Effective January 1, 2023, the California Privacy Rights Act (CPRA, Cal. Civ. Code §§ 1798.100, et seq.) strengthens and amends the California Consumer Privacy Act (CCPA). The CPRA will bring California privacy rights up to European consumer protection standards set by the European Union General Data Protection Regulation (EU GDPR). Let’s take a closer look at what this new act means for businesses doing business with California consumers.

What does the CPRA do?

The CPRA has established a new agency, the California Privacy Protection Agency (CPPA), as the party responsible for enforcing the guidelines set by the CPRA. The most notable guidelines have expanded and escalated the definition of Personal Information, have required increased consumer ability to opt out of information sharing, and have created clear compliance standards regarding consumer information privacy and protection, including enhanced cybersecurity audits and risk assessments.

What consumer data is subject to protection under the CPRA?

The CPRA’s expansion of “Personal Information” extends protection to any information that is generally related to a particular consumer or household, like an online identifier, internet protocol access, search records, browsing history, geolocation data, etc. This information will now require increased protection by businesses dealing with California consumers.

The CPRA has also created an escalated category of information dubbed “Sensitive Personal Information,” which includes login information, bank information, precise geolocation, email content, genetic and biometric data, personal health information, religious affiliation, etc. Not only will this information require increased protection under the CPRA, but it will also now require a conspicuous online “opt-out” option for consumers.

What additional protections are businesses responsible for under the CPRA?

Businesses affected by the CPRA must expand their “opt-out” provisions to be easily found and understood by consumers. In addition, they must comply with new consumer rights regulations regarding deleting consumer information, correcting inaccurate data, protecting access to data, and consumer ability to opt out of precise geolocation advertising. They must also include methods of parental consent to collect or share personal data about a consumer under the age of 16.

Further, any business collecting the personal information of a California consumer must prove its internal infrastructure is sound enough to support the cybersecurity measures required to protect that data and will be subject to audit or risk assessment to ensure this compliance.

Are there non-compliance penalties?

Penalties for non-compliance can reach $2,500 for each violation and up to $7,500 for each violation involving minors or intentional violations. There is no ceiling on the number of violations for any one business, and an individual breach could escalate to a class-action lawsuit.

Who does the CPRA affect?

The CPRA applies to for-profit businesses providing goods or services to California consumers and meeting one or more financial criteria. Notably, a company does not need any physical presence in California for the CPRA to apply.

• The previous calendar year had an annual gross revenue of over $25 million.  Note:  this applies to ALL corporate revenue regardless of its source.  For example, if $1,000,000 in gross revenue comes from doing business in California, and $25,000,000 in gross revenue comes from other states or countries, that business must comply with CPRA. 
• Buying, receiving, selling or sharing “personal information” of more than 100,000 California consumers or households annually. (This quantum is expanded from 50,000 consumers under the CCPA). “Selling” personal data has a broad definition, including “selling, renting, releasing, disclosing, disseminating, making available, transferring or communicating orally, in writing or by electronic or other means, a consumer’s personal information to another business or their party for monetary or other valuable consideration.” Transferring information to third parties via “cookies” (considered “valuable consideration”) is considered a “sale” of personal information.  
• Derives 50 percent or more of its annual revenue from selling or sharing consumers’ personal information.

Contact us to learn if your business will be held accountable under the terms of the CPRA and to know what steps to take to ensure compliance.