The approval of the California Privacy Rights Act (CPRA or CCPA 2.0) has left many organizations with questions about how they will pivot their existing programs to meet CPRA compliance, so we addressed some of your burning CPRA questions. Many organizations will be shifting from existing California Consumer Privacy Act (CCPA) compliance to focus on the new CPRA, but the good news is there’s still time to prepare! The CPRA comes into effect in January 2023.
What is the California Privacy Rights Act (CPRA)?
The CPRA passed on November 4, 2020 and will enter into effect on January 1, 2023. The CPRA aims to address specific elements of the CCPA that the backers feel come up short. Here’s an overview of the CPRA basics:
- The CPRA makes changes to the CCPA, but it also leaves room for new regulations to make additional changes in the future.
- Changes include new consumer rights, a new category of personal information, and use and retention limitations on personal information.
- The new California Privacy Protection Agency will take over rulemaking and enforcement powers from the CA Attorney General.
Your CPRA Questions
Let’s take a look at some of the CPRA questions that you asked:
1: Will a Data Discovery Tool Be Useful for CPRA Compliance?
In short, yes. The CCPA and the CPRA require you to be able to fulfill access, deletion, and data limitation requests, at the heart of which is the ability to understand the data that you have and where it is. A data discovery tool will help you locate that data and support your fulfillment of these obligations.
However, it is important to remember that data discovery isn’t a miracle tool; you still need to understand your processing purposes and how long you retain data. This additional contextual information can help supplement a data discovery tool.
2: What Does the CPRA Say about Cookies? Under the CPRA, Can Cookie Preferences Be Defaulted To “Yes”?
Under the CPRA, it seems that an opt-out system for cookie preferences is acceptable, but consumers must be given the ability to exercise this opt-out right. However, if you’re taking a global approach to cookies, it is worth remembering that other regulations, like GDPR, the ePrivacy Directive, and LGPD, will require more of an opt-in system.
When operating under an opt-out model, it is always worth being aware of any other regulations or laws that apply to your organization that may have different requirements.
3: Will the CPRA Replace the CCPA?
The CPRA replaces certain aspects of the CCPA and adds additional obligations. The CCPA isn’t gone forever, but the CPRA heavily amends it. Any aspects of the CCPA that the CPRA does not address remain unchanged.
4: If the CPRA Will Not Apply to My Business, Do I Still Need to Be CCPA Compliant?
The CPRA does not come into effect until January 1, 2023, so until then, the CCPA is still applicable and enforceable. So if the CCPA applies to your business, you still need to be CCPA compliant.
Under the CCPA, the threshold for application is an organization that buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices. Under the CPRA, this has been increased to apply to those that buy, sell, or share the personal information of 100,000 or more California residents or households.