BLOG

Thoughtful Insights On The World We Live In

CPRA

What does the new California Privacy Rights Act mean for your business?

Effective January 1, 2023, the California Privacy Rights Act (CPRA, Cal. Civ. Code §§ 1798.100, et seq.) strengthens and amends the California Consumer Privacy Act (CCPA). The CPRA will bring California privacy rights up to European consumer protection standards set by the European Union General Data Protection Regulation (EU GDPR). Let’s take a closer look at what this new act means for businesses doing business with California consumers.

What does the CPRA do?

The CPRA has established a new agency, the California Privacy Protection Agency (CPPA), as the party responsible for enforcing the guidelines set by the CPRA. The most notable guidelines have expanded and escalated the definition of Personal Information, have required increased consumer ability to opt out of information sharing, and have created clear compliance standards regarding consumer information privacy and protection, including enhanced cybersecurity audits and risk assessments.

What consumer data is subject to protection under the CPRA?

The CPRA’s expansion of “Personal Information” extends protection to any information that is generally related to a particular consumer or household, like an online identifier, internet protocol access, search records, browsing history, geolocation data, etc. This information will now require increased protection by businesses dealing with California consumers.

The CPRA has also created an escalated category of information dubbed “Sensitive Personal Information,” which includes login information, bank information, precise geolocation, email content, genetic and biometric data, personal health information, religious affiliation, etc. Not only will this information require increased protection under the CPRA, but it will also now require a conspicuous online “opt-out” option for consumers.

What additional protections are businesses responsible for under the CPRA?

Businesses affected by the CPRA must expand their “opt-out” provisions to be easily found and understood by consumers. In addition, they must comply with new consumer rights regulations regarding deleting consumer information, correcting inaccurate data, protecting access to data, and consumer ability to opt out of precise geolocation advertising. They must also include methods of parental consent to collect or share personal data about a consumer under the age of 16.

Further, any business collecting the personal information of a California consumer must prove its internal infrastructure is sound enough to support the cybersecurity measures required to protect that data and will be subject to audit or risk assessment to ensure this compliance.

Are there non-compliance penalties?

Penalties for non-compliance can reach $2,500 for each violation and up to $7,500 for each violation involving minors or intentional violations. There is no ceiling on the number of violations for any one business, and an individual breach could escalate to a class-action lawsuit.

Who does the CPRA affect?

The CPRA applies to for-profit businesses providing goods or services to California consumers and meeting one or more financial criteria. Notably, a company does not need any physical presence in California for the CPRA to apply.

  • The previous calendar year had an annual gross revenue of over $25 million.  Note:  this applies to ALL corporate revenue regardless of its source.  For example, if $1,000,000 in gross revenue comes from doing business in California, and $25,000,000 in gross revenue comes from other states or countries, that business must comply with CPRA. 
  • Buying, receiving, selling or sharing “personal information” of more than 100,000 California consumers or households annually. (This quantum is expanded from 50,000 consumers under the CCPA). “Selling” personal data has a broad definition, including “selling, renting, releasing, disclosing, disseminating, making available, transferring or communicating orally, in writing or by electronic or other means, a consumer’s personal information to another business or their party for monetary or other valuable consideration.” Transferring information to third parties via “cookies” (considered “valuable consideration”) is considered a “sale” of personal information.  
  • Derives 50 percent or more of its annual revenue from selling or sharing consumers’ personal information.

Contact us to learn if your business will be held accountable under the terms of the CPRA and to know what steps to take to ensure compliance.

Related

Spotlight on Lucha: A Story of Resilience and Community

n the heart of the South Bronx, a unique wrestling program has given rise to incredible athletes and inspired a compelling documentary, “Lucha.” This film captures the journey of a group of young women who, against all odds, found strength, community, and hope on the wrestling mat. Today, we are excited to share the story behind “Lucha” and its incredible impact on the lives of these young athletes and their community. We sat down with Josh Lee, a wrestling coach and one of the key figures behind this inspiring documentary.

>>

Understanding the FTC’s ban on noncompete clauses and what this means for your business

The Federal Trade Commission (FTC) has recently formalized a rule that will alter the landscape of noncompete clauses in employment…

>>

Corporate Transparency Act: An Essential 2024 Update

The Corporate Transparency Act (CTA) mandates domestic and foreign entities operating in the United States to report key details about their beneficial owners to the Financial Crimes Enforcement Network (FinCEN).…

>>

A Startup Conversation: Jim Roberts on Cultivating Entrepreneurship in Wilmington

Jim Roberts was the Founding Executive Director of the UNCW Center for Innovation and Entrepreneurship incubator and is the founder of the Network for Entrepreneurs in Wilmington (NEW) as well…

>>

Brand Protections and The Importance of A Fanciful Trademark

In the fast-paced and competitive world of business, your brand is everything. It represents your company’s identity, values, and products or services. As a law firm specializing in intellectual property…

>>

Mastering the Art of Handling Negative Online Reviews: Tips and Strategies for Business Owners

If you have been in business for any significant amount of time, you likely have received a negative online review. Depending on where the review is posted, the search engine or website may provide…

>>

THE LATEST

Spotlight on Lucha: A Story of Resilience and Community

n the heart of the South Bronx, a unique wrestling program has given rise to incredible athletes and inspired a compelling documentary, “Lucha.” This film captures the journey of a group of young women who, against all odds, found strength, community, and hope on the wrestling mat. Today, we are excited to share the story behind “Lucha” and its incredible impact on the lives of these young athletes and their community. We sat down with Josh Lee, a wrestling coach and one of the key figures behind this inspiring documentary.

Understanding the FTC’s ban on noncompete clauses and what this means for your business

The Federal Trade Commission (FTC) has recently formalized a rule that will alter the landscape of noncompete clauses in employment…

The Latest on the Corporate Transparency Act

The Corporate Transparency Act (CTA), a pivotal legislation aimed at combating financial crimes by enhancing transparency in business ownership, has…

Contact Us

Let's challenge the default together