The Expert's Guide to California Data Privacy Law | CCPA & CPRA

Written by Sam Pfeifle | August 24, 2022

For a long time, California has been a leader in making sure its citizens’ privacy is protected. In the early days of the modern internet, California’s privacy policy law led the charge in making sure websites didn’t deceive visitors by collecting data without a privacy notice. Today, it is California again—with the California Privacy Rights Act (CPRA) building on the California Consumer Privacy Act (CCPA)—that is leading the way in making sure consumers have control over how businesses collect and share their personal data.

As more states—like Virginia, Colorado, Iowa, and more—join California in implementing comprehensive privacy legislation, it is vital to understand the requirements of California data privacy law. Not only will it allow you to continue to access what amounts to the world’s fifth largest economy, but it will also put you in good standing with the rest of the U.S. state privacy laws and prepare you for compliance with stricter global privacy laws, like the EU’s GDPR or China’s PIPL. 

In this blog, we’ll take a look at: 

  • Where California privacy law stands right now. 
  • How CPRA builds on CCPA. 
  • What steps to take to comply and avoid penalties and reputational harm. 
  • What to look for in the future to remain in compliance. 
  • Frequently asked questions regarding the CPRA. 

Let’s get started. 

CCPA vs. CPRA: How Are They Different?

It’s best to think of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) as essentially the same thing.

What is the California Consumer Privacy Act (CCPA)? 

The CCPA passed through the California legislature and was signed by the governor in 2018, with an effective date of January 1, 2020. However, the Californians for Consumer Privacy (the group that pushed hardest for the CCPA) almost immediately felt it wasn’t strong enough. They started a campaign to make it stronger and more protective of consumer rights to control the collection and use of personal information.  

What is the California Privacy Rights Act (CPRA)? 

The California Consumer Privacy Act (CCPA) of 2018 is already in force, and now it has been updated by the California Privacy Rights Act (CPRA).

Because of the Californians for Consumer Privacy push, the California legislature added a citizen’s initiative ballot question in 2020 on whether or not an amendment to the CCPA should be created—the CPRA. The CPRA built upon the CCPA text, changing some items, adding others, and clarifying some questions around enforcement and who’s actually covered by the law.  

At this point, for all intents and purposes, the CPRA is the only law you need to worry about. It’s like the CCPA+, or CCPA 2.0, and it covers everything you need to know to understand California data privacy law.  

CPRA Enforcement Date 

The vast majority of the CPRA came into force on January 1, 2023, but the CPRA also regulates data collected starting January 1, 2022.

The initial CPRA enforcement date was July 1, 2023. After a challenge from the California Chamber of Commerce, which argued that the CPPA didn't finalize the CPRA's regulations until March 2023, the date was pushed to March 29, 2024. However, on February 9, 2024, the CPPA won its appeal, immediately allowing enforcement of the initial CPRA regulations and retroactively setting the enforcement effective date to July 1, 2023.

CPRA Compliance: How Do You Know if You Have to Comply With the CCPA and CPRA?  

The CPRA changed the rules for who has to comply only slightly. As of January 1, 2023, the CPRA applies if you are a for-profit organization that “does business” in the state of California, collects the personal data of Californians or has it collected for you, and fits one or more of these criteria: 

  • Buys, sells, or shares the personal information of 100,000 people or households. The “shares” part was added with the CPRA, and the number of people was doubled. 
  • Creates 50% or more of your revenue through the sale or sharing of personal information. 
  • Had $25 million in gross revenue in the preceding calendar year. The “preceding calendar year” part was added with the CPRA to make it clear what they meant by $25 million in annual gross revenues.  

In theory, you could have to comply with CPRA one year and not the next, depending on your revenue mix and business initiatives. However, the CPRA is in line with many laws around the country and the world, and most of what it requires is considered general best practice, so it doesn’t make a lot of sense to try to figure out whether you can get out of CPRA compliance each year. 

What Happens if You Don’t Comply With the CPRA? 

The penalties for not complying with the law haven’t changed much from the CCPA to the CPRA. However, the CPRA empowers the Attorney General, California’s 62 different district attorneys, and a brand-new California Privacy Protection Agency (CPPA) to enforce it—the CPPA’s CPRA enforcement powers began on July 1, 2023.

That means there are a lot more “cops on the beat,” so to speak, with the ability to investigate business practices and bring actions to penalize those organizations that are not in compliance. 

CPRA Penalties include: 

  • $2500 per offense for negligent mistakes.  
  • $7500 per offense for willful offenses.  

Each person affected in a violation constitutes an offense, so the fines can add up quickly, especially if you are willfully negligent. And the bad news: If you’re reading this and then decide not to bother with compliance, you’re being willfully negligent. Oops. 

Is it likely that enforcers of California privacy law will look kindly on businesses that make small mistakes or have small oversights in their compliance plans, especially in the first few years? Absolutely.  

Is it likely that “I had no idea I had to comply with this law,” will work as an excuse when a regulator comes calling? Absolutely not.  

How serious is California? In the CCPA, there was a 30-day grace period where you were offered a chance to fix your violations. In the CPRA, there is no such grace period. 

CPRA Requirements: What’s Really Changed?

First and most importantly, you need to make sure consumers can exercise their new rights to control the collection and use of their personal data, many of which have been augmented in some way. Note that the CPRA broadened the definition of “consumers” to include your employees—previously employees and other commercial partners were exempt from California privacy law protection, but no longer. 

Remember: “Personal data” or “personal information” is defined broadly in both the CCPA and the CPRA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Unless you take steps to de-identify data after you collect it, much of the data you collect from customers and employees is personal data according to California privacy law. 

The CPRA also now puts the onus on you to make sure consumers (and employees) know their privacy rights. That means you’ll need to explain their rights at the point of collection as part of the notice you provide. 

The CPRA Definition of Privacy Rights: 

  • Right to Access, Deletion, and Correction: Consumers must be able to obtain and delete their own personal information at any time and have it corrected if it is incorrect. If they ask you to delete it, you have to make anyone you’ve shared it with or sold it to delete it as well. The right to correction was introduced by the CPRA, as was the requirement to pass along deletion requests to third parties.
  • As part of sharing their personal data with them, and in addition to the actual data you possess, you must provide consumers with a list of:
      • The categories of personal information you have collected.
      • The categories of sources from which you collected their personal information.
      • The business purpose for which you collected their data.
      • The categories of third parties to which you sell or share their data. Previously, the CCPA lacked language around the sharing of data and only regulated the sale of data.
  • Right to Object to Sale or Share: Consumers can prevent the sale or sharing of their information (and you need a “do not share” button on your website to make this easy). The right to object to sharing was added by the CPRA.
  • Right to Opt-Out of Behavioral Profiling and Automated Decision-Making: Consumers can ask you to stop profiling and serving ads based on behavior, and they can ask you not to use automated decision-making to provide them with offers, products, services, etc. This entire right is new with the CPRA.
  • Right to Object to the Use of Sensitive Personal Information: Consumers can stop you from using certain data at all, including data surrounding race, precise geolocation, religion, union membership, genetics, biometrics, sexual orientation, and the contents of communications. This new piece in the CPRA also requires you to have a prominent button or link people can use to “limit the use of my sensitive personal information.”
  • Right to Data Portability: If asked, you must transfer any personal data you hold about a person to another organization, “to the extent technically feasible, in a structured, commonly used, machine-readable format.” This is new with the CPRA.

Introduction of New Privacy Principles: 

You also need to abide by a new set of “privacy principles” in all of your data-handling practices, many of which are new with the CPRA: 

  • Purpose Limitation: You can only use personal data for the purpose for which it was originally collected. This is new with the CPRA. 
  • Protection of Children’s Data: Compared to the CCPA, the CPRA tripled fines for violations associated with the data privacy of children under 16. Permission from a guardian is needed for the collection of a child’s data, too. Another new piece here is that if you don’t receive consent to collect a child’s data, you have to wait 12 months before asking again. 
  • Storage Limitation: Data should be destroyed or deleted once the data has been used for its collected purpose. 
  • Reasonable and Appropriate Security: Security for personal data must be appropriate based on how sensitive the data is and the harm that would result because of unauthorized access.  

More Changes via CPPA Rulemaking 

As if the change from the CCPA to the CPRA wasn’t enough, the law was further modified by the California Privacy Protection Agency (known as the CPPA, which isn’t confusing at all, surely). After consulting with stakeholders, the CPPA created a number of “rules” that gave further guidance and specificity on how organizations should comply with the CPRA. 

On March 29, 2023, the CPPA finalized rulemaking for the CPRA. 

Most notably, the CPPA codified the need for organizations to conduct risk assessments. Prior to certain “high-risk” collections and uses of personal information, you need to conduct an assessment. After completing the assessment, you must file it with the CPPA to prove you’ve considered the dangers surrounding the data collection and mitigated the risk of harm to the consumer.   

Be prepared to create a process in your organization for conducting these risk assessments.   

The CPPA also clarified that organizations must honor authorized third-party opt-out signals. Essentially, certain mechanisms can signal an opt-out on behalf of an individual, such as the Global Privacy Control (GPC). If a user adds the GPC to their browser and instructs it to send out an opt-out signal, businesses need to respond as though the user had opted out of data collection on their website.
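The GPC handling described above, as an added example that is not part of the original article: a small JavaScript module that detects the signal (the `Sec-GPC: 1` request header on the server, `navigator.globalPrivacyControl` in the browser) and decides whether a consumer's personal information may be sold or shared. The consumer identifier, the Map-based preference store, and the function names are assumptions, not part of the CPRA text or any vendor product.

```javascript
// Added example, not from the original article. Assumptions: the GPC
// signal arrives as the request header "Sec-GPC: 1" (server side) or as
// navigator.globalPrivacyControl === true (browser side), and the business
// keeps a per-consumer sale/share preference in a store (a Map here).

// Detect a GPC opt-out on the server. Header names are case-insensitive,
// and the spec value for an active signal is exactly "1".
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Detect a GPC opt-out in the browser via the navigator property.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Preference values recorded per consumer.
const OPT_OUT = "opt-out"; // consumer (or their GPC signal) declined sale/share
const OPT_IN = "opt-in";   // consumer affirmatively consented after an opt-out

// Decide whether this request's personal information may be sold or shared,
// persisting a GPC opt-out so later requests without the header stay opted
// out. Returns { allowSaleOrShare: boolean, reason: string }.
function resolveSaleShare({ consumerId, headers, nav, store }) {
  const stored = consumerId ? store.get(consumerId) : undefined;

  // A recorded opt-out wins even when the current request carries no signal:
  // selling or sharing a previously opted-out consumer's data needs opt-in.
  if (stored === OPT_OUT) {
    return { allowSaleOrShare: false, reason: "stored opt-out" };
  }

  // A live GPC signal is treated as a valid opt-out request. It is applied
  // ahead of any stored opt-in, so a conflict resolves in favour of opting
  // out, and it is remembered against the known consumer.
  if (gpcFromHeaders(headers) || gpcFromNavigator(nav)) {
    if (consumerId) store.set(consumerId, OPT_OUT);
    return { allowSaleOrShare: false, reason: "gpc signal" };
  }

  if (stored === OPT_IN) {
    return { allowSaleOrShare: true, reason: "stored opt-in" };
  }

  // No signal and nothing on record: the default regime is opt-out, so
  // sale/share is permitted provided notice and an opt-out link were given.
  return { allowSaleOrShare: true, reason: "default (no opt-out on record)" };
}

// Constructed sample requests showing the decision for one consumer.
function demo() {
  const store = new Map();
  const first = resolveSaleShare({
    consumerId: "consumer-123", headers: { "Sec-GPC": "1" }, store,
  });
  const later = resolveSaleShare({
    consumerId: "consumer-123", headers: { "User-Agent": "sample" }, store,
  });
  console.log(first.reason, "->", first.allowSaleOrShare);
  console.log(later.reason, "->", later.allowSaleOrShare);
  return [first, later];
}
demo();
```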

CCPA vs. CPRA comparison chart

For a quick, at-a-glance look at other changes from CCPA to CPRA, here’s a handy chart:

What’s Changed Between the CCPA and CPRA?

Enforcement
  • CCPA: California Attorney General’s Office.
  • CPRA: Newly created California Privacy Protection Agency, plus the AG and District Attorneys.

Profiling
  • CCPA: N/A
  • CPRA: Consumers can opt out of automated decision-making.

Sensitive data
  • CCPA: N/A
  • CPRA: New definition of some data as “sensitive.” Businesses must disclose how they collect, use, sell, and share sensitive data. Consumers may opt out of the use, entirely, of their sensitive data.

Data minimization
  • CCPA: N/A
  • CPRA: Businesses must only collect and retain what’s “reasonably necessary” and “proportionate” to the intended purpose.

Consumer remedies
  • CCPA: Consumers may file a private right of action when a lack of reasonable security leads to a breach.
  • CPRA: Expands the private right of action to include remedy for breached data that includes consumers' email address and password or security question.

Risk Assessments
  • CCPA: N/A
  • CPRA: For certain collection and use of personal information, organizations will have to conduct risk assessments before beginning the collection or use process.

Deletion
  • CCPA: Businesses must fulfill validated consumer requests to delete their data.
  • CPRA: Companies fulfilling legitimate deletion requests must also notify third parties to delete such information.

Third parties
  • CCPA: Not defined.
  • CPRA: Third parties defined, excluding service providers and contractors. Businesses must impose CPRA-level contractual obligations on third parties before sharing, selling, or disclosing personal data.

Opt-out links on websites
  • CCPA: Businesses must have a “Do not sell my personal information” link.
  • CPRA: Companies must have a “Do not sell or share my personal information” link and a “Limit the use of my sensitive personal information” link. Businesses must also honor opt-out signals such as the GPC.

Fines
  • CCPA: Up to $7,500 per violation or $2,500 per unintentional violation.
  • CPRA: Automatic $7,500 fine for violations of minors’ data (children under the age of 16).

CPRA Checklist: How to Build Toward Compliance 

CCPA and CPRA compliance is an all-hands-on-deck sort of thing, but will look different at every organization, depending on the type of personal information you’re collecting and your business plan. The following checklist isn’t comprehensive (for a more comprehensive resource, check out our eBook CPRA Compliance How Osano Can Help), but it will help you build a strong foundation for CPRA compliance.

1. Appoint a Responsible Party to Oversee Compliance 

CEOs and CIOs often lead the charge, but it may be worthwhile to appoint a chief privacy officer (CPO) or a privacy director of some kind, often in the legal or compliance team, who can be tasked with overseeing compliance.

2. Establish a Privacy Compliance Program 

Privacy compliance is an ongoing activity, so rather than kick off a one-time compliance project, you’ll really want to establish a privacy program. The program will be responsible for coordinating and launching compliance activities for the CPRA and any other privacy laws your business is subject to.

3. Audit How Personal Information Is Collected and Used 

Because so many departments collect and use consumer data, it’s important to record any data collecting and processing activities to make sure personal information is being handled appropriately. 

Under the EU’s GDPR, this kind of auditing is formalized in a document known as a record of processing activities, or RoPA. Even though the CPRA doesn’t explicitly mention conducting a RoPA, doing so will set the stage for future compliance activities. Check out our article, What Is a RoPA?, to learn more.  

4. Conduct Training 

Understanding where your organization collects personal data is important, but it’s even more important to ensure that your team members who collect personal data know how to handle it compliantly. 

For example, marketers consistently rely on consumer data to influence their campaigns. Consumer data is precisely what makes companies able to effectively target their marketing efforts to the right people at the right time to increase sales. Every time a consumer is tracked with a website cookie, fills out a form, or makes a purchase online, they are giving the company their personal information, which is now protected by the CCPA and the CPRA. 

These marketers need to be trained in how to comply with the law and systems need to be put into place to make sure they follow policy.  

The same goes for your sales department. All of that customer data that's stored in systems such as Salesforce must be protected and only used appropriately. If it's shared with other departments, those departments now have some ownership. You can see how quickly and easily consumer data spreads across the organization.

5. Manage Third-Party Relationships 

It’s not just other departments who will handle your consumers’ data; you likely have relationships with other organizations who may be processing consumer personal data. 

These third parties might do things like perform sophisticated data analytics, fill in profiles for people with only partial records, and other potentially privacy-invasive activities. These third-party relationships must be managed via contracts and audits, as you’ll be responsible for how they handle the data supplied to you by your customers and employees. 

Given the volume of third-party relationships you may manage, this task can quickly become overwhelming. That’s why it’s important to identify a vendor privacy risk management solution to streamline the vendor assessment process. 

6. Establish a Means of Managing Consent 

On its face, allowing website visitors to opt out of data collection seems simple enough. But in reality, it can become technically complex very quickly. Consider cookies (just one of several data trackers on your website). Some cookies may be necessary to your website’s functionality; so, if you provide a “Do not sell or share my personal information” link on your website, it can’t just block all cookies. 

Furthermore, you’ll need to record individual users’ consent preferences so you don’t accidentally collect data from them in the future, and so you can prove you gathered consent should the CPPA or attorney general come investigating. 

Then, you need to provide a banner that discloses your privacy policy, and you need to do it in a way that complies with the CPRA in the user’s preferred language. 

We dive into the specifics of cookie consent in our blog, Cookie Banners: How to Stay Compliant with Privacy Laws. 

7. Develop and Regularly Review Notices and Privacy Policies 

If you collect data from your consumers (or from your employees) and they aren’t aware of what you’re collecting and why, you’ll be out of compliance with the CPRA. 

A key part of CPRA compliance and data privacy compliance as a whole is transparency—that’s why you’ll need to develop and maintain a privacy policy and present that policy at the point of collection. Since the data you collect from consumers and employees may be entirely distinct, it’s a good idea to craft a separate employee privacy policy as well. 

You can also digest these steps towards compliance here: CPRA compliance checklist

CPRA Solutions: Make Sure You Don’t Try to Do It Alone 

Does compliance sound difficult? It is. The CPRA, especially, represents a major evolution in the responsibilities many companies have in regard to handling personal data.  

Luckily, many companies, like Osano, have created software packages that allow you to: 

  • Track and document consent. 
  • Manage your contracts and third-party data sharing in a dashboard-like environment. 
  • Manage and document consent for cookie placement. 
  • Conduct and manage risk assessments. 
  • Quickly respond to requests for access, deletion, and correction.  
  • Quickly produce privacy notices that are targeted toward the type of information you’re collecting. 

Wait. Cookies?! Does the CPRA Change the Rules Around Cookies? 

Well, yes and no. The CCPA and CPRA don’t focus on the mechanisms involved in how personal data is collected and used; they focus only on the fact that personal data is actually being collected and used.

Thus, if your cookies don’t collect personal information, California data privacy law isn’t particularly worried about them. But, if your cookies do pass along personal information to your organization or others, then all of the CCPA and CPRA rules apply.  

Got it? Luckily, there are plenty of cookie consent managers out there to help make sure you know the difference between essential cookies and those that collect data (and those that do both).  

Protecting Californian Consumers' Privacy

The people behind the CCPA, CPRA, and CPPA are first and foremost concerned with protecting the privacy of California consumers. They are very likely to prioritize enforcement against the most egregious violators of the law.  

However, that does not mean they don’t care about the little guys. While how the CPPA will act is somewhat unpredictable, you should expect audits of classes of websites, roundups of certain types of violations that include large groups of companies, and other enforcement action that seeks to prod large sections of the California marketplace into compliance. 

Most especially, you don’t want to be caught looking like you don’t care. Good faith efforts will result in kind attention from the regulators; pleas of ignorance will result in much harsher treatment, indeed. 

CPRA FAQ 

Who Must Comply With the CPRA? 

You must comply with the CPRA if you are a for-profit organization that does business in California, collects the personal data of Californians or has it collected for it, and fits one or more of these criteria:

  • Buys, sells, or shares the personal information of 100,000 people or households.
  • Creates 50% or more of its revenue through the sale or sharing of personal information.
  • Had $25 million in gross revenue in the preceding calendar year.

When Did the CPRA Go Into Effect? 

The CPRA came into force on January 1, 2023, but it also protects data collected starting January 1, 2022. The CPRA’s enforcement date is July 1, 2023. 

What Is the CPRA Definition of Personal Information? 

The CPRA defines personal information as "Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." 

What Is the CPRA Definition of Sensitive Personal Information? 

Sensitive personal information has extra requirements for its collection and processing. Sensitive personal information includes: 

  • A consumer’s social security, driver’s license, and similar identifiers.  
  • Account access information.  
  • Precise geolocation.  
  • Sexual identity, ethnicity, etc. 
  • Genetic and biometric data. 
  • Neural data.
  • And more. 

What Are the CPRA’s Requirements Around Data Collection Consent? 

The CPRA requires businesses to accept opt-out requests, meaning that they can collect users’ personal information by default so long as they provide notice about the collection and means of opting out of it. 

Businesses must provide a "Do not sell or share my personal information” link, which stops the share or sale of personal data to third parties, in particular for the purpose of targeted advertising. Businesses must also honor opt-out requests from authorized third-party signals, like the GPC. 

Businesses must also provide a “Limit the use of my sensitive personal information” link, which prevents any sale or share of sensitive personal information unless it's strictly necessary for the provision of your product or service, or for specific business purposes listed in the law (such as debugging purposes, providing customer service, and other purposes). 

While most personal data collection is opt-out, businesses must acquire opt-in consent (i.e., not collecting unless the user agrees first) in the following circumstances: 

  • When selling or sharing personal information of minors. 
  • When offering participation in financial incentive programs.
  • When selling or sharing the personal information of consumers who have previously opted out. 
  • When using personal information for a secondary purpose beyond the original stated purpose. 
  • When using personal information for scientific research. 

What Are the CPRA’s Requirements Around Data Subject Rights? 

The CPRA provides consumers, employees, and other commercial partners with the following rights: 

  • Right to Access, Deletion, and Correction  
  • Right To Object to Sale or Share  
  • Right To Opt-out of Behavioral Profiling and Automated Decision-Making  
  • Right To Object to the Use of Sensitive Personal Information  
  • Right to Data Portability 

Subject rights requests must be fulfilled within a 45-day window, with the option for a 45-day extension for complex and/or high-volume requests. Businesses may refuse, or charge a fee for, subject rights requests that are manifestly unfounded or excessive. However, the onus is on the business to prove that a request is manifestly unfounded or excessive.

How Does CPRA Enforcement Work? 

The state attorney general, district attorneys, and the California Privacy Protection Agency may enforce the CPRA. In some limited circumstances, private citizens may sue businesses for CPRA violations.  

Businesses that violate the CPRA may be penalized with: 

  • A $2.5k fine per negligent mistake.
  • A $7.5k fine per willfully negligent violation.