Table of Contents
- 1 Key Takeaways:
- 2 What Is the California Consumer Privacy Act (CCPA)?
- 3 What Is the California Privacy Rights Act (CPRA)?
- 4 What Is the Difference Between CCPA and CPRA?
- 5 What Is Personal Information According to CPRA?
- 6 What Is Sensitive Personal Information (SPI) in CPRA?
- 7 CPRA Compliance Criteria
- 8 Who Must Comply With the CPRA?
- 9 Who Is Exempted From the CPRA?
- 10 Steps to CPRA Compliance
- 11 Conclusion
- 12 Identity.com
Key Takeaways:
- The California Privacy Rights Act (CPRA) is a law that gives Californians more control over their personal information. It builds on the earlier California Consumer Privacy Act (CCPA).
- The CPRA expands on the rights introduced by the CCPA. This includes the right to request that businesses correct inaccurate information and limit the use of “sensitive personal information” (like Social Security numbers).
- The CPRA established a new government agency, the California Privacy Protection Agency (CPPA), to oversee the law.
- Businesses are required to provide clearer and more detailed information about the data they collect, how it’s used, and with whom it’s shared.
In recent decades, online users have faced growing concerns about data mismanagement. The trade of personal information has fueled the rise of tech giants, highlighting a crucial reality of the Web 2.0 era: user data is a valuable commodity. However, a significant shift is underway, driven by growing demands for online privacy. The rise of Decentralized Identifiers (DIDs) and Self-Sovereign Identity (SSI) technologies signifies a turning point in data ownership. These advancements empower users to control who can access their information and to what extent.
The development of Web3 and Web5 promises increased privacy and enhanced control over user data. In response to growing concerns about data misuse, California legislators implemented the California Privacy Rights Act of 2020 (CPRA). Building upon the foundation of the California Consumer Privacy Act (CCPA) of 2018, the CPRA strengthens privacy rights and protections in a tangible way. It addresses the urgent concerns of data exploitation and privacy breaches, offering significant benefits for both individuals and businesses.
What Is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA), passed in 2018 and effective since January 2020, is a landmark law in the United States aimed at enhancing consumer privacy rights. It echoes the European Union’s General Data Protection Regulation (GDPR) introduced in May 2018. This law grants consumers more control over their personal information by providing details on the data businesses collect and the parties with whom it is shared. Additionally, the CCPA allows individuals to sue companies for privacy violations, focusing on breaches of privacy regulations.
What Is the California Privacy Rights Act (CPRA)?
What Is the Difference Between CCPA and CPRA?
The California Privacy Rights Act (CPRA) and the California Consumer Privacy Act (CCPA) are both crucial for consumer privacy, but they offer different levels of protection and requirements for businesses.
Key Differences:
- Consumer Rights: The CPRA expands consumer rights by allowing them to opt out of targeted advertising across different platforms, a practice not covered by the CCPA. Additionally, the CPRA extends its reach to include employment data.
- Privacy Impact Assessments: The CPRA mandates privacy impact assessments for high-risk data processing activities, requiring businesses to proactively assess potential privacy risks. This is not required under the CCPA.
- Business Applicability Threshold: The CCPA applies to companies that collect and process the personal information of 50,000 or more consumers. The CPRA raises this threshold to 100,000 consumers, making compliance easier for small and medium-sized businesses.
- Consent for Data Sharing: Both acts require consent to sell or share consumer information with third parties. However, the CPRA demands clear disclosure of how the data will be used, providing consumers with more transparency.
- Enforcement: The CCPA relies on the Attorney General’s office for enforcement. The CPRA establishes a dedicated enforcement body, the California Privacy Protection Agency (CPPA).
- Consumer Information Requests: The CPRA requires businesses to provide at least two accessible channels (such as web forms or phone lines) through which consumers can inquire about their personal information. This ensures greater transparency and accessibility for Californians.
What Is Personal Information According to CPRA?
The California Privacy Rights Act (CPRA) defines personal information broadly to provide strong protection for individuals. It covers data that identifies, relates to, describes, or could be linked to a person, directly or indirectly. Here are some key categories of personal information under CPRA:
- Identifiers: This includes a person’s name, address, email address, IP address, driver’s license number, Social Security number, and passport number.
- Biometric Information: Data derived from unique biological characteristics, such as iris scans, fingerprints, and voice recognition patterns, falls into this category.
- Internet Activity: This covers information related to an individual’s online behavior, including browsing history and search history.
- Commercial Information: It includes details about personal property, purchase histories, e-commerce transaction data, and other consumer-related information.
- Employment and Educational Data: Information pertaining to a consumer’s employment history, educational background, and other related data is also considered personal information.
What Is Sensitive Personal Information (SPI) in CPRA?
Sensitive Personal Information (SPI), as defined by the California Privacy Rights Act (CPRA), represents a subset of personal information that holds a higher degree of intimacy and confidentiality. Unlike general personal information, which people might share more freely, SPI refers to data whose unauthorized disclosure could significantly impact an individual’s privacy, security, and well-being. The CPRA states that any information publicly available does not constitute sensitive information. The act categorizes the following as sensitive information, warranting enhanced protection and handling:
- Financial Details: This includes banking information, credit or debit card numbers, along with any passwords or codes that could permit unauthorized access to a consumer’s financial resources or identity.
- Private Communications: Details encapsulating the content of personal emails, text messages, and phone conversations.
- Unique Identifiers: Personal identification numbers such as passport, Social Security, and driver’s license numbers.
- Personal Characteristics: Information regarding racial origins, religious beliefs, political opinions, or membership in non-public organizations.
- Location Data: Precise geolocation information pinpointing a consumer’s exact whereabouts.
- Online Credentials: Information related to consumers’ account login details.
- Genetic Information: Data including DNA samples that can reveal genetic characteristics.
- Health and Sexual Orientation: Information concerning an individual’s health status, medical history, or sexual orientation.
- Biometric Data: Processed data used for uniquely identifying an individual, such as fingerprints or retina scans.
CPRA Compliance Criteria
- Significant Revenue Threshold: Companies with an annual gross revenue exceeding $25 million fall under CPRA. This targets businesses with substantial economic activity that potentially impacts a large number of consumers.
- High-Volume Data Handling: The CPRA applies to businesses that handle the personal information of more than 100,000 consumers, households, or devices (increased from CCPA’s 50,000 threshold). This captures entities engaged in large-scale data processing while reducing the burden on smaller businesses.
- Revenue from Personal Information: Businesses that derive at least 50% of their annual revenue from selling or sharing consumer personal information must adhere to CPRA. This targets companies that significantly profit from consumer data monetization.
Who Must Comply With the CPRA?
The California Privacy Rights Act (CPRA) exempts many small and medium businesses by raising the consumer data threshold to 100,000. However, it applies to for-profit businesses that collect personal information from California residents if they meet at least one of these criteria:
- Have an annual gross revenue exceeding $25 million.
- Derive 50% or more of their revenue from selling or sharing consumer data.
- Handle the personal information of over 100,000 consumers, households, or devices.
If your business falls into any of these categories, you must comply with the CPRA to protect consumer privacy and avoid potential fines.
Who Is Exempted From the CPRA?
The California Privacy Rights Act (CPRA) establishes criteria for businesses that must comply with its data privacy protections. However, certain entities and data types fall outside the scope of CPRA regulations. These exemptions ensure the law targets businesses with significant data processing activities that impact California residents.
Here’s what’s not covered by CPRA:
- Businesses Outside Data Collection Scope: Companies that don’t collect personal information from Californians are exempt. This applies to businesses whose operations don’t involve handling personal data of California residents.
- Non-Profits and NGOs: Non-governmental organizations (NGOs) and non-profit organizations are exempt, as the CPRA focuses on for-profit businesses.
- De-identified Information: Irreversibly anonymized (de-identified) information is exempt. This means the information cannot be linked to a specific person and doesn’t pose a privacy risk.
- Aggregate Information: Data compiled into anonymous statistics or analytics that don’t identify individual users (e.g., website traffic numbers) is not covered. This allows businesses to use anonymized data for analysis without needing to comply with CPRA.
- Law Enforcement Compliance Exemption: Collecting or providing data in good faith to comply with law enforcement requirements is exempt. In some cases, a court order may still be needed before law enforcement can access user information.
- Data Covered by Other Laws: Information already regulated by other laws, particularly in healthcare and insurance (like HIPAA), is exempt from CPRA. These industries have pre-existing legal obligations that address data privacy.
Steps to CPRA Compliance
The California Privacy Rights Act (CPRA) mandates specific data privacy practices for businesses. Here’s a roadmap to achieve compliance:
1. Conduct a Personal Data Inventory
Identify the types of data you collect, how you organize, store, and access it, especially sensitive personal information (SPI) as defined by CPRA. Determine if third parties store or access this data. This assessment will guide changes to cookie banners, agreements, and privacy policies.
2. Classify Data Sensitivity
Categorize your data based on its sensitivity to ensure appropriate security measures. This informs your security team about data requiring extra protection and data with limited retention periods.
3. Update Privacy Policy and Cookie Banners
Revise your cookie banner to clearly explain if and how you collect and process SPI as defined by CPRA. Include details on collection purposes and retention periods. Inform users about their rights regarding the sale or sharing of their personal information, including how they can opt out.
4. Review Agreements with Partners
Ensure all agreements with partners, service providers, and third parties comply with CPRA requirements.
5. Educate Employees on Data Handling
Train your employees on CPRA requirements and proper data handling practices to minimize compliance risks.
6. Implement Opt-Out Links
Include clearly labeled links on your website that let users opt out of the sale or sharing of their personal information (“Do Not Sell or Share My Personal Information”) and limit the use of their sensitive data (“Limit the Use of My Sensitive Personal Information”).
7. Establish Channels for Consumer Requests
Provide at least two accessible channels (phone, email, web forms) for consumers to request information about their data. Acknowledge requests within 10 days and fulfill them within 45 days, as required by CPRA.
Conclusion
CPRA is good news for consumers, but it is not exciting news for CEOs and investors who rely on trading customers’ digital footprints to make money. Data trading revenue cushions companies’ running costs, but the CPRA has heavily affected this profit, likely forcing companies to raise prices for goods and services to compensate.
Additionally, compliance costs are high, even before considering the larger marketing budgets companies will need if privacy laws like this are passed across states. In the past few years, marketing and advertising have been more expensive in California than in some other U.S. states. Will this result in customers trading in their data to get lower prices? The future will tell, but for now, privacy laws give data control back to the users.
Identity.com
The CPRA legislation attempts to solve the data management problem that new technologies in the blockchain ecosystem are solving through projects like self-sovereign identity. It is great news that the government is seeing the importance of individual data control, just as it is one of our pursuits at Identity.com. As a company, we want a user-centric internet, where users have control over their data. That is all the more reason Identity.com does not take a back seat in contributing to this future through identity management systems and protocols. We also belong to the World Wide Web Consortium (W3C), the standards body for the World Wide Web.
The work of Identity.com as a future-oriented company is helping many businesses by giving their customers a hassle-free identity verification process. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please get in touch for more info about how we can help you with identity verification and general KYC processes.