CPRA ACT

On November 3, 2020, California voters passed the California Privacy Rights Act (CPRA) as an amendment to the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020 and whose enforcement by the Attorney General began on July 1, 2020. The CPRA brings significant amendments and additions to the data privacy rules laid out in the CCPA. Operative from January 1, 2023, with enforcement beginning July 1, 2023, the CPRA introduces several new concepts to data privacy in California. Its additions and amendments close potential loopholes in the CCPA and make the law more stringent, moving California's data privacy law closer to the standard set by the EU's GDPR. This article looks at the new provisions and explains the amendments to the existing ones.

New additions and amendments to the provisions of the California Data Privacy Law

Amendments, new additions, and stricter enforcement of data privacy law are undoubtedly good news for consumers. For the many of the world's leading tech companies based in California, however, the act will have a significant global impact. Stringent enforcement rules, harsh penalties, and onerous obligations will make things more complicated and difficult for most companies that handle sensitive Personal Data. While the finer details of the CPRA may still change through implementing regulations before enforcement begins, here are the significant changes your business needs to know about now.

1. Business Scope-

1.1 In-scope business 

The CPRA revises the test for which businesses are in scope of the CCPA. Specifically:

  • Whether an entity qualifies as a "business" is assessed on its activities in the preceding calendar year.
  • The volume threshold is raised: a for-profit entity is in scope if it annually buys, sells, or shares the Personal Information of 100,000 or more consumers or households (up from 50,000 under the CCPA), and devices no longer count toward that threshold.
  • Entities that share common control, share common branding, and share consumers' Personal Information with each other are treated as a single business. Common branding means a shared name, service mark, or trademark such that the average consumer would understand that the two entities are commonly owned.

1.2 Service Providers

The compliance requirements for service providers are modified as follows:

Service providers may not combine Personal Information received from one business with Personal Information received from another business, collected through their own interactions with consumers, or collected in their own capacity as a "business", subject to exceptions to be set out in implementing regulations.

1.3 Employee and Business-to-Business Exemptions

The CPRA retains the CCPA's exemptions for Personal Information collected in the employment and business-to-business contexts, but extends them only until January 1, 2023, after which those categories of data become fully subject to the law unless the legislature acts again.

1.4 De-identified 

The CPRA redefines "de-identified" as information that "cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer", provided that the business holding the information takes reasonable measures to ensure that it cannot be associated with a consumer or household, publicly commits to maintain and use the information only in de-identified form and not to attempt to re-identify it, and contractually obligates any recipients of the information to comply with the same requirements. In practice this means a data set is not "de-identified" merely because direct identifiers were removed; the business must also maintain the technical, contractual, and public commitments around it.

2. Consumer Rights

2.1 Deletion of Personal Information

The consumer's right to delete Personal Information is modified as follows:

  • On receiving a valid deletion request, a business must delete the Personal Information and must also notify its service providers, contractors, and any third parties to which it sold or shared the information, directing them to delete it.
  • Service providers and contractors must cooperate with the business in responding to the consumer's request.
  • Service providers and contractors must delete the Personal Information when directed to do so, and must in turn notify their own sub-processors to delete it.

2.2 Correction of Personal Information 

The CPRA adds a new right to correct inaccurate Personal Information:

  • A business must use commercially reasonable efforts to correct inaccurate Personal Information in response to a verifiable consumer request.
  • In doing so, the business must take into account "the nature of the Personal Information and the purposes of the processing of the Personal Information."

2.3 Right to know

The consumer's right to know is modified as follows:

  • The look-back period covered by a right-to-know request is extended beyond the 12-month window provided in the CCPA: on request, a business must disclose information collected before that window unless doing so proves impossible or would involve disproportionate effort. This applies to Personal Information collected on or after January 1, 2022.
  • The scope of a right-to-know request is widened to cover the business's sharing of the consumer's Personal Information as well as its sale and disclosure.
  • The information must be delivered in a format that is "easily understandable to an average consumer" and, to the extent technically feasible, in a "structured, commonly used, machine-readable format" that the consumer can transmit to another entity.

2.4 Opt-Out of Sale and sharing

The right to opt out of the sale of Personal Information is extended to cover sharing:

  • Businesses must give consumers the opportunity to opt out of the sharing of their Personal Information, in addition to the existing CCPA right to opt out of its sale. "Sharing" means transferring or otherwise making Personal Information available to a third party for cross-context behavioral advertising, whether or not any money or other consideration is exchanged.
  • Businesses must provide a clear and conspicuous link titled "Do Not Sell or Share My Personal Information", unless they instead honor an opt-out preference signal sent by the consumer's browser or device, in the manner to be set out in implementing regulations.

2.5 Limit on Use and Disclosure of Sensitive Personal Information

The CPRA adds a new consumer right to limit the use and disclosure of sensitive Personal Information:

  • Businesses may not use or disclose a consumer's sensitive Personal Information for purposes other than those necessary to provide the goods or services the consumer requested. Sensitive Personal Information includes, among other things, government identification numbers, account log-in and financial account credentials, precise geolocation, racial or ethnic origin, the contents of mail, email, and text messages, genetic data, and biometric data processed to uniquely identify a consumer.
  • Businesses must give consumers the right to limit any additional use or disclosure of their sensitive Personal Information, except for a limited set of business purposes.
  • Businesses must provide a clear and conspicuous link titled "Limit the Use of My Sensitive Personal Information", unless they instead honor an opt-out preference signal in the manner to be established by implementing regulations.
  • The Right to Limit does not apply to sensitive Personal Information that is collected or processed without the purpose of inferring characteristics about a consumer, nor to its use for the business purposes enumerated in the statute (for example, helping to ensure security and integrity, or short-term, transient use such as non-personalized advertising shown as part of the consumer's current interaction with the business).

3. Data Governance and Transparency 

3.1 Pre-collection Notice

The transparency provisions are modified as follows:

  • A business that "controls the collection" of a consumer's Personal Information must notify the consumer at or before the point of collection.
  • The pre-collection notice must state the categories of sensitive Personal Information collected, whether each category of Personal Information is sold or shared, and the length of time the business intends to retain each category of Personal Information (or, if that is not possible, the criteria used to determine the retention period).

3.2 Storage Limitation

The CPRA adds a storage limitation requirement to the data governance provisions:

  • A business may not retain Personal Information for longer than is "reasonably necessary" for the specific, disclosed purpose for which it was collected.

3.3 Data Minimization

The CPRA adds a data minimization requirement to the data governance and transparency provisions:

  • The collection, use, retention, and sharing of Personal Information must be limited to what is "reasonably necessary and proportionate" to achieve the specific, disclosed purpose for which it was collected.

3.4 Contract Requirements

The contract requirements in the data governance and transparency provisions are modified as follows:

  • A business must enter into a contract with every entity to which it discloses Personal Information: its service providers, its contractors, and any third party (meaning any entity other than the business, its service providers, or its contractors).
  • Even for sales or disclosures to third parties, the contract must specify that the Personal Information is sold or disclosed only for limited and specified purposes, and must obligate the recipient to comply with the CPRA and to provide the same level of privacy protection that the law requires of the business.

3.5 Security Procedures and Practices (new)

The CPRA adds a security requirement to the data governance and transparency provisions:

  • A business that collects Personal Information must implement reasonable security procedures and practices, appropriate to the nature of the Personal Information, to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure.

4. Enforcement of Regulation

4.1 California Privacy Protection Agency 

The CPRA adds a dedicated enforcement body:

  • It establishes the California Privacy Protection Agency (CPPA), which takes over rulemaking from the Attorney General, shares enforcement authority with the Attorney General, and can enforce the CPRA through administrative proceedings.

4.2 Rulemaking Authority (modification)

The rulemaking authority is modified as follows:

  • The Attorney General, and subsequently the California Privacy Protection Agency, are empowered to issue regulations on matters such as defining business purposes, sensitive Personal Information, de-identified information, and unique identifiers. This includes defining "specific pieces of information" so as to minimize the disclosure of information that is not useful to consumers.
  • They may also issue regulations establishing when service providers and contractors may combine Personal Information received from multiple sources.

4.3 Cure Period

The cure period provision is modified as follows:

The CPRA eliminates the mandatory 30-day cure period that the CCPA granted following notice of alleged non-compliance. The Agency may still, at its discretion, allow a business time to cure, taking into account the business's lack of intent to violate the law and any voluntary efforts it has made to cure, but a business can no longer rely on being given that opportunity.

4.4 Penalty for Violation involving Minor 

The CPRA adds a higher penalty for violations involving minors:

  • A penalty of up to $7,500 per violation applies where the violation involves the Personal Information of a consumer the business has actual knowledge is under 16 years of age. By comparison, other violations carry up to $2,500 per violation, or up to $7,500 per intentional violation.

A final thought on the CPRA Act 

The CPRA, as the amended successor to the CCPA, is a clear example of how rapidly the privacy landscape is evolving. That pace of change signals that the industry is moving towards stronger privacy obligations for organizations. Although new regulations and standard requirements call for additional effort and resources, meeting them takes you a step closer to achieving compliance. As an experienced and qualified assessor in the cybersecurity industry, I strongly believe that in today's volatile environment the organizations that prepare early for the law will be best positioned to comply with the standard in the days to come.

Narendra Sahoo

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global information security consulting firm based in the US, Singapore, and India. Mr. Sahoo has more than 25 years of experience in the IT industry, with expertise in information risk consulting, assessment, and compliance services. VISTA InfoSec specializes in information security audit, consulting, and certification services, including GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS compliance and audit, PCI PIN, SOC 2 compliance and audit, PDPA, and PDPB, to name a few. Since 2004 the company has worked with organizations across the globe to address the regulatory and information security challenges in their industries, and has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.