For a long time, California has been a leader in making sure its citizens’ privacy is protected. In the early days of the modern internet, California’s privacy policy law led the charge in making sure websites didn’t deceive visitors or otherwise use deceptive practices by collecting data without a privacy notice. Today, it is California again—with the California Privacy Rights Act (CPRA) building on the California Consumer Privacy Act (CCPA)—that is leading the way in making sure consumers have control over how businesses collect and share their personal data.
As more states—like Virginia, Colorado, Iowa, and more—join California in implementing comprehensive privacy legislation, it is vital to understand the requirements of California data privacy law. Not only will it allow you to continue to access what amounts to the world’s fifth largest economy, but it will also put you in good standing with the rest of the U.S. state privacy laws and prepare you for compliance with stricter global privacy laws, like the EU’s GDPR or China’s PIPL.
In this blog, we’ll take a look at:
Let’s get started.
It’s best to think of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) as essentially the same thing.
The CCPA passed through the California legislature and was signed by the governor in 2018, with an effective date of January 1, 2020. However, the Californians for Consumer Privacy (the group that pushed hardest for the CCPA) almost immediately felt it wasn’t strong enough. They started a campaign to make it stronger and more protective of consumer rights to control the collection and use of personal information.
The California Consumer Privacy Act (CCPA) of 2018 is already in force, and now it has been updated by the California Privacy Rights Act (CPRA).
Because of the Californians for Consumer Privacy push, the California legislature added a citizen’s initiative ballot question in 2020 on whether or not an amendment to the CCPA should be created—the CPRA. The CPRA built upon the CCPA text, changing some items, adding others, and clarifying some questions around enforcement and who’s actually covered by the law.
At this point, for all intents and purposes, the CPRA is the only law you need to worry about. It’s like the CCPA+, or CCPA 2.0, and it covers everything you need to know to understand California data privacy law.
The vast majority of the CPRA came into force on January 1, 2023, but the CPRA also regulates data collected starting January 1, 2022.
The initial CPRA enforcement date was July 1, 2023, but after a challenge from the California Chamber of Commerce, which argued that the CPPA didn't finalize the CPRA regulations until March 2023, the date was pushed to March 29, 2024. However, on February 9, 2024, the CPPA won its appeal, immediately allowing enforcement of the initial CPRA regulations and retroactively restoring the enforcement date of July 1, 2023.
The CPRA changed the rules for who has to comply only slightly. As of January 1, 2023, the CPRA applies if you are a for-profit organization that “does business” in the state of California, collects the personal data of Californians or has it collected for you, and fits one or more of these criteria:
In theory, you could have to comply with CPRA one year and not the next, depending on your revenue mix and business initiatives. However, the CPRA is in line with many laws around the country and the world, and most of what it requires is considered general best practice, so it doesn’t make a lot of sense to try to figure out whether you can get out of CPRA compliance each year.
The penalties for not complying with the law haven’t changed much from the CCPA to the CPRA. However, the new CPRA empowers the Attorney General, California’s 62 different district attorneys and a brand-new California Privacy Protection Agency (CPPA) to enforce it; the CPPA’s enforcement powers under the CPRA begin on July 1, 2023.
That means there are a lot more “cops on the beat,” so to speak, with the ability to investigate business practices and bring actions to penalize those organizations that are not in compliance.
Each person affected in a violation constitutes an offense, so the fines can add up quickly, especially if you are willfully negligent. And the bad news: If you’re reading this and then decide not to bother with compliance, you’re being willfully negligent. Oops.
Is it likely that enforcers of California privacy law will look kindly on businesses that make small mistakes or have small oversights in their compliance plans, especially in the first few years? Absolutely.
Is it likely that “I had no idea I had to comply with this law,” will work as an excuse when a regulator comes calling? Absolutely not.
How serious is California? In the CCPA, there was a 30-day grace period where you were offered a chance to fix your violations. In the CPRA, there is no such grace period.
First and most importantly, you need to make sure consumers can exercise their new rights to control the collection and use of their personal data, many of which have been augmented in some way. Note that the CPRA broadened the definition of “consumers” to include your employees—previously employees and other commercial partners were exempt from California privacy law protection, but no longer.
Remember: “Personal data” or “personal information” is defined broadly in both the CCPA and the CPRA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Unless you take steps to de-identify data after you collect it, much of the data you collect from customers and employees is personal data according to California privacy law.
The CPRA also now puts the onus on you to make sure consumers (and employees) know their privacy rights. That means you’ll need to explain their rights at the point of collection as part of the notice you provide, which also covers:
• The categories of personal information you have collected.
• The categories of sources from which you collected their personal information.
• The business purpose for which you collected their data.
You also need to abide by a new set of “privacy principles” in all of your data-handling practices, many of which are new with the CPRA:
As if the change from the CCPA to the CPRA wasn’t enough, the law was further modified by the California Privacy Protection Agency (known as the CPPA, which isn’t confusing at all, surely). After consulting with stakeholders, the CPPA created a number of “rules” that gave further guidance and specificity on how organizations should comply with the CPRA.
On March 29, 2023, the CPPA finalized rulemaking for the CPRA.
Most notably, the CPPA codified the need for organizations to conduct risk assessments. Prior to certain “high-risk” collections and uses of personal information, you need to conduct an assessment. After completing the assessment, you must file it with the CPPA to prove you’ve considered the dangers surrounding the data collection and mitigated the risk of harm to the consumer.
Be prepared to create a process in your organization for conducting these risk assessments.
The CPPA also clarified that organizations must honor authorized third-party opt-out signals. Essentially, certain entities can provide consent on behalf of an individual, such as the Global Privacy Control (GPC). If a user adds the GPC to their browser and instructs it to send out an opt-out signal, businesses need to respond as though the user had opted out of data collection on their website.
For a quick, at-a-glance look at other changes from CCPA to CPRA, here’s a handy chart:
What’s Changed Between the CCPA and CPRA?

| | CCPA | CPRA |
|---|---|---|
| Enforcement | California Attorney General’s Office | Newly created California Privacy Protection Agency, plus the AG and District Attorneys |
| Profiling | N/A | Consumers can opt out of automated decision-making. |
| Sensitive data | N/A | New definition of some data as “sensitive.” Businesses must disclose how they collect, use, sell, and share sensitive data. Consumers may opt out of the use, entirely, of their sensitive data. |
| Data minimization | N/A | Businesses must only collect and retain what’s “reasonably necessary” and “proportionate” to the intended purpose. |
| Consumer remedies | Consumers may file a private right of action when a lack of reasonable security leads to a breach. | Expands the private right of action to include remedy for breached data that includes consumers’ email address and password or security question. |
| Risk assessments | N/A | For certain collection and use of personal information, organizations will have to conduct risk assessments before beginning the collection or use process. |
| Deletion | Businesses must fulfill validated consumer requests to delete their data. | Companies fulfilling legitimate deletion requests must also notify third parties to delete such information. |
| Third parties | Not defined. | Third parties defined; excludes service providers and contractors. Businesses must impose CPRA-level contractual obligations on third parties before sharing, selling, or disclosing personal data. |
| Opt-out links on websites | Businesses must have a “Do not sell my personal information” link. | Companies must have a “Do not sell or share my personal information” link and a “Limit the use of my sensitive personal information” link. Businesses must also honor opt-out signals such as the GPC. |
| Fines | Up to $7,500 per violation or $2,500 per unintentional violation. | Automatic $7,500 fine for violations of minors’ data (children under the age of 16). |
CCPA and CPRA compliance is an all-hands-on-deck sort of thing, but will look different at every organization, depending on the type of personal information you’re collecting and your business plan. The following checklist isn’t comprehensive (for a more comprehensive resource, check out our eBook CPRA Compliance How Osano Can Help), but it will help you build a strong foundation for CPRA compliance.
CEOs and CIOs often lead the charge, but it may be worthwhile to appoint a chief privacy officer (CPO) or a privacy director of some kind, often in the legal or compliance team, who can be tasked with overseeing compliance.
Privacy compliance is an ongoing activity, so rather than kick off a one-time compliance project, you’ll really want to establish a privacy program. The program will be responsible for coordinating and launching compliance activities for the CPRA and any other privacy laws your business is subject to.
Because so many departments collect and use consumer data, it’s important to record any data collecting and processing activities to make sure personal information is being handled appropriately.
Under the EU’s GDPR, this kind of auditing is formalized in a document known as a record of processing activities, or RoPA. Even though the CPRA doesn’t explicitly mention conducting a RoPA, doing so will set the stage for future compliance activities. Check out our article, What Is a RoPA?, to learn more.
Understanding where your organization collects personal data is important, but it’s even more important to ensure that your team members who collect personal data know how to handle it compliantly.
For example, marketers consistently rely on consumer data to influence their campaigns. Consumer data is precisely what makes companies able to effectively target their marketing efforts to the right people at the right time to increase sales. Every time a consumer is tracked with a website cookie, fills out a form, or makes a purchase online, they are giving the company their personal information, which is now protected by the CCPA and the CPRA.
These marketers need to be trained in how to comply with the law and systems need to be put into place to make sure they follow policy.
The same goes for your sales department. All of that customer data that's stored in systems such as Salesforce must be protected and only used appropriately. If it's shared with other departments, those departments now have some ownership. You can see how quickly and easily consumer data spreads across the organization.
It’s not just other departments who will handle your consumers’ data; you likely have relationships with other organizations who may be processing consumer personal data.
These third parties might do things like perform sophisticated data analytics, fill in profiles for people with only partial records, and other potentially privacy-invasive activities. These third-party relationships must be managed via contracts and audits, as you’ll be responsible for how they handle the data supplied to you by your customers and employees.
Given the volume of third-party relationships you may manage, this task can quickly become overwhelming. That’s why it’s important to identify a vendor privacy risk management solution to streamline the vendor assessment process.
On its face, allowing website visitors to opt out of data collection seems simple enough. But in reality, it can become technically complex very quickly. Consider cookies (just one of several data trackers on your website). Some cookies may be necessary to your website’s functionality; so, if you provide a “Do not sell or share my personal information” link on your website, it can’t just block all cookies.
Furthermore, you’ll need to record individual users’ consent preferences so you don’t accidentally collect data from them in the future, and so you can prove you gathered consent should the CPPA or attorney general come investigating.
Then, you need to provide a banner that discloses your privacy policy, and you need to do it in a way that complies with the CPRA in the user’s preferred language.
We dive into the specifics of cookie consent in our blog, Cookie Banners: How to Stay Compliant with Privacy Laws.
If you collect data from your consumers (or from your employees) and they aren’t aware of what you’re collecting and why, you’ll be out of compliance with the CPRA.
A key part of CPRA compliance and data privacy compliance as a whole is transparency—that’s why you’ll need to develop and maintain a privacy policy and present that policy at the point of collection. Since the data you collect from consumers and employees may be entirely distinct, it’s a good idea to craft a separate employee privacy policy as well.
You can also digest these steps towards compliance here: CPRA compliance checklist
Does compliance sound difficult? It is. The CPRA, especially, represents a major evolution in the responsibilities many companies have in regard to handling personal data.
Luckily, many companies, like Osano, have created software packages that allow you to:
Well, yes and no. The CCPA and CPRA don’t focus on the mechanisms by which personal data is collected and used; they focus on whether personal data is actually being collected and used.
Thus, if your cookies don’t collect personal information, California data privacy law isn’t particularly worried about them. But, if your cookies do pass along personal information to your organization or others, then all of the CCPA and CPRA rules apply.
Got it? Luckily, there are plenty of cookie consent managers out there to help make sure you know the difference between essential cookies and those that collect data (and those that do both).
The people behind the CCPA, CPRA, and CPPA are first and foremost concerned with protecting the privacy of California consumers. They are very likely to prioritize enforcement against the most egregious violators of the law.
However, that does not mean they don’t care about the little guys. While how the CPPA will act is somewhat unpredictable, you should expect audits of classes of websites, roundups of certain types of violations that include large groups of companies, and other enforcement action that seeks to prod large sections of the California marketplace into compliance.
Most especially, you don’t want to be caught looking like you don’t care. Good faith efforts will result in kind attention from the regulators; pleas of ignorance will result in much harsher treatment, indeed.
You must comply with the CPRA if you are a for-profit organization that does business in California, collects the personal data of Californians or has it collected on its behalf, and fits one or more of these criteria:
The CPRA came into force on January 1, 2023, but it also protects data collected starting January 1, 2022. The CPRA’s enforcement date is July 1, 2023.
The CPRA defines personal information as "Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
Sensitive personal information has extra requirements for its collection and processing. Sensitive personal information includes:
The CPRA requires businesses to accept opt-out requests, meaning that they can collect users’ personal information by default so long as they provide notice about the collection and means of opting out of it.
Businesses must provide a "Do not sell or share my personal information” link, which stops the share or sale of personal data to third parties, in particular for the purpose of targeted advertising. Businesses must also honor opt-out requests from authorized third-party signals, like the GPC.
Businesses must also provide a “Limit the use of my sensitive personal information” link, which prevents any sale or share of sensitive personal information unless it's strictly necessary for the provision of your product or service, or for specific business purposes listed in the law (such as debugging purposes, providing customer service, and other purposes).
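The GPC handling described here and in the earlier section on authorized third-party opt-out signals, as an added example that is not part of the original post or Osano's software: a small request handler that treats the `Sec-GPC: 1` request header as a CPRA opt-out of sale/sharing, merges it with a stored "Do not sell or share" choice, logs the decision for later audit, and lets only necessary cookies through when the consumer has opted out. The tracker inventory, consumer ids and timestamps are constructed for the example.

```javascript
// Added example: honoring a Global Privacy Control (GPC) signal as a CPRA opt-out.
// Per the GPC specification, a browser with GPC enabled sends "Sec-GPC: 1".
// Anything else (header absent, "0", other values) means no signal was received.
function hasGpcSignal(headers) {
  const value = headers["sec-gpc"] || headers["Sec-GPC"];
  return typeof value === "string" && value.trim() === "1";
}

// Constructed tracker inventory: "necessary" cookies keep the site working,
// "sell_share" trackers pass personal information to advertising partners.
const TRACKERS = [
  { name: "session_id", category: "necessary" },
  { name: "csrf_token", category: "necessary" },
  { name: "ad_partner_pixel", category: "sell_share" },
  { name: "analytics_profile", category: "sell_share" },
];

// A GPC signal or a stored "Do not sell or share" choice both count as an opt-out.
// With neither, the CPRA default applies: collection is allowed until the consumer objects.
function resolveSellShareOptOut(headers, storedPreference) {
  if (hasGpcSignal(headers)) return { optedOut: true, source: "gpc" };
  if (storedPreference && storedPreference.doNotSellOrShare === true) {
    return { optedOut: true, source: "stored_preference" };
  }
  return { optedOut: false, source: "default" };
}

// Record how the decision was reached so it can be produced later if the CPPA
// or attorney general asks how opt-outs were handled.
function recordOptOutEvent(log, consumerId, decision, at) {
  const entry = { consumerId, optedOut: decision.optedOut, source: decision.source, at };
  log.push(entry);
  return entry;
}

// Necessary cookies always load; sell/share trackers load only without an opt-out.
function allowedTrackers(decision) {
  return TRACKERS
    .filter((t) => t.category === "necessary" || !decision.optedOut)
    .map((t) => t.name);
}

function handleRequest(headers, storedPreference, consumerId, log, at) {
  const decision = resolveSellShareOptOut(headers, storedPreference);
  recordOptOutEvent(log, consumerId, decision, at);
  return { decision, trackers: allowedTrackers(decision) };
}

// Constructed sample: a GPC-enabled browser with no previously stored choice.
const auditLog = [];
const sample = handleRequest({ "sec-gpc": "1" }, null, "consumer-123", auditLog, "2024-01-01T00:00:00Z");
console.log(JSON.stringify(sample), JSON.stringify(auditLog));
```

Note that a GPC signal only covers the sale/share opt-out; the "Limit the use of my sensitive personal information" choice still has to be captured through its own link and stored preference.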
While most personal data collection is opt-out, businesses must acquire opt-in consent (i.e., not collecting unless the user agrees first) in the following circumstances:
The CPRA provides consumers, employees, and other commercial partners with the following rights:
Subject rights requests must be fulfilled within a 45-day window, with the option for a 45-day extension for complex and/or high-volume requests. Businesses may refuse or charge a fee for subject rights requests if they are manifestly unfounded or excessive. However, the onus is on the business to prove that a request is manifestly unfounded or excessive.
The state attorney general, district attorneys, and the California Privacy Protection Agency may enforce the CPRA. In some limited circumstances, private citizens may sue businesses for CPRA violations.
Businesses that violate the CPRA may be penalized with: