Stealthbits

What is the California Privacy Rights Act?


Just days before the enforcement of the California Consumer Privacy Act (CCPA) began on July 1st, 2020, the California Privacy Rights Act (CPRA) received enough signatures to qualify to be on the November ballot. This ballot initiative, also referred to as Prop 24, was drafted by the non-profit organization Californians for Consumer Privacy, and looks to extend and clarify several of the provisions in existing California privacy law.  If this measure is approved, it will have major impacts on any company that works with the data of a California citizen.  

CPRA vs CCPA 

The new California Privacy Rights Act incorporates the provisions set forth by the California Consumer Privacy Act (CCPA), but imposes new substantive obligations on businesses, grants consumers new rights, and modifies the CCPA’s enforcement provisions. Alastair Mactaggart, one of the main proponents of the ballot initiative that later served as the foundation of the CCPA, believes that the CCPA serves as a great baseline, but thinks that there are additional rights that California residents deserve.  

Notable Changes 

  • Establishes the California Privacy Protection Agency which will serve to enforce the regulation and protect the privacy of Californians 
  • Defines and establishes a new category of sensitive information, Sensitive Personally Identifiable Information, acknowledging that not all PII is created equal with some categories being more sensitive than others 
  • Provides consumers with new rights 
    • Right to Correction, which grants consumers the ability to request that a business correct inaccurate personal information that has been collected 
    • Right to Restriction, which gives consumers the right to limit a business’s use of their sensitive personal information
  • Increases penalties for breaches that involve the data of minors 
  • Redefines key terms such as the scope of a “business” and what constitutes a “breach”
  • Imposes limitations upon the California Legislature to amend the privacy law 

Significant Dates

[Figure: CPRA Significant Dates]

Who Does it Affect?

The CCPA defined a “business” as any entity that operates for the profit or financial benefit of its shareholders, collects consumers’ personal information, does business within the State of California, and meets one or more of the following thresholds:

  • Has an annual gross revenue in excess of $25 million 
  • Annually buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.
  • Derives 50% or more of its annual revenues from selling consumers’ personal information 

The CPRA adjusts this definition by:

  • Doubling the threshold from 50,000 to 100,000 for an entity that “buys or sells or shares the information of 100,000 or more consumers or households” 
  • Removing the criterion that a business needs a commercial purpose in the buying or selling of personal information
  • Adding to the definition joint ventures or partnerships composed of businesses in which each business has at least a 40% interest

How Can Businesses Prepare for CPRA Compliance? 

While it is widely regarded that the CPRA ballot initiative is likely to pass, businesses should continue to progress and maintain their CCPA compliance efforts. However, they should also monitor privacy developments not only in California but also at the federal level. If the CPRA is not approved, then businesses should prepare for the January 1st, 2021 expiration of the temporary exemptions for employee and business-to-business information.

To adhere to the expanding data privacy regulations, organizations will have to follow common core principles and practices of data privacy and security. They should:

  • Leverage the necessary tools in order to maintain an ongoing understanding of where sensitive data (specifically personal information) exists
  • Enforce strong Data Access Governance practices to ensure that the right controls are in place in order to prevent unauthorized access to personal data 
  • Conduct regular risk assessments to minimize and address any risks to personal data 
  • Deploy monitoring tools in order to detect and respond to threats in real-time 

Learn more about how Stealthbits can help organizations comply with the CCPA and other data privacy regulations.

© 2020 Stealthbits Technologies, Inc.