The California Privacy Rights Act (CPRA) is a California state law that builds upon the California Consumer Privacy Act (CCPA) and provides California residents with additional rights and protections when it comes to their personal information. The CPRA was passed in November 2020, and it went into effect on January 1, 2023.
One of the main changes introduced by the CPRA is the creation of a new category of personal information called "sensitive personal information." This includes information such as precise geolocation data, government-issued identification numbers, and certain health information. Organizations are required to obtain explicit consent before collecting, sharing or selling sensitive personal information, and they must also provide additional opt-out rights for this category of personal information.
Another important aspect of the CPRA is that it establishes the California Privacy Protection Agency (CPPA) as an independent agency to enforce the law and to protect the rights of California residents. The agency will have the authority to investigate and take enforcement action against organizations that violate the law, including imposing fines.
The CPRA also expands the definition of "personal information" to include browsing history and search history. As a result, organizations must provide additional transparency and control over the collection and sharing of this information. Additionally, the CPRA grants consumers the right to correct inaccurate personal information, and the right to limit the use of personal information for certain purposes, such as targeted advertising.
Another key feature of the CPRA is the right to know about the specific pieces of personal information that an organization has collected about a consumer, as well as the categories of third parties with whom the organization has shared or sold the information.
The CPRA also expands the rights of California residents to file private lawsuits against organizations that violate the law. It also strengthens the provisions related to data breaches, requiring organizations to provide notice of data breaches to affected individuals within 15 days of the discovery of the breach, and to provide notice to the CPPA within 30 days.
The CPRA also includes new provisions for specific industries, such as the entertainment industry and the connected device industry. For example, the CPRA requires entertainment companies to obtain explicit consent before collecting personal information from children under the age of 16 and to provide additional opt-out rights for this category of personal information.
Additionally, the CPRA also creates new rights and obligations for service providers that process personal information on behalf of other organizations. Service providers are now required to implement appropriate security measures to protect personal information and to notify the organization if they become aware of a data breach.
In summary, the California Privacy Rights Act (CPRA) is an important California state law that builds upon the California Consumer Privacy Act (CCPA) and provides California residents with additional rights and protections when it comes to their personal information. It creates a new category of personal information called "sensitive personal information" which organizations must obtain explicit consent before collecting, sharing or selling. It also establishes the California Privacy Protection Agency (CPPA) as an independent agency to enforce the law and to protect the rights of California residents. Additionally, it expands the definition of "personal information" to include browsing history and search history, expands the rights of California residents to file private lawsuits against organizations that violate the law and also includes new provisions for specific industries such as entertainment industry and connected device industry.
While they are both California specific privacy laws the CPRA is the updated version of the CCPA. The main differences between the CCPA and CPRA is that the CPRA creates a new category of personal information called "sensitive personal information." This includes information such as precise geolocation data, government-issued identification numbers, and certain health information. Organizations are required to obtain explicit consent before collecting, sharing or selling sensitive personal information under CPRA, and they must also provide additional opt-out rights for this category of personal information.
Another difference is that the CPRA establishes the California Privacy Protection Agency (CPPA) as an independent agency to enforce the law and to protect the rights of California residents. The agency will have the authority to investigate and take enforcement action against organizations that violate the law, including imposing fines.
The CPRA also expands the definition of "personal information" to include browsing history and search history, whereas the CCPA does not. As a result, organizations must provide additional transparency and control over the collection and sharing of this information under CPRA. Additionally, the CPRA grants consumers the right to correct inaccurate personal information, and the right to limit the use of personal information for certain purposes, such as targeted advertising, while the CCPA doesn't have these provisions.
Another key feature of the CPRA is the right to know about the specific pieces of personal information that an organization has collected about a consumer, which has similarities to the data subject access requests that are a part of the GDPR laws in Europe. CCPA is different in that the categories of third parties with whom the organization has shared or sold the information needs to be disclosed now if requested. The CCPA also provides the right to know but it's not as specific.