On January 1, 2023, the California Privacy Rights Act (CPRA) of 2020 went into effect. Passed by a majority of voters as Ballot Proposition 24, the CPRA expands the personal data protections of California’s 2018 Consumer Privacy Act (CCPA) and creates a new state agency, the California Privacy Protection Agency, to investigate violations and assess penalties.
To avoid fines, businesses operating in the U.S. or handling the customer data of California residents should familiarize themselves with the legal obligations created by these laws.
In 2018, the CCPA put into place the first internet-era consumer data privacy regulations in the U.S. Drawing extensively on the data trafficking restrictions of the E.U.’s General Data Protection Regulation (GDPR), the government of California defined consumer rights concerning the use and sale of personal data collected by businesses.
Specifically, the CCPA stipulates that businesses must disclose what kinds of personal information they capture and store, such as names, addresses, contact information, and purchase histories. Additionally, businesses must honor any consumer requests to delete their personal information or opt out of data sales to third parties.
In its original formulation, the CCPA granted violating businesses 30 days from the time of official notification to cure the violation before any punitive action was initiated, and its restrictions applied only to companies that sell consumer data to third-party buyers.
The CPRA enhances the existing consumer protections and business obligations of the CCPA. The newly enacted changes fall into three categories.
The CPRA expands the scope of regulated businesses. Under Proposition 24, organizations must now comply if they:
Because granting service providers, such as cloud hosting and computing platforms, access to consumer data constitutes data sharing, the CPRA effectively brings most businesses with modern cloud IT architectures under its umbrella.
Although the CCPA established resident rights to know what kinds of data businesses collect and to opt out of data sales, the act’s original definition of personal information contained many loopholes and its specified resident rights did not include any process to amend incorrect data.
To correct this oversight, the CPRA creates new resident rights and a new category of personal information. The act’s new resident rights afford consumers the ability to correct errors in their personal data, request disclosures and terms of service regarding any automated decision-making technology applied to their data, and place restrictions on the use of a new data type called sensitive personal information (SPI).
Under the CPRA, SPI comprises personal information that potentially enables discrimination or crimes such as identity fraud. Examples of SPI include:
Presently, these rights and protections apply only to consumer data, but they will also apply to employee data and business-to-business communications after an initial grace period.
For businesses, compliance with the CPRA’s new regulations will require several proactive steps and the maintenance of guarantees to customers. There are four important steps businesses must take on their own:
Additionally, businesses must be able to demonstrate that their policies guarantee consumers’ rights concerning their personal data. Among these are the right to:
Businesses that collect personal information from clients can jumpstart their compliance efforts for the CPRA with FileInvite’s secure file-sharing and document portal platform. With SOC 2 Type 2 compliance and 256-bit end-to-end encryption for data in transit and at rest, FileInvite meets the information security standards of both the CPRA and the GDPR and helps businesses replace insecure, outmoded file-sharing methods such as email.
To learn more and request a demo, visit FileInvite today.