Navigating California's new Privacy Regulations: CCPA and CPRA explained
The California Privacy Rights Act (CPRA) is a privacy law that went into effect on January 1, 2023. It builds upon and strengthens the California Consumer Privacy Act (CCPA), which was enacted in 2018. The CPRA grants California consumers new rights and protections with respect to their personal information, including the right to opt-out of the sale of their personal information and the right to request that their personal information be deleted.
The CCPA and the CPRA apply to businesses that do business in California, regardless of size. The CPRA expands the CCPA's coverage to businesses that meet one or more of the following criteria:
- Have annual gross revenues in excess of $25 million
- Buy, sell, or receive for the business's commercial purposes the personal information of 50,000 or more consumers, households, or devices
- Derive 50% or more of their annual revenues from selling consumers' personal information
So, if a business meets any of the above criteria, it will need to comply with both the CCPA and the CPRA. If a business does not meet any of the above criteria, it will only need to comply with the CCPA. The CCPA is not gone, but the CPRA builds on and expands the CCPA by providing additional protections for the personal information of California consumers.
What's new with the CPRA
Personal information (PI) is any information that is associated with an individual, whether it is electronic or in another format. Sensitive Personal Information (SPI) is PI that, if leaked, could easily infringe on an individual’s dignity, harm a person, or damage their property. Processing SPI requires a stated purpose, sufficient necessity, and stricter protective measures. Separate consent or opt-in steps are required, and written consent may be needed as well.
Sensitive Personal Information (SPI)
The CPRA introduces the Sensitive Personal Information (SPI) category, which, as noted above, is subject to more stringent disclosure and purpose limitation requirements. Specifically, the law says security measures should be appropriate to the data type; SPI would therefore need extra protection.
The CPRA gives consumers the right to ask organizations to limit the use of their SPI.
SPI includes highly sensitive data such as:
- Social Security number;
- Driver’s license;
- State identification card;
- Passport number;
- Financial account information and log-in credentials;
- Debit card or credit card number along with access codes;
- Precise geolocation data;
- Religious or philosophical beliefs;
- Ethnic origin;
- Contents of communication;
- Genetic data;
- Biometric information for the purposes of identification;
- Health information;
- Information about sex or sexual orientation.
New Consumer Privacy Rights
- Right to limit the use of personal information for targeted advertising - Consumers have the right to tell a business not to use their personal information for targeted advertising.
- Right to correct inaccuracies in personal information - Consumers have the right to request that a business correct any inaccuracies in their personal information.
- Right to know about personal information collection practices - Consumers have the right to know what categories of personal information a business collects, uses, and shares about them, as well as the specific pieces of personal information the business has collected about them.
- Right to non-discrimination - Consumers have the right to be free from discrimination for exercising their privacy rights under the CPRA.
Expanded Consumer Privacy Rights
- Right to delete personal information - Consumers can now request that a business instruct third-party vendors, service providers, or contractors to delete the personal information that the business might have sold or shared with them.
- Right to access - A business must provide all PI data specified in the CCPA, along with the categories of PI it has shared with third parties and the third parties it has shared the PI with.
- Right to opt-out of the sale of personal information - Data subjects now have the right to opt-out of both the sale and the sharing of their PI with third parties, including for the purposes of cross-context behavioral advertising.
- Right to data portability - Consumers have the right to receive their personal information in a portable and, to the extent technically feasible, readily usable format that allows them to transmit their information to another entity without hindrance.
Expanded Notification Requirements
- Required information in privacy notices - Privacy notices must now include more detailed information about the categories of personal information that are collected, used, and shared, as well as information about the rights of consumers under the CPRA.
- Notice of sharing with third parties - Businesses must now provide more detailed information about the categories of personal information that will be shared with third parties and the categories of third parties with whom the information will be shared.
- Notice of financial incentives - Businesses must now provide more detailed information about any financial incentives or price or service differences that are offered in exchange for the collection, sale, or deletion of personal information.
- Notice of sensitive personal information collection - Businesses must now provide more detailed information about the collection, use, and sharing of sensitive personal information (SPI) and must obtain explicit opt-in consent from consumers before collecting, using, or sharing SPI.
- Notice of right to opt-out - Businesses must now provide more detailed information about the right to opt-out of the sale of personal information and must provide a "Do Not Sell My Personal Information" link on their website.
- Notice of right to non-discrimination - Businesses must now provide more detailed information about the consumer's right to be free from discrimination for exercising their privacy rights under the CPRA.
Changes to Privacy Notices
The CPRA also has additional requirements for Privacy Notices. Starting from January 2023, organizations are required to modify their privacy notices to include three additional categories of disclosure:
- Disclose whether they share personal information about consumers along with details (the categories of PI shared and with whom).
- Disclose the length of time they intend to retain each category of personal information or if that is not feasible, the criteria they will use to determine that retention period.
- Make disclosures related to their collection, processing, and disclosure of “sensitive personal information.”
All of this information needs to be added to the business's Privacy Policy.
Violations Involving Children's Personal Information
The CPRA prohibits selling the personal information of a person under the age of 16 without their consent, as the CCPA does. However, under the CPRA, violations involving children’s personal information are treated like intentional violations, i.e., fines of $7500 per violation. This amendment gives children’s personal information extra protection under the CPRA.
CPRA Compliance checklist
To comply with the CPRA, businesses that operate in California or that collect personal information from California consumers will need to take a number of steps, including:
- Reviewing their privacy policies and practices to ensure that they are compliant with the new requirements of the CPRA.
- Updating their privacy policies to reflect the new rights and protections granted to California consumers under the CPRA.
- Training their employees on the requirements of the CPRA and how to handle consumer requests related to the law.
- Ensuring that any third-party service providers that handle personal information on their behalf are also compliant with the CPRA.
- Implementing technical measures to protect the personal information of California consumers from unauthorized access, use, or disclosure.
- Implementing processes for responding to requests from California consumers to exercise their rights under the CPRA, such as the right to opt-out of the sale of their personal information or the right to request that their personal information be deleted.
It is important to note that the requirements of the CPRA may vary depending on the size and type of your business and the personal information that you collect and process. After completing all of the checks above, we still advise consulting with an attorney or a privacy professional to ensure that you are fully compliant with the CPRA.
The CPRA and CCPA in the GDPR/CCPA app
The GDPR/CCPA app provides the tools to set up CCPA compliance for Shopify stores. The app generates a CCPA Compliance page and the specific "Do Not Sell Rule".
This CCPA Compliance page provides information about the types of personal information you collect, how it is used, and the rights that California residents have under the CCPA. The "Do Not Sell Rule" is part of the CCPA Compliance page. You can read more about it in our blog post "How to make your Shopify store compliant with the new CCPA Do Not Sell Rule?"
The current features of the app allow specific setups that are required by some of the CPRA rules. This includes the existing request present on the CCPA Compliance page and additional notices you can add to the Preferences popup, as shown:
This can be done by going to Cookie Bar tab > Cookie Bar Content section > Preferences Popup Text > 2. Preferences Popup Header Description.
At the moment, an update to the GDPR/CCPA app adding extended CPRA compliance is in progress.
What is the time frame?
The CPRA went into effect on January 1, 2023. This means that as of this date, businesses must be in compliance with the provisions of the CPRA in order to avoid penalties and fines. However, it's worth noting that the California attorney general's office has stated that it will not initiate enforcement actions until July 1, 2023, to provide businesses with additional time to come into compliance.
The GDPR/CCPA app will soon present the needed updates for our users to be fully compliant with the CPRA. For any specific questions, don't hesitate to reach out via chat or at our email address.