Experiencing a breach? Contact us now!

What is California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) Compliance?

The California Privacy Rights Act (CPRA) replaces 2018’s California Consumer Privacy Act (CCPA) as California’s data protection regulation that safeguards the privacy and personal information of consumers online. The CCPA defines a consumer as a natural person who is a California resident. The CPRA and CCPA are part of broader California and federal law efforts to protect consumer privacy and ensure transparency in business practices.

switch, toggle, switch button

You know all those banners that pop up on the bottom of every … single … website you visit? That’s an outcome of privacy regulations like CCPA and Europe’s General Data Protection Regulation (GDPR) that give consumers the right to know and choose what kind of information the site can track, share, or (gulp) buy and sell.

The CPRA was voted in by California voters in 2020 to fill in gaps that the California Privacy Protection Agency (CPPA) felt were not addressed in the CCPA. The changes affect not only what compliance consists of but which organizations must be compliant.

The deadline for compliance was Jan. 1, 2023, so if you are unsure if the CPRA deadline affects your website and/or app, read on.

For consumers: California consumer privacy

The CCPA gives individuals certain rights regarding their personal information:

  • The right to delete personal information collected from them in response to consumer requests;
  • The right to know what personal information a business has collected about a particular consumer, including postal address, and how it is used and shared;
  • The right to opt out of the sale of their personal information;
  • The right to nondiscrimination for exercising their CCPA rights; and
  • The right to know whether their personal information is sold or disclosed and to whom, emphasizing selling consumers personal information.

Personal information includes identifiers such as driver’s license number, electronic network activity information, and internet protocol address (IP address).

The CRPA will add:

  • The right to correct inaccurate personal information that a business has about them; and
  • The right to limit the use and disclosure of sensitive personal information collected about them.

For organizations: Sensitive personal information

A “business” is defined under CCPA as:

  • For-profit businesses in California;
  • Collects consumers’ personal information  ― or uses a third party to collect personal information for them  ― or determines why and how the information will be processed.

Businesses must implement and maintain reasonable security procedures to protect consumer data.

“Doing business” is defined by the above meeting any of the following thresholds:

  • Have a gross annual revenue of over $25 million;
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

Thresholds that changed on Jan. 1, 2023, under CPRA:

  • Businesses must annually buy, sell, or share the personal information of 100,000 or more consumers or households
  • Derive 50% or more of their annual revenue from selling or sharing consumers’ personal information.

Penalties for non-compliance

Penalties for not being CPRA compliant could be a simple warning or a multimillion  ― to even billion-dollar  ― penalty for failing to meet privacy laws. Courts can offer ‘injunctive or declaratory relief,’ or ‘any other relief the court deems proper’ in cases of non-compliance.

For example, Amazon ($877 million), Instagram ($403 million), and WhatsApp ($255 million) paid millions for GDPR violations and Didi Global was fined $1.19 billion for violation of China’s Personal Information Protection Law (PIPL).

Obviously, those are big tech enterprises, but small and midsize businesses (SMBs) can pay out crippling fines too.

Businesses must provide a written notice of CCPA violations and have 30 days to respond.

How to Protect Yourself

We get it. It’s a lot to take in, translate, comprehend, and implement. Don’t do it alone.

If your organization needs help dissecting CPRA compliance, a team of cybersecurity and privacy pros can help.

A professional cybersecurity team well-versed in the logistics of ever-changing compliance regulations can assess your security infrastructure and provide guidance around your compliance program. A thorough Privacy Assessment will determine if you are not only compliant with all necessary standards, but that personally identifiable information (PII) is protected adequately as well as tracked. This ensures that compliance with both domestic and international privacy regulations have been met.

We can help. Cyber Defense Group consists of a team of certified data privacy experts with years of experience. We understand how precious your assets are, including your personal property. Don’t go it alone.