On November 3, 2020, Californians voted the California Privacy Rights and Enforcement Act (CPRA or CCPA 2.0) into law. The CPRA makes a variety of amendments to the requirements in the California Consumer Privacy Act (CCPA).
While the majority of provisions in the CPRA do not go into effect until January 1, 2023, many businesses are thinking about these requirements ahead of time, and with good reason. Changes to business and privacy practices can take time, and with privacy looming on the minds of consumers and stakeholders alike, organizations are trying to stay ahead of the curve.
Here are some topics to consider when examining what the CPRA means for your privacy program.
Want to hear the reaction and analysis from leading industry panelists? Register for the webinar CPRA: What You Need to Know
Reexamine the CPRA (CCPA 2.0) Threshold
One issue that some businesses have with the CCPA is that a lot of small businesses fell under the CCPA’s definition of business. To fall under the scope of the CCPA, a business must do business in California, collect personal information from California residents, and decide how that information is collected, used, and shared. However, a business must also meet one of three additional requirements:
- Make over $25 million in annual gross revenue,
- Make over 50% or more of annual gross revenue from selling personal information, or
- Collect, buy, or share the personal information of over 50,000 California consumers
However, the CPRA considers the concerns of small businesses by adjusting one of these three requirements – specifically:
- Collect, buy, or share the personal information of over 100,000 California consumers
Therefore, small businesses that fell under the CCPA’s scope via this threshold should reevaluate the business’ qualifications under the CPRA’s new threshold.
Check Your Data Practices
The CPRA includes data minimization, purpose limitation, and storage limitation requirements. If the CPRA comes into effect, consumers must be informed regarding how long a business stores personal information. The CPRA notes that the collection, storage, and use of consumer information should be “reasonably necessary and proportionate” to accomplish the stated purposes.
Businesses should evaluate their practices to ensure that they are including an appropriate retention time for the various types of personal information that they store. Businesses should also consider how they want to integrate data minimization and purpose limitation into their practice, if they do not already do so.
Check for Sensitive Personal Information
The CPRA has defined a new type of personal information – Sensitive Personal Information. Sensitive personal information includes information such as Social Security numbers, driver’s license, and passport numbers, consumer account logins, precise geolocation, the content of the email, genetic information, sexual orientation, and more.
Under the CPRA, if a business collects sensitive personal information, consumers will have the right to direct a business to limit the use of this information to what is needed to perform services or provide goods. Businesses will need to create a “Limit the Use of My Sensitive Personal Information” link, much like the “Do Not Sell My Personal Information” link already required under the CCPA.
Prepare for New Consumer Requests
The CPRA provides consumers with a variety of new consumer rights. For example, the term “share” has been added to refer to the sharing of personal information to a third party for cross-context behavioral advertising purposes, regardless of whether or not monetary or other valuable consideration is exchanged. As such, the CPRA now includes the right to opt-out of sharing personal information, and the original “Do Not Sell” link has been adjusted to “Do Not Sell or Share” to reflect this new right.
Additionally, consumers will have the right to correct inaccurate personal information. Businesses must take reasonable steps to do so after verifying the consumer’s identity. Therefore, businesses should prepare internal policies for how to rectify inaccurate personal information.
The existing right to access has also been amended. Specifically, in the CCPA, businesses were only required to provide information from the twelve months preceding the access request. In the CPRA, however, the twelve-month limit has been removed. Therefore, if the information is maintained for more than twelve months, a business may have to provide more information than it did under the CCPA. Businesses should therefore examine their retention practices and create policies on fulfilling these requests in light of the CPRA’s changes.
These are only some of the changes that can be found in the CPRA. However, these topics create a solid starting point for businesses looking to start adjusting their practices in light of the CPRA. While the effective date of January 1, 2023 seems far away, we all know how quickly that day will come, and it is a good idea for businesses to begin thinking about necessary changes sooner rather than later.
Want to know more about the CPRA? Get an overview of the CPRA in this blog.