Over the past few decades, online users have been increasingly exposed to data mismanagement. The trade of users’ data has built empires and created numerous billionaires and millionaires, highlighting a critical reality in the Web 2.0 era: personal information is frequently traded. Despite opposition from tech giants such as Google and Facebook, a significant shift is taking place within the online ecosystem, signaling a new era focused on the privacy of internet users. The rise of Decentralized Identifiers (DIDs) and Self-Sovereign Identity (SSI) marks a turning point in data ownership, empowering users to control who can access their information and to what extent.
What Is the CCPA (California Consumer Privacy Act)?
The California Consumer Privacy Act (CCPA) is a significant piece of legislation that was passed in 2018 and took effect on January 1, 2020. This law marked a substantial step in the United States towards protecting the privacy rights of consumers, closely following the footsteps of the European Union’s General Data Protection Regulation (GDPR), which came into effect in May 2018.
The CCPA provides California consumers with the right to request disclosure of the data a company has collected on them. This legislation aims to give consumers more control over their personal information, allowing them to see what data companies collect and to whom they disclose it. Under CCPA, consumers also have the right to sue companies for privacy violations, regardless of whether a data breach has occurred, focusing purely on violations of privacy guidelines.
What Is the CPRA (California Privacy Rights Act)?
Difference Between CCPA and CPRA
The California Privacy Rights Act (CPRA) and the California Consumer Privacy Act (CCPA) are both crucial in enhancing consumer privacy rights, but they differ in the extent of protection they provide and in the requirements they place on businesses. One of the primary distinctions is that the CPRA provides consumers with additional rights, including the option to opt out of cross-contextual advertising, and extends its applicability to include employment data, which the CCPA does not cover. Below are key differences between the CPRA and CCPA:
Privacy Impact Assessments
The CPRA mandates privacy impact assessments for high-risk data processing activities, a requirement not specified by the CCPA.
Business Applicability Threshold
The CCPA applies to companies that collect and process the personal information of 50,000 consumers or more. In contrast, the CPRA raises this threshold to businesses affecting 100,000 consumers or more, easing the compliance burden on small and medium-sized enterprises.
Sensitive Personal Information (SPI)
The CPRA expands the definition of sensitive personal information and requires affirmative consent for its use, especially regarding children under 16 years of age. Consent must be obtained from teenagers aged 13 to 16, and parental consent is necessary for children under 13.
Consent for Data Sharing
Both acts require consent to sell or share consumer information with third parties, but the CPRA demands clear disclosure of how the data will be used.
Cure Period
Under the CCPA, businesses have a 30-day period to rectify violations upon notification. The CPRA eliminates this cure period, intensifying the immediate compliance requirement.
Enforcement Body
While the CCPA’s enforcement falls under the jurisdiction of the Attorney General’s office, the CPRA establishes a dedicated enforcement body, the California Privacy Protection Agency (CPPA).
Consumer Information Requests
The CPRA mandates businesses to provide at least two accessible channels for consumers to inquire about their personal information, such as web page forms, phone calls, or emails, ensuring transparency and accessibility.
What Is Personal Information According to CPRA?
Under the California Privacy Rights Act (CPRA), personal information encompasses data that identifies, relates to, describes, or could reasonably be linked with an individual either directly or indirectly. This broad definition aims to ensure comprehensive protection for individuals by covering a wide array of data types that could potentially reveal their identity. Personal information under the CPRA includes, but is not limited to, the following categories:
- Identifiers: This includes a person’s name, address, email address, IP address, driver’s license number, social security number, and passport number.
- Biometric Information: Data derived from unique biological characteristics, such as iris scans, fingerprints, and voice recognition patterns, falls into this category.
- Internet Activity: This covers information related to an individual’s online behavior, including browsing history and search history.
- Commercial Information: It includes details about personal property, purchase histories, e-commerce transaction data, and other consumer-related information.
- Employment and Educational Data: Information pertaining to a consumer’s employment history, educational background, and other related data is also considered personal information.
What Is Sensitive Personal Information (SPI) in CPRA?
Sensitive Personal Information (SPI), as defined by the California Privacy Rights Act (CPRA), represents a subset of personal information that holds a higher degree of intimacy and confidentiality. Unlike general personal information, which people might share more freely, SPI refers to data whose unauthorized disclosure could significantly impact an individual’s privacy, security, and well-being. The CPRA states that any information publicly available does not constitute sensitive information. The act categorizes the following as sensitive information, warranting enhanced protection and handling:
- Financial Details: This includes banking information, credit or debit card numbers, along with any passwords or codes that could permit unauthorized access to a consumer’s financial resources or identity.
- Private Communications: Details encapsulating the content of personal emails, text messages, and phone conversations.
- Unique Identifiers: Personal identification numbers such as passport, social security, and driver’s license numbers.
- Personal Characteristics: Information regarding racial origins, religious beliefs, political opinions, or membership in non-public organizations.
- Location Data: Precise geolocation information pinpointing a consumer’s exact whereabouts.
- Online Credentials: Information related to consumers’ account login details.
- Genetic Information: Data including DNA samples that can reveal genetic characteristics.
- Health and Sexual Orientation: Information concerning an individual’s health status, medical history, or sexual orientation.
- Biometric Data: Processed data used for uniquely identifying an individual, such as fingerprints or retina scans.
What Are the Criteria for CPRA Compliance?
- Businesses with Significant Revenue: Companies that have an annual gross revenue exceeding $25 million are subject to CPRA regulations. This criterion aims to encompass entities with substantial economic activities that impact a large number of consumers.
- High-Volume Data Handlers: Businesses that collect, buy, sell, or share the personal information of more than 100,000 consumers, households, or devices fall under the CPRA’s purview. This increase from the CCPA’s threshold of 50,000 aims to focus on entities with significant data processing activities while reducing the compliance burden on smaller businesses.
- Revenue from Personal Information: Entities that derive 50% or more of their annual revenues from selling or sharing consumers’ personal information are required to comply with the CPRA. This includes businesses that utilize customer data for advertising purposes and profit significantly from these activities.
Ensuring CPRA Compliance
By adjusting the consumer data threshold to 100,000, the CPRA seeks to alleviate the compliance load on small and medium-sized enterprises (SMEs), which could otherwise face significant financial challenges. Even so, the CPRA’s reach is global, affecting any business that:
- Operates for profit (excluding non-profits).
- Collects personal information from consumers.
- Provides services to California residents and also meets at least one of these additional criteria:
  - Has an annual gross revenue exceeding $25 million.
  - Generates 50% or more of its revenue from selling or sharing consumers’ personal information.
  - Handles the personal information of more than 100,000 consumers, households, or devices.
Companies Not Affected by CPRA?
The California Privacy Rights Act (CPRA) sets forth specific criteria to identify businesses that must comply with its provisions, focusing on the protection of consumer data and privacy rights. However, there are entities and certain types of data that fall outside the scope of CPRA regulations. These exemptions are designed to ensure the law targets businesses with significant data processing activities that impact California residents. The following outlines those entities and data types not subject to CPRA requirements:
Businesses Outside Data Collection Scope
Entities that do not collect personal information from consumers, users, or individuals in California are not obliged to adhere to CPRA regulations. This exemption applies to companies whose operations do not involve the handling of personal data related to California residents.
Non-Governmental and Non-Profit Organizations
CPRA requirements do not extend to non-governmental organizations (NGOs) and non-profit organizations. These entities are exempt from compliance, reflecting the law’s focus on commercial operations profiting from personal data.
De-identified Data
The CPRA excludes de-identified data: information that has been processed to remove or obscure personal identifiers so that it can no longer be linked to a specific individual. This data is excluded because it does not pose a risk to consumer privacy.
Law Enforcement Compliance Exemption
Data Covered by Other Laws
Data that falls under the jurisdiction of other regulatory frameworks, particularly in the health and insurance sectors, is exempt from CPRA. Industries governed by specific privacy and data protection laws, such as HIPAA for healthcare, are not subject to CPRA and CCPA regulations due to these pre-existing legal obligations.
How to Achieve CPRA Compliance
Achieving compliance with the California Privacy Rights Act (CPRA) involves a comprehensive approach to data management and privacy practices. Here are the essential steps organizations should take:
1. Conduct a Personal Data Inventory
Begin by identifying the types of data your business collects. Assess the organization, storage, and retrieval of this data, especially the sensitive personal information (SPI) as defined by CPRA. Determine if third-party servers store this data or if it is shared with external partners. This evaluation will guide necessary organizational changes, including updates to cookie banners, agreements, and privacy policies.
2. Classify Your Organization’s Data
Differentiate your data by its level of sensitivity and importance. This classification aids in applying appropriate security measures to protect data adequately. It informs your security team about data that requires regular monitoring for threats and data that should not be stored indefinitely.
3. Update Cookie Banner Notices
Revise your cookie banner to transparently communicate if and how you collect and process SPI, including the purposes for collection and retention periods. Inform users about their rights regarding the sale or sharing of their personal information, including how they can opt-out.
4. Review Agreements With Partners
Ensure all collaborations with partners, service providers, and third parties comply with CPRA standards. This review is crucial to maintaining compliance across your data processing and sharing activities.
- The types of personally identifiable information (PII) and SPI collected.
- How users can modify, delete, or access their personal data.
- Instructions for opting out of the sale or sharing of personal data.
- Consent procedures for minors (ages 13-16) and parental consent for children under 13.
6. Implement Opt-Out Links
CPRA mandates clear options for users to decline the sale or sharing of their personal data. Include conspicuous links for “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” on your website, ensuring they are easily accessible.
7. Establish Channels for Consumer Requests
Provide at least two accessible channels (such as phone, email, or web forms) for consumers to request information about their data. Acknowledge requests within 10 days and fulfill them within 45 days, as required by CPRA.
8. Educate Employees on Data Handling
Train all employees, particularly those who manage consumer data, on the importance of data protection and CPRA compliance. Regular training and updates will help maintain an organization-wide culture of privacy and security.
The CPRA is good news for consumers, but it is not exciting news for CEOs and investors who rely on trading customers’ digital footprints to make money. Data trading revenue cushions companies’ running costs, but the CPRA has heavily affected this profit, likely forcing companies to raise prices for goods and services to compensate.
Additionally, compliance costs are high, even without considering the larger marketing budgets companies will have to work with if privacy laws like this are passed across states. In the past few years, marketing and advertising have been more expensive in California than in some other U.S. states. Will this result in customers trading in their data to get lower prices? The future will tell, but for now, privacy laws give data control back to the users.
The CPRA legislation attempts to solve the data management problem that new technologies in the blockchain ecosystem are solving through projects like self-sovereign identity. It is great news that the government is seeing the importance of individual data control, just as it is one of our pursuits at Identity.com. As a company, we want a user-centric internet, where users have control over their data. That is all the more reason Identity.com does not take a back seat in contributing to this future via identity management systems and protocols. We also belong to the World Wide Web Consortium (W3C), the standards body for the World Wide Web.
The work of Identity.com as a future-oriented company is helping many businesses by giving their customers a hassle-free identity verification process. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please get in touch for more info about how we can help you with identity verification and general KYC processes.