The Complete Guide to CPRA Compliance

Everything you need to know about CPRA compliance, including requirements for businesses, consumer rights, and the difference between CPRA and CCPA. Plus, a detailed CPRA compliance checklist.

What is the CCPA?

Passed in 2018, the California Consumer Privacy Act (CCPA) established consumer data rights in California and placed new requirements on businesses processing personal data from California residents.



Two years later, in 2020, California passed Proposition 24. More commonly known as the California Privacy Rights Act (CPRA), this bill amended the CCPA—adding and expanding consumer rights, increasing the data processing threshold, and establishing the California Privacy Protection Agency.



Both CCPA and CPRA are already in full effect. And, after a surprise reversal of a 2023 decision to delay enforcement, the California Privacy Protection Agency is able to begin enforcing CPRA immediately.



Understanding the CCPA/CPRA's scope and requirements is critical for organizations who operate in or market goods and services to Californians.



Keep reading to learn more about CCPA requirements, consumer rights provided by the CCPA, how this law is enforced, and key CCPA amendments made by the CPRA. At the end, there's a checklist to help your organization get started with CCPA compliance.

Who does CCPA/CPRA apply to?

The first question to ask when figuring out if the CCPA/CPRA applies is: Does our organization conduct business in California (CA) or process personal data from CA residents?



If the answer is an unequivocal 'No,' then CCPA/CPRA doesn't apply and you're off the hook. However, if the answer is 'Yes'—you'll want to keep reading.



The CCPA/CPRA applies to organizations that conduct business or market/sell goods in California. In addition, an organization must:

  • Process data for 50,000 or more CA residents (until January 1, 2023 when that threshold increases to 100,000) OR
  • Have a gross annual revenue of over $25 million OR
  • Derive over 50% of annual revenue from sharing or selling personal data from California residents

To be clear, the data processing requirement means that if your commerce website has visitors from California, no matter your company's location, the CCPA applies for that group.



It’s also worth noting that the CCPA covers subsidiaries, so businesses can’t “offshore” consumer data in order to bypass California’s privacy requirements.

CPRA enforcement

California’s privacy laws are relatively new, so enforcement is still actively evolving. While the CCPA came into full force in July 2020, the CPRA didn't become enforceable until 2024.



Originally, CPRA enforcement was meant to start in July 2023, but that date was pushed back after several California businesses pursued challenges in court. Because the California Privacy Protection Agency did not complete rulemaking until mid-2023, many businesses argued they did not have sufficient lead time to move their processing activities into compliance.



When 2024 began, the expectation was the CPRA enforcement would begin on March 29, 2024. However, on February 9, the California Privacy Protection Agency announced that the 2023 lower court decision had been overturned, and the enforcement was set to begin immediately.



Michael Macko, Deputy Director of Enforcement for the California Privacy Protection Agency noted that, “This decision should serve as an important reminder to the regulated community: now would be a good time to review your privacy practices to ensure full compliance with all of our regulations.”

Who enforces CPRA

Under the CCPA, the California Attorney General had exclusive enforcement authority. However, with the creation of the California Privacy Protection Agency (CPPA), the water has become a bit murky.



According to the CPRA text, the CPPA will have the "full administrative power and jurisdiction to implement and enforce" CPRA. That said, the California Attorney General may still take enforcement action.



Though it's not yet clear exactly how the arrangement will work in practice, this is what we know so far:

  • Both the CPPA and the CA Attorney General may enforce California’s privacy laws.
  • The Attorney General has precedence, in that they may ask the CPPA to hold off on an investigation until their office has either completed the same inquiry or decided not to pursue the matter further. (1798.199.90 (c))
  • If the CPPA has already issued a decision about an investigation or violation, the Attorney General’s office may not pursue a double jeopardy civil suit. (1798.199.90 (d))

CPRA enforcement actions to date

At the time of this writing, though numerous non-compliance notices have been filed, only one settlement has been levied under CCPA or CPRA. On August 24, 2022, Sephora agreed to a $1.2 million settlement with the California Attorney General, following allegations the cosmetics brand was:

In January 2023, the Attorney General's office announced another investigative sweep, noting a focus on businesses who are failing to honor privacy requests made via authorized agents.



Time will tell whether the CPPA or Attorney General ends up levying further fines, but as the CPPA was given leave to begin immediate enforcement on Feb 9, 2024, it will definitely be a space to watch.

Consumer

A consumer is any individual in California for non-temporary and non-transitory reasons, including California residents traveling outside the state who plan to return.

Business

  • Gross annual revenue of at least $25 million
  • Buys, sells, or shares the personal data of at least 100,000 consumers
  • Makes at least half of its revenue from selling data

Opt-Out

A business must inform consumers that they use and sell personal data, and provide an easily accessible link that will allow consumers to opt-out.

Personal Information

Personal information is anything that might identify an individual or household. The CPRA defines personal information as:

“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Personal information can include:

  • Name
  • Home address
  • IP address
  • Account name
  • Email address
  • Social security number
  • Driver's license number
  • Passport number
  • Purchase history
  • Biometric data
  • Browsing or search history
  • Location data
  • Employment data
  • Inferences made from any of the data above

Keep in mind that personal information does not include information that's been “de-identified.” De-identified information has been stripped of identifying aspects so that businesses can use it safely. To count as de-identified information, the data cannot be re-identified later and businesses must have prevention procedures in place.

Sensitive personal information

Sensitive personal information (SPI) is a new data designation added by the CPRA—one that builds on the concept of personal information, which was originally laid out by the CCPA.



Under CPRA, SPI is any personal information that somehow reveals:

  • Driver’s license, social security, or passport numbers
  • Log-in information for financial accounts
  • Credit and debit card numbers
  • Geolocation data
  • Data on a consumer’s religion, ethnicity, or race
  • A consumer's mail, email, or texts
  • Biometric and genetic data
  • Data about a consumer's sexual orientation or health

Processing

Processing refers to the collection, possession, or handling of consumer data, both manual and automated. Collecting data through a form and tracking cookies are two common forms of data processing.

Third-Party

A third party is any external organization that collects, stores, or processes data on behalf of another business.

Consumer rights provided by the CPRA

California tends to lead the way in consumer rights, and the CCPA is no exception—creating a broad spectrum of new data rights and protections.

Right to delete

Businesses must delete a consumer's data upon request, as long as the consumer's identity can be verified. In addition, the business must direct any vendors and other service providers to do the same.

Right to access

Consumers have the right to request access to any personal data a business has collected.

Right to know what personal data is being collected, sold, or shared

Customers have the right to know what data and categories of data a business is collecting on them. They also have the right to know how that data is being collected and how it’s being used by both the business and any third parties.



If a business sells or shares personal information, consumers may request to know what categories of data are being collected, the categories of personal data being sold or shared with a third party, and the categories of data a business has disclosed.

Right to opt-out of sale or sharing

At any time, a consumer has the right to tell a business that sells their personal information not to do so.

Right to limit use and disclosure of sensitive personal information

Consumers may instruct a business to limit the use of their sensitive personal information to activities that are strictly "necessary to perform the services or provide the goods" that they requested.

Businesses must honor a consumer's request to limit the use or disclosure of their personal information, unless the consumer provides consent at a later date.

Right to equal service and price

Consumers must be able to exercise their data rights without facing penalties from the business. This means that, regardless of a consumer’s opt-out status, the business may not deny service, charge a higher price, or suggest that price or quality of service is dependent on opt-out status.



However, businesses may offer a bonus or other incentive in exchange for a consumer’s personal information.

CPRA vs CCPA

While the CCPA was California's first landmark privacy law, businesses must also consider the California Privacy Rights Act (CPRA). Passed in 2020, the CPRA amended the CCPA—expanding consumer rights, adding the sensitive personal information data designation, removing the 30 day cure period, and more.



Review the CPRA full text to see all the changes, check out our CPRA vs CCPA blog post, or keep reading below to explore the main highlights.

Expanded privacy rights for consumers

The CPRA has the same intent as the CCPA, protecting consumer data privacy in California, but goes even further. Under the CPRA, consumers were given four net new data rights:

  • Right to correction
  • Right to limit sensitive personal information
  • Right to access information about automated decision making
  • Right to opt-out of automated decision making

The CPRA also expanded the right to know, opt-out, and delete, which already existed under the CCPA.

New category of protected data

The CPRA extends legal protection to any “sensitive personal information” (SPI). A broader category than the CCPA's personal data designation, all of the following are considered SPI:

  • Social Security numbers
  • Driver’s license numbers
  • State ID card numbers
  • Passport numbers
  • Account logins and passwords
  • Precise geolocation
  • Racial and ethnic origins
  • Religious and philosophical beliefs
  • Union membership status
  • Contents of mail, email, and text not sent to the business
  • Genetic data
  • Biometrics
  • Health records
  • Sex life details
  • Sexual orientation

Increased data processing threshold

Before CPRA, a business processing data for 50,000 or more consumers fell under the CCPA's scope. The CPRA doubled this number—increasing the threshold to 100,000 consumers.



This means that, under the CPRA, many smaller CA businesses may end up being exempt. However, there are other scope criteria so make sure those are considered.

CCPA fines

CCPA violators can be fined up to $2,500 for unintentional incidents and up to $7,500 for intentional refusal to comply. These fines can be applied per person or household without limit—while a single fine may seem rather small, at scale they're quite significant.



Tech giants and large enterprises process data in massive quantities, so a per-person infraction can add up to millions or even hundreds of millions of dollars.



Take the 2017 Equifax breach, which involved the data of 15 million CA residents. If the breach occurred under the CCPA, it would have resulted in $1.5 billion in fines.



To date, Sephora's $1.2M settlement is the only CPRA fine on record, but that could easily change once CPRA enforcement begins in July 2023.

CPRA compliance checklist

At the start, getting CPRA compliant may feel like a daunting task, but using the CPRA compliance checklist below will give you a good idea of what's necessary and where to start.



At its core, complying with CPRA means respecting consumer rights by promptly responding to data requests, honoring requests for opt-out, and securing all personal and/or sensitive data held by your company. But, of course, it's easier said than done.



CPRA compliance requires in-depth knowledge of your data and data systems. You'll also need tools and processes, sometimes called privacy infrastructure, that can scale with new data, legislation, and consumer requests.



Aside from your own compliance, it's also critical you ensure compliance among any third-party data processors with whom you have a contract. If they're processing your customers' personal data, you're on the hook.

1. Identify and map sensitive data across all systems

Understanding what data you collect and hold, as well as how it's being used is a critical part of CPRA (or any privacy law) compliance.



This process, often called data mapping, will help your organization fulfill consumer requests for access or deletion, identify risky data processing, and track down affected data in the event of a breach.



Though data mapping isn't required by the CPRA, it's key to fulfilling many of the obligations the CPRA places on businesses.

2. Use an automated privacy tool for responding to consumer data requests

Responding to consumer requests for data access, correction, or deletion sounds relatively simple, at first. But fulfilling privacy requests means first knowing where to find the relevant data (part of why an up-to-date data map is so important), and then collating, packaging, and transmitting the data you find.



Without the right privacy infrastructure, this process quickly starts to eat at your team's time. More than that, manual request fulfillment opens opportunity for human error and security vulnerabilities.



Even if you don't take the path of automated privacy software, it's best to define the data request fulfillment process before requests start pouring in—smoothing inefficiencies where possible and automating what you can.

4. Update your privacy policy

Transparency around data processing is an important part of CPRA compliance, so it's important to refresh your organization's privacy policy on, at minimum, an annual basis.



A compliant privacy policy will provide up-to-date information about how your organization collects, stores, shares, and uses consumer data, including:

  • A description of consumer rights under the CPRA
  • The commercial and business reasons for collecting information
  • Types of personal information sold or disclosed in the last 12 months
  • Types of third parties with whom personal information is shared
  • A link that allows the customer to opt out of information sale
  • A description of any financial incentives for providing data, such as a discount
  • Two or more designated measures for submitting information requests
  • Details on how to exercise consumer rights, including the verification process

6. Obtain consent from minors age 13 to 16

The majority of CCPA requirements follow an opt-out consent regime, meaning organizations can process data without consent but must provide an option to opt-out at any point. However, the rules for minors age 13 to 16 are different.



Minors under the CPRA are protected by an opt-in consent regime, meaning organizations must obtain consent before selling or sharing personal information. Minors between 13 and 16 may opt-in on their own behalf, while for minors under 13 opt-in must come from a parent or legal guardian.



Minors that opt-in must also have the option to opt-out if they change their mind after the fact.

About Transcend

Transcend helps companies put privacy on autopilot. Our mission is to make it simple for companies to give their users control of their data.