Table of Contents
- 1 Key Takeaways:
- 2 What Is the CCPA (California Consumer Privacy Act)?
- 3 What Is the CPRA (California Privacy Rights Act)?
- 4 CCPA vs. CPRA: Key Differences
- 5 What Is Personal Information According to CPRA?
- 6 What Is Sensitive Personal Information (SPI) in CPRA?
- 7 CPRA Compliance Criteria
- 8 Who Must Comply With the CPRA?
- 9 Who Is Exempted From the CPRA?
- 10 Steps to CPRA Compliance
- 11 Conclusion
- 12 Identity.com
Key Takeaways:
- The California Consumer Privacy Act (CCPA) provides Californians with the right to access the information companies have collected about them, request its deletion, and opt out of its sale.
- The California Privacy Rights Act (CPRA) strengthens consumer privacy rights established by the CCPA and imposes stricter regulations on how businesses handle personal information.
- Businesses operating in California or handling the personal information of California residents must comply with the requirements set forth by the CPRA.
Over the past few decades, online users have been increasingly exposed to data mismanagement. The trade of users’ data has built empires and created numerous billionaires and millionaires, highlighting a critical reality in the Web 2.0 era: personal information is frequently traded. Despite opposition from tech giants such as Google and Facebook, a significant shift is taking place within the online ecosystem, signaling a new era focused on the privacy of internet users. The rise of Decentralized Identifiers (DIDs) and Self-Sovereign Identity (SSI) marks a turning point in data ownership, empowering users to control who can access their information and to what extent.
What Is the CCPA (California Consumer Privacy Act)?
Passed in June 2018 and in effect since January 1, 2020, the California Consumer Privacy Act (CCPA) is a landmark U.S. state privacy law that strengthens consumer privacy rights and is often compared to the European Union’s General Data Protection Regulation (GDPR), which took effect in May 2018.
The CCPA gives California residents the right to know what personal information companies collect about them, where it comes from, and with whom it is shared, and the right to have it deleted and to opt out of its sale. Its private right of action is narrower than is often assumed: consumers can sue a business directly only over a data breach of non-encrypted, non-redacted personal information caused by the business’s failure to maintain reasonable security practices. All other violations are enforced by the state rather than by individual lawsuits.
What Is the CPRA (California Privacy Rights Act)?
The California Privacy Rights Act (CPRA), approved by California voters as Proposition 24 in November 2020 and operative since January 1, 2023, amends and extends the CCPA rather than replacing it. It adds new consumer rights, introduces the category of sensitive personal information, and creates a dedicated regulator to enforce the law.
CCPA vs. CPRA: Key Differences
The California Privacy Rights Act (CPRA) and the California Consumer Privacy Act (CCPA) are both crucial for enhancing consumer privacy rights, but they offer different levels of protection and requirements for businesses.
Here’s a breakdown of the key differences between CCPA and CPRA:
Consumer Rights
The CPRA expands consumer rights by letting Californians opt out of the sharing of their data for cross-context behavioral advertising, a practice the CCPA’s “sale” opt-out did not clearly cover. It also adds a right to correct inaccurate personal information and a right to limit the use of sensitive personal information. Finally, the CPRA let the CCPA’s exemptions for employee and business-contact data expire, so job applicants, employees, and contractors now hold the same rights over their data as any other consumer.
Privacy Impact Assessments
The CPRA directs the regulator to require regular risk assessments and annual cybersecurity audits from businesses whose processing of personal information presents significant risk to consumers, so that privacy risk is evaluated before the processing begins. The CCPA imposed no such obligation.
Business Applicability Threshold
The CCPA applied to businesses that annually buy, sell, or share the personal information of 50,000 or more consumers, households, or devices. The CPRA raises this threshold to 100,000 consumers or households (devices no longer count), reducing the compliance burden on small and medium-sized enterprises.
Consent for Data Sharing
Neither act requires opt-in consent from adults: both are opt-out regimes, with opt-in consent required only before selling or sharing the data of consumers under 16. The CCPA required an opt-out from the sale of personal information; the CPRA extends that opt-out to sharing for cross-context behavioral advertising and requires clearer disclosure, at the point of collection, of the purposes for which each category of data will be used and how long it will be retained.
Enforcement
The CCPA relied solely on the Attorney General’s office for enforcement. The CPRA establishes a dedicated regulator, the California Privacy Protection Agency (CPPA), with rulemaking and enforcement powers, while the Attorney General retains concurrent enforcement authority. The CPRA also removes the 30-day cure period that the CCPA granted businesses before enforcement action.
Consumer Information Requests
Both laws require businesses to offer at least two designated methods for submitting consumer requests, and for most businesses one of them must be a toll-free telephone number (a business that operates exclusively online and has a direct relationship with the consumer may offer an email address instead). The CPRA keeps this requirement and extends it to the new rights to correct and to limit the use of sensitive personal information.
What Is Personal Information According to CPRA?
The California Privacy Rights Act (CPRA) defines personal information broadly to provide strong protection for individuals. It covers data that identifies, relates to, describes, or could be linked to a person, directly or indirectly. Here are some key categories of personal information under CPRA:
- Identifiers: This includes a person’s name, postal address, email address, IP address, driver’s license number, Social Security number, and passport number.
- Biometric Information: Data derived from unique biological characteristics, such as iris scans, fingerprints, and voice recognition patterns, falls into this category.
- Internet Activity: This covers information related to an individual’s online behavior, including browsing history and search history.
- Commercial Information: It includes details about personal property, purchase histories, e-commerce transaction data, and other consumer-related information.
- Employment and Educational Data: Information pertaining to a consumer’s employment history, educational background, and other related data is also considered personal information.
What Is Sensitive Personal Information (SPI) in CPRA?
Sensitive Personal Information (SPI), as defined by the California Privacy Rights Act (CPRA), is a subset of personal information whose unauthorized disclosure or misuse could cause significant harm to an individual’s privacy, security, or well-being. Consumers may direct a business to limit the use of their SPI to what is necessary to provide the requested goods or services. Information that is lawfully made publicly available is treated as ordinary personal information, not SPI. The act categorizes the following as sensitive personal information, warranting enhanced protection and handling:
- Financial Details: This includes banking information, credit or debit card numbers, along with any passwords or codes that could permit unauthorized access to a consumer’s financial resources or identity.
- Private Communications: Details encapsulating the content of personal emails, text messages, and phone conversations.
- Unique Identifiers: Personal identification numbers such as passport, social security, and driver’s license numbers.
- Personal Characteristics: Information revealing racial or ethnic origin, religious or philosophical beliefs, or union membership.
- Location Data: Precise geolocation information pinpointing a consumer’s exact whereabouts.
- Online Credentials: Information related to consumers’ account login details.
- Genetic Information: Data including DNA samples that can reveal genetic characteristics.
- Health and Sexual Orientation: Information concerning an individual’s health status, medical history, or sexual orientation.
- Biometric Data: Processed data used for uniquely identifying an individual, such as fingerprints or retina scans.
CPRA Compliance Criteria
- Significant Revenue Threshold: Companies with an annual gross revenue exceeding $25 million fall under CPRA. This targets businesses with substantial economic activity that potentially impacts a large number of consumers.
- High-Volume Data Handling: The CPRA applies to businesses that annually buy, sell, or share the personal information of 100,000 or more consumers or households (raised from the CCPA’s 50,000 consumers, households, or devices). This captures entities engaged in large-scale data processing while reducing the burden on smaller businesses.
- Revenue from Personal Information: Businesses that derive at least 50% of their annual revenue from selling or sharing consumer personal information must adhere to CPRA. This targets companies that significantly profit from consumer data monetization.
Who Must Comply With the CPRA?
The California Privacy Rights Act (CPRA) exempts many small and medium businesses by raising the consumer data threshold to 100,000. However, it applies to for-profit businesses that collect personal information from California residents if they meet at least one of these criteria:
- Have an annual gross revenue exceeding $25 million.
- Derive 50% or more of their revenue from selling or sharing consumer data.
- Annually buy, sell, or share the personal information of 100,000 or more consumers or households.
If your business meets any one of these criteria, you must comply with the CPRA to protect consumer privacy and avoid potential fines. Note that the revenue threshold applies to worldwide gross revenue, not just California revenue, so a company with a small California footprint can still be in scope.
Who Is Exempted From the CPRA?
The California Privacy Rights Act (CPRA) establishes criteria for businesses that must comply with its data privacy protections. However, certain entities and data types fall outside the scope of CPRA regulations. These exemptions ensure the law targets businesses with significant data processing activities that impact California residents.
Here’s what’s not covered by CPRA:
- Businesses Outside Data Collection Scope: Companies that don’t collect personal information from Californians are exempt. This applies to businesses whose operations don’t involve handling personal data of California residents.
- Non-Profits and NGOs: Non-governmental organizations (NGOs) and non-profit organizations are exempt, as the CPRA focuses on for-profit businesses.
- De-identified Information: Information that has been irreversibly anonymized (de-identified) is exempt. This means the information cannot be linked to a specific person and doesn’t pose a privacy risk.
- Aggregate Information: Data compiled into anonymous statistics or analytics that don’t identify individual users (e.g., website traffic numbers) is not covered. This allows businesses to use anonymized data for analysis without needing to comply with CPRA.
- Compliance With Legal Obligations: The CPRA does not restrict a business from complying with federal, state, or local laws, responding to a subpoena, summons, or court order, or cooperating in good faith with law enforcement agencies.
- Data Covered by Other Laws: Information already regulated by certain sector-specific laws is exempt, such as medical information covered by HIPAA or California’s medical privacy law and financial data covered by the Gramm-Leach-Bliley Act. The exemption attaches to the data, not the organization: a hospital or bank must still comply with the CPRA for any personal information that falls outside the other statute, such as website analytics or marketing data.
Steps to CPRA Compliance
The California Privacy Rights Act (CPRA) mandates specific data privacy practices for businesses. Here’s a roadmap to achieve compliance:
1. Conduct a Personal Data Inventory
Identify the types of data you collect, how you organize, store, and access it, especially sensitive personal information (SPI) as defined by CPRA. Determine if third parties store or access this data. This assessment will guide changes to cookie banners, agreements, and privacy policies.
2. Classify Data Sensitivity
Categorize your data based on its sensitivity to ensure appropriate security measures. This informs your security team about data requiring extra protection and data with limited retention periods.
3. Update Cookie Banner Notices
Revise your cookie banner to clearly explain if and how you collect and process SPI as defined by CPRA. Include details on collection purposes and retention periods. Inform users about their rights regarding the sale or sharing of their personal information, including how they can opt-out.
4. Review Agreements with Partners
Ensure all agreements with partners, service providers, and third parties comply with CPRA requirements.
5. Revise Your Privacy Policy
Update your privacy policy to reflect CPRA requirements, making it clear, concise, and accessible on mobile devices. Your policy should cover:
- Types of personally identifiable information (PII) and SPI collected
- User rights regarding data access, modification, and deletion
- Instructions for opting out of the sale/sharing of personal data
- Opt-in consent before selling or sharing the personal information of consumers under 16: the minor’s own affirmative consent for ages 13 to 15, and parental or guardian consent for children under 13
6. Implement Opt-Out Links
Include clearly labeled links on your website for users to opt-out of the sale or sharing of their personal information (“Do Not Sell or Share My Personal Information”) and limit the use of their sensitive data (“Limit the Use of My Sensitive Personal Information”).
7. Establish Channels for Consumer Requests
Provide at least two accessible channels (a toll-free number, email, or web form) for consumers to exercise their rights to know, delete, correct, opt out, and limit the use of their sensitive data. Confirm receipt of a request within 10 business days and respond within 45 calendar days; the 45-day period may be extended once by a further 45 days if you notify the consumer of the reason for the delay.
8. Educate Employees on Data Handling
Train the staff who handle consumer inquiries so they can recognize a privacy request, explain the rights the CPRA grants, and route the request to the team that fulfils it within the statutory deadlines. The law specifically requires that all individuals responsible for handling consumer inquiries be informed of its requirements and of how to direct consumers to exercise their rights.
Conclusion
CPRA is good news for consumers, but it is unwelcome news for CEOs and investors whose business models rely on trading customers’ digital footprints. Revenue from data trading cushions companies’ running costs, and the CPRA cuts into that profit, which may push companies to raise prices for goods and services to compensate.
Compliance costs are also high, even before considering the larger marketing budgets companies will need if privacy laws like this are passed across other states. In the past few years, marketing and advertising have already been more expensive in California than in some other U.S. states. Will this result in customers trading in their data to get lower prices? The future will tell, but for now, privacy laws give data control back to users.
Identity.com
The CPRA legislation attempts to solve, through regulation, the data-control problem that projects in the blockchain ecosystem, such as self-sovereign identity, are solving through technology. It is encouraging that the government recognizes the importance of individual data control, which is also one of our pursuits at Identity.com. As a company, we want a user-centric internet where users have control over their data, and we contribute to that future through our identity management systems and protocols. We are also a member of the World Wide Web Consortium (W3C), the standards body for the World Wide Web.
The work of Identity.com as a future-oriented company is helping many businesses by giving their customers a hassle-free identity verification process. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please get in touch for more info about how we can help you with identity verification and general KYC processes.