Clarip 2023 Privacy Readiness: CCPA to CPRA
The California Privacy Rights Act (CPRA) is an amended and amplified version of the California Consumer Privacy Act (CCPA) – many have referred to it colloquially as “CCPA 2.0”. How might the CPRA changes affect your organization? Clarip covers these changes:
- Threshold changes for covered businesses
- New CCPA Definitions
- New CCPA Rights
- Amended Rights
Threshold changes for covered businesses:
As of January 1, 2023, the “original” version of the CCPA goes away, and businesses will only be covered by the surviving CPRA to the extent they:
- (1) had $25M in annual gross revenues as of January 1 in the preceding calendar year, or
- (2) buy, sell, or share the personal information of 100,000 California consumers or households, or
- (3) derive 50% or more of their revenue from selling or sharing consumers’ personal information.
In light of this revised text, most companies that triggered the coverage threshold based on annual revenues likely will continue to be covered, but many businesses that were covered by the CCPA merely because they collected the personal information of 50,000 devices (a threshold not difficult to trip for many online businesses), for example, will now fall outside the scope of the CPRA.
New CCPA Definitions:
“Sensitive personal information” is defined as personal information that reveals:
- A consumer’s social security, driver’s license, state identification card, or passport number.
- A consumer’s account log-in, financial account, debit card or credit card number combined with any required security or access code, password or credentials allowing access to an account.
- A consumer’s precise geolocation.
- A consumer’s racial or ethnic origin, religious or philosophical beliefs or union membership.
- The contents of a consumer’s physical mail, email and text messages, unless the business is the intended recipient of the communication.
- A consumer’s genetic data.
Additionally, “sensitive personal information” means:
- The processing of biometric information processed for the purpose of uniquely identifying a consumer.
- Personal information collected and analyzed concerning a consumer’s health.
- Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
New Rights:
- Right to Correct Information: A consumer has the right to request that a business correct any inaccurate personal information.
- Right to Limit Use and Disclosure of Sensitive PI: A consumer has the right to limit the use and disclosure of their SPI to that “use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods and services.”
- Right to Access Information About Automated Decision Making: A consumer has the right to request “meaningful information about the logic involved in those decision–making processes, as well as a description of the likely outcome of the process with respect to the consumer.”
- Right to Opt–Out of Automated Decision-Making Technology: A consumer has the right to opt–out of being subject to automated decision–making processes, including profiling.
Amended Rights:
- Right to Opt–Out of Third-Party Sales and Sharing: The CCPA allows consumers to opt–out of businesses selling their data. The CPRA expands this right to include the sharing of personal information, in addition to selling. The CPRA defines sharing as “disclosing, disseminating, making available, transferring, … a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration …”
- Right to Know: The CCPA requires that businesses respond to consumer requests to know personal information that was collected within the prior 12 months. The CPRA extends this timeline, enabling consumers to potentially request personal information collected beyond the prior 12-month window under certain circumstances.
- Right to Delete: Through the CCPA, California consumers can request that a business delete their personal information if it is no longer needed to fulfill one of the purposes listed in Cal. Civ. Code Sec. 1798.105 (e.g., security needs, debugging). The CPRA will also require businesses to send the request to delete to third parties that have bought or received the consumer’s personal information so that all parties are aware that it must be deleted, subject to some exceptions.
- Right to Data Portability: The CCPA includes a “right to know”, which means that consumers have the right to receive a copy of their personal information by mail or electronically. Now, under the CPRA, a consumer can request that a business transfer specific personal information to another entity “to the extent technically feasible, in a structured, commonly used, machine-readable format.”
- Opt-In Rights for Minors: The use of minors’ data is a general concern within the law, and the CCPA requires that businesses obtain opt-in consent to sell the personal information of a California consumer under 16 years of age. The CPRA goes one step further, mandating that businesses wait 12 months before asking a minor consumer for consent to the selling or sharing of their personal information after the minor has declined. It also states that the opt-in right must explicitly include the sharing of data for cross-context behavioral advertising.
For more 2023 Privacy Readiness on all emerging US laws, request a copy today! Learn how Clarip’s privacy governance platform has prepared with true automation. Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.