The California Privacy Rights Act (CPRA) Explained

Consumer privacy is a topic of great concern these days. If your teams utilize customer data carelessly, or without proper consent, your brand will lose trust and potential revenue—and possibly even be discredited. The way businesses use and collect information should be transparent and within the lines of the law.

Regulations like General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) were created to regulate how businesses collect and use consumer data. However, for businesses, this means they have another stringent set of rules to follow.

CCPA came into effect in January 2020. Up next, the California Privacy Rights Act (CPRA) is set to go live in January 2023. With each regulation, businesses need to make organizational and operational changes to stay compliant.

How can your brand navigate these ever-changing consumer privacy regulations? We’ve answered common questions about CPRA to help you better understand how the latest law impacts your business and the next steps you need to take to succeed.

Does CPRA Replace CCPA?

Think of CPRA as CCPA 2.0, a beefed-up version with added regulations regarding data privacy. CPRA is not a radical change of rules and regulations. It is more like an extension to the already existing CCPA.

If you’re doing business in California or with residents in the Golden State, you’re already required to adhere to CCPA (the California Consumer Privacy Act). So, what is the requirement for additional regulations, like the oncoming CPRA?

With CPRA, data privacy laws in the U.S. will be more closely aligned with GDPR in Europe. Meaning…CPRA could leave a significant impact on your business if you don’t have a sound data handling structure, like a customer data platform, in place.

What Has Changed with CPRA?

Let’s look at just some of the changes that CPRA brings to the table. (Keep in mind this list is only a snapshot of the CPRA changes to come.)

The California Privacy Rights Act (CPRA):

  • Triples the fines for violations of children’s privacy.
  • Limits the use of “sensitive personal information,” which is broader than CCPA’s personal information definition.
  • Stops businesses from knowing customer’s precise geolocation.
  • Stops businesses from profiling the customer.
  • Includes rights to correct the customer’s information.
  • Includes rights to have the customer’s personal information kept safe.
  • Includes rights to see all the customer’s information, not just the last 12 months.
  • Includes rights to prohibit both the sharing and sale of personal data.
  • Creates a new California Privacy Protection Agency for more rigorous enforcement.
  • Imposes penalties for negligence resulting in the theft of consumers’ emails and passwords.

How Does CPRA Affect Our Business?

When we look at the evolution happening with CCPA and CPRA, we quickly recognize that these U.S. regulations are looking more and more like the GDPR set in Europe.

Currently, your business must be following CCPA requirements. With the new CPRA regulations announced—and coming into fruition in January 2023—legitimate business concerns regarding this important shift might already be creeping up in your mind.

We understand it’s hard to keep tabs on all of these legislative acronyms, especially when you have enough on your plate already. You don’t have to spend hours decoding both these laws. We’ve made the process of distinguishing between CCPA and CPRA easy for you with a handy checklist that you can download here.

 

Who Must Comply with CCPA and CPRA?

If you are a business that “does business” in California, you must comply with CCPA and CPRA.

The law defines a business as “a for-profit legal entity that collects consumers’ personal information and does business in the state of California.”

The scope of “doing business” in California applies to brands that sell goods or services to California residents, even if the business is not physically located in California. So the location of operations doesn’t exclude you from compliance. Ecommerce brands are a perfect example, since your headquarters might be in Texas but you have hundreds of customers located in California.

CCPA currently applies to businesses that operate in California, which:

  • Have $25 million in gross annual revenue.
  • Obtain or share personal information of at least 50,000 California residents, households, and/or devices per year.
  • Generate at least 50% of their annual revenue from selling California residents’ personal information.

CPRA is also for businesses that operate in California, which:

  • Have $25 million in gross annual revenue.
  • Obtain or share personal information of at least 100,000 California residents and households.
  • Generate at least 50% of their annual revenue from selling California residents’ personal information.

What Happens if My Business Doesn’t Comply With CPRA?

Non-compliance with CPRA brings serious consequences, and you obviously don’t want that.

Everyone behind the scenes at your business has worked hard to keep operations running smoothly, increase revenue, build brand reputation, and maintain customer satisfaction and loyalty. Non-compliance will cause all of this hard work and dedication to unravel.

CCPA already has provisions to penalize businesses for data breaches. Additionally, CPRA violations come with its own civil penalty system—not to mention, possible lawsuits from customers.

The California Privacy Protection Agency can levy anywhere between $2,500 and $7,500 per violation. As a business, you must also consider that CCPA brings in a new category called “Sensitive Personal Information,” where the customers can limit how your organization uses their data.

Moral of the story…if your business violates the mandates set by CPRA, it is going to cost money and reputation. Your brand’s reputation is so valuable that you can’t even put a price on it. Non-compliance with CPRA is not a risk you want to take.

How do Make Our Brand Ready for CCPA and CPRA?

There are two main ways to prepare your business for CPRA compliance and fine-tune processes for CCPA.

The first approach involves studying all the CCPA guidelines and tailoring your business data collection practices to match them. This also requires multiple reviews to see whether you have missed any guidelines.

The second option involves using technology, such as Skypoint’s CCPA compliance software for data collection and compliance in daily operations. Since our privacy software is also a CDP (customer data platform), Skypoint Cloud helps you organize customer data and ensures that everything is in line with these regulations.

For the next steps in your compliance journey, download our CCPA vs. CPRA checklist to fully prepare your organization. Also, our team is happy to give you a demo of Skypoint and answer any other CPRA questions you have…contact us right here.

Share This:

Stay up to date with the latest customer data news, expert guidance, and resources.

More Resources

Your Unified Data, Analytics & AI Partner

Experience the Skypoint AI platform tailored for healthcare, financial services, and the public sector. Securely harness AI with generative AI Copilots and AI Agents to enhance analytics, accurate question answering, automate tasks, and to 10X productivity and efficiency in one compound AI system.