California Privacy Rights Act will be Enforced – Be Ready | TrustArc

This page contains a cleaned, text-based version of publicly available content from TrustArc.com. It is provided to support knowledge retrieval and AI system understanding while preserving canonical attribution to the original source page on TrustArc.com.

Source URL: https://trustarc.com/resource/california-privacy-rights-act/

Content Type: resource


Section 1

California Proposition 24 adopted

On November 3, 2020, the Golden State voted in favor of Proposition 24, thus expanding the State’s privacy legislation with a new set of rules. The law passed with 56.1% of the vote, despite being debated heavily. Surprisingly, civil rights organizations such as the ACLU came out in opposition to the Proposition. Privacy prevailed, and on January 1, 2023, the California Consumer Privacy Act (CCPA) will be succeeded by the California Privacy Rights Act (CPRA) with a one-year look back to January 2022.

What does the California Privacy Rights Act (CPRA) entail?

The CPRA intends to amend the CCPA by adding new definitions, new individual rights, and broadening the enforcement elements of the CCPA. As was

Section 2

the case with the CCPA, there are still a lot of details to be ironed out in the coming months to ensure the CPRA can be fully operational in 2023. However, quite a few of the changes are already clear.

Sensitive personal information

The CPRA introduces the concept of sensitive personal information, which requires more data protection than regular personal information. Sensitive information includes identification numbers like identity card or passport number, account credentials, credit card details, the precise geolocation of a consumer, and the content of communications via mail, email, and text messages (if a business is not the recipient of the communication), as well as GDPR-aligned data elements like religious or philosophical beliefs, union membership, health, genetic and biometric

Section 3

data, and information related to an individual’s sex life or sexual orientation. Under the CPRA, a consumer will have the right to direct a business not to use or disseminate their sensitive information. If so directed, the business may only use the bare minimum of already collected sensitive personal information that would be needed to deliver the agreed goods or services to the consumer.

The right to deletion

This right is already included in the CCPA and will be extended, ensuring that service providers cooperate with the deletion of personal information and allowing businesses to keep a confidential record of deletion requests for future reference.

A right of correction

The CPRA introduces a right of correction, allowing consumers to request

Section 4

the correction of inaccurate personal information. It is further clarified that businesses may not a consumer for exercising their individual rights under the CPRA. The exception to allow businesses to run loyalty programs and offer premium discounts in return for personal information is made more explicit in the law.

Consumers will get access to more data

A data access request is not limited to just the data collected in the 12 months preceding the consumer’s request. This does not mean that companies will be forced to retain data longer than they usually do. But it may mean that if personal information is retained for 24 months, access will also need to be provided for all data collected and used during

Section 5

those 12 months. This obligation will apply to all data collected after 1 January 2022. And the intended for personal information needs to be disclosed in the privacy notice.

Concept of purpose limitation

The CPRA introduces the concept of purpose limitation into the law, ensuring personal information can only be processed for pre-determined specific, explicit, and legitimate purposes. Data collection will also need to be limited to what is necessary and proportionate.

New cross-contextual behavioral advertising and dark pattern limitation

Another new limitation relates to cross-context behavioral advertising and the use of so-called dark patterns or deceptive patterns. Cross-context behavioral advertising means that advertising publishers can build a profile of an individual, to use as part of their advertising efforts.

Section 6

Under the CPRA, individuals will be able to opt out of such data collection, in part because the definition of a sale is expanded to include the sharing of information without payment. Individuals get a right not to be tracked online if they so wish. To make this even easier, consumers may not be nudged towards accepting the processing of their personal information by the visual presentation of privacy preferences, for example by offering a large, brightly colored “accept all” button and a much smaller and less conspicuous link to change data collection preferences.

Extended data breach requirements

Personal information that is both non-encrypted and non-redacted, as well as the combination of an email address and password or security question and answer allowing access

Section 7

to an account that is subject to unauthorized access, is considered a data breach. Under the CPRA, individuals have the right to claim compensation and other relief that is considered necessary by a court. Companies may also face administrative enforcement for breaches caused by insufficient data security.

California gets a new enforcement agency

From the enforcement perspective, the CPRA introduces a new enforcement agency in California, comparable to data protection supervisory authorities elsewhere in the world. The California Privacy Protection Agency (CPPA) will consist of a five-person board, two members of which will be appointed by the California Governor and the other members by the California Assembly, the Senate and the Attorney General. The CPPA will, among other things, be

Section 8

allowed to investigate violations of the law, conduct hearings and compel testimony, issue cease and desist orders, and issue monetary sanctions. Lastly, the CPPA will also provide further guidance on the application and implementation of the CPRA.

How can you prepare for the CPRA?

Although some of the supporting provisions of the CPRA, including the establishment of the CPPA, have already come into force, the main criteria won’t apply until January 2023. This includes an extension of the current exception for employee data in the CCPA, until 2023. But keep in mind, companies operating in California will need a process in place for handling employee privacy as well. Start by documenting the purposes for your data processing and

Section 9

which personal information is necessary and proportionate to achieve those purposes. It will also be helpful to document which categories of sensitive personal information are being processed.