What does the new California Privacy Rights Act mean for your business?
Effective January 1, 2023, the California Privacy Rights Act (CPRA, Cal. Civ. Code §§ 1798.100, et seq.) strengthens and amends the California Consumer Privacy Act (CCPA). The CPRA will bring California privacy rights up to European consumer protection standards set by the European Union General Data Protection Regulation (EU GDPR). Let’s take a closer look at what this new act means for businesses doing business with California consumers.
What does the CPRA do?
The CPRA has established a new agency, the California Privacy Protection Agency (CPPA), as the party responsible for enforcing the guidelines set by the CPRA. The most notable guidelines have expanded and escalated the definition of Personal Information, have required increased consumer ability to opt out of information sharing, and have created clear compliance standards regarding consumer information privacy and protection, including enhanced cybersecurity audits and risk assessments.
What consumer data is subject to protection under the CPRA?
The CPRA’s expansion of “Personal Information” extends protection to any information that is generally related to a particular consumer or household, like an online identifier, internet protocol address, search records, browsing history, geolocation data, etc. This information will now require increased protection by businesses dealing with California consumers.
The CPRA has also created an escalated category of information dubbed “Sensitive Personal Information,” which includes login information, bank information, precise geolocation, email content, genetic and biometric data, personal health information, religious affiliation, etc. Not only will this information require increased protection under the CPRA, but it will also now require a conspicuous online “opt-out” option for consumers.
What additional protections are businesses responsible for under the CPRA?
Businesses affected by the CPRA must expand their “opt-out” provisions to be easily found and understood by consumers. In addition, they must comply with new consumer rights regulations regarding deleting consumer information, correcting inaccurate data, protecting access to data, and consumer ability to opt out of precise geolocation advertising. They must also include methods of parental consent to collect or share personal data about a consumer under the age of 16.
Further, any business collecting the personal information of a California consumer must prove its internal infrastructure is sound enough to support the cybersecurity measures required to protect that data and will be subject to audit or risk assessment to ensure this compliance.
Are there non-compliance penalties?
Penalties for non-compliance can reach $2,500 for each violation and up to $7,500 for each violation involving minors or intentional violations. There is no ceiling on the number of violations for any one business, and an individual breach could escalate to a class-action lawsuit.
Who does the CPRA affect?
Notably, a company does not need any physical presence in California for the CPRA to apply. The CPRA applies to for-profit businesses providing goods or services to California consumers and meeting one or more of the following financial criteria:
- Had annual gross revenue of over $25 million in the previous calendar year. Note: this applies to ALL corporate revenue regardless of its source. For example, if $1,000,000 in gross revenue comes from doing business in California, and $25,000,000 in gross revenue comes from other states or countries, that business must comply with CPRA.
- Buys, receives, sells or shares “personal information” of more than 100,000 California consumers or households annually. (This quantum is expanded from 50,000 consumers under the CCPA.) “Selling” personal data has a broad definition, including “selling, renting, releasing, disclosing, disseminating, making available, transferring or communicating orally, in writing or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.” Transferring information to third parties via “cookies” (considered “valuable consideration”) is considered a “sale” of personal information.
- Derives 50 percent or more of its annual revenue from selling or sharing consumers’ personal information.
Contact us to learn if your business will be held accountable under the terms of the CPRA and to know what steps to take to ensure compliance.