What are the requirements of the CPRA?
The CPRA expands on the previous CCPA law with multiple new regulations, outlined as follows:
Sensitive Personal Information (SPI) is a new category that covers highly sensitive data types such as:
- Biometric data processed to identify an individual
- Data about sexual orientation or sex life
- Financial account details in a combination (for example card number and password) that may provide access to an account
- Genetic data
- Government-issued identifiers and numbers (such as a social security number or a number on a passport, or driver's license)
- Health data
- Philosophical or religious beliefs
- Precise geolocation
- Racial or ethnic origin
- Union membership
Note: under the CPRA, Sensitive Personal Information doesn’t include publicly available information (with some caveats).
The CPRA broadens the CCPA's concept of "Data Sales" to "Data Sharing". This is wider than the original definition, although it is worth noting that the full qualification is data sharing for the purpose of cross-context behavioral advertising.
Given the new categories of Sensitive Personal Information (SPI) as well as the updated definition of "Data Sharing," you must modify any previous "Do Not Sell" button.
Now, you should have a link on the footer of your site that reads “Do Not Sell or Share My Personal Information”.
In addition, if you are processing data defined as SPI, you must provide a link that reads “Limit The Use Of My Sensitive Personal Information,” such that a consumer may control how their SPI is used or with whom it is disclosed.
The general guidance from the CPPA for how best to adopt this is to provide a “single, clearly labeled link” that allows a consumer to opt-out of sale or sharing of data and also options to limit the use of SPI.
In addition to these category changes, a specific data retention notification requires your business to specify how long you will keep data or how you will decide when to dispose of it.
The complete list of enhanced consumer rights, which now also extend to employees, is:

| Right | Description |
|---|---|
| Right to Opt-Out | Consumers have the option to opt out of having their personal information sold or shared with third parties for cross-context behavioral advertising. |
| Right to limit the use of sensitive personal information | Consumers have the right to limit the use of special categories of personal data, most specifically when it comes to sharing with third parties. |
| Right to opt out of automated decision-making processes | Consumers have the right to opt out of automated decisions, such as profiling for targeted behavioral advertising. |
| Right to know about automated decision-making | Consumers can ask for, or should be provided with, information on how automated decision technologies work when they are used. |
| Right to Access | As before, subjects or consumers have the right to access their data; in addition, they should be informed which third parties that data was shared with. |
| Right to Delete | Consumers' deletion requests must now be enforced by the company and its third-party suppliers, service providers, or contractors. In effect this means deletion must flow through all systems and vendors. |
| Right to Correction | Consumers have the right to request that their information be updated if they find it to be incorrect or inaccurate. |
| Right to Data Portability | Consumers have the right to request that organizations provide a copy of their data in a format that can be transmitted to another company. |
| Rights of Minors | A business must notify minors if it sells or shares their personal information. If a consumer under the age of 16 refuses to give consent, the business may not ask the consumer again for a minimum of 12 months. |
Businesses will be required to conduct and submit risk assessments to the CPPA on a regular basis. This requirement differs from the GDPR where Data Protection Impact Assessments (DPIAs) are required to be conducted only prior to processing, or if there is any material change in the processing operations.
In addition to regular risk assessments, businesses must commit to eliminating risks identified in their evaluations. So if you identify a risk to the personal privacy of a user during your risk evaluations, you must mitigate or stop that data processing activity to remove the risk.
The CPRA introduces the concepts of data minimization and storage limitation. If you're familiar with the GDPR, you will already know these. The CPRA requires that businesses only collect personal information that is reasonably necessary, and that a business should not store data for longer than is necessary.
Put simply -- you should only collect the data you need to perform the business function you are offering, and once completed, you should dispose of that data unless it is truly necessary to retain for a period of time.