The California Privacy Rights Act (CPRA) expands consumer data protections and presents new compliance obligations for businesses. As organizations adapt to the evolving regulatory landscape, individuals must also understand how to keep personal information safe. Let’s explore the evolution of the CPRA and how it affects businesses and individuals.
The Evolution of Data Protection in California: From CCPA to CPRA
California has been at the frontier of consumer data privacy regulation in the US. The CCPA laid the groundwork, and CPRA expanded protections further. Let’s explore the history of the CPRA and how it evolved to affect businesses.
California Consumer Privacy Act (CCPA)
Effective in January 2020, the CCPA gave California residents new data rights and imposed obligations on companies. It allowed consumers to:
- Know what personal data is collected about them.
- Access and obtain copies of collected personal data.
- Opt out of the sale of personal data (the CPRA later extended this to “sharing”).
- Delete certain personal data held by businesses.
The CCPA required businesses to disclose their data practices, honor these rights, and maintain reasonable security, and it restricted how personal data could be monetized. Enforcement rested with the California Attorney General; the dedicated privacy enforcement agency came later, with the CPRA.
California Privacy Rights Act (CPRA)
Passed by ballot initiative (Proposition 24) in November 2020 and effective January 1, 2023, with administrative enforcement beginning July 1, 2023, the CPRA enhances and expands consumer privacy rights. Major provisions include:
- Restrictions on using sensitive personal data.
- Expanded opt-out rights beyond just “sale” of data.
- Tighter requirements on notice, consent, access, and retention.
- Full coverage of employee, job applicant, and B2B contact data (the CCPA’s temporary exemptions for these categories expired on January 1, 2023).
- Creation of the California Privacy Protection Agency (CPPA), broader enforcement powers, and increased penalties, including tripled fines for violations involving minors.
The CPRA tightens California’s data rules to give residents stronger control over their personal information. Whether your California business operates exclusively online or only manages ordinary customer service contact information, it is important to understand these requirements and how they apply specifically to your company.
Scope and Applicability of the CPRA
The CPRA affects both businesses and consumers, and understanding its scope and applicability is the first step toward compliance.
The CPRA applies to for-profit entities doing business in California that collect personal information from California residents, determine how it is processed, and meet at least one of the following thresholds:
- $25 million or more in annual gross revenue in the preceding calendar year (this figure is adjusted for inflation)
- Buys, sells, or shares the personal information of 100,000 or more consumers or households per year
- Derives 50% or more of annual revenue from selling or sharing consumers’ personal information
The CPRA protects “consumers,” meaning natural persons who are California residents, and extends to information about a household. Requests can be submitted:
- Directly by the consumer
- By a parent or legal guardian on behalf of a child (opt-in consent for selling or sharing a minor’s data comes from the parent for children under 13 and from the minor for ages 13 to 15)
- By an authorized agent designated by the consumer
Businesses themselves are not protected consumers, although information about their individual employees and business contacts is covered personal information.
The CPRA governs “personal information” as any information that identifies, relates to, describes, is capable of being associated with, or reasonably linkable to a particular consumer or household.
Common examples include:
- Name and contact data
- Financial and employment information
- Browsing history and online behavior
- Purchase history and tendencies
- Geolocation data
- Audio/visual data
- Inferences drawn from the above
Consumer Rights Under the CPRA
California residents have several key rights under CPRA:
Right to Know
Consumers can request details on:
- Types of personal information collected
- Sources of collected information
- Purposes for collection and use
- Third parties information is disclosed/sold to
Right to Access
Consumers can request copies of specific pieces of personal data that businesses hold.
Right to Opt-Out
Broader ability to opt-out of sale/sharing of personal data beyond just “sales” covered under CCPA.
Right to Delete
Right to request deletion of personal information. Businesses must delete upon consumer request unless exempted.
Right to Correct
Right to request correction of inaccurate personal information. Businesses must correct inaccuracies.
Right to Limit Use & Disclosure
Opt-out of certain uses or disclosures of sensitive personal information.
Right to Non-Discrimination
Prohibits discriminatory treatment for exercising CPRA rights.
How to Keep Your Personal Information Safe Under the CPRA
While the CPRA creates new responsibilities for companies, individuals can also take steps to protect personal data:
- Review privacy policies to understand data practices before agreeing. Look for collection, usage, sharing, retention, and protection details.
- Be selective when providing personal information and limit sharing to only what is required. Avoid oversharing on forms, apps, websites, and surveys, and be careful about giving extremely sensitive information, such as your social security number.
- Opt-out of sales/sharing of personal information and cookie tracking where possible. Exercise CPRA data opt-out rights.
- Use strong passwords, enable multi-factor authentication, and monitor accounts for suspicious activity to prevent unauthorized access.
- Check credit reports regularly and set up credit freezes with Credit Reporting Agencies (CRAs) to block fraudulent accounts. Report errors or suspicious entries.
Staying informed on evolving regulations empowers individuals to make smart data-sharing choices and exercise privacy rights. Proactively monitoring accounts and credit activity also helps detect misuse.
Obligations for Businesses and Organizations
Alongside consumer rights, the CPRA also imposes significant privacy, security, and compliance obligations on companies. Whether your company has to regularly process customer credit card transactions or you only collect data for website cookies, it’s important to understand and comply with these obligations.
- Providing Notice: Must inform consumers about data collection, use, disclosure, and retention policies.
- Obtaining Consent: Requires opt-in consent before selling or sharing the personal information of consumers under 16 (parental consent for children under 13), and consent before using personal information for purposes incompatible with those originally disclosed. Sensitive personal information is governed by the consumer’s right to limit its use rather than by up-front consent.
- Honoring Data Rights: Must have processes to validate identity and fulfill consumer rights requests to know, access, delete, correct, and opt-out.
- Protecting Data: Must implement reasonable security safeguards and data handling procedures.
- Limiting Data Use: Restrictions on using certain categories of sensitive data beyond core business purposes.
- Conducting Risk Assessments and Cybersecurity Audits: The CPRA directs the CPPA to adopt regulations requiring businesses whose processing presents significant risk to consumers’ privacy or security (including the use of sensitive data and automated decision-making technology) to perform regular risk assessments and annual independent cybersecurity audits, comparable to data protection impact assessments under other regimes.
- Training Compliance Personnel: Must ensure that the individuals responsible for handling consumer inquiries and requests are informed of all CPRA requirements and how to direct consumers to exercise their rights.
- Contractual Obligations: Must bind service providers, contractors, and third parties by contract to CPRA-compliant handling, including restrictions on retention, use, and onward disclosure of the personal information they receive.
- Publishing Request Metrics: Businesses that buy, sell, or share the personal information of 10 million or more consumers in a calendar year must compile and publish annual metrics on consumer requests received, complied with, denied, and the median or mean time taken to respond.
Compliance and Accountability: How Businesses Must Adapt to CPRA Requirements
Achieving CPRA compliance requires extensive changes, and businesses must be prepared to adapt. Here are key ways companies must pivot to ensure CPRA compliance:
- Gap Analysis: Teams should compare current policies, procedures, systems, and data flows against CPRA requirements to identify gaps.
- Consent Mechanisms: Implement expanded consent requirements for collecting and processing different data types.
- Rights Fulfillment: Build infrastructure and processes to validate identity and fulfill consumer rights requests.
- Data Mapping: Your organization must identify where all consumer data resides, how it flows, and properly tag it.
- Data Minimization: Reduce unnecessary data collection and retention.
- Security Controls: Enhance and document data security safeguards like encryption, access controls, audits, and employee training.
- Vendor Management: Update contracts with vendors/partners and ensure CPRA compliance across the supply chain.
- Record Keeping: Maintain compliance records like DPIAs, consent evidence, and requests fulfilled.
- Training: Educate employees on new policies and procedures, as well as the specifics of CPRA guidelines.
Fulfilling these tasks requires substantial effort and coordination across sales, marketing, engineering, legal, and other internal teams. Appropriate staffing, budget allocation, and executive buy-in are critical.
Best Practices and Strategies to Enhance Data Security and Privacy in the CPRA Era
To go beyond baseline compliance, companies should embed privacy and ethical data handling into their programs. Privacy by design principles involve conducting privacy impact assessments when designing new systems, minimizing data collection, anonymizing data where possible, and following least privilege access rules.
Regarding data minimization, organizations should collect only the data needed for core functionality, set retention periods that are no longer than reasonably necessary for the disclosed purpose, and regularly purge unnecessary data through archiving and selective deletion. De-identification techniques such as pseudonymization (keyed tokenization of identifiers), aggregation, and generalization remove or replace direct identifiers in datasets. Note that the CPRA treats pseudonymized data as personal information; data only qualifies as “deidentified” if the business takes reasonable measures to prevent re-identification, publicly commits not to re-identify it, and contractually binds recipients to the same.
For access controls, companies should require strong authentication such as multi-factor authentication, enforce role-based authorization, and segment access between business functions. Encrypting data both in transit (TLS) and at rest with a modern cipher such as AES-256 is critical, as is proper key management: keys stored separately from the data they protect, access-controlled, and rotated.
Tagging data by sensitivity level allows automated controls tailored to risk. Monitoring system activity detects anomalies, while audits and penetration testing reveal vulnerabilities. Comprehensive training makes employees the last line of defense.
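The following is an added example, not code from the original article or from Vault Verify, showing how the data minimization, de-identification, and retention practices above look in working code: sensitive fields are dropped, direct identifiers are replaced with keyed HMAC-SHA256 tokens, and records past a retention window are purged. The record schema, sensitivity tags, sample records, and the demo key are constructed assumptions; in production the key would come from a key management service and be rotated.

```python
"""Data minimization, pseudonymization, and retention enforcement for consumer records.

Assumptions (constructed for illustration):
- Records are dicts with an ISO-8601 ``collected_at`` timestamp.
- Field sensitivity tags below stand in for a real data-classification catalog.
- DEMO_KEY is a placeholder; real deployments fetch the key from a KMS/HSM.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Classification tags driving automated controls (constructed, not a real schema).
DIRECT_IDENTIFIERS = {"email", "phone"}          # pseudonymize: needed for joins
SENSITIVE = {"ssn", "precise_geolocation"}       # drop: not needed for analytics

# Placeholder key. Pseudonymized data is still personal information under the
# CPRA, so the key must be stored and access-controlled separately from the data.
DEMO_KEY = b"constructed-demo-key-replace-with-kms-key"


def tokenize(value: str, key: bytes) -> str:
    """Return a stable keyed pseudonym for an identifier.

    Normalizing case and whitespace makes the token stable across systems so
    the record can still be joined; the HMAC key prevents rainbow-table reversal
    that a plain hash would allow.
    """
    normalized = value.strip().lower()
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()


def deidentify(record: dict, key: bytes) -> dict:
    """Drop sensitive fields and replace direct identifiers with tokens."""
    out = {}
    for field, value in record.items():
        if field in SENSITIVE:
            continue                                   # minimization: never keep
        if field in DIRECT_IDENTIFIERS:
            out[f"{field}_token"] = tokenize(value, key)
        else:
            out[field] = value
    return out


def purge_expired(records: list, now: datetime, retention_days: int) -> list:
    """Keep only records collected within the retention window."""
    cutoff = now - timedelta(days=retention_days)
    return [
        r for r in records
        if datetime.fromisoformat(r["collected_at"]) >= cutoff
    ]


# Constructed sample records (not real consumer data).
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com ", "phone": "555-0100", "ssn": "000-00-0000",
     "purchase_total": 120.50, "collected_at": "2024-05-20T10:00:00+00:00"},
    {"email": "alice@example.com", "phone": "555-0100", "precise_geolocation": "37.77,-122.41",
     "purchase_total": 15.00, "collected_at": "2022-01-05T09:30:00+00:00"},
    {"email": "bob@example.com", "phone": "555-0199",
     "purchase_total": 42.00, "collected_at": "2024-04-01T12:00:00+00:00"},
]


def process(records: list, now: datetime, retention_days: int, key: bytes) -> list:
    """Full pipeline: enforce retention first, then de-identify what remains."""
    retained = purge_expired(records, now, retention_days)
    return [deidentify(r, key) for r in retained]


if __name__ == "__main__":
    fixed_now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for row in process(SAMPLE_RECORDS, fixed_now, retention_days=365, key=DEMO_KEY):
        print(row)
```

Running the pipeline keeps two of the three sample records (the 2022 record falls outside the 365-day window), removes the SSN and geolocation fields entirely, and emits identical `email_token` values for the two spellings of Alice’s address, which is what makes the tokens useful for joins. Because the tokens are reversible by anyone holding the key, the field drops and the retention purge are what actually reduce the personal information the business holds; the tokenization only limits who can read it.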
Why Vault Verify?
If your business is seeking secure income and employment verification that is CPRA compliant and goes above and beyond to protect your employees’ data security, look to Vault Verify. Our industry-leading technology platform includes data security that offers the strongest protection of employee data for income and employment verification, I-9 administration, and unemployment claims administration.
When you partner with us, you’ll benefit from:
- Data Security: We have the most comprehensive and innovative security measures in our industry that keep your data safe while reducing employee data exposure by 99%.
- 24/7 HR Automation: Customized, easy-to-use employee and administrative portals can be accessed 24/7 with no PIN codes or Salary Keys required.
- Full-Picture Reporting: Our fully configurable output reports mirror your compensation model and needs.
- World-Class Support: Our 99% client retention rate speaks to the fact that we always put our clients first. When you need help, you’ll always speak to a professional, USA-based support specialist.
- Free and Seamless Integration: You’ll benefit from easy, real-time API integration with most payroll and HRIS systems. As a bonus, setup, training, and implementation are totally free.
- Revenue Sharing for Instant ROI: We are the only verification service with a revenue-share model that provides ongoing incentives to support new HR projects. Plus, it never charges you a fee.
If you want to learn more about our secure, intuitive, and revolutionary platform, request your demo today.
Frequently Asked Questions
What companies does the CPRA apply to?
The CPRA applies to for-profit companies doing business in California that meet at least one size threshold: $25 million or more in annual revenue, buying, selling, or sharing the personal information of 100,000 or more consumers or households, or deriving at least half of their revenue from selling or sharing personal information.
What gives me rights under CPRA?
CPRA protects any California resident or household. You automatically have CPRA rights by living in California. They apply to your personal data.
What counts as personal information under the CPRA?
The CPRA defines personal information broadly as anything that identifies, relates to, describes, or can reasonably be linked to you or your household. Common examples are names, contact data, financial information, browsing history, purchase history, location data, and inferences drawn from data about you.
What can I do if a company denies my CPRA request?
First raise the denial with the company and ask for the specific reason; businesses must explain why a request was denied. If you still believe the denial is improper, you can file a complaint with the California Privacy Protection Agency, which oversees CPRA enforcement, or with the California Attorney General.