Voters passed the California Privacy Rights Act (CPRA) or Proposition 24 on November 11th, 2020. While the new law doesn’t go into effect until January of 2023, organizations are already taking steps to ensure compliance.
With the California Consumer Privacy Act (CCPA) already law, businesses wonder what the California Privacy Rights Act is? In this article, you’ll find the information you need to ensure your business complies with the new consumer privacy act.
What is The California Privacy Rights Act (CPRA)?
The CCPA is considered the baseline for the CPRA. The new consumer privacy rights act expands on the regulations set down by the first law. It closes some possible loopholes organizations, and their third-party vendors can use to avoid non-compliance issues and strengthens other weak points in the original act.
Companies will find details on compliance regulations and information on who is responsible for implementing and enforcing the cybersecurity practices. Some procedural nuances are still under revision by the California Attorney General and won’t be finalized until July 1, 2022. With the CPRA regulations going into effect on January 1, 2023, businesses have time to meet the new consumer privacy standards.
What are the CPRA Key Provisions?
Several changes are included in the California Privacy Rights Act that all organizations who do business in the state must follow to avoid non-compliance fines and penalties. Most are expansions of current privacy regulations, so companies don’t need a complete overhaul of their cybersecurity protocols.
Here is a brief review of the key provisions included in the CPRA.
Additional Sensitive Personal Information Sub-Category
The CCPA already covers eleven categories pertaining to personal information (PI). However, the CPRA added a sub-category that covers sensitive personal information (Sensitive PI). The newly included information in the sub-category is:
- Social Security number
- Driver’s License, State, I.D., and passport numbers
- Account login information, including passwords
- Racial and ethnic origins
- Religious and Union affiliations
- Consumers’ exact geographic location
- Consumers’ genetic data
- Email, text, and postal mail contents unless it is a receipt for goods or services purchased by the consumer
- Collecting biometric information to use for identification purposes
- Health information
- Information about an individual’s sex life and sexual orientation
Under the CPRA guidelines, consumers have additional rights concerning collecting, using, and storing Sensitive PI.
Third-Party is Redefined
Most organizations use third-party vendors in some aspect of the business. Under the new consumer privacy act, who is defined as a third-party vendor has changed. Under CCPA guidelines, anyone outside of the business that supplies goods or services is considered a third-party vendor. Organizations are also responsible for ensuring that all vendors meet privacy compliance standards, including how consumer data is collected and used.
To keep up with advancing technology that includes artificial intelligence (AI), some vendors are no longer considered third-parties. It includes contractors, service providers, and businesses the consumer intentionally interacts with and collects information. These exceptions to what is regarded as a “third-party” are important now that consumers have expanded rights to opting-out of sharing their PI with third-parties.
Revised Definition and Limitations on Profiling Consumers
Profiling consumers is an automated process that refers to using PI to predict the following about a consumer.
- Financial situation
- Work performance
- Geographical location
Consumers now have the right to limit how their personal information is used and disclosed for business purposes. Profiling is excluded except for when the company performs a purchased service or delivers the products requested by the consumer. These new limitations will affect how businesses can use AI to obtain PI.
Additional Changes Included in the California Privacy Rights Act
Along with the key provisions in the updated consumer privacy act, companies that do business in California will notice changes to the obligations they are required to follow. These obligations center around protecting consumers’ privacy that includes their personally identifiable information (PII).
Limits on Data Retention and Required Disclosure of Retention Period
Businesses are now required to inform customers of how long their personal and sensitive data is stored. It applies to each of the 11 categories already covered by CCPA, along with the new sub-category that covers instances when an organization does not know how long they need to store a customer’s information. For example, ongoing healthcare when the nature of the patient condition is not known nor the length of treatment.
When businesses cannot provide customers with a definitive length of time, they are required to inform their consumers what criteria are used to determine if the data is still needed. When the information is no longer needed, businesses are not allowed to retain the information, and they may only use the data for the specific reason it was collected.
Limits on Use and Disclosure of Sensitive PI
The new sub-category covers sensitive PI, and consumers have the right to limit how their information is used and disclosed. To avoid non-compliance penalties, organizations must adhere to the revised regulations. Sensitive PI must be included in a separate privacy disclosure notice. The company cannot combine it with the standard disclosure used for personal information.
There are exceptions that organizations need to familiarize themselves with. At the same time, consumers can limit the collection and use of PI to what is required only for the service or goods. Sensitive PI that is not collected by the organization is exempt from the regulations. The reason being that even though the consumer may supply identifiable information, it is not used or disclosed by the company.
Consumers Right to Correct Information
Consumers have the right to correct any incomplete or inaccurate information. Businesses are also obligated to include a notice of the consumer’s right in their privacy disclosure. Organizations are also required to have protocols in place that allow for changes to incorrect consumer data. It includes processing consumers’ requests and making the requested changes promptly.
Right to Opt-Out of PI Sharing
It’s not uncommon for companies to sell consumer information to other businesses, and it is legal as long as the customer agrees. The CCPA already gives consumers the right to instruct enterprises to not to sell their PI, and the updated consumer privacy act takes it a step further.
Consumers now have the right to prohibit businesses from selling or sharing their data with third-party vendors. Often referred to as “cross-contextual advertising. It is defined as when a company sells, trades, or shares PI for advertising purposes. The targeted advertising uses PI gathered from websites, apps, services, and businesses with whom the consumer frequently interacts. Consumers have the right to prevent any selling or sharing of their PI for any purpose.
Non-Discrimination Provision Added
Consumers are already protected against retaliation tactics occasionally used by businesses when they prevent sharing their data. The California Consumer Rights Privacy Act (CCRP) takes it a step further.
Employers will face non-compliance penalties if they discriminate against an employee who refuses to share their personally identifiable information. The new provision also covers Independent contractors.
Contract Requirements for Everyone that Receives PI
Anyone that receives PI must meet specific contract requirements as listed under the CPRA. It includes those that sell and share information, along with contractors and service providers. The contract must include,
- Specify the specific use of and amount of time the data is stored.
- All persons receiving the information must meet and comply with CPRA privacy protection guidelines set down by the CPRA.
- Give the business the right to transfer information in a secure manner consistent with the company’s obligations under CPRA.
- The individual receiving the data must notify the company if it cannot meet the privacy standards.
- Give businesses the right to stop and remediate the unauthorized use of personal information.
The fifth part of the contract gives businesses a proactive measure if they feel a third-party associate is mishandling PI. The company can take steps to resolve the non-compliance issue before the state levies fines and penalties.
Additional Rights for Child Privacy
One of the most notable changes the CPRA brings is additional rights for children’s privacy, Increasing administrative fines that apply to children up to 16 years of age. Penalties are as high as $7,500 for each privacy violation against a minor. It only applies to intentional breaches. Unintentional privacy violations remain the same at $2,500.
The California Consumer Rights Privacy Act also includes additional rights for children, along with their parents/guardians.
Consent Must Be Given for Children Under 16
The CPRA not only gives adults the right to opt-out of sharing or selling their information but their children as well. While the CCPA covers the selling of children’s’ personal information, the new privacy act takes it a little further. Organizations must also allow parents and guardians of minors under 16 years of age to opt-out of sharing the child’s data.
New Watchdog Agency, Rules, and an Extended Private Right of Action
With the passage of the new consumer privacy rights acts, additional rules will also be implemented. These include a private watchdog agency and new regulations on insurance, cybersecurity, and the right of action.
Establishes the California Privacy Protection Agency (CPPA)
The CPRA establishes a new private agency tasked with implementing and enforcing the new consumer privacy regulations. The California Privacy Protection Agency (CPPA) is the first agency in the U.S. focused solely on consumer data privacy protection. It will have the broad authority to investigate CPRA violations and enforce the new standards through administrative action.
When it goes into effect in 2023, the private agency will have almost the same authority as the state’s Attorney General when it comes to investigating consumer privacy complaints and violations.
New Rules on Insurance
The private CPRA governing agency is tasked with reviewing existing insurance codes that relate to consumer privacy. The two exceptions are insurance pricing and rates. The governing agency will decide if the current insurance code provides more robust consumer data protection than the CPRA. If the insurance code does not adequately protect PI, the governing body will recommend that the insurance company adopt the CPRA standards.
Rules for Privacy and Cybersecurity
All organizations that process consumer personal information must perform annual cybersecurity audits and submit a risk assessment to the CPPA that details the company’s practices and protocols that are in place to protect PI.
Even though the California Privacy Rights Act doesn’t take effect until 2023, there are some significant changes that businesses will want to start implementing in the near future. While the CPRA won’t require a complete overhaul of your cybersecurity protocols, changes will need to be made.
If you have questions about the CPRA or need advice on meeting the new compliance standards, the experts at RSI Security are here to help. Contact RSI Security today for a free consultation.