Submitted by on
Home> Guides> Governance> The California Privacy Rights Act of 2020

Home > The California Privacy Rights Act of 2020

The California Privacy Rights Act of 2020

Share this Page

The California Privacy Rights Act (CPRA), a ballot measure (Proposition 24) approved by voters in November 2020, redefined and expanded the California Consumer Privacy Act (CCPA), which was signed into law in June 2018.

When woven into the fabric of a business, privacy protections such as the CPRA, represent more than an IT program.

The impetus for the new law was to strengthen privacy rights for residents of California. The CPRA provides consumers more opportunities to opt-out of targeted messages from businesses or third parties to whom they have sold or shared consumers’ data. In addition, specific requirements are set forth directing businesses to use deliberate data privacy management systems and processes.

Both the CCPA, which began as an Assembly Bill (AB-375), and the CPRA were championed by privacy activist Alastair Mactaggart. He and the organization he founded, Californians for Consumer Privacy Committee, bear much of the responsibility for California’s privacy laws.

Their objective was to “Give Californians the strongest online privacy rights in the world, establish an enforcement arm for consumers, and make it harder to weaken privacy laws in the future.” (Source: Californians for Consumer Privacy Committee)

Summary of CPRA Provisions

The CPRA has four main categories of provisions to aggressively protect California consumers' privacy. These categories cover:

1. Detailing what is considered sensitive and personal information

2. Creating an enforcement agency

3. Codifying consumers’ rights

4. Defining who must comply with the law

Sensitive and Personal Information Under CPRA

  • Content of non-public communications, such as:
    • Mail
    • Email
    • Text messages
  • Age
  • Biometric data, such as: 
    • Eye color
    • Facial recognition
    • Fingerprints
    • Hair color
    • Height
    • Retina scans
    • Voice 
  • Commercial information, such as:
    • Records of personal property
    • Products or services purchased, obtained, or considered
    • Other purchasing, consuming histories, or tendencies
  • Education information that is not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
  • Financial information, such as:
    • Bank account numbers
    • Credit card numbers 
    • Debit card numbers  
    • Insurance policy numbers
  • Genetic data 
  • Geolocation information for consumers
  • Government identifiers, such as:
    • Driver’s license numbers
    • Passport numbers
    • Social Security numbers
  • Health or health plan information
  • Identifiers, such as:
    • Alias 
    • Email address
    • Internet protocol (IP) address
    • Name
    • Online identifier
    • Postal address
    • Unique personal identifier
  • Information to infer characteristics about consumers
  • Internet or other electronic network activity information, such as: 
    • Browsing history
    • Search history
    • Information regarding a consumer’s interaction with a website, application, or advertisement
  • Professional or employment-related information
  • Race, ethnicity, religious, or philosophical beliefs 
  • Sex life or sexual orientation information 
  • Union membership

Enforcement of the CPRA

Taking a cue from the European Union’s General Data Protection Regulation (GDPR), CPRA enforcement of the privacy rules is transferred from the California Attorney General to a dedicated enforcement agency, the California Privacy Protection Agency (CPPA). 

The CPPA has investigative, enforcement, and rulemaking powers. A five-year statute of limitations for the CRPA’s administrative actions can be suspended if violations were fraudulently concealed. 

The CPPA has the authorization to investigate possible violations on its initiative and has the discretion “not to investigate or decide to provide a business with a time period to cure the alleged violation.” In addition to the enforcement initiated by the CPPA, any individual or organization can bring a complaint to the CPPA.

This means that consumers, competitors, vendors, customers, consumer advocacy groups, and other parties have private rights to file complaints about a business’s privacy practices. 

The CPPA was apportioned a healthy budget that is to be increased by the legislature “as may be necessary to carry out the provisions of this title.” Administrative fines collected by the CPPA will be used to reimburse the state courts and the California Attorney General for costs related to CPRA enforcement, and a small portion of the fines go to the agency itself.

Consumer Rights

Five consumer privacy rights defined in the CCPA have been modified under the CPRA. These rights are:  

1. Opt-in rights for minors
The CPRA expands the rules related to the use of minors’ data requiring that businesses obtain opt-in consent to sell the personal information of a California consumer under 16 years of age.

It mandates that businesses wait 12 months before asking a minor consumer for consent to selling or sharing their personal information after the minor has declined. It also states that the opt-in right must explicitly include sharing data for cross-context behavioral advertising.

2. Right to data portability
The CPRA changes the CCPA’s directive that consumers have the right to receive a copy of their personal information by mail or electronically. Instead, the CPRA mandates that a consumer can request that a business transfer specific personal information to another entity “to the extent technically feasible, in a structured, commonly used, machine-readable format.”

3. Right to delete
The CPRA allows California consumers to request that a business delete their personal information if it is no longer needed to fulfill one of the stated purposes. Businesses are also required to send the request to delete to third parties that have bought or received the consumer’s personal information so that all parties are aware that it must be deleted. 

4. Right to know
The CPRA extends the 12-month window that consumers have to request information about how their personal information was collected. 

5. Right to opt-out of the sales or sharing of consumer data to third parties
CPRA expands consumers’ right to opt out of businesses selling their data to include the sharing of personal information. That is, “disclosing, disseminating, making available, transferring, …  a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.”

In addition to expanding these CCPA consumer privacy rights, the CPRA also introduces four additional consumer privacy rights. These are:  

  • Right to access information about automated decision making
    A consumer has the right to seek meaningful information about the logic involved in the decision-making processes and a description of the likely outcome based on that process (e.g., profiling).
  • Right to correct information
    A consumer has the right to request that a business correct any inaccurate personal information maintained by the business. 
  • Right to limit use and disclosure of personal information
    A consumer has the right to have businesses restrict the use and disclosure of their personal information to that “use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods and services.” 
  • Right to opt-out of automated decision-making technology
    A consumer has the right to opt out of having their data used for automated decision-making processes, including profiling.

Three GDPR Principles that Are Included in CPRA

The GDPR has influenced privacy regulations around the world, including the CPRA. Several GDPR principles that were not included in the CCPA are now codified as part of the CPRA. These three are:

1. Data minimization
The GDPR directs businesses to limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose.  

2. Purpose limitation
The GDPR requires that businesses only use personal information collected for the stated purpose and may not use it later for a different purpose.

3. Storage limitation
Under the GDPR, businesses must tell consumers how long they intend to retain their personal information or sensitive personal information. If the business does not know how long it will be held, they must state the criteria used to determine how long (e.g., for as long as a consumer has an account with the business).

Four Types of Organizations that Must Comply with the CPRA

The CCPA imposed privacy-related obligations on businesses, service providers, and third parties.

The CPRA added a fourth category—contractors.

1. Businesses

The CPRA defines a business as an organization that “does business” in California as a for-profit legal entity and collects consumers’ personal information or has others collect this information on its behalf. The threshold to be considered a business are:

  • Satisfies at least one of the following thresholds:
    • Has annual gross revenues that are more than $25 million
    • Annually buys, receives, sells, or shares the personal information of 100,000 or more consumers, households, or devices
    • Derives 50% or more of its annual revenues from selling consumers’ personal information

The principal obligations of a business are:

  • Facilitate consumer requests
  • Fulfill disclosure and retention obligations
  • Honor consumer rights
  • Implement security safeguards
  • Provide notice of consumer rights

2. Service Providers

The CPRA defines a service provider as an entity that:

  • Receives personal information from or on behalf of a business 
  • Processes that personal information on behalf of a business 
  • Is contractually obligated not to retain, use, or disclose consumers’ personal information other than as specified in the agreement

The principal obligations of a service provider are:

  • Comply with the terms of that contract
  • Implement security safeguards
  • Use personal information only to perform services on behalf of a business as specified in a contract

3. Contractors

The CPRA defines a contractor as:

According to CPRA, contractors are similar to service providers. Contractors are bound by the terms of a written contract from the business that sets forth certain restrictions and prohibitions on the use of personal information.

However, unlike a service provider, contractors’ requirements include a certification that they understand all of those restrictions and prohibitions and that they will comply with them.

The principal obligations of a contractor are:

  • Comply with the terms of the contract
  • Implement security safeguards
  • Not combine personal information received from a given business with any personal information that’s received from others
  • Notify the business regarding their use of subcontractors, and those subcontractors must be contractually bound to the same terms as contractors
  • Use personal information only to perform services on behalf of a business as specified in a contract

4. Third Parties

The CCPA defines a third party as:

Third parties are defined, by CPRA, as legal entities that do not meet the characteristics of a service provider, but also receive personal information from the business.

The principal obligations of a third party are:

  • Use personal information consistent with promises made at receipt
  • Provide consumers notice of any new or changed practices
  • Give consumers explicit notice of additional sales of personal information and provide consumers with the opportunity to opt-out

CPRA vs. CCPA

The CPRA has been referred to as CCPA 2.0. The amendments that the CPRA makes to the CCPA are seen by many as paradigm-shifting. The intent of the CPRA was to significantly enhance the CCPA to redefine who is in control of consumers’ personal information and put consumers back in charge of their data.

The CPRA introduced a number of new provisions and concepts to the CCPA, which regulators are still fleshing out, and businesses are struggling to understand two years after CCPA was passed.

When considering CPRA vs. CCPA, the following are the key differences.

CCPACPRA
The CCPA effective date is January 1, 2020.The CPRA effective date is January 1, 2023.
Who CCPA applies to:

Businesses that buy, sell or receive personal information about at least 50,000 California consumers, householders, or devices for commercial purposes 

Derives more than 50% of its annual revenue from the sale of personal information
Who CPRA applies to:

Businesses that buy, sell, or share personal information of 100,000 or more California residents or households 

Derives 50% or more of annual revenue from selling or sharing California personal information
The CCPA does not cover the concept of sensitive data.The CPRA stipulates rules for sensitive data, including:

Categories of sensitive data are specified

Consumers must be provided with notice if the business plans to use or share sensitive personal information, along with a “clear and conspicuous” opt-out link

Retention of sensitive personal information must be limited, and it must be deleted after businesses fulfill their declared purposes
The CCPA gives consumers the right to have businesses delete their personal information once it has been used for its designated purpose.The CPRA gives consumers the right to have a business delete their personal information and have it deleted by any third-party organization with whom it has been shared.
The CCPA does not have data protection impact assessment (DPIA) requirements.The CPRA includes DPIA requirements for companies whose data processing presents a significant risk to consumer privacy or security.
The CCPA is enforced by the Attorney General of California.The CPRA is enforced by the California Privacy Protection Agency (CPPA).
Under the CCPA, consumers have the private right to take legal action for a breach of unredacted or unencrypted personal information due to a failure to maintain reasonable security practices.Under the CPRA, consumers have the private right to take legal action for a breach of unredacted or unencrypted personal information and consumer login credentials due to failure to maintain reasonable security practices.
CCPA penalties and damages are:

Maximum civil penalty is $2,500 for each unintentional violation and $7,500 for each intentional violation

A provision that a consumer may recover either statutory damages between $100 and $750 per consumer per incident, or actual damages (i.e., the actual damages suffered by the consumer as a result of the breach), whichever is greater.
CPRA penalties and damages are:

Maximum civil penalty is $2,500 for each unintentional violation and $7,500 for each intentional violation

A provision that a consumer may recover either statutory damages between $100 and $750 per consumer per incident, or actual damages (i.e., the actual damages suffered by the consumer as a result of the breach), whichever is greater.

A $7,500 fine per violation involving the personal information of consumers under the age of 16 is automatically issued.
The CCPA gives consumers the right to request that businesses not sell their data.The CPRA gives consumers the right to request businesses not sell their data or leverage it for targeted advertising.
The CCPA rules regarding minors state that: 

Businesses cannot conduct targeted advertising or sell the data of consumers under the age of 16 unless there is explicit opt-in consent.
The CPRA rules regarding minors state that: 

Businesses can’t sell or conduct targeted advertising with the data of consumers under the age of 16  unless there is explicit opt-in consent. 

If the request for consent is declined, the business cannot ask again for 12 months. 

Minors under the age of 13 must get permission from a parent or guardian to opt-in.
Under the CCPA, the cure period is 30 days.
The CPRA removes the 30-day cure period and gives the California Privacy Protection Agency (CPPA) discretionary power to provide the business with a time period to cure.
The CCPA does not define third parties.The CPRA defines third parties, service providers, and contractors. 

According to the CPRA, businesses must impose contractual obligations on third parties before sharing, selling, or disclosing personal data.

Another California Privacy Law Blazes a Trail

As the first set of comprehensive data privacy regulations in the United States, the CCPA went into effect in 2020, just two years after the ground-breaking GDPR. The same year the CPRA was passed, as Prop 24, garnering the 6th most votes of any initiative in the state’s history.

California’s reputation as a trailblazer has held. Within a year, Virginia and Colorado passed privacy legislation (i.e., the Colorado Privacy Act or CPA, the Virginia Consumer Data Protection Act or VCDPA).

Consumers’ desire for privacy protection provides organizations with an opportunity to stand out and use privacy as a way to enhance their business practices. When woven into the fabric of a business, privacy protections can be more than an IT program. Privacy can be a way to instill trust and deepen relationships with consumers.

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.

Last Updated: 9th May, 2022

Share this Page

Get started with Egnyte.

Request Demo