Pagoda Blog

What the California Privacy Rights Act Means for Your Business

January 7, 2021

The new California Privacy Rights Act (CPRA), spearheaded by real estate developer Alastair Mactaggart, goes into effect January 1, 2023. The CPRA will replace the California Consumer Privacy Act (CCPA), which was put into effect in January 2020. So why is California enacting a second set of rules and regulations when we’ve barely begun implementing the first? According to those in favor of the CPRA, the CCPA doesn’t do enough to empower users to protect their data. Opponents, however, argue that the new act puts undue burden on the individual consumer. Here’s what you need to know as a consumer and as a business owner in the state of California.


What is the purpose of the CPRA and CCPA?  

The CPRA is intended to be an improvement on the CCPA, a consumer privacy law that gives consumers more control over their data. Both the CPRA and CCPA regulate how businesses collect, use, and disclose your personal data. This includes information you share online such as your full name, birthdate, and location, in addition to the websites you visit, links you click, and any other online activity. According to Coalition, the CCPA “protects the right to know what information is collected, how it is used, the right to delete information, opt-out of the collection of the sale of the data, and the right to non-discrimination for exercising the rights protected by the CCPA.”


The CCPA is enforced by the Attorney General of California. Under the original act, California residents have the power to bring class action lawsuits against a business for data breaches without demonstrating proof of loss. Individuals are required, however, to give the company 30 days’ written notice before filing a lawsuit, giving it time to rectify the alleged breach.


The CPRA will be enforced by a new agency, the Privacy Protection Agency, funded by financial penalties resulting from the new regulations. It will give consumers the right to free reports that disclose what personal data businesses are collecting, the ability to opt out of that data collection, and the ability to request that this data be deleted.


Who does the CCPA apply to? 

The CCPA applies to for-profit businesses in California that collect consumer data and meet one of the following criteria: 

  • An annual gross revenue of more than $25,000,000
  • 50,000 or more users, households, or devices
  • More than half of their annual revenue is generated from the sale of consumers’ personal information   


The CCPA was expected to cost small businesses with fewer than 20 employees up to $50,000 to implement and those with between 20 and 500 up to $450,000.


Who does the CPRA apply to? 

Supposedly, the new rules and regulations under the CPRA are intended to exempt small businesses. When you review the criteria that specify who must comply, however, the only difference between the CCPA and the CPRA is the number of users. (Number of users refers to the number of consumers whose data a company buys, sells, or shares.) If your business meets one or more of the following criteria, you must comply with the new CPRA: 


  • An annual gross revenue of more than $25,000,000 
  • 100,000 or more users, households, or devices
  • More than half of their annual revenue is generated from the sale of consumers’ personal information


What will change when the CPRA takes effect? 

Like the CCPA, the new CPRA requires businesses to notify users when their information is collected, shared, and sold. There are several differences, however, that impact both consumers and business owners. 


Creation of a new agency for enforcement 

The CPRA requires the creation of a new agency, titled the Privacy Protection Agency, to oversee and enforce the new rules, costing approximately $10 million per year to operate. As stated above, this agency will be funded by financial penalties resulting from the new regulations. (These penalties could be up to 3 times the current fine and businesses will no longer have 30 days to remedy an alleged breach before action is taken.) Supporters of the CPRA, like former presidential candidate Andrew Yang, say that this new agency will have more power to enforce the regulations, allowing district attorneys from the county and state levels to get involved. "You'll see compliance shoot up because all of a sudden the tech companies know we'll actually be looking at the treatment of our data," says Yang. 


Expands the definition of personal information 

Under the CCPA, personal information is defined as an individual’s name combined with another listed data element. This “data element” includes your Social Security number, driver’s license, bank account number, or other identification number. The CPRA expands this definition to include a consumer’s “email address in combination with a password or security question and answer that would permit access to the account.” 


The CPRA most notably expands the definition of a subset of personal information referred to as “sensitive” personal information. Whereas sensitive personal information only used to apply to a government-issued identification number, it now also includes geolocation information, the contents of emails or text messages, genetic data, racial or ethnic origin, religious beliefs, biometrics, health data, and data concerning sex life or sexual orientation. This more comprehensive definition of sensitive personal information should give consumers more power over what information data brokers collect and how they use it. (A data broker is a company that either collects data themselves or purchases data collected by another company.)


Opt-out vs opt-in

Although the CPRA expands the type of personal information that it protects, the consumer is required to actively opt out of data collection with each company. Businesses will be required to include a conspicuous link, referred to as an “opt-out preference signal”, on their homepage that provides the option for consumers to opt out of having their data collected, shared, or sold.


Under the CCPA, companies are allowed to collect data without the explicit permission of the consumer, but they must ask permission before selling a consumer’s data. (This is similar to the European General Data Protection Regulation, or GDPR.) The Electronic Frontier Foundation, American Civil Liberties Union of Northern California, and other opponents of the new law argue that requiring consumers to opt out of both the collection and intent to sell their data puts an undue burden on consumers.


Consumers may pay for their privacy 

Another potentially problematic component of the CPRA is that companies will be allowed to charge consumers more if they opt out of data collection. This “pay-for-privacy” structure takes the form of companies offering discounts or even paying consumers in exchange for access to their data. This could disproportionately impact low-income users who may need access to a company’s service or product but don’t have the means to pay higher fees in exchange for protecting their privacy.


Expands the right to delete your data

As under the CCPA, consumers can request that a business delete their personal data. The CPRA, however, expands this right to removal by requiring that businesses notify any third parties with which they shared or sold that consumer’s personal information.


Companies have more power to retain data

Companies now also have the right, however, to refuse to delete consumers’ data if they deem it vital for security purposes. It isn’t clear how the new law defines “security purposes” but this could be worrisome for consumers who don’t want data brokers to have access to previously collected personal information.     


How to get your business ready for CPRA compliance

As a small or medium-sized business operating in California, you most likely won’t have to make any significant changes to the way you conduct business online. If you do meet one of the three criteria for compliance, however, you will need to add an opt-out preference signal to your homepage and review in more detail the modifications to the CCPA that may affect your business and consumer rights. 


For those businesses operating outside of California, the CPRA does not apply, but the new law could set a precedent for other similar laws to take effect in other states. The bottom line is, whether or not you legally have to comply, it’s always good practice to review how you’re using consumers’ data. For what purpose are you collecting it? Are you sharing it with or selling it to any third parties in a way that would make your users feel there was a violation of their privacy and trust?


We believe that as a business owner, it is a top priority to do all you can to protect your customers’ personal information. This will not only establish trust, resulting in long-term customers and devoted ambassadors of your brand, but will also protect you from the wide-ranging negative impacts, from your revenue to your reputation, of a potential data breach.


Feature photo by fauxels from Pexels

