What Businesses Need to Know about the California Privacy Rights Act (CPRA)

By Guy Cohen, Head of Policy at Privitar

Last week, Californian voters approved Proposition 24 (also known as the California Privacy Rights Act of 2020, or CPRA), a ballot initiative intended to build upon the state’s current privacy legislation, the California Consumer Protection ACT (CCPA) of 2018.

What is the California Privacy Rights Act (CPRA)

The CPRA moves closer to the GDPR; bringing in an independent regulator, the right to correct inaccurate information, data minimization, and purpose limitation, and more.

While the CPRA will most directly impact Californian citizens and the organizations that do business with them, people from across the United States are largely in favor of taking a similar approach to consumer privacy protection. A post-election Privitar poll of 1,000 American consumers run by market research firm Dynata found that:

83% of consumers wish they had a similar law to Prop. 24
72% want a national data privacy protection law (21% believe state law is enough)
More than half of consumers (58%) would be more likely to support a candidate who supported stronger data protection

For organizations wondering what the U.S. privacy landscape might look like in a few years’ time, this is instructive but by no means conclusive.

For organizations that do business in California and/or with Californian residents, there are some clear considerations that should be taken into account today to prepare for the CPRA’s eventual enforcement.

What are the biggest differences for businesses from CCPA?

The CPRA makes a wide range of changes to the CCPA. Three significant changes in business should be aware of are:

Fines and claims have been made a little tougher.
Fines for unintentional violations relating to children’s data have been tripled and the 30-day‘ cure’ provision, whereby an organization had 30 days to try and remedy a breach, has been removed.
Consumers can opt-out of all sharing.
Under the CCPA the “opt-out” only relates to selling data. While the definition of sale was very broad, the CPRA is even broader, extending it to all data sharing.
Consumers can opt-out of secondary uses of sensitive data.
The CPRA introduces a new category of data: sensitive data. This includes things like health information, information about race or sexual orientation, personal messages, and precise geolocation. Under the CPRA, for sensitive data, consumers can opt-out not just from sharing from one company to another, but also any secondary uses of the data within a company. That means consumers can request their data not be used for any purposes beyond what is necessary to provide the goods or services.

What do businesses need to do to prepare?

Although the CPRA won’t come into effect for a little over two years, preparing for some of the changes may take time, and so it is worth starting thinking about what the CPRA means for your business now.

For example, limits on both data sharing and internal secondary uses of sensitive data may reduce many organizations’ ability to gain insights and extract value from the data they hold.

To understand how this may affect you, start by looking at what data you currently share, or have shared with you, and whether you hold data classified as ‘sensitive’ under the new definition. If you do, consider what the impact would be if your consumers decided to opt-out and how you might mitigate this risk. Would providing better privacy protections and greater transparency reduce the likelihood of consumers opting out? Could you use de-identified data that is out of the scope of the law?

Strategies such as these, if pursued, may take time to implement, meaning it’s worthwhile starting now.