New regulations are already keeping IT professionals on their toes in 2023. One monumental change for California residents and businesses is the California Privacy Rights Act (CPRA).
The legislation came into force on January 1, 2023. Legislators drafted the new rules to empower consumers and close gaps in the California Consumer Privacy Act (CCPA).
The CPRA gives customers more control over their personal data. It also introduces important obligations for businesses to handle consumer data in particular ways.
To help, we have a primer to get you started. Here are the key CPRA provisions and the major implications for businesses and consumers.
What is the California Privacy Rights Act (CPRA)?
The California Privacy Rights Act (CPRA) is a data privacy law that gives consumers more control over their personal information and how the businesses that collect it use it.
The CPRA's primary purpose is to secure the privacy rights of California consumers. As such, it clearly identifies their rights regarding their personal information. Specifically, the CPRA establishes that California consumers have the right to:
- Know what personal information businesses collect about them and how this information is being used and shared
- Delete personal information collected from them
- Opt out of businesses sharing or selling their personal information
- Not be discriminated against for exercising their privacy rights under the CCPA
Before digging deep into the details, it's important to know that the legislation only applies to consumers and for-profit businesses in California.
Cyber security professionals in this state will need to understand the ins and outs of the CPRA to ensure that their employers comply with the requirements. However, as data privacy rights gain momentum worldwide, cyber security professionals everywhere should pay attention.
How do the New Sensitive Personal Information Protections Work?
Consumers already have data rights under the original CCPA. For instance, consumers have a right to know what data businesses collect and how they use it.
They can ask businesses to delete information and stop selling or sharing it. Businesses cannot discriminate based on access to personal data, for instance, by offering lower prices or special discounts.
With the original CCPA, it was hard for consumers to exercise those rights. The CPRA gives consumers two new rights and makes it easier for consumers to assert them.
The CPRA’s “right to correct” lets consumers fix inaccurate personal information a business has gathered about them. The “right to limit” enables consumers to restrict the use of sensitive personal information businesses have collected about them. Sensitive data might include bank account details, geolocation data, or genetic data.
The new legislation puts more onus on businesses to uphold those rights. Until now, every time consumers visited a website, they faced a barrage of privacy settings.
If a consumer wanted to opt out of data collection, they had to repeat a complicated process for every single website. That’s a lot of work to protect information that you didn’t intend to share in the first place.
With the CPRA, businesses shoulder more of the responsibility. The requirements ensure that businesses comply. Businesses must respond to consumer requests regarding their data. They must also inform consumers that they are collecting personal data and be fully transparent about what they collect and where it goes.
What Obligations do Businesses Have Over Data Collected?
With more onus on businesses, their IT and security professionals urgently need to re-examine their data inventory practices. Monitor the kinds of data the business collects and why. Know where it is stored and how it is processed. Compile a “data map” that lays out how data flows through the business, including vendors. Write a clear, updated privacy policy and make it available on the website.
Businesses need to open up communication channels with consumers so they can withdraw their data or fix inaccuracies. Websites can provide popups and buttons that let consumers easily opt out of data collection. Organize training sessions for employees on CPRA compliance to ensure everyone understands the regulations and the risks of non-compliance.
How do Consumers Benefit?
The CPRA’s new data privacy rights let consumers regain control over their online experience. Some consumers will opt out of data collection to avoid targeted advertising. Others will gain confidence from keeping confidential information in their own hands and away from unknown third-party vendors. Some want to reduce access to sensitive data to keep it away from cyber criminals.
The Government of California website has more information about the CPRA for businesses and consumers. The CCPA site provides a useful FAQ and guidance about the new rights and regulations. You can read the full text of the CPRA on the California Legislative Information website.
A Pathway to More Data Privacy Legislation
The legislation in California has its critics. Still, consumer protection groups and legislators are pushing for similar rights in other jurisdictions. The challenge online is that consumers deal with businesses around the world. They need rights that protect their data wherever they are. Until then, the CPRA is a step forward in increasing cyber security awareness and reducing cyber security risks for consumers.
Let’s all do our part in keeping our private information secure.