CPRA Cheat Sheet
Tom's Attempt at a Logo for CPRA
Category
Topic
CPRA Provision
1
Scope
Effective Date
January 1, 2023 with the following caveats:
(1) the right of access shall only apply to personal information collected by a business on or after January 1, 2022
(2) extends the CCPA's exemption re: the collection of personal data of a job application and/or employee and/or contractor by a business from an expiration date of January 1, 2021 to January 1, 2023
(3) the CPRA's changes to the funding dynamics of the Consumer Privacy Fund, the regulation process, and the creation and funding of the California Privacy Protection agency all become operative on the effective date of the CPRA (i.e. 5 days after voting results are certified)
2
Scope
Who is Regulated?
A for-profit “Business” that "collects consumers' personal information" and has the following thresholds:
(1) gross revenue greater than $25 million in the preceding calendar year OR
(2) buys/sells/shares personal information on over 100,000 consumers or households; OR
(3) derives 50% or more of its revenue from selling or sharing consumer personal information.
Also covers (a) any entity that controls or is controlled by a business and "shares common branding" with the business and "with whom the business shares consumers' personal information"; (b) "a joint venture or partnership composed of businesses In which each business has at least a 40 percent interest"; and (c) any entity that does business in California and voluntarily certifies to the California Privacy Protection Agency that it is in compliance with the CRPA. [§ 1798.140(d)]
3
Scope
Who is Protected?
A "Consumer" that is a natural person who is California resident. [§ 1798.140(i)] Resident defined per Cal. Rev. Code § 17014 as
(1) Every individual who is in this state for other than a temporary or transitory purpose.
(2) Every individual domiciled in this state who is outside the state for a temporary or transitory purpose.
4
Scope
Do Children Get Special Protection?
Yes, "a business shall not sell or share the personal information" of children aged from 13-16 unless the child directly "opts-in" to the sale. For children under 13, a business requires parental consent to the sale or sharing of their child's personal data. [§ 1798.120(c)-(d)] Furthermore, for children under 16 who did not give consent, businesses must "wait for at least 12 months before requesting the consumer's consent again" or "until the consumer attains 16 years of age." [§ 1798.135(a)]
In addition, the Privacy Protection Agency can level administrative enforcement fines of $7500 per violation of the law in cases where the "business, service provider, contractor or other person has actual knowledge that the consumer is under 16 years of age." [§ 1798.155(a)]
Note that the provisions of the CPRA relating to children under 16 years of age shall only apply to the extent not in conflict with Children's Online Privacy Protection Act (COPPA). [Sec. 30 Savings Clause]
5
Scope
Covers Employees?
No, not until January 1, 2023. Specifically, "the title shall not apply to … personal information that is collected by a business about a natural person in the course of the natural person acting as … an employee." Nor shall the consumer rights (right of access, deletion, etc.) "apply to personal information reflecting a written or verbal communication or a transaction between the business" and the employee. Also applies to job applicants and contractors. [§§ 1798.145(m) - (n)]
6
Scope
What Information is Protected?
“Personal information” (PI) means "information that identifies, relates to, describes, is reasonably capable of being associated with ..."a particular consumer or household. It then lists specific examples such as:
(1) Identifiers such as a real name, alias, postal address, unique personal identifier (which can include a device), IP address, email address, account name, social security number, driver’s license number, and passport number;
(2) Commercial information, including records of personal property, products or services purchased, or other purchasing or consuming histories or tendencies;
(3) Biometrics;
(4) Internet or other network activity information (e.g. browsing history);
(5) Geolocation data;
(6) Audio, electronic, visual, thermal, olfactory, or similar information;
(7) Professional or employment-related information;
(8) Education information as defined in FERPA;
(9) Inferences drawn from any of the information above; and
(10) Sensitive personal information (definition below)
It does not include publicly available information, data that is lawfully obtained and truthful and a matter of public concern, and data that is "lawfully made available to the public by the consumer or from widely distributed media." Does not apply to information that is deidentified. Nor does it apply to data already covered by federal privacy laws such as HIPAA, GLBA, FCRA and GLBA. [§§ 1798.140(v) and 1798.145(c)-(f)]
7
Scope
Additional Restrictions on Sensitive Data?
Yes. "Sensitive Personal Information" (SPI) includes a consumer's:
(1) social security, driver's license, state ID card, or passport number;
(2) account log-in (including access code and password), financial account, debit card, or credit card number
(3) precise geolocation;
(4) racial or ethnic origin, religious or philosophical beliefs, or union membership -- ala the GDPR;
(5) mail, email and text messages, unless the business is the intended recipient of the communication;
(6) genetic and biometric data;
(7) personal information collected and analyzed concerning a consumer's health;
(8) personal information collected and analyzed concerning a consumer's sex life or sexual orientation. [§ 1798.140(ae)]
Businesses must inform consumers that they are collecting SPI, the purposes for collection, and whether SPI will be sold and shared as well as the length of time this data will be stored. Businesses cannot collect additional SPI for additional purposes that are incompatible with the disclosed purpose, and cannot store SPI beyond the expressed length of time. [§ 1798.100(a)] A consumer shall have the right at any time to limit the use of their SPI. [§ 1798.121(a)] A business must also either put on its homepage a clear link titled "Limit the Use of My SPI" or support an opt-out signal. As SPI is personal information, a consumer can also request that the business does not sell or share SPI, [§ 1798.135 (a)] as well respect the consumer's rights re: personal information (right to access, delete, rectify, etc.).
8
Scope
Exemptions?
There are several exemptions for both businesses and types of personal data collected.
For businesses:
(1) Businesses that are non-profits and/or small businesses under $25m and/or don't collect the requisite amount of personal data (per "Who is Regulated?" above) [§ 1798.140(d)]
(2) Businesses should not be restricted in order to comply with civil, criminal or regulatory inquiry and/or a subpoena/summons by a government authority [§ 1798.145(a)]
For types of personal data:
(1) Usage of personal data in emergency situations [§ 1798.145(a)]
(2) Personal data subject to sector-specific federal and/or state privacy laws such as GLBA, HIPAA, California's Confidential Medical Information (CMI) Act [§§ 1798.145(c)-(f)]
(3) Personal data involving ownership of motor vehicles (e.g. such as information collected for recalls) [§ 1798.145(g)]
(4) Personal data involving job applicants, employees, contractors and owner/directors of businesses til January 1, 2021 [§ 1798.145(m)]
(5) Personal data that is deidentified or aggregate data [§ 1798.145(a)]
(6) Personal data collected as part of a clinical trial [§ 1798.145(c)]
(7) Personal data collected outside of California involving non-California residents [§ 1798.145(a)]
(8) Personal data involving grades, educational scores and educational test results [§ 1798.145(q)]
(9) Personal data such as a photograph in a yearbook if consent given [§ 1798.145(r)]
9
Scope
Lawful Bases to Process Personal Data?
No. The US Constitution's 1st Amendment in general lets a business collect data that it wants to (see Sorrell v. IMS Health Inc.). But the CRPA requires that a business disclose what categories and the purpose for which they are collecting personal information (see Right to be Informed below), so as long as the consumer is informed and they don't opt out (or opt-in in the case of minors), the business can collect. CRPA also requires businesses to retain personal information for no longer than necessary. But note that Section 5(a) of the FTC Act provides that “unfair or deceptive acts or practices in or affecting commerce . . . are . . . declared unlawful.” 15 U.S.C. Sec. 45(a)(1).
10
Scope
Law is Protected from Watering Down?
Yes. The CPRA may be amended after its approval by the voters by a statute that is passed by a vote of a majority of the members of each house of the Legislature and signed by the Governor, provided that such amendments are "consistent with and further the purpose and intent" of the CPRA.
11
Individual Rights
Right to be Informed (aka Right to Know or Right to be Notified)
A business that "controls the collection" of PI and/or SPI shall, "at or before the point of collection," inform the consumer the categories and purposes of PI and/or SPI "that are collected or used and whether such information is sold or shared." PI and/or SPI shall not be collected for additional purposes that incompatible with the disclosed purpose for which that information is collected. The business needs to also inform of the length of time of the collection of that information. [§ 1798.100(a)] Furthermore, businesses must also inform consumers what rights the consumer has vis a vis the personal data, e.g. consumers need to be told they also have the right to request deletion of their personal data. [§ 1798.105(b)] Besides having the right to know what personal information is sold and shared, consumers have the right to know to whom. [§ 1798.115(b)]
12
Individual Rights
Right to Access
"A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories" and "specific pieces of personal information the business it has collected.” [§ 1798.110(a)] This includes any third-parties the business has shared the personal data with. And that the business shall provide that information once they verified the consumer request. Furthermore, a business shall "disclose and deliver the required information to a consumer free of charge to the consumer” within a 45 day period of receiving a verifiable consumer request. The disclosure "shall cover the 12-month period preceding the business's receipt of the verifiable consumer request," and any right beyond the 12-month period "shall only apply to personal information collected on or after January 1, 2022." [§ 1798.130(a)] A business "shall not be required to provide personal information to a consumer more than twice in a 12-month period." [§ 1798.130(b)]
13
Individual Rights
Right to Correct (aka Right to Rectification)
"A consumer shall have the right to request a business that maintains inaccurate personal information about the consumer correct such inaccurate personal information." [§ 1798.106(a)]
14
Individual Rights
Right to Delete (aka Right to Erasure or Right to be Forgotten)
“A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.” [§ 1798.105(a)] The business must also notify any service providers or contractors, as well as to "notify all third parties to whom the business has sold or shared that information," to also delete the consumer’s personal information from their records. A service provider or contractor is not required to fulfill a deletion requested submitted directly by the consumer. [§ 1798.105(c)] There are 8 exceptions in [§ 1798.105(d)] including performing the contractual obligations that exist between business and consumer, help insure security and integrity, debugging, the exercise of free speech, and engage in research that conforms to applicable ethics and privacy laws.
15
Individual Rights
Right to Restrict Processing
N/A, with exception of the right to opt-out of the selling and sharing of personal information and also the limiting use of sensitive personal information (see below).
16
Individual Rights
Right to Data Portability
As part of a consumer's Right to Access, a business shall "provide the specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format, which also may be transmitted to another entity at the consumer's request without hindrance." [§ 1798.130 (a)]
17
Individual Rights
Right to Object to Processing
N/A, with exception of the right to opt-out of the selling and sharing of personal information and also the limiting use of sensitive personal information (see below).
18
Individual Rights
Right to "Opt Out" of Sale and Sharing of Personal Information (aka Right to Say No)
"A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer's personal information. This right may be referred to as the right to opt-out of sale or sharing." [§ 1798.120(a)]
19
Individual Rights
Right to Limit Use of Sensitive Personal Information (including Precise Geolocation)
"A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer's sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services." [§ 1798.121 (a)] Recall that sensitive personal information includes precise geolocation.
20
Individual Rights
Right to Reject Automated Decision Making and Profiling
The CPRA leaves the possibility of this right being issued as a regulation by the Privacy Protection Agency. [§ 1798.185 (a)]
21
Individual Rights
Right of No Retaliation (aka Right to not be Discriminated Against)
The CPRA states that if a consumer requests access or any of their individual rights, they can’t be discriminated against. Examples include (and directly quoted from [§ 1798.125(a)]):
(1) Denying goods or services to the consumer.
(2) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
(3) Providing a different level or quality of goods or services to the consumer.
(4) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
The CPRA specifically states that this right "does not prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs."
22
Obligations
Privacy Policy Disclosure
A business that "controls the collection" of PI and/or SPI shall, "at or before the point of collection," inform the consumer the categories and purposes of PI and/or SPI "that are collected or used and whether such information is sold or shared." PI and/or SPI shall not be collected for additional purposes that incompatible with the disclosed purpose for which that information is collected. The business needs to also inform of the length of time of the collection of that information. [§ 1798.100(a)] Furthermore, businesses must also inform consumers what rights the consumer has vis a vis the personal data, e.g. consumers need to be told they also have the right to request deletion of their personal data. [§ 1798.105(b)] Businesses must also tell consumer not only what personal information is sold and shared, but they must disclose to consumers to whom. [§ 1798.115(b)]
23
Obligations
Data Protection by Design and Default
A business shall not collect additional categories of PI and/or SPI that are "incompatible with the disclosed purpose for which the personal information was collected, without providing the consumer with notice." [§ 1798.100(a)] Clearly a business must design their systems and apps to identify not only what data is personal but what is sensitive information. A business shall not collect this data "for longer than is reasonably necessary for that disclosed purpose" (i.e. principle of storage limitation). Furthermore, the "business's collection ... of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed" (i.e. data or purpose minimization, aka principle of proportionality). [§ 1798.100(c)] Finally, a business must also "implement reasonable ... procedures and practices appropriate to the nature of the personal information to protect." [§ 1798.100(e)]
24
Obligations
Written Contracts with Processors / Service Providers / Contractors / Third Parties
"A business that collects a consumer's personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with such third party, service provider, or contractor." The contract must include that the PI used, sold or shared is only for a limited and specified purpose and those entities must also comply with the CPRA's obligations re: the protection of PI and the rights of consumers over their PI. [§ 1798.100(d)]
The definition of contractor and service provider does specify that a business can enforce via contract the ability for the business to monitor "compliance with the contract through measures including, but not limited to, ongoing manual reviews and automated scans, and regular assessments, audits, or other technical and operational testing at least once every twelve (12) months." [§ 1798.140(ag)] Furthermore, both service providers and contractors must assist businesses in complying with the CCPA, e.g. verified consumer deletion requests [§ 1798.105(c)]. But "a service provider or contractor shall not be required to comply with a deletion request submitted by the consumer directly to the service provider or contractor."
A contractor or service provider that engages another entity to assist in the processing of a business's personal information must "notify the business of such engagement." [§ 1798.140(ag)]
25
Obligations
Maintain Records of Processing Activities
The Privacy Protection Agency will create regulations "specifying record keeping requirements for businesses to ensure compliance with this title." [§ 1798.199.40] It is implied that records need to be maintained re: what personal information is shared or sold with which third parties. Also, a "business may maintain a confidential record of deletion requests." [§ 1798.105(c)] Furthermore, a business should document their security procedures and practices to show compliance of implementing reasonable security procedures. [§ 1798.150(a)]
26
Obligations
Respond to Rights Requests
A business must respond to a "verifiable consumer request." [§ 1798.140(ak)] Furthermore, a business must "disclose and deliver the required information to a consumer free of charge within 45 days" and can extend the 45 days once. [§ 1798.130(a)] This information must be provided "free of charge to the consumer" but "shall not be required to provide personal information to a consumer more than twice in a 12-month period." [§ 1798.130(a)] Businesses must also respond to other rights requests (e.g. deletions, do not sell, etc.) with no limitations. [§ 1798.105(c), 1798.120(d)]
27
Obligations
New Homepage Links Required (e.g. do not sell/share personal information, limit use of sensitive personal information)
A business must "provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell or Share My Personal Information,” as well as a link titled "Limit the Use of My Sensitive Personal Information" to Internet Web page(s) that enable a consumer, or a person authorized by the consumer, to opt-out of the sale and sharing of the consumer’s personal information and/or limiting the use of their SPI. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information." [§ 1798.135(a)] A business may support on their web page and mobile application an "opt-out preference signal" that automatically indicates the consumer's intent to opt-out and/or limit usage. The technical specifications of this "opt-out signal preference" will be defined via regulations created by the Privacy Protection Agency. [§ 1798.135(b)]
28
Obligations
Implement Appropriate Security Measures
"A business that collects a consumer's personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure." [§ 1798.100(e)] In addition, the Privacy Protection Agency will issue regulations "requiring businesses whose processing of consumers' personal information presents significant risk to consumers' privacy or security, to: ... perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent." [§ 1798.185(a)]
Furthermore, existing California law states that "a business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure." [§ 1798.81.5]
29
Obligations
Security Breach Notification
N/A, but California has an existing (and separate) data breach notification law § 1798.82.
30
Obligations
Data Protection Impact Analysis
The Privacy Protection Agency will issue regulations "requiring businesses whose processing of consumers' personal information presents significant risk to consumers' privacy or security, to: (A) perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent" ... and (B) "submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal Information." [§ 1798.185(a)]
31
Obligations
Data Protection Officers
N/A
32
Obligations
Adhere to the Rules of Cross-Border Data Transfers
N/A
33
Enforcement
Dedicated Supervisory Authority
The CPRA establishes Privacy Protection Agency (PPA), whose primary mission is to "protect the fundamental privacy rights of natural persons with respect to the use of their personal information" [§ 1798.199.40] and is vested with full administrative power, authority and jurisdiction to implement and enforce the California Consumer Privacy Act. [§ 1798.199.10] The PPA has a 5 member board who appoints an executive director. [§ 1798.199.30] The PPA enforces the CPRA through administrative actions, and is also tasked to "promote public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale and disclosure of personal information." [§ 1798.199.40]. The PPA is funded through the Consumer Privacy Fund, with annual budget of $10 million from the State’s General Fund. [§ 1798.199.195] The regulations associated with the CPRA will be adopted by the California Attorney General with "broad public participation" [§ 1798.185] but once the PPA is operational will assume ownership of the regulation process [§ 1798.199.40]
34
Enforcement
Penalties (Civil Fines)
"Upon the sworn complaint of any person or on its own initiative," the PPA "may investigate possible violations of this title relating to any business, service provider, contractor, or person." [§ 1798.199.45] Violators of the CPRA will be given 30 day notice by the PPA [§ 1798.199.50], and when the PPA "determines there is probable cause for believing this title has been violated, it shall hold a hearing to determine if a violation has or violations have occurred." If the PPA determines a violation has occurred, it can issue a cease and desist order, as well order an entity to "pay an administrative fine of up to two thousand five hundred dollars ($2,500) for each violation, or up to seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers to the Consumer Privacy Fund within the General Fund of the state." [§ 1798.199.55] The PPA "may subpoena witnesses, compel their attendance and testimony, administer oaths and affirmations, take evidence and require by subpoena the production of any books, papers, records or other items material to the performance" of the PPA's duties. [§ 1798.199.65]
35
Enforcement
Penalties (Private Rights of Action)
The CPRA enables a consumer's private right of action if their "nonencrypted and nonredacted personal information" or "whose email address in combination with a password or security question and answer that would permit access to the account" was "subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices." Damages may be "not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater." [§ 1798.150(a)] There is not another right of action beyond a breach occurring (e.g. no private right of action if a business is not deleting their information upon request). Furthermore, the definition of "personal information" is from a narrower definition of personal information found in [§ 1798.81.5]. Note that "actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days' written notice identifying the specific provisions of this title the consumer alleges have been or are being violated" but the "implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach." [§ 1798.150(b)]
Source: caprivacy.org