What is CPRA? California Privacy Rights Act: Basics and Overview


The CPRA will impact privacy and consumer rights for years to come. In November 2020, California voters approved the California Privacy Rights Act of 2020, otherwise known as the CPRA. This is an amendment to the California Consumer Privacy Act (CCPA) that voters approved in 2018. 

The CPRA has modified, expanded, and clarified privacy rights for California residents, and it takes inspiration from the EU’s GDPR policy in a variety of ways. 

For instance, the CPRA creates a new enforcement agency. Previously the CCPA was enforced by the California Office of the Attorney General. In the EU, however, GDPR is enforced by dedicated data protection authorities, and now California has one too: the California Privacy Protection Agency (CPPA). 

This agency will be granted investigative, enforcement, and rulemaking powers. More importantly for businesses, the agency will not be required to allow a 30-day cure period before taking action, and penalties for some violations can now be up to $7,500 per violation. That is a 3x increase. 

What is CPRA? CPRA explained

CPRA’s purpose is to redefine and expand the California Consumer Privacy Act (CCPA) in order to strengthen the rights of residents of California. It provides consumers greater opportunity to opt out and requires deliberate data privacy management from businesses.

With so much on the line, you may be left wondering what has changed and what it means for your business. You aren’t alone. While the potential fines have increased 3x, your business has until January 1, 2023, as ramp-up time for compliance. Here’s what companies need to know about CPRA.

California Privacy Rights Act explained: What your business needs to know 

The CCPA was already the United States’ most robust consumer-focused privacy law. The CPRA takes everything a step further, and makes any future loosening of the rules unlikely unless the entire policy is revoked. 

In other words, you want to get your business in CPRA shape. There is no turning the clock back on this privacy policy. Instead, it’s likely more states will begin to adopt similar policies. 

Let’s cover the basics. 

When do you need to comply with CPRA?

Most of the California Privacy Rights Act of 2020 provisions will not take effect until January 2, 2023. However, personal information collected on or after January 1, 2022, will be part of the expansion of the “Right to Know” section. 

Your business will be required to give consumers the “Right to Know” what data you have collected on them and how it is being used, and that right reaches back to any information you collected on or after January 1, 2022. 

Who needs to comply with CPRA?

Not everyone, and in fact, this is one of the areas in which the CPRA is actually more lenient than the original CCPA. 

Under the CCPA, businesses handling the personal information of 50,000 or more consumers needed to comply. Under the CPRA, that threshold is doubled: the CPRA applies only to businesses with more than 100,000 consumers. 

If you are a company with more than 100,000 customers, the CPRA will also apply to you if you generate at least 50% of annual revenue from selling or sharing consumer personal information (PI). This is another change from the CCPA, which covered only the selling of consumer personal information. The CPRA expands that to “sharing,” meaning disclosure to third parties. 

What new regulations does the CPRA introduce?

Much of the CPRA is a modification of the CCPA, but one genuinely new area is “sensitive personal information,” which will now be a regulated category of data in the state of California.

Sensitive personal information for CPRA includes:

  1. Government identifiers: Examples include Social Security numbers and driver’s license numbers
  2. Financial account and login information: Examples include a credit or debit card number together with login credentials
  3. Precise geolocation
  4. Race, ethnicity, religious or philosophical beliefs, or union membership
  5. Content of nonpublic communications: Examples include mail, email, and text messages
  6. Genetic data, biometric or health information
  7. Sex life or sexual orientation information

Organizations collecting, selling, or sharing this information will be required to disclose that they are doing so, and to allow consumers to opt in and opt out. 

The brand new rights set out by the CPRA

  • Right to Correction
  • Right to Access Information About Automated Decision Making
  • Right to Opt-Out of Automated Decision Making Technology
  • Audit Obligations

What does CPRA mean for your data privacy program? 

If you’re a business with more than 100,000 customers or with data on more than 100,000 consumers, and you use that data for marketing or advertising, or to generate revenue for your business, then CPRA means several things for your data privacy program. 

Consent and on-going opt-out policies

Consent regulations have been strengthened in the CPRA, specifically for minors. This means that to collect a user’s data, they need to give explicit consent, knowing how their data will be used and for how long. 

Moreover, consumers can request, and businesses are required to confirm, their opting-out of specific programs, including the deletion of their data, even if previous consent was given. 

For organizations, it will be crucial to use tools like a customer data platform (CDP) to automate tracking of what consumers are opted into, what they are opted out of, and the deletion of data when requested. This will also make the audit obligations introduced in this bill far easier for organizations to manage, because a CDP helps comply with data privacy and governance requirements.

Right to access information

Under the CPRA, consumers now have the right to see what information you have collected on them, and how that information is affecting their personalized experience with your brand. In fact, consumers can request a meaningful description of the logic involved in the decision-making process for automated campaigns, ads, and the like. It is essential to have a data privacy plan.

To make this easy on teams, again a CDP is helpful, especially one that is integrated with a CRM solution. Together, these tools can be used to create personalized logins and pages where consumers can see all of their data, which streams they are in as a result, and manage their own data preferences.


Purpose and storage limitations

As mentioned earlier, the CPRA takes some inspiration from the GDPR policy in the EU. The borrowed principles include:

  1. Data minimization
  2. Purpose limitation
  3. Storage limitation

These requirements mean that businesses need to collect the least amount of information they need, state the purpose for which they collect the data (i.e. how it will be used), and state how long they will keep it. 

Whatever policy your company decides on, you’ll want to make sure your systems automatically enforce what your privacy policy says. For instance, if you state that you’ll keep data in the system for two years, you’ll want to automate the removal of that information as soon as those 24 months are up.

Again, this will be incredibly helpful for audits and ensure no manual errors or forgetfulness on the part of employees. 
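As an added illustration (not code from the article or from any CDP product), the following Python sketch shows what “automating what your privacy policy says” can look like in practice: the stated retention period for each collection purpose is encoded in a table (the article’s two-year figure is one entry), records past their deadline are purged, records whose stated purpose has no retention rule are flagged rather than silently kept, and every decision is written to an audit trail. All names, purposes, dates and sample records are constructed for the example.

```python
"""Retention-policy enforcer: an added example, not from the article.

Encodes storage limitation (delete when the stated period is up),
purpose limitation (data may only be used for the purpose it was
collected for) and an audit trail of every decision.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Record:
    consumer_id: str
    purpose: str            # purpose disclosed to the consumer at collection
    collected_at: datetime  # timezone-aware collection timestamp
    sensitive: bool = False


@dataclass
class AuditEntry:
    consumer_id: str
    action: str             # "purged", "retained" or "flagged"
    reason: str


# Hypothetical policy table: maximum retention in days per stated purpose.
# "order_fulfillment" uses the two-year (730-day) figure from the article.
RETENTION_DAYS: Dict[str, int] = {
    "order_fulfillment": 730,
    "marketing": 365,
}


def retention_deadline(record: Record, policy: Dict[str, int]) -> Optional[datetime]:
    """Return the date after which the record must be deleted, or None if
    the policy has no rule for the record's stated purpose."""
    days = policy.get(record.purpose)
    if days is None:
        return None
    return record.collected_at + timedelta(days=days)


def enforce_retention(
    records: List[Record], policy: Dict[str, int], now: datetime
) -> Tuple[List[Record], List[str], List[str], List[AuditEntry]]:
    """Split records into (kept, purged ids, flagged ids, audit trail).

    Records with no retention rule are flagged and excluded from the kept
    set (fail closed): data with no stated purpose has no justified
    retention period, so it must not quietly live on.
    """
    kept: List[Record] = []
    purged: List[str] = []
    flagged: List[str] = []
    audit: List[AuditEntry] = []
    for rec in records:
        deadline = retention_deadline(rec, policy)
        if deadline is None:
            flagged.append(rec.consumer_id)
            audit.append(AuditEntry(rec.consumer_id, "flagged",
                                    f"no retention rule for purpose {rec.purpose!r}"))
        elif now >= deadline:
            purged.append(rec.consumer_id)
            audit.append(AuditEntry(rec.consumer_id, "purged",
                                    f"{policy[rec.purpose]}-day retention for "
                                    f"{rec.purpose!r} expired on {deadline.date()}"))
        else:
            kept.append(rec)
            audit.append(AuditEntry(rec.consumer_id, "retained",
                                    f"deletion due on {deadline.date()}"))
    return kept, purged, flagged, audit


def purpose_allows(record: Record, requested_use: str) -> bool:
    """Purpose limitation check: a record may only be used for the purpose
    that was disclosed when it was collected."""
    return record.purpose == requested_use


# Constructed sample data, evaluated at a fixed "now" so results are stable.
NOW = datetime(2023, 1, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("c1", "order_fulfillment", datetime(2020, 12, 1, tzinfo=timezone.utc)),
    Record("c2", "marketing", datetime(2022, 6, 1, tzinfo=timezone.utc)),
    Record("c3", "marketing", datetime(2021, 12, 15, tzinfo=timezone.utc), sensitive=True),
    Record("c4", "analytics", datetime(2022, 11, 1, tzinfo=timezone.utc)),  # no rule
]

if __name__ == "__main__":
    kept, purged, flagged, audit = enforce_retention(SAMPLE_RECORDS, RETENTION_DAYS, NOW)
    for entry in audit:
        print(f"{entry.consumer_id}: {entry.action} ({entry.reason})")
    print("kept:", [r.consumer_id for r in kept], "purged:", purged, "flagged:", flagged)
```

The policy table is the single place the published retention promise lives, so a change to the privacy policy is a one-line change here, and the audit list is what you hand to an auditor to show the promise was actually kept.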

Proactive next steps to comply with the California Privacy Rights Act (CPRA) 

For organizations making more than $25 million in annual revenue, collecting data from more than 100,000 consumers, and making at least 50% of profits from the selling or sharing of that data, it’s now time to get a CDP. 

Centralizing customer data from all sources using a CDP will help your team to automate several of the new policies, make audits easy, and keep customers happy – without having to increase team workload for marketing, sales, advertising, or any other department. 

Remember, the CPRA is by far the most robust consumer privacy law in the U.S., but it won’t be the last – nor will this amendment. As the privacy-first web continues to move forward and gain traction, organizations will need to become smarter and more transparent about what they collect, on whom, and how they use it. Investing now saves you in fines and headaches in the future.


Want to learn more about data privacy and how a CDP can help organizations stay on course with compliance and regulations? Reach out!

Tracey Wallace
