Published November 25, 2020.
The California Privacy Rights Act (CPRA) is a state-wide data privacy bill passed into law in the General Election 2020 – breaking new waves in the Pacific frontier of US data protection.
The California Privacy Rights Act (CPRA) takes effect on January 1, 2023, and becomes fully enforceable on July 1, 2023 – with a lookback period from January 1, 2022.
In this blogpost, we break down the California Privacy Rights Act (CPRA) and what consequences it might have for your website and business.
Cookiebot consent management platform (CMP) already includes full compliance with California’s CCPA and we welcome a stronger, more GDPR-like addendum in the Golden State.
The California Privacy Rights Act (CPRA) is a new state-wide data privacy bill passed into law on November 3, 2020.
It underscores California’s position as the US frontier in data privacy legislation, as it significantly expands upon the existing California Consumer Privacy Act (CCPA) that took effect on January 1, 2020.
In short, the California Privacy Rights Act (CPRA) works as an addendum to the CCPA – strengthening rights of California residents, tightening business regulations on the use of personal information (PI), and establishing a new government agency for state-wide data privacy enforcement called the California Privacy Protection Agency (CPPA), among key changes to the Golden State’s data privacy regime.
The California Privacy Rights Act (CPRA) becomes fully effective on January 1, 2023. Enforcement is scheduled to begin on July 1, 2023 – with a so-called lookback period to January 1, 2022, meaning data collected from that date on is liable for compliance.
California Privacy Rights Act (CPRA) breaks dawn on new and updated data privacy regime on the West Coast.
California Privacy Rights Act (CPRA) quick breakdown –
Timeline for California Privacy Rights Act (CPRA) –
Cookiebot CMP offers compliance for your website with California’s data privacy regime.
You might be wondering how the California Privacy Rights Act (CPRA) works with the existing California Consumer Privacy Act (CCPA)?
A simple answer is that California has one, overarching legal data privacy regime that was established by the CCPA on January 1, 2020, and to which the CPRA is an overlay more than a new law in itself.
Where the CCPA was a whole new foundation being paved across California’s digital infrastructures, the CPRA is a renovation of this foundation – cleaning up potholes of ambiguities, adding additional regulations for traffic, and constructing new safeguards for end-users travelling along.
In this way, California doesn’t really have two separate data privacy laws, but one data privacy regime consisting of the CCPA/CPRA setup.
Amending the CCPA law text, the California Privacy Rights Act (CPRA) is literally a rewrite.
That’s because the CPRA is written in such a way that it only refers to the existing CCPA foundation – sometimes expanding existing provisions, sometimes adding entirely new ones, but always referring back to the original CCPA law text itself.
Being the frontier of US data privacy law, the CCPA paved a road which the CPRA is now reinforcing.
Cookiebot CMP is the world’s leading consent management platform (CMP), offering compliance with the California Consumer Privacy Act (CCPA) today.
Our solution will continue to offer full compliance with the new and updated data privacy regime, once the CPRA goes into effect in January 2023.
In fact, our CMP offers plug-and-play compliance with all major data privacy laws – from the EU’s GDPR/ePR to California’s CCPA/CPRA, Brazil’s LGPD and South Africa’s POPIA.
Our solution is built around a powerful website scanner that detects all cookies, trackers and third-party trojan horses on your domain – giving you full transparency and control over your website’s collection and sharing of personal information.
The Cookiebot CMP geotargeting feature automatically determines the location of your users, allowing your website to accurately present each end-user with the correct compliance solution specific to the applicable data privacy regime – GDPR/ePR if users are from the EU, CCPA/CPRA if users are from California.
Try Cookiebot CMP with Google Consent Mode for full compliance without breaking your website’s analytics.
Try Cookiebot CMP free for 30 days – or forever if you have a small website
Let’s break down the California Privacy Rights Act (CPRA) into even smaller pieces to understand exactly how it changes, expands and renews the state-wide CCPA-established data privacy regime that has been in place and in effect since January 1, 2020.
As mentioned, the California Privacy Rights Act (CPRA) is an addendum to the California Consumer Privacy Act (CCPA), and so functions as a series of significant amendments to the existing CCPA law text.
The major changes that the CPRA makes to the CCPA consist of –
Solidifying data privacy in California, the CPRA is resistant to most legal attempts at loosening its strength.
In addition, the California Privacy Rights Act (CPRA) also secures data privacy law in California in a different way than the CCPA did, since the CPRA includes provisions requiring any amendments to the law to be consistent with its purpose and intent, making it almost legally impossible to be watered down.
This is perhaps one of the most significant changes, since it makes the law practically waterproof from any attempts to dilute its privacy protections or water down business regulations from industry pressure or special interests.
Barring the passing of a federal data privacy law or a future ballot initiative, California’s updated data privacy regime (CCPA/CPRA) seems to be here to stay for a while.
Let’s break down the new CPRA changes!
In California, the CPRA creates a new category of personal information – the so-called sensitive personal information (SPI).
Sensitive personal information (SPI) includes –
Sensitive personal information (SPI) is regulated separately from normal personal information, with users having expanded rights over how their SPI is used, including the right to have collected SPI disclosed, the right to opt out of SPI use, and the requirement that businesses obtain consent before using SPI again once users have opted out.
The California Privacy Rights Act (CPRA) rewrites the requirements for how your website enables consumers to opt out of having their PI sold or shared and adds a requirement for how your website enables users to exercise their right to limit the use of their SPI.
The CPRA amends the CCPA’s Do Not Sell button, so that your website will have to provide a link titled “Do Not Sell Or Share My Personal Information” – adding “or share”, as the CPRA does in many other places.
The CPRA also creates a new, similar requirement for your website to provide a link titled “Limit The Use Of My Sensitive Personal Information” that enables California residents to limit the use and disclosure of their SPI.
In addition, the CPRA encourages businesses to make “a single, clearly-labeled link” that easily allows a consumer to simultaneously opt-out of sale or sharing of PI and limit the use or disclosure of the consumer’s SPI.
The California Privacy Rights Act (CPRA) changes who is liable under the CCPA.
The CPRA amends the CCPA’s definition of business to be a website, company or organization that (changes in bold) –
These changes are likely to tilt compliance from smaller companies to larger ones, whose businesses are more heavily reliant on the collection and sharing of personal information, both in scope (from 50,000 to 100,000 consumers or households) and in method (from only covering selling to also covering sharing).
Redrawing the scope of California’s data privacy regime will create liabilities for different businesses.
The California Privacy Rights Act (CPRA) creates four new rights and modifies five existing rights for California residents.
The four new CPRA rights are –
The five modified CPRA rights are –
The California Privacy Rights Act (CPRA) amends the CCPA to specifically regulate behavioral advertising that uses personal information to target California residents with marketing based on profiling.
Where the CCPA defined the right to opt out as restricting the use, selling and sharing of personal information for advertising purposes in exchange for money, the CPRA creates two separate types of advertising – cross-context behavioral advertising and non-personalized advertising.
The former is regulated by the right to opt-out, whereas the latter isn’t.
Behavioral advertisement is a billion-dollar industry, now being regulated tighter in California.
Having the right to opt out of behavioral advertising means that California residents can ask businesses to stop sharing their personal information with third parties, to avoid being targeted with advertising based on behavioral data – ranging from their search, browser and purchase history, online preferences, device settings and geolocation to how they scroll and click on a website.
Non-personalized advertisement, on the other hand, is defined by the CPRA as a business purpose, and therefore exempt from any requirements for opting out.
Rather than the CCPA opt-out right for personal information in general that California residents enjoy today, the CPRA now specifies its regulations to concern only PI used for behavioral advertisement.
As a first in the US, California will have a data protection authority comparable to the GDPR-mandated national DPAs that supervise and enforce the EU’s data privacy laws.
The California Privacy Protection Agency (CPPA) will become the leading enforcer and supervisor of the CCPA/CPRA with authority to investigate and fine violations.
By establishing the California Privacy Protection Agency (CPPA), the CPRA moves the enforcement responsibilities currently resting with the Office of the Attorney General to the new government agency, which will start enforcement from July 1, 2023.
The California Privacy Protection Agency (CPPA) has full enforcement authority over the CCPA/CPRA regime, as well as authority to investigate potential breaches and violations, and to draft enforcement regulations.
In addition, the CPRA cancels the grace period of 30 days that businesses have after being notified of an alleged breach or violation, and raises the maximum on fines for violations.
In another first for California, the CPRA introduces three additional requirements for businesses that are closely modelled after the EU’s GDPR regime:
Under the CPRA-amended data privacy regime in California, a website or business can only collect, use and share Californians’ personal information if it’s in accordance with what is reasonably necessary and proportionate to the collection purpose (data minimization).
In other words, you’re not allowed to collect or share more data than what is strictly necessary for your stated purpose of collection.
Bringing California closer to the GDPR’s data privacy standards could yield a future adequacy decision from EU.
Likewise, a website or a business is not allowed to collect, use or share Californians’ PI for a new purpose without first stating so, just like you’re not allowed to collect or share data without any stated purpose at all (purpose limitation).
The CPRA also amends the CCPA so that a website or business will be required to notify (at the point of collection) Californian residents about the retention time of each collected category of personal information, meaning that users have a right to know for how long their data will be stored after collection (storage limitation).
The California Privacy Rights Act (CPRA) also expands the CCPA’s current consent requirements, perhaps the most GDPR-like feature of California’s data privacy law, to include –
With the passing into law of the California Privacy Rights Act (CPRA), California’s data privacy regime has been significantly updated – only a year after the California Consumer Privacy Act (CCPA) went into force.
The California Privacy Rights Act (CPRA) is a clear signal that the Golden State is moving full speed ahead on the US frontier of data privacy.
Even though the CPRA won’t go into full effect until January 2023, and won’t be enforced until July 2023, websites, businesses and organizations that have users from California should prepare for compliance.
Cookiebot CMP already offers full CCPA compliance for your website’s cookies and trackers – alongside compliance with other major data privacy laws like the EU’s GDPR, Brazil’s LGPD and South Africa’s POPIA.
The California Privacy Rights Act (CPRA) is a state-wide data privacy bill that amends and expands the existing California Consumer Privacy Act (CCPA). The CPRA works as an addendum to the CCPA, strengthening data privacy rights for California residents, tightening business regulations and establishing the California Privacy Protection Agency (CPPA) as lead enforcer and supervisor.
The California Consumer Privacy Act (CCPA) laid the foundation for data privacy law in the state of California, when it entered into effect on January 1, 2020. The California Privacy Rights Act (CPRA) isn’t a new law in itself, so much as it is a rewrite of the CCPA. Together, the CCPA/CPRA form one data privacy regime in California.
The California Privacy Rights Act (CPRA) takes effect on January 1, 2023 with a lookback period to January 1, 2022. The California Privacy Protection Agency (CPPA) will begin enforcing the CPRA from July 1, 2023.
If you’re already in compliance with the CCPA, you need to change certain practices and add new data privacy features to your business’ website. Using Cookiebot CMP already offers your website full control of data collection, respecting user opt-out for CCPA compliance.