous 50,000 under the CCPA.
Deriving Revenue from Selling Personal Information
If a business derives 50% or more of its annual revenue from selling or sharing California residents' personal information, it must comply with the CPRA. This criterion targets companies with a primary focus on monetizing consumer data.
CPRA and Employee Data
The CPRA has implications for employee data protection, expanding on CCPA provisions related to employee data. Employers are expected to abide by certain rules regarding their employees' personal data when handling it according to this Act.
Employers must inform employees about collecting and using personal information for a specified purpose, protection, and intended purpose.
The types of employee data that the CPRA covers are broad, as it includes any personal information collected, used, or processed by a business in the context of its relationship with current, former, or prospective employees. This encompasses various data that employers may handle throughout the employment lifecycle, from recruitment to termination.
Types of Employee Data
- Government Identifiers
- Contact information
- Employment History
- Education information
- Professional certifications
- Job application materials
- Performance evaluations
- Compensation and benefits information
- Human resources records
While the CPRA protects Californian consumers' privacy rights, certain types of businesses and situations fall outside its reach.
These exemptions were implemented to relieve businesses of unnecessary burdens or meet other existing regulations governing how personal information should be handled.
Exemptions vary based on the nature and purpose of a company's business activity, while others depend on meeting certain criteria for processing personal information. Businesses that fulfill all the conditions necessary for exemption may not need to abide by all the CPRA provisions.
Non-profit organizations are exempt from the CPRA, as the law specifically targets for-profit businesses that collect and process personal information.
Government agencies at the local, state, and federal levels are not subject to the CPRA, as they are governed by different privacy laws and regulations.
Businesses Not Meeting Thresholds
Businesses that do not meet any of the CPRA thresholds, such as having less than $25 million in annual gross revenue, handling the personal information of fewer than 100,000 California residents or households, or deriving less than 50% of their annual revenue from selling or sharing personal information, are exempt from the law.
Compliance with Other Privacy Laws
In certain cases, the CPRA provides exemptions for personal information that is collected, processed, sold, or disclosed according to specific sectoral privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), or the Family Educational Rights and Privacy Act (FERPA).
These exemptions apply when the processing of personal information is already regulated under those laws, and compliance with the CPRA would create a conflict.
Employee Data Exemption
While the CPRA covers certain aspects of employee data, some employee rights, such as the right to delete and opt out, do not apply until January 1, 2023, providing a temporary exemption for businesses to adjust their practices related to employee data.
Consumer Rights Provided by the CPRA
The CPRA grants consumers several rights to provide greater control over their personal information and enhance their privacy. These rights empower Californian consumers to make informed decisions about how businesses collect, use, and share their data.
It does not have to be a restriction for businesses; rather than viewing these consumer rights as obligations, businesses should see them as opportunities to build trust, demonstrate transparency, and foster strong relationships with their customers.
This approach can help enhance a company's reputation and boost customer loyalty. The CPRA also encourages businesses to take an active stance towards privacy by design, prioritizing data protection as part of their business operations.
Right to Know
Consumers have the right to obtain information regarding how a business collects, uses, or shares their personal information about them - this includes categories of data collected about them as well as its sources, purposes, and any third parties involved.
Right to Delete
Consumers can request the deletion of their personal information held by a business, subject to certain exceptions, such as legal obligations or the need to complete a transaction.
Right to Opt-Out
Consumers have the right to opt out of the sale or sharing of their personal information for targeted advertising purposes, allowing them to exercise greater control over how their data is used.
Right of a Minor
The California Privacy Rights Act contains provisions designed to safeguard the privacy of minors, defined as individuals under 16 years old.
Businesses are prohibited from selling or sharing the personal data of minors without first receiving affirmative authorization, commonly known as opt-in consent. Consent for children aged 13 and younger must come from their parents/guardians, while 13-15-year-old minors can give themselves opt-in consent themselves.
Right to Request Data Transfer
Under the CPRA, consumers have the right to request the transfer of their personal information from one business to another in a format that is both structured and readily usable. This right is also known as "data portability."
Changing Criteria for Businesses
The CPRA updates the criteria that determine whether a business falls within the scope of the law, expanding the number of companies that may be subject to its requirements. Under the CPRA, a business must comply with the law if it meets any of the following thresholds:
- Has annual gross revenue of over $25 million.
- Buys, sells, or shares the personal information of 100,000 or more California residents, households, or devices annually.
- Derives 50% or more of its annual revenue from sharing or selling California residents' personal information.
CPRA Key Provisions
The CPRA expands upon and strengthens the privacy rights of California consumers, introducing several new provisions that give individuals greater control over their personal information.
These key provisions focus on enhancing transparency, accuracy, and user control over how businesses collect, use, and share personal data.
The Right to Correct a Business's Inaccurate Personal Information
Under the CPRA, consumers have the right to request the correction of any inaccurate personal information held by a business.
This right ensures that individuals can maintain the accuracy and the up-to-date status of their data, minimizing the potential for errors or miscommunications resulting from outdated or incorrect information.
The Right to Opt-Out of Decision-Making
The CPRA grants consumers the right to opt out of automated decision-making processes, including profiling, that may have a significant impact on their legal rights, financial services, or employment opportunities.
The Right to Know of Decision-Making
Consumers have the right to know about a business's use of automated decision-making processes that may affect their rights or interests. This includes the right to request meaningful information about the logic involved in these processes and the potential consequences of the decisions made.
The Right to Limit the Usage and Disclosure of Sensitive Personal Information
The CPRA introduces a new category of personal information called "sensitive personal information," which includes data such as Social Security numbers, financial account information, precise geolocation data, racial or ethnic origin, religious beliefs, and biometric data.
Consequences of Non-compliance
Now that we understand the consumer rights provided by CPRA, we should also think about when not complying can have serious repercussions for businesses - both financially and otherwise.
Failing to adhere to CPRA can result in fines, legal actions, and consumer trust issues, which could potentially harm a company's success and brand image over time. Businesses that prioritize compliance with the CPRA can distinguish themselves from competitors while building stronger customer relationships by prioritizing compliance.
Understanding the potential penalties and fines associated with non-compliance is crucial for businesses to avoid costly mistakes and to take proactive measures to ensure they are adhering to the CPRA's requirements.
Businesses that violate the CPRA may face civil penalties of up to $2,500 per violation or up to $7,500 for each intentional violation. These fines can quickly increase, especially for companies with numerous violations or large-scale data breaches.
Private Right of Action
The CPRA expands consumers’ private right of action, allowing them to seek legal remedies for unauthorized access, theft, or disclosure of their non-encrypted or non-redacted personal information due to a business's failure to maintain reasonable security measures.
Consumers may be entitled to statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.
The CPPA, established under the CPRA, is responsible for enforcing the law and has the authority to investigate potential violations, issue administrative fines, and take legal action against non-compliant businesses.
Noncompliance with the CPRA can have severe reputational repercussions for businesses. Consumers are becoming increasingly sensitive about data privacy, and businesses that fail to protect customer personal information risk compromising customer trust, leading to less customer loyalty and potentially leading to negative publicity.
Businesses covered by the CPRA Act must take appropriate steps to comply with its requirements, which include adopting an assertive data privacy stance, implementing robust security measures, and being transparent about data collection, usage, and sharing practices.
To ensure compliance with the CPRA, businesses should consider taking these steps..
1. Assess Applicability
Determine whether the CPRA applies to your business by evaluating whether you meet the specific thresholds and requirements outlined in the law.
2. Map Data Flows
Identify the types of personal information your business collects, processes, and shares, and map the flow of this data through your organization to understand potential risks and vulnerabilities.
3. Update Privacy Policies
Review and update your privacy policies to ensure they accurately reflect your data collection, usage, and sharing practices and provide clear information on consumer rights under the CPRA.
4. Implement Consumer Rights Mechanisms
Establish mechanisms for consumers to exercise their rights under the CPRA, such as providing an online portal for submitting requests or designating a dedicated contact point for handling privacy-related inquiries.
5. Establish Data Security Measures
Implement reasonable security measures to protect personal information from unauthorized access, disclosure, or theft, and regularly review and update these measures to address evolving risks.
6. Train Employees
Make sure that employees who handle personal information are trained on both the CPRA's requirements and your organization's data privacy policies and procedures.
7. Review Vendor Contracts
Review contracts with vendors and third-party service providers to ensure they comply with CPRA and include adequate safeguards to protect personal information.
8. Monitor and Adapt
Continuously monitor your organization's compliance with the CPRA and adapt your data privacy practices as necessary to address changes in the regulatory landscape, emerging risks, or new technologies.
Does CPRA Apply Outside of California?
Yes, CPRA applies to any business, regardless of location, that collects the personal information of California residents and meets certain criteria.
Does CPRA Apply
Who is exempt from CPRA?
Non-profit organizations, local, state, and federal government agencies, and businesses that do not meet any CPRA thresholds are exempt from the law. Additionally, certain personal information that is collected, processed, sold, or disclosed according to sectoral privacy laws such as HIPAA is also exempt from the CPRA.
GDPR is a European regulation with a broader reach, while CPRA is a California law that provides specific data protections for California residents.
What are the rights of CPRA in California?
CPRA rights include the right to know, delete, and correct personal information and opt out of the sale or sharing of personal information, among others.
How many new rights did CPRA introduce for the individuals in California?
CPRA introduced several new rights, including the right to correct personal information and limit the use and disclosure of sensitive personal information.
Does California have a Constitutional Right to Privacy?
Yes, the California Constitution recognizes an individual's right to privacy.
The CPRA is a groundbreaking privacy regulation aiming to give Californians increased control over their personal information. As these laws evolve, businesses must stay informed about the changes to remain compliant and protect their customers' data.
In this ever-changing data privacy landscape, Captain Compliance can be your trusted partner in navigating the complexities of the CPRA.
Our expert team can guide the implementation of best practices for data protection, conducting risk assessments, and addressing potential vulnerabilities.