California was the first state in the U.S. to enact a consumer privacy statute, the California Consumer Privacy Act (“CCPA”). Via a successful ballot initiative, the CCPA was amended by the California Privacy Rights Act (“CPRA”) to enhance and expand the rights and protections that the CCPA provided. This article offers a summary of the new rights and protections provided by the CPRA, which became effective at the beginning of 2023. Note that both the CCPA and the CPRA are mainly enforced by a California agency called the California Privacy Protection Agency.
CCPA now covers employees and business-to-business personal data
The original CCPA did not cover the personal information of employees or personal information collected in business-to-business relationships. The CPRA changed that. Now, the CCPA’s data collection, notice, consent, and protection protocols apply to employee data and business-to-business data.
New category of personal information: “sensitive personal information”
Under the original CCPA, the consumer data to be protected was data that allowed a person to be specifically identified such as social security numbers, names, addresses, biometric data, etc. The CPRA created a new category called “sensitive personal information” (“SPI”) which overlaps to a degree with the other categories called “personal identification information.” SPI is entitled to a higher level of protection. SPI includes:
- Racial origin
- Ethnicity
- Religious, political and philosophical beliefs
- Sexual orientation and identity
- History of one’s sex life
- Contents of mail, email and text messages
- Medical history and status
- Financial history and status
- Precise geolocation
- Genetics
- Biometrics
- Social security number
- And more
Several new consumer rights
The CPRA created several new rights for consumers. Under the earlier CCPA, consumers were given certain rights such as the right to know what information was collected, whether the information was sold, to whom it was sold, etc. The CPRA adds to these rights and protections. For example, consumers, employees, and those in B2B relationships have a right to limit the use of SPI to only that “which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services.” This right includes a right to limit how long a company collecting, buying, processing, sharing, or using the SPI can keep the data. To facilitate the exercise of these rights, the CPRA mandates the prominent placement of a hyperlink called “Limit the Use of My Sensitive Personal Information.”
The CPRA also extends the previous opt-out rights to include SHARING of personal information and/or SPI. Under the original CCPA, consumers could only opt out of the SALE of their data. In reality, this is a new right to opt out of targeted advertising. “Sharing data” is defined as transferring or making available data for the purposes of “cross-context behavioral advertising.” Another new right is the right to correct all data including SPI. Finally, the CPRA creates the right to opt out of “automated decision-making technology.”
These and other changes made by the CPRA are well within the current trends that can be seen in more recent consumer privacy laws being enacted in other states. The trend with respect to targeted advertising is particularly noticeable.
Contact The Consumer Privacy Compliance and Internet Law Attorneys At Revision Legal
For more information, contact the experienced Consumer Privacy Compliance and Internet Law Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
The California Privacy Protection Agency: A Dedicated Enforcement Authority
The CPRA’s creation of the California Privacy Protection Agency (CPPA) is its most structurally significant contribution to the consumer privacy landscape. Before the CPRA, the CCPA was enforced exclusively by the California Attorney General — a resource-constrained office with a broad mandate. The CPPA is a dedicated, fully staffed privacy regulatory agency with the authority to promulgate regulations, conduct investigations, hold administrative hearings, and impose fines without routing matters through the AG’s office.
The CPPA has issued extensive regulations interpreting the CPRA, addressing automated decision-making technology, cybersecurity audits, and risk assessments. The agency has signaled aggressive enforcement intentions and has finalized regulations on the right to opt out of automated decision-making — including profiling for employment, education, housing, credit, and other consequential decisions. Businesses subject to the CPRA must monitor CPPA regulatory activity on an ongoing basis.
Data Minimization and Purpose Limitation Requirements
The CPRA introduced data minimization and purpose limitation principles into California law — concepts borrowed from the GDPR that had not previously been expressly codified in the CCPA. Under the CPRA, businesses may collect only the personal information “reasonably necessary and proportionate” to achieve the purposes for which it was collected or processed, and cannot retain personal information longer than “reasonably necessary for that disclosed purpose.”
In practice, these requirements mandate that businesses: (1) conduct a data inventory identifying all categories of personal information collected, their source, their business purpose, and their retention period; (2) implement data retention schedules consistent with disclosed purposes and legally mandated retention periods; and (3) delete personal information that no longer serves a disclosed business purpose. For many businesses, this requires overhauling data management practices that have historically operated on a “keep everything forever” basis.
Cybersecurity Audit and Risk Assessment Requirements
The CPPA’s regulations require businesses that process personal information presenting significant risk to conduct annual cybersecurity audits by a qualified, independent auditor. The audit must assess the business’s practices against the CPPA’s cybersecurity standards and must be submitted to the CPPA upon request. Even for businesses below the formal audit threshold, the cybersecurity audit framework provides a useful compliance benchmark — broadly consistent with NIST SP 800-53 and ISO/IEC 27001.
The CPRA also requires businesses to conduct risk assessments before undertaking any processing of personal information that presents a significant risk to consumer privacy or security. The CPPA’s regulations identify the following as high-risk processing activities: sale or sharing of consumers’ personal information; use of personal information for targeted advertising or profiling in furtherance of decisions with legal or similarly significant effects; processing of sensitive personal information; processing of the personal information of minors; and processing that creates a risk of harm due to deployment of new technologies. Risk assessments must document the purpose and benefits of the processing, the categories of personal information involved, potential risks, mitigating safeguards, and the business’s determination that the benefits outweigh the risks.
Penalties and Private Rights of Action
The CPRA retained the CCPA’s limited private right of action — available only for data breaches involving specific categories of sensitive personal information resulting from the business’s failure to implement and maintain reasonable security procedures. Statutory damages for a successful private breach action range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. For a large-scale breach, even the statutory minimum can produce aggregate liability in the millions. Regulatory fines under the CPRA can reach $7,500 per intentional violation.
Revision Legal’s privacy compliance attorneys assist businesses in achieving and maintaining CPRA compliance, including data inventory, privacy policy drafting, consumer rights procedures, vendor agreement review, and risk assessment programs. Contact us at (855) 473-8474.