CPRA: What You Need To Know
The California Privacy Rights Act (CPRA), or Proposition 24, was passed with a 56% majority of California voters in the California General Election of November 3, 2020. The first version of the ballot initiative was introduced in September 2019 by Alastair Mactaggart, Board Chair and Founder of the Californians for Consumer Privacy group and proponent of the California Consumer Privacy Act (CCPA), which the California Legislature passed in June 2018.
CPRA: What you need to know - FAQs
Who does CPRA apply to?
The CPRA applies to businesses that collect the personal information of California residents and determine the business purpose for using the personal information within California.
The CPRA has a slightly broader application threshold than the CCPA and applies to businesses that meet one of the following criteria:
- Have annual gross revenue of over $25 million
- Buy, sell, or share the personal information of 100,000 or more California residents or households
- Derive 50% or more of their annual revenue from selling or sharing the personal information of California residents
Does CPRA apply to non-profits?
No. The CPRA applies explicitly to for-profit businesses operating in California.
When does the California Privacy Rights Act (CPRA) take effect?
The CPRA will enter into effect on January 1, 2023. The CPRA will apply to consumers’ personal information collected on or after January 1, 2022.
Does CPRA replace CCPA?
The CPRA amends several provisions of the CCPA; the CCPA and its associated Regulations will continue in effect as they currently are. When the CPRA enters into effect on January 1, 2023, it will become the primary piece of data privacy legislation in California, and the parts of the CCPA that are not affected by the CPRA will continue unchanged.
What is sensitive personal information under the CPRA?
The CPRA introduces a new definition for sensitive personal information. Under the CPRA, sensitive personal information includes:
- Social security number, driver's license number, state identification card, or passport number
- Account log-in, financial account information, debit card or credit card details
- Precise geolocation
- Racial or ethnic origin, religious or philosophical beliefs, or union membership
- The contents of a consumer's mail, email, and text messages, unless the business is the intended recipient of the communication
- Genetic data
- Biometric information for the purpose of uniquely identifying a consumer
- Personal information concerning a consumer's health or a consumer's sex life or sexual orientation
Organizations can use sensitive personal information unless instructed otherwise by the individual. Organizations using sensitive personal information must provide consumers with a privacy notice as well as a clear and conspicuous link on the company’s internet homepage(s), titled “Limit the Use of My Sensitive Personal Information”.
What are CPRA risk assessments and cybersecurity audits?
Businesses that perform processing activities that are likely to present a significant risk to the consumer must conduct regular risk assessments and submit these to the California Privacy Protection Agency (CPPA). Risk assessments must identify and balance the benefits of the processing against the potential risks to the consumer.
The CPRA also requires businesses that perform processing activities that are likely to present a significant risk to the consumer to conduct cybersecurity audits on an annual basis.
Further regulations relating to risk assessments and cybersecurity audits are expected to be released in the second half of 2022.
Will there be a new regulator?
The CPRA provides for the establishment of an independent enforcement agency, the CPPA. It is the responsibility of the CPPA to enforce the CCPA’s requirements and to act against organizations for non-compliance; the CPPA will take over this role from the California Attorney General.
The CPPA will be governed by a five-member board serving eight-year terms and is currently chaired by Jennifer Urban.
Follow OneTrust DataGuidance on LinkedIn to keep up to date with new resources, insights, and more.