California Privacy Rights Act: Reaction & Analysis
Following the vote on Proposition 24 by California voters on November 3, 2020, the California Privacy Rights Act (CPRA) was passed, amending and extending many of the provisions set out by the California Consumer Privacy Act (CCPA). The CPRA will enter into effect on January 1, 2023, and will have a significant impact on businesses operating in California or processing the data of Californians. While there is still time to develop a CPRA-compliant privacy program, there are key steps that businesses can be taking now.
What is the CPRA?
The CPRA introduces a number of key changes to the CCPA including sensitive personal information as a new category of personal information, additional and amended consumer data rights, expanded contractual requirements for service providers and third parties, and more. OneTrust DataGuidance has produced a What You Need To Know report summarising these key differences as well as updating the CCPA Portal with FAQs, texts, and other resources.
Key Requirements for CPRA Compliance
Sensitive Personal Information
A new category of consumers’ personal information was introduced to cover sensitive personal information. The use of sensitive personal information works on an opt-out basis, and organizations are required to make a ‘Limit The Use of My Sensitive Personal Information’ link clearly available on websites and homepages for consumers to access.
Examples of sensitive personal information include:
- Social security number
- Driver’s license number
- Passport number
- Precise geolocation
- Biometric or genetic data
Employee Data
The scope of the CPRA has been extended to include employee data. This also means that employees are entitled to exercise additional consumer privacy rights that were not previously available to them under the CCPA, including the rights to access, correction, and deletion.
Do Not Sell or Share
The CPRA extends the CCPA’s ‘Do Not Sell’ requirements to include and define the sharing of personal information. Organizations must now place a ‘Do Not Sell or Share My Personal Information’ link on company websites.
Risk Assessments
Similar to the General Data Protection Regulation (GDPR), organizations that perform large-scale processing activities that are likely to pose a risk to the consumer must complete regular risk assessments and submit them to the supervisory authority in California.
Covered organizations are also required to conduct an annual, independent cybersecurity audit. Further guidance on both risk assessments and audits is expected to be finalized by the end of 2022.
Enforcement
The CPRA provides for the establishment of an independent enforcement agency. The California Privacy Protection Agency (CPPA) will take over from the California Attorney General (AG) in monitoring compliance with the CPRA, further rulemaking, and imposing penalties for violations of the law.
Reaction & Analysis Webinar
OneTrust DataGuidance hosted an expert panel on November 9, 2020 for a webinar reacting to the CPRA and what the new privacy law means for businesses. In this webinar we discuss the key differences and similarities between the CPRA and the CCPA, and some of the key milestones businesses should be aiming for ahead of January 1, 2023.
Key takeaways include:
- How we got to where we are today and what lies ahead for businesses regarding compliance
- The most important differences between the CPRA and the CCPA
- The potential benefits that these changes bring to businesses
Further Reading:
- OneTrust DataGuidance Blog: The Definitive Guide to California Privacy Laws
- OneTrust Blog: Overview of the California Privacy Rights Act of 2020 (CPRA or CCPA 2.0)
- OneTrust Blog: CCPA vs. CPRA – What Has Changed?