California’s Consumer Privacy Rights Act: What you need to know
In November 2020, California voters approved a consumer data privacy law that adds significant rights to the existing California Consumer Privacy Act (CCPA) of 2018. The California Privacy Rights Act (CPRA) amends and expands the breadth of requirements introduced under the CCPA to give California residents more control over how businesses collect, use, process, retain, and share their personal data.
The CPRA offers more stringent protection of consumer privacy rights and also creates the California Privacy Protection Agency (CPPA), the first state agency dedicated to protecting individual privacy rights. Companies will be expected to start complying with the CPRA in January 2023, with enforcement scheduled to begin in July 2023. (But, note that it applies to data collected starting Jan. 1, 2022, so businesses should now be applying the CPRA’s expanded definition of “private data.”)
CPRA advocates believe the law will not only strengthen consumer rights under the existing CCPA but also help drive the push for national data privacy standards. Significant changes include:
A higher threshold for compliance
The volume of consumer personal information (PI) that an organization must process to qualify as a business under the scope of these protections has been raised. Any organization that processes the records of 100,000 California consumers or households will be required to comply with the CPRA, up from the 50,000 threshold stipulated by the CCPA.
Establishes an enforcement oversight agency
The CPRA establishes a new enforcement agency, the California Privacy Protection Agency (CPPA), that will be responsible for upholding the rules and levying penalties for violations. Previously, the California state attorney general was responsible for oversight and enforcement. Enforcement will include administrative proceedings and fines that range from $2,500 to $7,500 per violation. In particular, the CPRA raises penalties for violations involving consumers under the age of 16 to $7,500 per incident.
The CPRA will require regulatory guidance mandating ongoing risk assessments and cybersecurity audits. Presumably, the results of these assessments and audits will be submitted to CPPA for review. In certain cases, the CPPA will maintain the right to audit companies in order to gauge their compliance.
The CPRA will also eliminate the 30-day “cure” period in which violators can address infractions. Instead, the CPPA will be able to set a time period for curing based on the intent of the business to violate privacy provisions.
Expanded consumer rights
The CPRA adds two new rights to the four created by the CCPA: the right to correction – companies that receive “verifiable consumer requests” to correct reportedly inaccurate personal information will be required to use “commercially reasonable efforts” to do so – and a right to place limits on how a business uses and discloses their personal information.
It also expands on three existing rights:
- Right of deletion: Service providers, contractors, and third parties will be required to cooperate with businesses’ requests to delete personal information.
- Right to know: The CPRA expands the consumer’s right to know what personal information has been collected, as well as the duration of its data retention.
- Right to opt out: The CPRA strengthens an individual’s right to opt out of sharing personal information for cross-contextual behavioral advertising.
Expansion of private right of action
Under the CPRA, a consumer will be able to bring claims against a company for unauthorized access to or disclosure of an email address and password. Consumers can also take action against a company if a security question and answer that permits access to the consumer’s account is disclosed, leading to exposure of user data.
Companies can prepare for CPRA by taking the following proactive steps:
- Update their consumer privacy notices in line with CPRA requirements.
- Review and update their procedures to respond to consumer data requests.
- Review their liability insurance policy to confirm that it covers data breaches. If not, procure specific cyber liability insurance. If they already have cyber liability insurance, review the coverage in light of the higher penalty amounts under CPRA.
- Perform a comprehensive cybersecurity assessment to identify any gaps in their security controls.
While there is no way to predict how the CPRA will evolve over time, one trend we are seeing is the move toward more stringent privacy laws. To be prepared, security and business leaders should continually be proactive about their cybersecurity and privacy programs so they can react agilely to changes and help deflect risks.
InsightSEC proposes new rules on public company cybersecurity incident reporting, risk management disclosuresBhavesh VadhaniPublic companies could face a tight new timeline for disclosing material incidents, plus mandates to detail how they manage cyber risk. Read more.
InsightNew law requires ‘critical infrastructure’ organizations to report cybersecurity incidents, ransomware paymentsBhavesh Vadhani, Daryouche Behboudi, Deborah NitkaThe Cyber Incident Reporting for Critical Infrastructure Act requires certain entities to report attacks within 72 hours, ransomware payments within 24.
InsightFuture of cannabis – Cannabis Quarterly insights, Q1 2022Read our team’s perspectives on taxation, data strategy, and data privacy (including California’s CPRA) in CohnReznick’s CannaQuarterly newsletter.
InsightSEC proposes cybersecurity rules, incident disclosure for investment funds and advisorsIn addition to strengthening threat management, information protection, and other key areas, the SEC aims to boost board oversight. Read more.