
California Privacy Rights Act (CPRA): Guide for employers


There are a number of data privacy laws around the world, including Europe’s GDPR and Canada’s PIPEDA. These laws aim to protect citizens and establish guidelines for how businesses may process and handle personal data. In the US, the most comprehensive state data privacy legislation is the California Privacy Rights Act (CPRA), which became fully operative on January 1, 2023.

In this post, we are going to answer questions like “What is CPRA?” and “How does the California Privacy Rights Act (CPRA) compare to the CCPA?”. We will also explain which GDPR principles the Act has adopted and provide definitions for terms including “private right of action” and “sensitive personal information”. This will help you comply with the law and reduce the risks associated with non-compliance. 


What is the California Privacy Rights Act (CPRA)? 

There is no all-encompassing US federal employment law relating to employee data protection. Instead, there is a vast range of data privacy and data security laws, enacted at both the federal and state levels, that serve to protect the personal data of U.S. employees and consumers. One such example is the California Privacy Rights Act (CPRA).

So, what is CPRA?

California is known for its progressive laws, especially those enacted in more recent years. Examples of these trailblazing laws include the California Pay Transparency Law and the California Family Rights Act (CFRA), which protects an employee’s right to take bereavement leave, amongst other provisions. The CPRA is another example of how the State of California is leading the way in terms of consumer and workplace protections.

The California Privacy Rights Act (CPRA) is a US data privacy law targeted at businesses based or operating in the state of California. It was adopted via referendum and went into effect on January 1, 2023. At its core, it aims to protect data privacy rights, including those of employees and consumers. It also expands on existing data privacy laws (namely the CCPA, which was enacted in 2018) and defines how businesses must operate when they collect, store, use, and share employee and consumer data.

Specifically, under the CPRA, the citizens of California have gained a number of new rights, including the right to:

  • Correct personal information
  • Prevent the use of sensitive personal information
  • Opt out of personal information being shared with third parties

As the first comprehensive consumer privacy legislation of its kind in the U.S., the CPRA is changing the way companies do business and serves as a potential model for other states looking to improve their data privacy laws.

Does CPRA replace CCPA? 

Many people confuse the California Consumer Privacy Act (CCPA) with the California Privacy Rights Act (CPRA). However, they are not the same thing.

Let’s take a look at some of the key differences between the CPRA and the CCPA.

The California Consumer Privacy Act (CCPA) was signed into law in 2018 and went into effect on January 1, 2020. It established a range of business obligations and consumer privacy rights relating to the collection and sale of personal data.

This included a consumer’s right to:

  • Opt out of the sale of their personal data
  • Delete personal information collected about and from them
  • Nondiscrimination for exercising their CCPA rights 

The California Privacy Rights Act (CPRA), also known as Proposition 24, doesn’t replace the CCPA. Instead, it significantly amends and expands the existing provisions of the CCPA.

These additions include:

  • The right to opt out of cross-contextual advertising.
  • Contractual commitments from service providers relating to the protection and use of personal data, including how long a business can retain each category of personal data, which should be explained in a company’s public consumer privacy notice.
  • The protection of employment data, not just consumer data.

The CPRA also expands the definition of breach liability. As a result, liability now also takes into account unauthorized access to or disclosure of certain data elements (email addresses, passwords, security questions, etc.). It has also added new provisions establishing a new government agency for the enforcement of data privacy laws in California, known as the California Privacy Protection Agency (CPPA).

Data protected under the California Privacy Rights Act (CPRA)

As an employer or small business owner based or operating in California, it’s important to understand which data is protected under the California Privacy Rights Act (CPRA). 

Essentially, any personal data that could be used to identify an employee or a consumer is covered by the CPRA.

This includes, but isn’t limited to:

  • Names
  • Email addresses 
  • Phone numbers
  • The contents of phone calls, emails, and text messages
  • Social Security Numbers (SSN)
  • Physical addresses 
  • Driver’s license numbers
  • State identification cards
  • Passport numbers
  • Account login information
  • Bank account numbers
  • Debit and credit card numbers 
  • Any data related to geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, or genetic and biometric information
  • Any other personally identifiable information

The CPRA does not classify information that is publicly available from governmental records as personal information. 

Changes and expansions under the California Privacy Rights Act (CPRA)

Let’s take a look now at some of the changes and expansions under the California Privacy Rights Act (CPRA).

There are 6 main differences between the CCPA and the CPRA that you need to be aware of.

These relate to:

  • The criteria for qualifying as a business
  • Modified consumer privacy rights
  • A new category of protected data
  • The adoption of GDPR principles
  • The expansion of the private right of action 
  • The creation of a new privacy enforcement authority

Let’s take a look at these points in a bit more detail.

Criteria for qualifying as a business 

An important change relates to the criteria for qualifying as a business.

Let’s look first at what the thresholds were under the CCPA.

According to the CCPA, data privacy provisions applied to all for-profit businesses that met one or more of the following thresholds:

  • Has an annual gross revenue of over $25 million
  • Makes 50% or more of its annual revenue from selling personal data
  • Buys, sells, or receives the personal data of 50,000 or more California residents for commercial purposes, alone or jointly.

The CPRA has expanded these guidelines. The law now applies to for-profit legal entities that meet one or more of the following thresholds:

  • Has an annual gross revenue of over $25 million
  • Makes 50% or more of its annual revenue from selling or sharing personal data
  • Buys, sells, receives, or shares the personal information of 100,000 or more households or consumers annually, alone or jointly

5 modified consumer privacy rights 

The CPRA has also modified and expanded the definition of consumer privacy rights.

Previously, the CCPA created 5 specific rights for consumers.

This included the right to:

  • Know what personal information is collected, used, and shared with third parties, including where it was collected from, why it was collected, and, if sold, to whom.
  • Delete any collected personal data.
  • Opt out of the sale of personal data (if applicable).
  • Non-discriminatory treatment for exercising any rights.
  • Initiate a private cause of action for data breaches.

The CPRA has included 2 additional consumer privacy rights:

  • Firstly, the right to correct inaccurate personal information.
  • Secondly, the right to limit the disclosure and use of sensitive personal information. This includes stopping their data from being collected and shared across a complex targeted advertising ecosystem (e.g., by automated decision-making technology, including profiling).

New category of protected data: SPI 

Another important change relates to the definition of personal data.

The California Privacy Rights Act (CPRA) has introduced a new classification of personal information (PI), referred to as sensitive personal information (SPI). It has also introduced additional use, disclosure, and opt-out requirements relating to sensitive personal information.

As we mentioned above, according to the CPRA, sensitive personal information includes:

  • Names
  • Email addresses 
  • Phone numbers
  • The contents of phone calls, emails, and text messages
  • Social Security Numbers (SSN)
  • Physical addresses 
  • Driver’s license numbers
  • State identification cards
  • Passport numbers
  • Account login information
  • Bank account numbers
  • Debit and credit card numbers 
  • Any data related to geolocation, racial or ethnic origin, religious or philosophical beliefs, union membership, or genetic and biometric information
  • Any other personally identifiable information

Essentially, if you collect any of this data from your workforce (which you undoubtedly do), then your employees have the right, under the CPRA, to receive notice of said collection. They also have the right to be notified if you sell or share any of this sensitive data, and the right to delete, correct, or opt out of data-sharing arrangements. If an employee exercises any of these rights, you must comply with their request within 45 days of notification.

3 GDPR Principles adopted 

Many businesses in California have noted the similarities between the CPRA and Europe’s General Data Protection Regulation (GDPR), which came into force in 2018. Generally speaking, they are right. In fact, the CPRA has adopted a number of GDPR principles.

These GDPR principles, guided by the concept of lawfulness, fairness, and transparency, relate to:

  • Data minimization: Companies are required to limit the collection of personal data to what is directly necessary and relevant to the nature of the business.
  • Storage limitation: Businesses are only permitted to retain and store personal data for a reasonable amount of time.
  • Purpose limitation: Businesses can only collect personal data for explicit, specific, and legitimate disclosed purposes.

This makes it much easier to ensure compliance with both laws if your business is operating in both US and European territories. 

Moreover, much like the GDPR, the CPRA also establishes a specific governing body for regulating the provisions of the Act. This body is known as the California Privacy Protection Agency (CPPA), and it has full administrative power, authority, and jurisdiction to implement and enforce the CPRA.

Expanded private right of action 

A further important change relates to a consumer’s private right of action.

But, what does this mean?

Basically, the California Privacy Rights Act (CPRA) has expanded the CCPA’s scope for the private right of action. Under the terms of the new law, employees and consumers have the right to file a claim if they believe there has been a breach of their personal data. The CCPA already included provisions for a private right of action, but the CPRA has expanded them so that they now also cover additional types of personal information: email addresses, security questions and answers, and passwords.

New privacy enforcement authority: CPPA 

Finally, as we mentioned above, the California Privacy Rights Act (CPRA) includes the establishment of an official governing body. This governing body is known as the California Privacy Protection Agency (CPPA), and it is directly responsible for regulating the Act. It has the authority to investigate claims of data privacy breaches and enforce corrective actions, including the assignment of non-compliance penalties. Moreover, the CPPA is also responsible for promoting awareness of the CPRA and has the power to issue further regulations where applicable.

Previously, the CCPA was enforced by the California Office of the Attorney General (OAG). Now, a dedicated governing body is exclusively responsible for enforcing the protection of sensitive personal information. This should hopefully result in higher levels of data privacy compliance in the state.

Consumer rights under the California Privacy Rights Act (CPRA)

Under the terms of the California Privacy Rights Act (CPRA), your employees and customers have the right to:

  • Be informed of the data you are collecting and their corresponding rights.
  • Request that you disclose what sensitive personal information you have collected, and what the specific purpose of collecting this data is. 
  • Correct any sensitive personal information that you hold. 
  • Limit how you use their sensitive personal information unless it is necessary for you to perform the services or provide the goods they are requesting. 
  • Opt out of third-party data sales.
  • Take legal action if you expose their non-encrypted sensitive personal information.
  • File a claim for violations of the CPRA involving the personal information of consumers under the age of 16. 

Obligations/requirements for businesses 

As an employer or business owner, if you qualify under the provisions of the California Privacy Rights Act (CPRA),you have a number of specific obligations.

In particular, these obligations mean you have to:

  • Provide your customers with notice of their consumer rights in the form of an “at time of collection” privacy policy. In the case of employees, you also have an obligation to post an employee privacy statement in your place of business and ensure your employees understand what personal information you have collected from them.
  • Honor these consumer rights.
  • Fulfill all your obligations relating to the disclosure and retention of sensitive personal information.
  • Facilitate consumer requests relating to the omission, retraction, or sharing of sensitive personal information unless you specifically require access to this information in order to provide the products or services that a consumer has requested.
  • Facilitate requests relating to the disclosure and amendment of sensitive personal information.
  • Implement security safeguards, such as the encryption of sensitive personal information.


Enforcement and penalties 

So, what happens if you don’t comply with the CPRA?

In the event of non-compliance with any of the obligations established by the California Privacy Rights Act (CPRA), the California Privacy Protection Agency (CPPA) has the right to impose a number of penalties.

What are these penalties?

Basically, these include:

  • Civil penalties of up to $7,500 per intentional (willful) violation or $2,500 per unintentional (negligent) violation.
  • Damages. Consumers are entitled to statutory damages of no less than $100 and no more than $750. 
  • Non-monetary relief. If an employee or consumer files a claim for a security breach violation, they are also entitled to seek injunctive or declaratory relief, as well as any other relief the court deems appropriate.

Unquestionably, the best way to avoid these penalties is to implement standards and procedures that ensure you handle all consumer and employee data in a responsible and ethical manner. For example, you should develop stronger data protection processes and controls and adapt to any new data privacy compliance requirements that might be added to the Act in the future.

California Privacy Rights Act (CPRA) compliance tips 

Above all, there are two main aspects you need to consider and evaluate to ensure CPRA compliance:

  • What changes do you need to make to your internal processes, policies, procedures, and systems to ensure ongoing compliance?
  • How will you notify your customers, partners, and employees of the changes and their additional rights under the CPRA?

Here are a few additional tips to help you with this:

  • The first step is conducting a detailed audit of the data your organization collects. Above all, make sure you understand the types of data you collect, why you collect it, how you handle it, and how you protect it. You should also identify which categories of data are sensitive personal information and consider stopping the collection of any data that is not strictly necessary for the purpose of your business.
  • Secondly, make sure your employees and customers are aware of their rights under this law.
  • Thirdly, review and update your internal processes, policies, procedures, and systems so that they comply with all requirements of the CPRA.
  • Additionally, update your privacy notice so that it aligns with CPRA disclosure requirements.
  • Likewise, it’s also a good idea to update your contracts with employees, service providers, contractors, and third parties to ensure they include the required CPRA provisions.
  • Moreover, conduct a comprehensive privacy and cybersecurity risk assessment.
  • Lastly, use an encrypted document management system to handle all the SPI that you collect, store, and manage.

Ultimately, by understanding all your obligations under the California Privacy Rights Act (CPRA) and designing a comprehensive plan of action to ensure compliance, you can successfully avoid undesirable enforcement penalties. Above all, this is important because non-compliance not only damages your company’s finances but can also harm your brand and reputation.

Cat Symonds is a freelance writer, editor, and translator. Originally from Wales, she studied Spanish and French at the University of Swansea before moving to Barcelona where she lived and worked for 12 years. She has since relocated back to Wales where she continues to build her business, working with clients in Spain and the UK.  Cat is the founder of The Content CAT: Content And Translation, providing content development and translation services to her clients. She specializes in corporate blogs, articles of interest, ghostwriting, and translation (SP/FR/CA into EN), collaborating with a range of companies from a variety of business sectors. She also offers services to a number of NGOs including Oxfam Intermón, UNICEF, and Corporate Excellence - Centre for Reputation Leadership.  For more information or to contact Cat visit her website (thecontentcat.com) or send her a message through LinkedIn.
