Table of Contents
- 1 Key Takeaways:
- 2 What Is the California Consumer Privacy Act (CCPA)?
- 3 What Is the California Privacy Rights Act (CPRA)?
- 4 What Is the Difference Between CCPA and CPRA?
- 5 What Is Personal Information According to CPRA?
- 6 What Is Sensitive Personal Information (SPI) in CPRA?
- 7 CPRA Compliance Criteria
- 8 Who Must Comply With the CPRA?
- 9 Who Is Exempt From the CPRA?
- 10 Steps to CPRA Compliance
- 11 Conclusion
- 12 Identity.com
Key Takeaways:
- The California Privacy Rights Act (CPRA) expands on the existing CCPA, providing consumers with additional privacy protections and greater control over their personal data.
- CPRA enhances consumer rights, enabling Californians to limit the use of sensitive personal information, correct inaccurate data, and opt-out of targeted advertising across multiple platforms.
- By introducing stricter protections and creating an enforcement agency, the CPRA holds businesses more accountable for how they collect, share, and manage personal data.
In recent decades, online users have faced growing concerns about data mismanagement. The trade of personal information has fueled the rise of tech giants, highlighting a crucial reality of the Web 2.0 era: user data is a valuable commodity. However, a significant shift is underway, driven by increasing demands for online privacy. The rise of Decentralized Identifiers (DIDs) and Self-Sovereign Identity (SSI) technologies signifies a turning point in data ownership. These advancements empower users to control who can access their information and to what extent.
The development of Web3 and Web5 promises increased privacy and enhanced control over user data. In response to growing concerns about data misuse, California legislators implemented the California Privacy Rights Act of 2020 (CPRA). Building upon the foundation of the California Consumer Privacy Act (CCPA) of 2018, the CPRA strengthens privacy rights and protections in a tangible way. It addresses the urgent concerns of data exploitation and privacy breaches, offering significant benefits for both individuals and businesses.
What Is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is a landmark privacy law in the United States aimed at enhancing consumer privacy rights. Passed in 2018 and effective since January 2020, the CCPA grants consumers more control over their personal information by providing details on the data businesses collect and the parties with whom it is shared. This law echoes the European Union’s General Data Protection Regulation (GDPR) introduced in May 2018. Additionally, the CCPA allows individuals to sue companies for privacy violations, focusing on breaches of privacy regulations.
What Is the California Privacy Rights Act (CPRA)?
The California Privacy Rights Act (CPRA), also known as Proposition 24, builds on the existing CCPA, introducing stricter privacy measures for consumers. Its main objective is to give Californians more control over how their personal data is collected, used, and shared by businesses. By enhancing transparency requirements, the CPRA grants consumers new rights, such as the ability to limit the use of sensitive personal information, correct inaccurate data, and opt-out of certain forms of data sharing.
Approved by voters in November 2020 and fully effective as of January 1, 2023, the CPRA addresses rising concerns around data privacy and establishes stricter regulations for businesses handling consumer information. Additionally, it introduces the California Privacy Protection Agency (CPPA) to enforce the law and ensure compliance, further protecting consumer rights.
What Is the Difference Between CCPA and CPRA?
The primary difference between the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) lies in the CPRA’s expansion of consumer protections. While the CCPA establishes basic privacy rights for California residents, the CPRA introduces additional rights and stricter regulations to further safeguard personal data.
Key Differences:
- Consumer Rights: The CPRA grants consumers additional rights, including the ability to opt-out of targeted advertising across platforms and to limit the use of sensitive personal information.
- Privacy Impact Assessments: The CPRA requires businesses to conduct privacy impact assessments for high-risk data processing activities, a new obligation not present under the CCPA.
- Business Applicability Threshold: Under the CCPA, companies that handle the personal information of 50,000 or more consumers are subject to the law. The CPRA raises this threshold to 100,000 consumers, reducing the burden on small and medium-sized businesses.
- Consent for Data Sharing: Both acts require consent to sell or share consumer information with third parties. However, the CPRA demands clear disclosure of how the data will be used, providing consumers with more transparency.
- Enforcement: While the CCPA relies on the Attorney General for enforcement, the CPRA establishes the California Privacy Protection Agency (CPPA) to oversee and enforce compliance.
- Consumer Information Requests: The CPRA mandates businesses to provide at least two accessible channels (like web forms or phone calls) for consumers to inquire about their personal information. This ensures greater transparency and accessibility for Californians.
What Is Personal Information According to CPRA?
The California Privacy Rights Act (CPRA) defines personal information broadly to protect individuals. It encompasses data that identifies, relates to, describes, or could be linked to a person, directly or indirectly. Key categories include:
- Identifiers: Names, addresses, email addresses, IP addresses, driver’s licenses, social security numbers, passport numbers.
- Biometric Information: Iris scans, fingerprints, voice recognition patterns.
- Internet Activity: Browsing history, search history.
- Commercial Information: Personal property, purchase histories, e-commerce data.
- Employment and Educational Data: Employment history, educational background, and related information.
What Is Sensitive Personal Information (SPI) in CPRA?
Sensitive Personal Information (SPI) under the California Privacy Rights Act (CPRA) encompasses data that, if disclosed, could cause significant harm to an individual. Unlike general personal information, SPI warrants heightened protection. The CPRA specifically categorizes the following as sensitive information:
- Financial Data: Banking information, credit card numbers, and related financial access credentials.
- Private Communications: Content of personal emails, text messages, and phone calls.
- Personal Identifiers: Passport, social security, and driver’s license numbers.
- Personal Characteristics: Racial or ethnic origin, religious beliefs, political opinions, or membership in non-public organizations.
- Location Data: Precise geolocation information.
- Online Credentials: Account login details.
- Genetic Information: DNA samples and related genetic data.
- Health and Sexual Orientation: Health status, medical history, or sexual orientation information.
- Biometric Data: Processed data used for unique identification, such as fingerprints or retina scans.
CPRA Compliance Criteria
The California Privacy Rights Act (CPRA) establishes clear criteria to determine business compliance obligations. These criteria balance consumer privacy with business operations. Businesses must comply with the CPRA if they meet any of the following conditions:
- Significant Revenue Threshold: Companies with an annual gross revenue exceeding $25 million fall under CPRA. This targets businesses with substantial economic activity that potentially impacts a large number of consumers.
- High-Volume Data Handling: The CPRA applies to businesses that handle the personal information of more than 100,000 consumers, households, or devices (increased from CCPA’s 50,000 threshold). This captures entities engaged in large-scale data processing while reducing the burden on smaller businesses.
- Revenue from Personal Information: Businesses that derive at least 50% of their annual revenue from selling or sharing consumer personal information must adhere to CPRA. This targets companies that significantly profit from consumer data monetization.
Who Must Comply With the CPRA?
The California Privacy Rights Act (CPRA) applies to for-profit businesses that collect personal information from California residents and meet at least one of the following criteria:
- Annual gross revenue exceeding $25 million.
- Handling personal information of 100,000 or more California consumers, households, or devices.
- Deriving 50% or more of annual revenue from selling or sharing consumer personal information.
Businesses that don’t meet these criteria are generally exempt.
Who Is Exempt From the CPRA?
California Privacy Rights Act (CPRA) establishes criteria for businesses that must comply with its data privacy protections. However, certain entities and data types fall outside the scope of CPRA regulations. These exemptions ensure the law targets businesses with significant data processing activities that impact California residents.
Here’s what’s not covered by CPRA:
- Businesses Outside Data Collection Scope: Companies that do not collect personal information from California residents are exempt. This applies to businesses whose operations do not involve handling the personal data of Californians.
- Non-Profits and NGOs: Non-governmental organizations (NGOs) and non-profit organizations are exempt from the CPRA, as the law focuses on for-profit businesses.
- De-identified Information: Information that has been irreversibly anonymized (de-identified) is exempt. This means the information cannot be linked to a specific person and does not pose a privacy risk.
- Aggregate Information: Data compiled into anonymous statistics or analytics that do not identify individual users (e.g., website traffic numbers) is not covered. This allows businesses to use anonymized data for analysis without needing to comply with CPRA.
- Law Enforcement Compliance Exemption: Law enforcement activities that require collecting or providing data in good faith are exempt from the CPRA. In some cases, a court order might be needed for law enforcement to access user information.
- Data Covered by Other Laws: Information already regulated by other laws, particularly in healthcare and insurance (such as HIPAA), is exempt from the CPRA. These industries have pre-existing legal obligations that address data privacy.
Steps to CPRA Compliance
The California Privacy Rights Act (CPRA) mandates specific data privacy practices for businesses. Here are the steps to CPRA compliance:
1. Conduct a Personal Data Inventory
Identify the types of data you collect, and how you organize, store, and access it, especially sensitive personal information (SPI) as defined by CPRA. Determine if third parties store or access this data. This assessment will guide changes to cookie banners, agreements, and privacy policies.
2. Classify Data Sensitivity
Categorize your data based on its sensitivity to ensure appropriate security measures. This informs your security team about data requiring extra protection and data with limited retention periods.
3. Update Privacy Policy and Cookie Banners
Revise your cookie banner to clearly explain if and how you collect and process SPI as defined by CPRA. Include details on collection purposes and retention periods. Inform users about their rights regarding the sale or sharing of their personal information, including how they can opt-out.
4. Review Agreements with Partners
Ensure all agreements with partners, service providers, and third parties comply with CPRA requirements.
5. Educate Employees on Data Handling
Train your employees on CPRA requirements and proper data handling practices to minimize compliance risks.
6. Implement Opt-Out Links
Include clearly labeled links on your website for users to opt-out of the sale or sharing of their personal information (“Do Not Sell or Share My Personal Information”) and limit the use of their sensitive data (“Limit the Use of My Sensitive Personal Information”).
7. Establish Channels for Consumer Requests
Provide at least two accessible channels (phone, email, web forms) for consumers to request information about their data. Acknowledge requests within 10 days and fulfill them within 45 days, as required by CPRA.
Conclusion
The California Privacy Rights Act (CPRA) is beneficial for consumers, granting them more control over their personal data. However, it poses challenges for CEOs and investors who rely on trading customers’ digital footprints for revenue. The CPRA impacts profit margins, likely leading companies to raise prices for goods and services to compensate for the loss in data trading revenue.
Moreover, compliance costs with the CPRA are significant. Businesses must invest heavily in updating their data handling practices, adding to their overall expenses. This financial burden could increase if similar privacy laws are enacted across other states. Over the past few years, marketing and advertising have become more expensive in California compared to other U.S. states. This raises the question: will customers be willing to trade their data for lower prices, or will they see the value in data privacy and accept higher costs? The future will reveal the outcome, but for now, privacy laws are empowering users by giving them greater control over their data.
Identity.com
The CPRA legislation attempts to solve the data management problem that new technologies in the blockchain ecosystem are solving through projects like self-sovereign identity. It is great news that the government is seeing the importance of individual data control, just as it is one of our pursuits at Identity.com. As a company, we want a user-centric internet, where users have control over their data. More reason Identity.com doesn’t take the back seat in contributing to this future via identity management systems and protocols. We also belong to the World Wide Web Consortium (W3C), the standards body for the World Wide Web.
The work of Identity.com as a future-oriented company is helping many businesses by giving their customers a hassle-free identity verification process. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please get in touch for more info about how we can help you with identity verification and general KYC processes.