CPRA 2024: The New Compliance Requirements

The California Privacy Rights Act (CPRA), set to take effect in 2024, is a significant amendment to the existing California Consumer Privacy Act (CCPA).

In this blog, we’ll explore the expanded consumer rights, new obligations for businesses, updated data processing rules, mandatory data mapping, and enhanced enforcement powers. Additionally, we’ll discuss effective compliance strategies, vendor management best practices, and the impact of the CPRA on advertising technology. By the end of this article, you’ll have a clear understanding of the steps necessary to ensure your organization is prepared for the CPRA’s implementation in 2024.

The CPRA expands upon the consumer rights granted under the CCPA, providing Californians with greater control over their personal information. One of the key additions is the right to correct inaccurate personal information. Businesses are required to disclose this right to consumers and use reasonable efforts to correct any inaccuracies upon receiving a verified consumer request.

The CPRA also introduces the concept of sensitive personal information (SPI), which includes categories such as precise geolocation, racial or ethnic origin, religious beliefs, biometric data, and information concerning a consumer’s health or sexual orientation. Consumers have the right to limit the use and disclosure of their SPI, allowing them to restrict its processing to only what is necessary for the business to provide goods or services.

Right to Know and Access Data

Under the CPRA, consumers can request information about their personal data collected by businesses beyond the standard 12-month look-back period, as long as the data was collected on or after January 1, 2022, and fulfilling the request does not require disproportionate effort.

Right to Opt Out

The CPRA expands the right to opt out to include both the sale and sharing of personal information. Sharing is defined as disclosing, making available, or communicating a consumer’s personal information to a third party for cross-context behavioral advertising, regardless of whether money is exchanged.

Right to Delete

While maintaining the basic framework of the right to delete, the CPRA provides additional guidance on passing these requests downstream. Businesses must instruct third parties to whom the consumer’s data was sold or shared to delete the information as well, with some exceptions.

To comply with these expanded consumer rights, businesses must update their privacy policies, contracts, and websites to include the necessary disclosures and mechanisms for consumers to exercise their rights. Failure to comply with the CPRA can result in fines of up to $7,500 per intentional violation or violations involving the personal information of minors.

The CPRA introduces several new obligations for businesses, particularly in the areas of risk assessments and data protection audits. These requirements aim to ensure that companies processing personal information are taking appropriate measures to safeguard consumer privacy and security.

Risk Assessments

Under the CPRA, businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security must conduct regular risk assessments. These assessments should evaluate the benefits of the processing weighed against the potential risks to consumers. Factors to consider when determining if processing poses a significant risk include the size and complexity of the business, as well as the nature and scope of processing activities.

Risk assessments must be submitted to the California Privacy Protection Agency (CPPA) on a regular basis and include a statement on whether the business processes sensitive personal information. The CPPA will provide further guidance on the specific requirements for these assessments through future regulations.

Data Protection Audits

In addition to risk assessments, certain businesses will be required to perform annual cybersecurity audits. While the exact criteria for determining which businesses are subject to this requirement have not been finalized, the CPPA is considering factors such as deriving 50% or more of annual revenue from selling or sharing personal information, processing the personal information of a certain threshold number of consumers, or meeting a specific gross revenue value.

The purpose of these audits is to assess the effectiveness of a business’s security measures and identify any vulnerabilities or risks to the security of personal information. Audits must be conducted by an independent third-party auditor certified by a recognized organization. Businesses will need to submit an annual notice of compliance to the CPPA, certifying that they have either complied with the audit requirements or have not fully complied and indicating when remediation will be completed.

The CPRA’s expanded obligations for risk assessments and data protection audits represent a significant change from the CCPA, placing a greater burden on businesses to proactively evaluate and address potential privacy and security risks. As the CPPA continues to develop and finalize the regulations surrounding these requirements, businesses should stay informed and prepare to adapt their compliance strategies accordingly.

The CPRA introduces several key amendments to the existing CCPA, establishing new obligations for businesses regarding their data processing practices. The CPRA codifies two important principles of lawful data processing: purpose limitation and data minimization.

Under the CPRA, businesses must ensure that the collection, use, retention, and sharing of a consumer’s personal information is reasonably necessary and proportionate to achieve the purposes for which the information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected. This requirement emphasizes the importance of aligning data processing activities with the original purpose of collection and obtaining consumer consent for any additional purposes.

The CPRA also mandates that businesses inform consumers about the length of time they intend to retain each category of personal information or sensitive personal information. If a specific retention period cannot be provided, businesses must disclose the criteria used to determine the data retention period. However, businesses are prohibited from storing personal data beyond the period reasonably necessary to achieve the purpose of the data processing activity.

The CPRA requires businesses to refrain from collecting or using personal information or sensitive personal information for any purpose that is incompatible with the original purpose of the data processing activity. If a business intends to collect or use additional categories of personal information for purposes incompatible with the original purpose, it must notify the relevant consumers and obtain their consent.

To comply with the purpose limitation principle, businesses should carefully consider the data they collect, use, retain, or share, as well as the processing purposes, to eliminate any unnecessary or purpose-incompatible data processing activities.

The CPRA emphasizes the principle of data minimization, stating that a business’s collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.

This means that businesses should only process personal information that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. They should regularly review the personal information in their possession to determine whether it remains adequate, relevant, and necessary for the specified purposes.

To comply with the data minimization principle, businesses should scrutinize the data they collect and the purpose of collection to eliminate any unnecessary data processing. They should also implement measures to delete this data from their systems once it is no longer required for the intended purpose.

The CPRA also extends data minimization obligations to third parties, contractors, and service providers with whom businesses share consumer data. Businesses must enter into agreements with these entities to ensure they comply with CPRA requirements, including the principle of data minimization.

The CPRA introduces mandatory data mapping requirements for businesses, which involves identifying and documenting the flow of personal information within an organization. Data mapping is crucial for CPRA compliance as it helps businesses understand how personal data is collected, processed, and shared with third parties.

Continuous Data Tracking

Maintaining an up-to-date data inventory is a critical aspect of CPRA data mapping. Businesses must keep a comprehensive record of the personal information collected, the purposes for which it is used, and any third parties with whom it is shared. This ongoing process requires constant vigilance to ensure the data inventory remains accurate as data collection practices, usage purposes, and third-party relationships change over time.

Automated Data Management

To simplify the data mapping process and enhance accuracy, businesses can leverage automation tools. These tools can help identify personal information, map its flow, and maintain a comprehensive data inventory. Automation reduces manual effort and enables organizations to respond promptly to consumer requests and adapt to evolving regulatory requirements.

Osano Data Mapping is an example of a privacy-focused solution that integrates with Single Sign On (SSO) providers to quickly uncover systems containing personal information. It assigns risk scores based on criteria like data fields, vendor flows, and identities managed, allowing privacy professionals to prioritize by risk and effort. The benefits of using a privacy-focused solution like Osano for CPRA data mapping include faster discovery of personal data and the ability to take action on the findings from a compliance perspective.

The California Privacy Protection Agency (CPPA) was established by the CPRA to implement and enforce the law. The CPPA is governed by a five-member board and has a dedicated leadership team to administer policies and oversee day-to-day operations.

The CPPA has greater influence, jurisdiction, and obligations compared to the California Attorney General’s office, which previously handled administration and enforcement under the CCPA. In addition to handling complaints, investigations, audits, and levying fines or penalties, the CPPA is responsible for interpreting the CCPA/CPRA. This will have a long-term influence on establishing how compliance is monitored, violations are punished, and fines are issued.

CPPA

The CPPA released its first-ever enforcement advisory in April 2024, focusing on CCPA data minimization obligations tied to consumer requests. The advisory, intended to encourage voluntary compliance, calls data minimization a “foundational principle” of the CCPA and outlines business and consumer benefits stemming from application and compliance.

The CPPA Enforcement Division has observed improper practices, including some unidentified entities “asking consumers to provide excessive and unnecessary personal information in response to requests that consumers make under the CCPA”. The advisory highlights areas where data minimization applies in CCPA regulations, such as handling user opt-out preference signals, requests for data sale and sharing opt-outs, requests around the use and disclosure of sensitive personal information, and identity verification.

Fines and Penalties

Under the CPRA, businesses showing a proactive and reasonable approach to compliance may be able to escape a penalty, even where a CCPA violation has occurred. However, any CCPA violation can lead to a penalty, and the California Attorney General can pursue penalties from businesses that violate any part of the CCPA.

Penalties can be extremely costly, with fines of up to $7,500 per intentional violation or $2,500 per unintentional violation. A “violation” occurs each time a consumer’s rights are violated by a non-compliant business, meaning these penalties can add up quickly. Fines for violations involving minors under the age of 16 have been increased to $7,500 per violation under the CPRA.

Affected consumers are entitled to damages ranging from $100 to $750 per person for a data breach. California is also the only state among those in the US with data privacy laws that enables private right of action, where consumers can sue companies for violations that affect them.

To ensure compliance with the CPRA’s expanded requirements, businesses must adopt robust compliance strategies. Implementing a comprehensive data inventory and mapping process is crucial to understand how personal information flows within the organization. This involves identifying all sources of personal data, documenting the types of information collected, and tracking how it is used and shared with third parties.

Businesses must also implement reasonable security measures to protect personal information from unauthorized access, destruction, or disclosure. The CPRA requires businesses to apply a higher standard of security around sensitive personal information they process. Regular risk assessments and data protection audits can help identify vulnerabilities and ensure appropriate safeguards are in place.

Updating privacy policies is another critical aspect of CPRA compliance. Privacy policies should clearly outline how personal information is collected, used, and shared, as well as the rights of consumers under the CPRA. As compliance operations evolve, privacy policies must be updated accordingly to reflect any changes.

Using Consent Management Tools

Consent management tools can significantly streamline CPRA compliance efforts. These tools enable businesses to collect, store, and manage user consent preferences in a centralized manner. They can display user-friendly consent banners, provide granular control over cookie categories, and maintain auditable records of consent histories.

Consent management platforms (CMPs) can also help businesses comply with the CPRA’s requirement to provide a “Do Not Sell or Share My Personal Information” link and a “Limit the Use of My Sensitive Personal Information” link on their websites. CMPs can automate the display of these links and facilitate the processing of consumer opt-out requests.

Implementing Opt-Out Mechanisms

The CPRA introduces new complexities to managing consumer opt-out requests. Businesses must implement efficient intake methods to receive and process these requests, ideally through automated systems. Detailed consent and opt-out records must be maintained, and processes must be in place to honor consumer choices wherever personal information is sold or shared.

Creating dedicated opt-out pages is a straightforward way to comply with the CPRA’s opt-out requirements. These pages should provide clear information about the types of personal information being sold or shared and allow consumers to exercise their rights easily. Businesses can also choose to streamline opt-out options into a single webpage where consumers can manage their preferences.

Collaborating with third parties is essential to ensure that consumer opt-out choices are respected throughout the data ecosystem. Businesses must have agreements in place with service providers and contractors to limit the use of personal information and comply with opt-out requests.

By implementing these compliance strategies, businesses can navigate the CPRA’s complex requirements and demonstrate their commitment to protecting consumer privacy. Regular training for employees handling consumer requests, coupled with robust data governance practices, will help organizations build trust with their customers and avoid potential penalties for non-compliance.

The CPRA introduces several new obligations for businesses regarding their vendor relationships. To ensure compliance, businesses must review and update their contracts with service providers, contractors, and third parties to include specific provisions mandated by the CPRA.

Updating Contracts

Contracts between businesses and service providers, contractors, or third parties must specify that personal information is sold or disclosed only for limited and specified purposes. The contracts should obligate the recipient party to comply with the CPRA and provide the same level of privacy protection as required by the law.

Businesses must have the right to take reasonable steps to ensure that the recipient party uses personal information consistently with the business’s obligations under the CPRA. The contracts should also require the recipient party to notify the business if it can no longer meet its obligations and grant the business the right to take remedial action.

Ensuring Compliance of Third Parties

Businesses must conduct due diligence on their service providers, contractors, and third parties to ensure they comply with the CPRA. Failure to enforce contractual terms or exercise audit rights may indicate that the business had reason to believe the recipient party intended to use personal information in violation of the CPRA.

The CPRA also introduces the concept of “contractors,” a new category of recipients distinct from service providers. Contractors must certify their understanding and compliance with the additional requirements set forth in the CPRA.

To effectively manage vendor relationships under the CPRA, businesses should:

By implementing these practices and updating contracts to meet the CPRA’s requirements, businesses can navigate the complexities of vendor management and demonstrate their commitment to protecting consumer privacy.

The California Privacy Rights Act (CPRA) introduces several amendments to the California Consumer Privacy Act (CCPA) that significantly impact the digital advertising industry. The CPRA’s expanded consumer rights, new obligations for businesses, and restrictions on data sharing are set to change the advertising technology landscape.

One of the most notable changes under the CPRA is the introduction of the right for consumers to opt-out of having their personal information shared for cross-context behavioral advertising. This means that businesses may not be able to avoid being sharers of personal information by entering into service provider agreements with their vendors, as transferring personal information to a vendor for cross-context behavioral advertising is no longer considered a business purpose. As a result, businesses will have limited options to avoid being sharers of personal information under the CPRA, with the only option being to implement a mechanism to capture consumers’ consent for disclosing their personal information to other entities.

The CPRA also limits the sharing of personal information for targeted advertising. Businesses must now provide consumers with the opportunity to not only opt out of the sale of their personal information but also of giving or sharing that data with someone else, including a third party that might use it for cross-context behavioral advertising. This eliminates any ambiguity around how to interpret the “sale” of personal information under the CCPA.

Changes in Ad Practices

The CPRA’s impact on advertising practices is expected to be significant. While some businesses argued that permitting third-party cookies on their websites did not constitute a sale of personal information under the CCPA, this position became uncertain when the CPRA regulations included a provision requiring businesses to treat browser plug-ins, privacy settings, device settings, or other mechanisms that communicate or signal a consumer’s choice to opt out as valid requests. The Global Privacy Control (GPC) browser extension, developed by a coalition of organizations, communicates opt-out signals every time a consumer visits a website, potentially restricting businesses from sharing personal information as a default setting.

Furthermore, the CPRA introduces new contractual obligations for businesses regarding their vendor relationships. Contracts between businesses and service providers, contractors, or third parties must specify that personal information is sold or disclosed only for limited and specified purposes, and obligate the recipient party to comply with the CPRA and provide the same level of privacy protection as required by the law. Businesses must also have the right to take reasonable steps to ensure that the recipient party uses personal information consistently with the business’s obligations under the CPRA.

Limiting Data Sharing

The CPRA’s restrictions on data sharing are likely to have a profound impact on the ad tech ecosystem. With the CPRA’s effective date of January 1, 2023, and the lookback period starting one year earlier, ad tech companies are already under scrutiny and may face fines for non-compliance once California authorities begin enforcement actions.

To comply with the CPRA and navigate the changing advertising technology landscape, businesses should:

1. Review and update their contracts with service providers, contractors, and third parties to include specific provisions mandated by the CPRA.
2. Conduct due diligence on their service providers, contractors, and third parties to ensure they comply with the CPRA.
3. Implement efficient intake methods to receive and process consumer opt-out requests, ideally through automated systems.
4. Maintain detailed consent and opt-out records and establish processes to honor consumer choices wherever personal information is sold or shared.
5. Collaborate with third parties to ensure that consumer opt-out choices are respected throughout the data ecosystem.

As businesses prepare for the CPRA to take effect in 2024, it is crucial to understand the expanded consumer rights, new obligations, and updated data processing rules introduced by the law. By implementing good compliance strategies, conducting thorough vendor management, and staying informed about the evolving advertising technology landscape, organizations can deal with the CPRA and demonstrate their commitment to protecting consumer privacy. Detailed analysis of the CPRA amendments to the CCPA highlights the new obligations for companies, emphasizing the need for proactive compliance measures.

To ensure a smooth transition and maintain compliance with the CPRA, businesses should seek guidance from experienced professionals who can provide tailored advice and support. Contact us for expert advice on operating the CPRA’s requirements and developing effective compliance strategies that align with your organization’s unique needs. By taking a proactive approach and prioritizing consumer privacy, businesses can build trust with their customers, mitigate the risk of penalties, and thrive in the new era of data protection regulations.

What does the CPRA entail for businesses in California?

The California Privacy Rights Act (CPRA) mandates businesses to adhere to specific regulations concerning the handling of personal information. This includes the protection of Social Security numbers, driver’s licenses, state identification cards, passport numbers, financial account details along with login credentials, debit or credit card numbers with access codes, precise geolocation data, religious or philosophical beliefs, and ethnic origin.

What are the latest additions to data privacy laws in California?

Effective from January 1, 2023, the new data privacy laws in California have expanded consumer rights. These enhancements include the right for individuals to correct inaccurate personal information held by businesses and the right to restrict the use and disclosure of sensitive personal information.

Was the CPRA approved by California voters?

Yes, the CPRA was approved by approximately 55% of California voters, indicating a majority support for the proposition.

Does the CCPA affect businesses located outside California?

Yes, the California Consumer Privacy Act (CCPA) applies to businesses that operate outside of California, not just those within the state boundaries.