BLOG

Thoughtful Insights On The World We Live In

CPRA

What does the new California Privacy Rights Act mean for your business?

Effective January 1, 2023, the California Privacy Rights Act (CPRA, Cal. Civ. Code §§ 1798.100, et seq.) strengthens and amends the California Consumer Privacy Act (CCPA). The CPRA will bring California privacy rights up to European consumer protection standards set by the European Union General Data Protection Regulation (EU GDPR). Let’s take a closer look at what this new act means for businesses doing business with California consumers.

What does the CPRA do?

The CPRA has established a new agency, the California Privacy Protection Agency (CPPA), as the party responsible for enforcing the guidelines set by the CPRA. The most notable guidelines have expanded and escalated the definition of Personal Information, have required increased consumer ability to opt out of information sharing, and have created clear compliance standards regarding consumer information privacy and protection, including enhanced cybersecurity audits and risk assessments.

What consumer data is subject to protection under the CPRA?

The CPRA’s expansion of “Personal Information” extends protection to any information that is generally related to a particular consumer or household, like an online identifier, internet protocol access, search records, browsing history, geolocation data, etc. This information will now require increased protection by businesses dealing with California consumers.

The CPRA has also created an escalated category of information dubbed “Sensitive Personal Information,” which includes login information, bank information, precise geolocation, email content, genetic and biometric data, personal health information, religious affiliation, etc. Not only will this information require increased protection under the CPRA, but it will also now require a conspicuous online “opt-out” option for consumers.

What additional protections are businesses responsible for under the CPRA?

Businesses affected by the CPRA must expand their “opt-out” provisions to be easily found and understood by consumers. In addition, they must comply with new consumer rights regulations regarding deleting consumer information, correcting inaccurate data, protecting access to data, and consumer ability to opt out of precise geolocation advertising. They must also include methods of parental consent to collect or share personal data about a consumer under the age of 16.

Further, any business collecting the personal information of a California consumer must prove its internal infrastructure is sound enough to support the cybersecurity measures required to protect that data and will be subject to audit or risk assessment to ensure this compliance.

Are there non-compliance penalties?

Penalties for non-compliance can reach $2,500 for each violation and up to $7,500 for each violation involving minors or intentional violations. There is no ceiling on the number of violations for any one business, and an individual breach could escalate to a class-action lawsuit.

Who does the CPRA affect?

The CPRA applies to for-profit businesses providing goods or services to California consumers and meeting one or more financial criteria. Notably, a company does not need any physical presence in California for the CPRA to apply.

  • The previous calendar year had an annual gross revenue of over $25 million.  Note:  this applies to ALL corporate revenue regardless of its source.  For example, if $1,000,000 in gross revenue comes from doing business in California, and $25,000,000 in gross revenue comes from other states or countries, that business must comply with CPRA. 
  • Buying, receiving, selling or sharing “personal information” of more than 100,000 California consumers or households annually. (This quantum is expanded from 50,000 consumers under the CCPA). “Selling” personal data has a broad definition, including “selling, renting, releasing, disclosing, disseminating, making available, transferring or communicating orally, in writing or by electronic or other means, a consumer’s personal information to another business or their party for monetary or other valuable consideration.” Transferring information to third parties via “cookies” (considered “valuable consideration”) is considered a “sale” of personal information.  
  • Derives 50 percent or more of its annual revenue from selling or sharing consumers’ personal information.

Contact us to learn if your business will be held accountable under the terms of the CPRA and to know what steps to take to ensure compliance.

Related

Intellectual Property – A Roundtable Discussion

Protecting your intellectual property (IP) is essential to running a successful business. Understanding the different types of IP and how they work can ensure your ideas remain secure and utilized…

>>

USA and India Law Firms Join Forces in Cross-Border Business Collaboration

Chapel Hill, NC – Bagchi Law, a premier business law firm located in the United States of America, and Stoicus Legal, a boutique business law firm located in India, are…

>>

What does the new California Privacy Rights Act mean for your business?

Effective January 1, 2023, the California Privacy Rights Act (CPRA, Cal. Civ. Code §§ 1798.100, et seq.) strengthens and amends the California Consumer Privacy Act (CCPA). The CPRA will bring…

>>

Startup Spotlight: Docupilot’s Innovative Document Automation

Rohit Reddy and Aravind Surendran saw a gap in the business world – so they filled it. They created Docupilot, a document generation program that quickly became an indispensable tool…

>>

Protecting Your Business in Light of the Federal Trade Commission’s Proposed Ban on Non-Competes

When you own a business, you are only as protected as your trade secrets are. That is why you should pay close attention to the Federal Trade Commission’s (FTC) recent…

>>

Podcast: The Right Time To Lawyer Up When Starting A Company

An important decision every entrepreneur needs to make during the early stages of their startup is choosing when to engage with an attorney. Attorney’s Neil Bagchi and Glen Caplan join host Robbie Allen during the sixth episode of the For Starters podcast to help answer that question.

>>

THE LATEST

Intellectual Property – A Roundtable Discussion

Protecting your intellectual property (IP) is essential to running a successful business. Understanding the different types of IP and how…

USA and India Law Firms Join Forces in Cross-Border Business Collaboration

Chapel Hill, NC – Bagchi Law, a premier business law firm located in the United States of America, and Stoicus…

What does the new California Privacy Rights Act mean for your business?

Effective January 1, 2023, the California Privacy Rights Act (CPRA, Cal. Civ. Code §§ 1798.100, et seq.) strengthens and amends…

Contact Us

Let's challenge the default together