What Is the California Privacy Rights Act (CPRA)?

Phillip Shoemaker
October 20, 2024


Key Takeaways:

  • The California Privacy Rights Act (CPRA) expands on the existing CCPA, providing consumers with additional privacy protections and greater control over their personal data.
  • CPRA enhances consumer rights, enabling Californians to limit the use of sensitive personal information, correct inaccurate data, and opt out of targeted advertising across multiple platforms.
  • By introducing stricter protections and creating an enforcement agency, the CPRA holds businesses more accountable for how they collect, share, and manage personal data.


In recent decades, online users have faced growing concerns about data mismanagement. The trade of personal information has fueled the rise of tech giants, highlighting a crucial reality of the Web 2.0 era: user data is a valuable commodity. However, a significant shift is underway, driven by increasing demands for online privacy. The rise of Decentralized Identifiers (DIDs) and Self-Sovereign Identity (SSI) technologies signifies a turning point in data ownership. These advancements empower users to control who can access their information and to what extent.

The development of Web3 and Web5 promises increased privacy and enhanced control over user data. In response to growing concerns about data misuse, California legislators implemented the California Privacy Rights Act of 2020 (CPRA). Building upon the foundation of the California Consumer Privacy Act (CCPA) of 2018, the CPRA strengthens privacy rights and protections in a tangible way. It addresses the urgent concerns of data exploitation and privacy breaches, offering significant benefits for both individuals and businesses.

What Is the California Consumer Privacy Act (CCPA)?

The California Consumer Privacy Act (CCPA) is a landmark privacy law in the United States aimed at enhancing consumer privacy rights. Passed in 2018 and effective since January 2020, the CCPA grants consumers more control over their personal information by providing details on the data businesses collect and the parties with whom it is shared. This law echoes the European Union’s General Data Protection Regulation (GDPR) introduced in May 2018. Additionally, the CCPA allows individuals to sue companies for privacy violations, focusing on breaches of privacy regulations.

What Is the California Privacy Rights Act (CPRA)?

The California Privacy Rights Act (CPRA), also known as Proposition 24, builds on the existing CCPA, introducing stricter privacy measures for consumers. Its main objective is to give Californians more control over how their personal data is collected, used, and shared by businesses. By enhancing transparency requirements, the CPRA grants consumers new rights, such as the ability to limit the use of sensitive personal information, correct inaccurate data, and opt out of certain forms of data sharing.

Approved by voters in November 2020 and fully effective as of January 1, 2023, the CPRA addresses rising concerns around data privacy and establishes stricter regulations for businesses handling consumer information. Additionally, it introduces the California Privacy Protection Agency (CPPA) to enforce the law and ensure compliance, further protecting consumer rights.

What Is the Difference Between CCPA and CPRA?

The primary difference between the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) lies in the CPRA’s expansion of consumer protections. While the CCPA establishes basic privacy rights for California residents, the CPRA introduces additional rights and stricter regulations to further safeguard personal data.

Key Differences:

  • Consumer Rights: The CPRA grants consumers additional rights, including the ability to opt out of targeted advertising across platforms and to limit the use of sensitive personal information.
  • Privacy Impact Assessments: The CPRA requires businesses to conduct privacy impact assessments for high-risk data processing activities, a new obligation not present under the CCPA.
  • Business Applicability Threshold: Under the CCPA, companies that handle the personal information of 50,000 or more consumers are subject to the law. The CPRA raises this threshold to 100,000 consumers, reducing the burden on small and medium-sized businesses.
  • Consent for Data Sharing: Both acts require consent to sell or share consumer information with third parties. However, the CPRA demands clear disclosure of how the data will be used, providing consumers with more transparency.
  • Enforcement: While the CCPA relies on the Attorney General for enforcement, the CPRA establishes the California Privacy Protection Agency (CPPA) to oversee and enforce compliance.
  • Consumer Information Requests: The CPRA requires businesses to provide at least two accessible channels (such as web forms or phone calls) through which consumers can inquire about their personal information. This ensures greater transparency and accessibility for Californians.

What Is Personal Information According to CPRA?

The California Privacy Rights Act (CPRA) defines personal information broadly to protect individuals. It encompasses data that identifies, relates to, describes, or could be linked to a person, directly or indirectly. Key categories include:

  • Identifiers: Names, addresses, email addresses, IP addresses, driver’s licenses, social security numbers, passport numbers.
  • Biometric Information: Iris scans, fingerprints, voice recognition patterns.
  • Internet Activity: Browsing history, search history.
  • Commercial Information: Personal property, purchase histories, e-commerce data.
  • Employment and Educational Data: Employment history, educational background, and related information.

What Is Sensitive Personal Information (SPI) in CPRA?

Sensitive Personal Information (SPI) under the California Privacy Rights Act (CPRA) encompasses data that, if disclosed, could cause significant harm to an individual. Unlike general personal information, SPI warrants heightened protection. The CPRA specifically categorizes the following as sensitive information:

  • Financial Data: Banking information, credit card numbers, and related financial access credentials.
  • Private Communications: Content of personal emails, text messages, and phone calls.
  • Personal Identifiers: Passport, social security, and driver’s license numbers.
  • Personal Characteristics: Racial or ethnic origin, religious beliefs, political opinions, or membership in non-public organizations.
  • Location Data: Precise geolocation information.
  • Online Credentials: Account login details.
  • Genetic Information: DNA samples and related genetic data.
  • Health and Sexual Orientation: Health status, medical history, or sexual orientation information.
  • Biometric Data: Processed data used for unique identification, such as fingerprints or retina scans.

CPRA Compliance Criteria

The California Privacy Rights Act (CPRA) establishes clear criteria to determine business compliance obligations. These criteria balance consumer privacy with business operations. Businesses must comply with the CPRA if they meet any of the following conditions:

  • Significant Revenue Threshold: Companies with an annual gross revenue exceeding $25 million fall under CPRA. This targets businesses with substantial economic activity that potentially impacts a large number of consumers.
  • High-Volume Data Handling: The CPRA applies to businesses that handle the personal information of more than 100,000 consumers, households, or devices (increased from CCPA’s 50,000 threshold). This captures entities engaged in large-scale data processing while reducing the burden on smaller businesses.
  • Revenue from Personal Information: Businesses that derive at least 50% of their annual revenue from selling or sharing consumer personal information must adhere to CPRA. This targets companies that significantly profit from consumer data monetization.

Who Must Comply With the CPRA?

The California Privacy Rights Act (CPRA) applies to for-profit businesses that collect personal information from California residents and meet at least one of the following criteria:

  • Annual gross revenue exceeding $25 million.
  • Handling personal information of 100,000 or more California consumers, households, or devices.
  • Deriving 50% or more of annual revenue from selling or sharing consumer personal information.

Businesses that don’t meet these criteria are generally exempt.

Who Is Exempt From the CPRA?

The California Privacy Rights Act (CPRA) establishes criteria for businesses that must comply with its data privacy protections. However, certain entities and data types fall outside the scope of CPRA regulations. These exemptions ensure the law targets businesses with significant data processing activities that impact California residents.

Here’s what’s not covered by CPRA:

  • Businesses Outside Data Collection Scope: Companies that do not collect personal information from California residents are exempt. This applies to businesses whose operations do not involve handling the personal data of Californians.
  • Non-Profits and NGOs: Non-governmental organizations (NGOs) and non-profit organizations are exempt from the CPRA, as the law focuses on for-profit businesses.
  • De-identified Information: Information that has been irreversibly anonymized (de-identified) is exempt. This means the information cannot be linked to a specific person and does not pose a privacy risk.
  • Aggregate Information: Data compiled into anonymous statistics or analytics that do not identify individual users (e.g., website traffic numbers) is not covered. This allows businesses to use anonymized data for analysis without needing to comply with CPRA.
  • Law Enforcement Compliance Exemption: Law enforcement activities that require collecting or providing data in good faith are exempt from the CPRA. In some cases, a court order might be needed for law enforcement to access user information.
  • Data Covered by Other Laws: Information already regulated by other laws, particularly in healthcare and insurance (such as HIPAA), is exempt from the CPRA. These industries have pre-existing legal obligations that address data privacy.

Steps to CPRA Compliance

The California Privacy Rights Act (CPRA) mandates specific data privacy practices for businesses. Here are the steps to CPRA compliance:

1. Conduct a Personal Data Inventory

Identify the types of data you collect, and how you organize, store, and access it, especially sensitive personal information (SPI) as defined by CPRA. Determine if third parties store or access this data. This assessment will guide changes to cookie banners, agreements, and privacy policies.

2. Classify Data Sensitivity

Categorize your data based on its sensitivity to ensure appropriate security measures. This informs your security team about data requiring extra protection and data with limited retention periods.

3. Update Privacy Policy and Cookie Banners

Revise your cookie banner to clearly explain if and how you collect and process SPI as defined by CPRA. Include details on collection purposes and retention periods. Inform users about their rights regarding the sale or sharing of their personal information, including how they can opt out.

4. Review Agreements with Partners

Ensure all agreements with partners, service providers, and third parties comply with CPRA requirements.

5. Educate Employees on Data Handling

Train your employees on CPRA requirements and proper data handling practices to minimize compliance risks.

6. Implement Opt-Out Links

Include clearly labeled links on your website that let users opt out of the sale or sharing of their personal information (“Do Not Sell or Share My Personal Information”) and limit the use of their sensitive data (“Limit the Use of My Sensitive Personal Information”).

7. Establish Channels for Consumer Requests

Provide at least two accessible channels (phone, email, web forms) for consumers to request information about their data. Acknowledge requests within 10 days and fulfill them within 45 days, as required by CPRA.

Conclusion

The California Privacy Rights Act (CPRA) is beneficial for consumers, granting them more control over their personal data. However, it poses challenges for CEOs and investors who rely on trading customers’ digital footprints for revenue. The CPRA impacts profit margins, likely leading companies to raise prices for goods and services to compensate for the loss in data trading revenue.

Moreover, compliance costs with the CPRA are significant. Businesses must invest heavily in updating their data handling practices, adding to their overall expenses. This financial burden could increase if similar privacy laws are enacted across other states. Over the past few years, marketing and advertising have become more expensive in California compared to other U.S. states. This raises the question: will customers be willing to trade their data for lower prices, or will they see the value in data privacy and accept higher costs? The future will reveal the outcome, but for now, privacy laws are empowering users by giving them greater control over their data.

Identity.com

The CPRA legislation attempts to solve the data management problem that new technologies in the blockchain ecosystem are addressing through projects like self-sovereign identity. It is great news that the government sees the importance of individual data control, which is also one of our pursuits at Identity.com. As a company, we want a user-centric internet where users control their data, which is why Identity.com actively contributes to this future through identity management systems and protocols. We also belong to the World Wide Web Consortium (W3C), the standards body for the World Wide Web.

The work of Identity.com as a future-oriented company is helping many businesses by giving their customers a hassle-free identity verification process. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please get in touch for more info about how we can help you with identity verification and general KYC processes.
