What is CPRA?
The California Privacy Rights Act (CPRA) replaces 2018’s California Consumer Privacy Act (CCPA) as California’s data protection regulation that safeguards the privacy and personal information of consumers online.
You know all those banners that pop up on the bottom of every … single … website you visit? That’s an outcome of privacy regulations like CCPA and Europe’s General Data Protection Regulation (GDPR) that give consumers the right to know and choose what kind of information the site can track, share, or (gulp) buy and sell.
The CPRA was voted in by Californians in 2020 to fill in gaps that the California Privacy Protection Agency (CPPA) felt were not addressed in the CCPA. The changes affect not only what compliance consists of but which organizations must be compliant.
The deadline for compliance is Jan. 1, 2023, so if you are unsure if the CPRA deadline affects your website and/or app, read on.
What is the difference between CCPA and CPRA?
The CCPA gives individuals certain rights regarding their personal information:
- The right to delete personal information collected from them;
- The right to know what personal information a business has collected about them and how it is used and shared;
- The right to opt out of the sale of their personal information; and
- The right to nondiscrimination for exercising their CCPA rights.
The CPRA will add:
- The right to correct inaccurate personal information that a business has about them; and
- The right to limit the use and disclosure of sensitive personal information collected about them.
A “business” is defined under CCPA as an entity that:
- Is a for-profit business operating in California; and
- Collects consumers’ personal information, or uses a third party to collect personal information on its behalf, or determines why and how that information will be processed.
“Doing business” means that an entity meeting the definition above also meets any of the following thresholds:
- Has a gross annual revenue of over $25 million;
- Buys, receives, or sells the personal information of 50,000 or more California residents, households, or devices; or
- Derives 50% or more of its annual revenue from selling California residents’ personal information.
Threshold changes on Jan. 1, 2023, under CPRA, so that a business qualifies if it:
- Annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or
- Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.
What are the penalties for not being compliant?
Penalties for not being CPRA compliant range from a simple warning to multimillion-dollar, and even billion-dollar, fines for failing to meet privacy laws.
For example, Amazon ($877 million), Instagram ($403 million), and WhatsApp ($255 million) each paid hundreds of millions for GDPR violations, and Didi Global was fined $1.19 billion for violating China’s Personal Information Protection Law (PIPL).
Obviously, those are big tech enterprises, but small and midsize businesses (SMBs) can pay out crippling fines too.
Are you confident you are CPRA compliant?
We get it. It’s a lot to take in, translate, comprehend, and implement. Don’t go it alone.
If your organization needs help dissecting CPRA compliance, a team of cybersecurity and privacy pros can help.
A professional cybersecurity team well-versed in the logistics of ever-changing compliance regulations can assess your security infrastructure and provide guidance around your compliance program. A thorough Privacy Assessment will determine not only whether you are compliant with all necessary standards, but also whether personally identifiable information (PII) is adequately protected and tracked. This confirms that compliance with both domestic and international privacy regulations has been met.
We can help. Cyber Defense Group consists of a team of certified data privacy experts with years of experience. We understand how precious your assets are. Don’t go it alone.