What You Need to Know as the California Privacy Rights Act (CPRA) Takes Effect in January 2023

Dec 02, 2022 Blog Article

California continues to move ahead on the data privacy frontier. With new requirements just around the corner, we look at the potential impact of the new California Privacy Rights Act (CPRA)—and how those requirements will fit with existing laws.

George Janssen, Blancco Group Legal Counsel

George Janssen heads up the Blancco Technology Group legal department, a position he’s held since 2018. In this role, George is responsible for the day-to-day legal operations of the Blancco group worldwide, including data privacy and compliance. With significant legal experience in international organizations focused on technology and software, George specializes in data privacy and data governance, data classification, intellectual property management and technology partnership.

CPRA enforcement officially starts on January 1, 2023, and will expand the state’s consumer privacy laws. It builds on the current California Consumer Privacy Act (CCPA), enacted in 2020 to establish the first foundation for consumer privacy regulations in California.

With the two laws instituted within a short time, and with similar-sounding acronyms, it is essential to understand how these statutes differ and relate to each other.

The CCPA was the first comprehensive privacy law passed by a state legislature in the United States and is quickly becoming one of the leading data privacy laws in the country. It empowers California consumers to see the information a company has saved on them and a complete list of all third parties who can access that data. CCPA also allows data breach victims to sue companies that have compromised their personal information.

The CCPA also includes the right to know what personal information is being processed by a company, the right to delete personal information, and the right to opt out of the sale of such information.

The California Privacy Rights Act

The CPRA amends and further builds on the CCPA, adding privacy protections for California consumers that we explain in more detail below. It will replace certain aspects of the CCPA and create additional obligations for companies operating in California that fall under its scope. Any aspects of the CCPA that the CPRA does not address will remain unchanged.

Also, while CPRA officially takes effect at the beginning of 2023, it will retroactively apply to any personal information collected during the 2022 calendar year.

How Do the CCPA and CPRA Impact Organizations?

These laws apply to any for-profit entity doing business in California that collects, shares, or sells California consumers’ personal data. Affected companies must have an annual gross revenue of more than $25 million, collect the personal information of at least 50,000 consumers, or derive at least half of their annual revenue from selling consumer personal information.

The CPRA will increase this threshold. Any organization that processes the personal information of 100,000 or more consumers in California will fall under the scope of the new law.

| | CCPA | CPRA |
|---|---|---|
| Scope and Reach | Applies to all companies that are buying, receiving, selling, or sharing the personal data of 50,000 or more consumers. | Applies to all companies that are buying, receiving, selling, or sharing the personal data of 100,000 or more consumers. |
| Data Privacy Authority (DPA) | None | Establishes the California Privacy Protection Agency. |
| Opt-out Requirements | Only allows consumers to opt out of selling their personal information. | Gives consumers the right to prevent businesses from sharing their personal information in the first place, using an “opt-in” approach. This point was under discussion by the California Privacy Protection Agency Board at a recent meeting. |
| Consumer Requests | Provided a limited range of information to consumers. | Consumers can get a broader range of information from the business collecting their data, like information on third-party access, collection purposes, etc. |
| Right to Delete | The CCPA mandated that businesses delete outdated customer data upon request. | The CPRA provides consumers with increased rights to delete their personal data kept by the company. For instance, they can now request that a business completely delete any data that’s been collected from them. |
| Audit and Risk Assessments | No audit and risk assessment provisions. | Adds rules regarding audit and data privacy and their vendors. This provision will require businesses that process consumers’ personal information to conduct annual cybersecurity audits and risk assessments to reduce the threats to the privacy and security of consumer data. |
| Similarity to the EU GDPR | Some CCPA structure and principles are similar to the EU GDPR. | CPRA introduces more EU GDPR principles, including a) data minimization and b) purpose limitation (data retention limitation). |

Side-by-Side Comparison of CCPA, CPRA

The Larger Impact of CCPA & CPRA

Let’s look at the practical concerns businesses will face:

The emergence of the CPRA creates additional requirements for companies to manage personal data. These laws affect not only California-based companies, but any vendor that sells in the States.

Note: On October 28 and 29, 2022, the California Privacy Protection Agency (CPPA) conducted a meeting to review and propose certain amendments to the California Privacy Rights Act draft bill. The proposed amendments contain several changes to the initial CPRA draft. The consultation rounds are still ongoing at the time of writing this article. The CPPA Board also authorized agency staff to take all the steps necessary to prepare and give notice on such modifications to proposed regulatory amendments before submitting final regulations to the Office of Administrative Law by year end.