The California Privacy Rights Act (CPRA) is sometimes called “CCPA 2.0” because it amends the California Consumer Privacy Act (CCPA) and expands Californians’ privacy rights. It also extended the scope of individual privacy rights to cover employees and business-to-business contacts as well as consumers.
- January 1, 2023 – the CPRA became effective
- July 1, 2023 – the CPRA became enforceable.
The California Privacy Protection Agency (CPPA) was established in 2021 to enforce the CCPA and the CPRA. The CPPA has the authority to:
- Audit businesses’ data protection and cybersecurity activities to determine whether they provide “reasonable security procedures and practices appropriate to the nature of the personal information” or fail to meet these obligations
- Investigate notified breaches and other possible violations of the CPRA rules
- Make probable cause determinations of violations
- Subpoena witnesses and documents for evidence
- Conduct hearings to review evidence
- Issue cease and desist orders
- Make orders for payment of fines
- Bring civil actions to enforce payment of penalties.
CPRA Penalties and No More 30-day Cure Period
Businesses no longer have a 30-day cure period for violations under the CPRA. The CPPA can act immediately once it has determined that a business has violated the CPRA, including asking the California Attorney General to impose fines per person affected by a breach, which can quickly add up.
Businesses found failing to protect Californians’ personal information and/or failing to address customer requests face four kinds of penalties for each violation:
- $2500 fine per person affected by a breach that exposes Californians’ personal information when the violation was unintentional
- $7500 fine per person affected by an intentional breach (e.g., non-compliant use, sale, or sharing of personal information; or not responding to customer requests related to their privacy rights)
- $7500 fine per child under 18 (i.e., a minor) affected by a breach that exposes their personal information, regardless of whether the violation was unintentional or intentional
- Between $100 and $750 in statutory damages or actual damages (whichever is greater), awarded to each person who sues over a security breach involving their personal information (see below).
Private Right of Action Under the CPRA
Californians’ right to sue for statutory damages and actual damages applies when they are affected by certain kinds of data breaches.
This private right of action requires that the following conditions are met:
- The breach led to personal data being exposed (including unauthorized access, copying, theft or disclosure)
- The breach is determined to have been due to a business failing to implement reasonable security measures
- The breach exposes a person’s email address together with a password or security question and answer, or their non-encrypted or non-redacted personal information.
Read our CPRA Technical Brief
Get up to speed on how CPRA impacts technical activities related to the collection of personal information and data privacy rights, including:
- Data minimization
- Notices of collection
- Links to allow Californians to exercise privacy rights
- Consent controls (e.g., opt-in).
CPRA Compliance Checklist
Businesses have extensive obligations under the CPRA to establish and maintain “reasonable security procedures and practices” to protect personal data, particularly Personally Identifiable Information (PII).
They are also required to make it easy for individuals to exercise their privacy rights, and to respond to requests efficiently and effectively.
We recommend the following CPRA compliance actions:
Know your data
Create a data map identifying where the personal information of Californians is collected, processed, stored, and distributed (including sharing or selling data to third parties).
Update your data management policies and procedures
Ensure CPRA compliance is well communicated and adhered to across your organization by building and implementing a comprehensive, automated privacy program. All staff should be trained on CPRA compliance. The CPRA also requires businesses to complete a Records of Processing Activity (RoPA).
Update third-party contracts to include CPRA compliance
Your business must include CPRA compliance requirements (e.g., security and privacy obligations) in all written contracts with third parties, service providers, and contractors involved in processing any personal information on your behalf.
Perform regular security audits and risk assessments
Assess the risk of personal data being exposed to, accessed by, or exploited by unauthorized parties. Risk assessments should cover network and database breach risks, non-compliance with your own data management processes and procedures, and third-party non-compliance with the CPRA.
Note: you must perform regular risk assessments on all third parties with which your organization shares, discloses, or sells personal data, including service providers that manage PII on your behalf.
Establish data minimization and retention rules
Under the CPRA, businesses may only collect and process the minimum personal data necessary for their stated purposes. As well as reducing the amount of data that can be collected, the CPRA also limits the permitted purposes for data collection and how long data can reasonably be retained (data retention limitation).
Add notices at Point of Collection
You must publish plain-language notices at or before the point of data collection explaining the categories of personal data you intend to collect (including PII and sensitive personal information), the purpose(s) for each (and whether it could be shared, disclosed, or sold), how long this data will be stored, and your processes for data retention limitation. You must also include explicit opt-in/opt-out notices so that parents and guardians of children can control or withdraw consent for the collection of information from minors.
Add links for opt-outs
Your website must display two clearly labeled links so Californians can exercise the following data privacy rights:
i. Limit the Use of My Sensitive Personal Information
ii. Do Not Sell or Share My Personal Information
Honor consumer requests
Establish clear processes and policies for responding to consumer requests related to their privacy rights (e.g., the rights to know, correct, delete, access, port/extract, and opt out). The CPRA forbids retaliation against consumers who exercise their privacy rights.
TrustArc can help your business with CPRA compliance
TrustArc knows privacy compliance can be challenging for businesses, so we have developed a suite of expert-designed resources to help you get on top of CPRA compliance:
- Download the TrustArc Cloud Compliance Guide, which includes advice on achieving compliance with regulations such as GDPR, CCPA, and CPRA
- Download our GDPR, CCPA & CPRA Comparison Chart to quickly understand the different compliance obligations of each privacy regulation