The California Privacy Rights Act (CPRA) is a California law and an amended version of the California Consumer Privacy Act (CCPA). In other words, it is a change to the pre-existing privacy law of California.
It is worth noting that the CPRA is the result of a ballot initiative. This shows that California residents are concerned with their privacy and that privacy regulations find substantial support in the State.
Let's dive in to learn more about the CPRA and how it changed Californian privacy law!
- How is the CPRA enforced?
- Why are all these acronyms so confusing?
- When did the CPRA come into effect?
- How did the CPRA change the CCPA?
- Data minimization
- Protecting sensitive information
- The right to opt out: “do not sell or share”
- The right to have information corrected
- The CPRA and Global Privacy Control
- The CPPA
How is the CPRA enforced?
The CPRA is enforced by the Attorney General of California. Starting in 2024, it will also be enforced by the California Privacy Protection Agency (CPPA).
Additionally, the CPRA includes a private right of action for data breaches, allowing consumers to sue businesses directly (but not the businesses' partners and service providers).
Why are all these acronyms so confusing?
We have no idea and we hate it too. Here is a handy reference:
- the CCPA (California Consumer Privacy Act) is the old California privacy law from 2018
- the CPRA (California Privacy Rights Act) is the new law from 2020
- the CPPA (California Privacy Protection Agency) is the enforcement agency established by the CPRA.
When did the CPRA come into effect?
The CPRA came into effect on January 1, 2023. However, some of the CPRA's rules are vague and need to be fleshed out by the CPPA through its regulations. Because of a recent court decision, these regulations will only come into effect in March 2024.
In practice, this means that the law as a whole is already in effect, but certain rules will only become enforceable next year.
How did the CPRA change the CCPA?
The CPRA brought important changes to the CCPA, including:
- introducing the data minimization principle
- introducing stronger protection for sensitive information
- expanding the scope of the right to opt-out of the selling or sharing of personal information
- introducing an obligation to honor the consumer's global privacy controls
- introducing a right to have personal information corrected
- establishing the California Privacy Protection Agency
Data minimization
Under the CPRA, consumers' personal information can only be processed and retained when reasonably necessary and proportionate for the purpose of the processing, or for a different, disclosed, and compatible purpose.
In a nutshell: 1) only process the data you need, and 2) only process it for the original purpose it was collected for, or for a compatible purpose the consumer knows about.
That’s the short, simplified version. The text of the rule has a lot more legal substance to it:
A business’s collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes
Data minimization tries to achieve a lot with just one principle. In fact, CPRA data minimization covers two distinct GDPR principles: data minimization and purpose limitation. This is why the principle is so complicated.
Notably, the CPRA includes detailed rules on what counts as a compatible purpose. On the European side, the GDPR lacks such rules and leaves the notion open to interpretation.
Protecting sensitive information
The CPRA introduced a legal definition of sensitive information, as well as specific rules for processing this information.
Under CPRA, the notion of sensitive information covers:
- precise geolocation data
- religious beliefs
- ethnic origin
- contents of communication
- genetic data
- biometric information for the purposes of identification
- health information
- information about sex or sexual orientation
- some other data that can be used for fraud or identity theft (social security number, access credentials, credit/debit card data, and so on)
Consumers have a right to request companies to limit the use and disclosure of their sensitive information to what is strictly necessary to provide the service. In other words, they can opt out of any non-essential use of their sensitive information.
We are not terribly fond of opt-out systems because they put the burden of privacy on the consumer as opposed to simply requiring good privacy practices from businesses. But the CPRA is still a step in the right direction because the CCPA featured no rules for sensitive data at all.
The right to opt out: “do not sell or share”
Under the CPRA, consumers have a right to opt out of the selling and sharing of their personal information. Under the CCPA consumers could opt out of the sale of personal information only. Therefore, the CPRA expands the scope of a pre-existing opt-out right.
This change was influenced by the debate within the legal community on the meaning of sale. A sale of personal information was defined in very broad terms under the CCPA: disclosing information in exchange for monetary or other valuable consideration was considered to be a sale. The notion of valuable consideration was broad enough to cover cross-context behavioral advertising involving a third party (typically Google or Meta).
Therefore, there is no doubt that consumers have a right to opt out of tracking for the purpose of cross-context behavioral advertising under the CPRA!
Again, we are not fans of this opt-out system, but it is still good that consumers at least have the option to say “no thanks”.
The right to have information corrected
Oddly enough, the CCPA included a right to know and a right to erasure, but not a right to have personal information corrected. The CPRA filled this gap.
The right to correct largely works the same way as the rights to know and delete: businesses must comply within 45 days and may extend the deadline by another 45 days, provided that they inform the consumer.
The CPRA and Global Privacy Control
Global Privacy Control (GPC) is a technical standard embedded in browsers and plug-ins. GPC notifies websites of the privacy preferences of the consumer, including the refusal to have their information sold or shared. Under the CPRA, businesses must comply with GPC signals from the consumer’s browser.
As we said, most privacy rights in the CCPA/CPRA are opt-out rights. By streamlining the tedious process of opting out, GPC can ease the burden on the consumer and make privacy rights easier to exercise. It will be interesting to see how widespread the use of GPC becomes and to what extent websites will comply.
You can learn more about GPC at https://globalprivacycontrol.org/.
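To show what honoring the GPC signal looks like in practice, here is an added example (not code from the original post or from Simple Analytics). It assumes the GPC specification's `Sec-GPC: 1` request header and the browser-side `navigator.globalPrivacyControl` property; the `storedConsent` object, the `resolveDataSharing` decision shape and the Express-style middleware are our own hypothetical conventions for a site that must decide whether a given request may feed a "sell or share" flow such as cross-context advertising.

```javascript
// Added example: treating a Global Privacy Control signal as a "do not sell
// or share" opt-out for the current request. Not part of the original post.

// Returns true when the request carries a valid GPC opt-out signal.
// The spec defines only the value "1"; anything else counts as no signal.
// Node lowercases incoming header names, but the original casing is
// accepted too so the helper works on plain header objects.
function hasGpcSignal(headers) {
  const value = headers['sec-gpc'] !== undefined ? headers['sec-gpc'] : headers['Sec-GPC'];
  return value === '1';
}

// Decides what the site may do with the visitor's data for this request.
// `storedConsent` is an assumed shape ({ sellOrShare: true|false }) for a
// preference the consumer saved earlier. A GPC signal overrides a stored
// opt-in, but the absence of a signal never turns an opt-out into an opt-in.
function resolveDataSharing(headers, storedConsent) {
  const consent = storedConsent || {};
  const gpc = hasGpcSignal(headers);
  const sellOrShare = !gpc && consent.sellOrShare === true;
  let reason;
  if (gpc) {
    reason = 'GPC opt-out signal honored';
  } else if (sellOrShare) {
    reason = 'stored opt-in on record';
  } else {
    reason = 'no opt-in on record';
  }
  return {
    gpcSignal: gpc,
    sellOrShare: sellOrShare,
    // Cross-context behavioral ads depend on sharing with ad partners,
    // so they follow the same decision.
    crossContextAds: sellOrShare,
    // Useful for an audit trail of why a request was or was not shared.
    reason: reason,
  };
}

// Express-style middleware (assumed framework shape): attaches the decision
// to the request so downstream handlers never have to re-check the header.
function gpcMiddleware(req, res, next) {
  req.dataSharing = resolveDataSharing(req.headers, req.storedConsent);
  next();
}

// Browser side: the same preference exposed to page scripts. Takes the
// navigator object as a parameter so it can be exercised outside a browser.
function clientHasGpc(nav) {
  const n = nav || (typeof navigator !== 'undefined' ? navigator : {});
  return n.globalPrivacyControl === true;
}

// Constructed sample requests, run through the middleware for illustration.
const sampleRequests = [
  { headers: { 'sec-gpc': '1' }, storedConsent: { sellOrShare: true } },
  { headers: {}, storedConsent: { sellOrShare: true } },
  { headers: { 'sec-gpc': '0' }, storedConsent: {} },
];

function runSamples() {
  return sampleRequests.map((req) => {
    gpcMiddleware(req, {}, () => {});
    return req.dataSharing;
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runSamples());
}
```

The important design choice is the asymmetry in `resolveDataSharing`: the signal can only ever reduce what the site does with the data. A consumer who has opted out through the site's own form stays opted out even when their browser sends no `Sec-GPC` header, and a consumer whose browser sends the header is treated as opted out even if an older stored preference said otherwise.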
The CPPA
As we explained, the CPRA established the California Privacy Protection Agency (CPPA). To some extent, you can think of the CPPA as the Californian equivalent of the data protection authorities in Europe: the Agency is responsible for CCPA enforcement along with the Attorney General and can adopt regulations based on the CCPA.
The Agency is already at work, but because of a recent court decision, it will only be able to enforce its regulations in 2024.
We try to explain privacy laws in a simple way because we care about privacy. This is also why we build Simple Analytics: a lightweight, user-friendly analytics tool that provides you with all the insight you need while preserving user privacy.
If this sounds good to you, feel free to give us a try!