What does the new California Privacy Rights Act mean for your business?

Effective January 1, 2023, the California Privacy Rights Act (CPRA, Cal. Civ. Code §§ 1798.100, et seq.) strengthens and supersedes the California Consumer Privacy Act (CCPA). The purpose of the new CPRA is to bring California privacy rights up to European consumer protection standards set by the European Union General Data Protection Regulation (EU GDPR). Let’s take a closer look at what this new act means for businesses doing business with California consumers.

What does the CPRA do?

The CPRA has established a new agency, the California Privacy Protection Agency (CPPA), as the party responsible for enforcing the guidelines set by the CPRA. The most notable guidelines expand and escalate the definition of Personal Information, increase consumers' ability to opt out of information sharing, and create clear compliance standards regarding consumer information privacy and protection, including enhanced cybersecurity audits and risk assessments.

What consumer data is subject to protection under the CPRA?

The CPRA’s expansion of “Personal Information” extends protection to any information that is generally related to a particular consumer or household, like an online identifier, Internet Protocol address, search records, browsing history, geolocation data, etc. This information will now require increased protection by businesses dealing with California consumers.

The CPRA has also created an escalated category of information dubbed “Sensitive Personal Information,” which includes login information, bank information, precise geolocation, email content, genetic and biometric data, personal health information, religious affiliation, etc. Not only will this information require increased protection under the CPRA, but it will also now require a conspicuous online “opt-out” option for consumers.

What additional protections are businesses responsible for under the CPRA?

Businesses affected by the CPRA must expand their “opt-out” provisions to be easily found and understood by consumers. In addition, they must comply with new consumer rights regulations regarding deleting consumer information, correcting inaccurate data, and protecting access to data, and they must give consumers the ability to opt out of precise geolocation advertising. They must also include methods of parental consent to collect or share personal data about a consumer under the age of 16.

Further, any business collecting the personal information of a California consumer must prove its internal infrastructure is sound enough to support the cybersecurity measures required to protect that data and will be subject to audit or risk assessment to ensure this compliance.

Are there non-compliance penalties?

Penalties for non-compliance can reach $2,500 for each violation and up to $7,500 for each violation involving minors or intentional violations. There is no ceiling on the number of violations for any one business, and an individual breach could escalate to a class-action lawsuit.

Who does the CPRA affect?

The CPRA applies to for-profit businesses providing goods or services to California consumers. Notably, a company does not need any physical presence in California for the CPRA to apply. A business is covered if it meets one or more of the following financial criteria:

  • Had annual gross revenue of over $25 million in the previous calendar year. Note: this applies to ALL corporate revenue regardless of its source. For example, if $1,000,000 in gross revenue comes from doing business in California, and $25,000,000 in gross revenue comes from other states or countries, that business must comply with CPRA.
  • Buys, receives, sells or shares “personal information” of more than 100,000 California consumers or households annually. (This quantum is expanded from 50,000 consumers under the CCPA.) “Selling” personal data has a broad definition, including “selling, renting, releasing, disclosing, disseminating, making available, transferring or communicating orally, in writing or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.” Transferring information to third parties via “cookies” (considered “valuable consideration”) is considered a “sale” of personal information.
  • Derives 50 percent or more of its annual revenue from selling or sharing consumers’ personal information.

Contact us to learn if your business will be held accountable under the terms of the CPRA and to know what steps to take to ensure compliance.
