Home » Resources » What You Need to Know as the California Privacy Rights Act (CPRA) Takes Effect in January 2023

What You Need to Know as the California Privacy Rights Act (CPRA) Takes Effect in January 2023

Dec 02, 2022 Blog Article

California continues to move ahead on the data privacy frontier. With new requirements just around the corner, we look at the potential impact of the new California Privacy Rights Act (CPRA)—and how those requirements will fit with existing laws.

George Janssen, Blancco Group Legal Counsel

George Janssen George Janssen heads up the Blancco Technology Group legal department, a position he’s held since 2018. In this role, George is responsible for the day-to-day legal operations of the Blancco group worldwide, including data privacy and compliance. With significant legal experience in international organizations focused on technology and software, George specializes in data privacy and data governance, data classification, intellectual property management and technology partnership.

CPRA enforcement officially starts on January 1, 2023, and will expand the state’s consumer privacy laws. It builds on the current California Consumer Privacy Act (CCPA), enacted in 2020 to establish the first foundation for consumer privacy regulations in California.

With the two laws instituted within a short time—and with similar sounding acronyms—it is essential to understand how these statutes differ and relate to each other.

The CCPA has been the first comprehensive privacy law passed by a state legislature in the United States and is quickly becoming one of the leading data privacy laws in the country. It empowers California consumers to see the information a company has saved on them and a complete list of all third parties who can access that data. CCPA also allows data breach victims to sue companies that have compromised their personal information.

The CCPA also includes the right to know what personal information is being processed by a company, the right to delete personal information, and the right to opt out of the sale of such information.

Laws like CPRA set industry benchmarks: Standards, Certifications, Recommendations and Compliance: What’s the Difference?

The California Privacy Rights Act

The CPRA amends and further builds on the CCPA, adding privacy protections for California consumers that we explain in more detail below. It will replace certain aspects of the CCPA and creates additional obligations to companies operating in California that fall under its scope. Any aspects of the CCPA that the CPRA does not address will remain unchanged.

Also, while CPRA officially takes effect at the beginning of 2023, it will retroactively apply to any personal information collected during the 2022 calendar year.

How Do the CCPA and CPRA Impact Organizations?

These laws apply to any for-profit entity doing business in California that collects, shares, or sells California consumers’ personal data. Affected companies must have an annual gross revenue of more than $25 million, collect the personal information of at least 50,000 consumers, or derive at least half of their annual revenue from selling consumer personal information.

The CPRA will increase this threshold. Any organization that processes the personal information of more than 100,000 or more consumers in California will fall under the scope of the new law.

ASPECTS	CCPA	CPRA
Scope and Reach	Applies to all companies that are buying, receiving, selling, or sharing the personal data of 50,000 or more consumers.	Applies to all companies that are buying, receiving, selling, or sharing the personal data of 100,000 or more consumers.
Data Privacy Authority (DPA)	None	Establishes the California Privacy Protection Agency.
Opt-out Requirements	Only allows for consumers to opt-out of selling their personal information.	Gives consumers the right to prevent businesses from sharing their personal information in the first place, using an “opt-in” approach. This point was under discussion by the California Privacy Protection Agency Board at a recent meeting.
Consumer Requests	Provided a limited range of information to consumers.	Consumers can get a broader range of information from the business collecting their data, like information on third-party access, collection purposes, etc.
Right to Delete	The CCPA mandated that businesses delete outdated customer data upon request.	The CPRA provides consumers with increased rights to delete their personal data kept by the company. For instance, they can now request that a business completely delete any data that’s been collected from them.
Audit and Risk Assessments	No audit and risk assessment provisions.	Adds rules regarding audit and data privacy and their vendors. This provision will require businesses that process consumers’ personal information to conduct annual cybersecurity audits and risk assessments to reduce the threats to the privacy and security of consumer data.
Similarity to the EU GDPR	Some CCPA structure and principles are similar to the EU GDPR.	CPRA introduces more EU GDPR principles, including a) Data minimization b) Purpose limitation (data retention limitation)

Side-by-Side Comparison of CCPA, CPRA

The Larger Impact of CCPA & CPRA

Let’s look at the practical concerns businesses will face:

The new CPRA will establish a governing administrative agency (Data Privacy Authority) that will operate as a watchdog to protect consumer privacy. This agency will vigorously enforce the law against businesses that violate consumers’ privacy rights.
The CCPA currently penalizes companies $2,500 per violation with fines reaching $7,500 for intentional violations. The CPRA introduces a new penalty of up to $7,500 for each violation (even if unintentional) of the consumer privacy rights of minors. This is in addition to consumer claims allowed under the CPRA.
The CPRA will offer consumers an additional right of data erasure.
Organizations are required to complete yearly data privacy and cybersecurity risk assessments, which will include the way they manage data and dispose of it in a secure way.

Erasure made easy: Erasing Assets Remotely Using Blancco Drive Eraser

The emergence of the CPRA creates additional requirements for companies to manage personal data. These laws affect not only California-based companies, but any vendor that sells in the States.

Note: On October 28 and 29, 2022, the California Privacy Protection Agency (CPPA) conducted a meeting to review and propose certain amendments to the California Privacy Rights Act draft bill. The proposed changes contain several changes to the initial CPRA draft. The consultations rounds are still ongoing at the time of writing this article. The CPPA Board also authorized agency staff to take all the steps necessary to prepare and give notice on such modifications to proposed regulatory amendments before submitting final regulations to the office of Administrative Law by year end.

Are You Ready for CPRA?

Blancco’s data erasure solutions provide simple, straightforward methods for meeting new data destruction requirements.
Experience our solutions in your environment to see how.

Get My Free Trial

Laptop & Desktop Erasure for Enterprise

Data Center

Cloud Migration

Storage & Loose Drives

Diagnostics & Erasure

Mobile – Buy-Back/Trade-In

Mobile Insurance

Fault Management

Storage

Laptop & Desktop Erasure for ITAD

Loose Drives

Server