The CPRA’s impact is two-fold, like a coin with two sides. On one side, consumers are rejoicing over the increased privacy protections. Conversely, companies and large businesses are struggling to find solutions to stay compliant while ensuring their revenue stays active. The impact of the CPRA on marketing and advertising is particularly noteworthy, and the following illustration can provide a closer understanding of its effects.

If you were the CEO or owner of a business, could you imagine holding mandatory meetings frequently and ensuring everyone was always present? Imagine what would happen if any of these important attendees were to pull out of the meeting. What would happen if everyone opted out and no one showed up to the next meeting?

This illustration shows the current effect of CPRA; it increases users’ privacy, which is good, but it also allows users to opt out of data collection and behavioral marketing. Businesses rely on data to understand customers’ needs. Effective advertising requires customers’ data, which helps meet customers on the social platforms they use most. While these are still possible, the California Privacy Rights Act (CPRA) makes accessing the data needed for these end goals extremely difficult. So how does CPRA affect businesses generally, and how can you create some cushioning effect to make the journey smoother for you?

What Is the California Privacy Right Act (CPRA)?

The California Privacy Right Act (CPRA), passed on November 3, 2020, supplements the California Consumer Privacy Act (CCPA) to further strengthen data privacy protections for California residents. Learn the key differences between CCPA and CPRA in our dedicated article.

The CPRA introduces significant changes, including:

• Expanded definition of personal information: The CPRA broadens the definition of “personal information” to encompass more data types, granting individuals greater control over their privacy.
• Enhanced browsing history protections: The act limits how businesses can track and sell browsing history without explicit consent, offering residents more control over their online activity.
• Creation of the California Privacy Protection Agency (CPPA): Enforcement of data privacy breaches has shifted from the Attorney General’s office to the newly established CPPA, dedicated to protecting consumer privacy.

This enhanced regulatory framework signifies a significant step forward for data privacy rights in California. Businesses operating in the state must adapt to these changes to ensure compliance.

Who Is Affected by CPRA?

CPRA affects every company in the world that connects with California consumers, operates for profit (non-profits are exempted), collects consumers’ personal information, and meets any of the following criteria:

1. Annual gross revenue of $25 million and upward
2. An upward 50% of its revenue is generated from selling or sharing customers’ personal information.
3. Collects, shares, buys, or sells the personal information of more than 100,000 consumers, households, or devices.

The Categories of Data Affected Under CPRA

Personal data and sensitive personal information (SPI) are categories under CPRA — check out our first article on CPRA for a deeper dive-in on this. One of the companies’ roles is to inform customers about the data they collect and how they can opt out. Unfortunately, these pieces of data are crucial to business decision-making and marketing campaigns. However, under CPRA, strict conditions have been created for businesses that collect this information, and non-compliant companies face severe penalties. To avoid these financial consequences, businesses must do everything possible to remain compliant. The following are the categories of data that are affected:

1. Name, address (including exact geolocation), email address, IP address, driver’s license, social security, passport number, and other state identification number
2. Biometric data, such as iris scans, fingerprints, and voice recognition (including biometric information already processed for customers’ identification)
3. Internet usage data such as browsing history and search history
4. Commercial data such as property records, purchase histories, e-commerce transaction data, etc
5. Consumers’ Employment and educational information
6. Consumers’ account log-in, financial account, debit card, credit card number, and other banking details, along with any required security or access code, password, or credentials that allow access to an account
7. Consumer’s race or ethnicity, religious or philosophical beliefs;
8. The contents of a consumer’s email or text messages
9. Consumer’s genetic data.

Understanding CPRA Penalties: Avoiding Costly Mistakes

Breaking the CPRA can be a costly mistake. Initially, a few thousand dollars for one violation may not seem significant. However, as the number of violations increases into the tens or hundreds, the penalties can quickly accumulate to hundreds of thousands or even millions of dollars. As a business owner, it is crucial to avoid such costly penalties. Understanding these penalties can motivate businesses to remain compliant and avoid the financial risks associated with non-compliance.

1. First, the regulation empowers individual litigation from affected or aggrieved customers. Consumers now have a private right of action instead of the sole power residing with the Attorney-General to persecute.
2. While a data breach triggers the above, the Attorney-General can pursue penalties for businesses violating the compliance requirement of CPRA.
3. For unintentional violations, fines can reach $2,500.
4. The CPRA imposes fines of up to $7,500 for intentional violations. If minors under the age of 16 are involved, this amount remains the same, regardless of whether the violation was intentional or not. Authorities will investigate each violation to determine its nature, whether deliberate or not. Additionally, they apply fines per violation rather than collectively. Therefore, ten intentional violations will result in an immediate penalty of $75,000.
5. The service provider and the contractor could be held responsible for data breaches, unlike CCPA, which exempts the contractor. With CPRA, both could be subjected to the same administrative sanctions.
6. CCPA gives businesses a 30-day window to avoid penalties by attending to customers’ complaints of violations; CPRA takes this away, opening up businesses to the risk of penalties the more, which makes compliance more complex and stringent.

Consequences of Non-Compliance With CPRA

As stated earlier, violation fees could stack up quickly, especially considering that the concerned businesses serve hundreds of thousands of users, households, or devices. A relatable example is the CalOPPA case against Delta Airlines between 2012 and 2016. The present vice president of the United States, Kamala Harris, was the Attorney-General of California that initiated this lawsuit.

California Online Privacy Protection Act (“CalOPPA”) was one of the first laws that requested online sites to post their privacy policies on their websites. The Attorney-General argued for the absence of these privacy policies in Delta Airlines’ mobile app. More importantly, she presented the violation of the airline per mobile app usage, meaning 50,000 thousand downloads means 50,000 violations because the mobile app downloads were counted as serving 50,000 people or devices already.

If the Attorney-General had pursued the highest violation fee under CalOPPA, which is $2,500, the airline would’ve had to pay $175 million. This is how quickly fees can sum up. The legal arm of Delta Airlines bailed out the company, and the case was ultimately dismissed. However, not every company will be as fortunate in 2023. With the CPRA’s increased specificity, the highest penalty per violation is now $7,500. Imagine having 100,000 violation cases! This is a call to learn from the past and consciously remain compliant.

The Cost of Compliance with CPRA

CPRA enables customers to request data that companies have collected on them, and companies must provide this data within 45 days. This provision puts more pressure on the company structure to meet up with multiple requests. Part of the compliance process involves determining the cost needed to set up structures and human resources for compliance if compliance is non-negotiable.

It is publicly estimated that a company would incur hundreds of dollars per customer, approximately up to $1,400 on an enterprise level, to answer a similar request under GDPR. GDPR has been in motion a few years before CPRA, which can serve as a reference point. Also, many agencies are springing up to ensure that CPRA compliance becomes easier for companies with a promise of lower costs, some as low as less than $100 per customer data management, which cuts across data sorting and customers’ requests fulfillment. However, the accuracy and effectiveness of these software solutions that claim to ensure compliance remain to be seen in the coming years.

Conclusion

In conclusion, the CPRA’s focus on protecting consumers’ data and its additional responsibilities to companies will inevitably increase business operational costs. These costs are likely to be passed on to consumers through higher prices for goods and services to maximize profits. As a result, customers will also feel the indirect impact of CPRA through increased costs. While many SaaS products are emerging to help businesses with compliance and data management, their reliability and effectiveness are yet to be fully established. While these solutions may promise to reduce expenses, the possibility of failure leading to costly penalties is a cause for concern. The public will undoubtedly scrutinize and review these solutions as they become more widely used over the coming years.

Identity.com

The CPRA legislation attempts to solve the data management problem. It is great news that the government sees the importance of individual data control, just as it is one of our pursuits at Identity.com. As a company, we want a user-centric internet, where users can control their data. More reason Identity.com doesn’t take the back seat in contributing to this future via identity management systems and protocols. We also belong to the World Wide Web Consortium (W3C), the standards body for the World Wide Web.

The work of Identity.com as a future-oriented company is helping many businesses by giving their customers a hassle-free identity verification process. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please get in touch for more info about how we can help you with identity verification and general KYC processes.