Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

California Privacy Rights Act (CPRA): Your Up-To-Date Guide to CCPA 2.0

The California Privacy Rights Act (CPRA), an extension of the CCPA, is expected to pass in Nov 2020 — we’ll explain what the CPRA means for your business.
David Harrington
6 min read
Published August 17, 2020
Last updated March 3, 2022

Technology and social media giants like Facebook and Google are about to get a huge reality check in how they handle customer data. The California Privacy Rights Act (CPRA) is on the ballot for Californians and would introduce a new slew of standards and initiatives to improve data protection and privacy for all Californians.

But CPRA isn’t necessarily bad news for all businesses. As long as companies know the ins and outs of CPRA — and make the right preparations — data privacy and security should improve for all parties involved.

Get the Free Essential Guide to US Data Protection Compliance and Regulations

Quick Review: What is the California Privacy Rights Act?

who does CPRA affect

The CPRA will effectively function as version 2.0 of the California Consumer Privacy Act, strengthening data and privacy rights.

  • The measure is sponsored by the private group California Consumers for Privacy, which collected over 900,000 signatures supporting the measure.
  • Proposition 24 passed, and the CPRA will start phasing in on January 1st, 2021.

CPRA: A Step Towards a US Version of GDPR

Both the CCPA and CPRA are heavily influenced by the European Union’s General Data Protection Regulation (GDPR). The GDPR is one of the first comprehensive data privacy and protection regulations providing consumers greater control of their personal information. In many respects, the CPRA is a United States version of the GDPR.

Who Does the CPRA Affect?

The CPRA will affect large businesses and organizations the most. Any company that engages in the data collection, analysis, and storage of any person located in California is subject to CPRA they fit under the following criteria:

  • For-profit companies that do business in California
  • Over $25 million in annual revenue
  • Companies that buy, sell or share personal information (PI) of over 100,000 consumers or households
  • Derives at least 50 percent of annual revenue from selling or sharing of consumer PI

It’s important to note that even if a business isn’t physically or legally located in California, that company is still subject to CPRA as long as they have users or conduct business in the state.

How Could it Affect Businesses?

  • Businesses will need to improve opt-in and consent processes on their websites, emails, and other digital channels to comply with CPRA
  • Companies will be required to have more robust internal practices for responding to data privacy-related requests from consumers.

When Does the CPRA Go Into Effect?

The CPRA only becomes law if it passes with a majority of California voter support on the November 3rd election. If so, a preliminary version of CPRA would take effect mid-December, followed by a ramp-up year beginning on January 1st of 2022. The law will be fully implemented as of the start of 2023, with the caveat that all businesses taking efforts to be in compliance between now and then. July 1st of 2023 will be the official enforcement date when businesses will be subject to fines and penalties for non-compliance.

Latest Updates and CPRA News

Update: November 2nd, 2020

Some of the largest privacy rights groups and tech leaders announce support for the CPRA. This includes the Electronic Privacy Information Center (EPIC) and the Own Your Own Data Foundation.

Update: November 3rd, 2020

Proposition 24 and the CPRA officially passes. The California vote was 56% in favor of the measure. Various political and technology leaders — like presidential candidate Andrew Yang — react positively to the news.

CCPA vs CPRA: New Terminology

The CPRA is generally a more robust framework than CCPA, protecting more consumer data types and business activities. Here are the key distinctions and alterations in terminology businesses should be aware of.

  • Sensitive Personal Information (SPI). While the CCPA protects PI, the CPRA introduces new terminology in the form of SPI. The list of SPI is long and includes things like SSNs, ethnic/religious background, and biometric data.
  • Selling vs. Sharing. The CCPA only applies to businesses that generate over 50 percent of their revenue from selling data. The CPRA specifies “sharing” rather than selling, making it more broadly applicable.
  • Higher User Threshold. Under CCPA, businesses must comply if they collect data from 50,000 households or more. The CPRA increases this number to 100,000, making it more friendly to small-to-medium sized businesses.
  • Third-Party Opt-out Rights. CCPA gives consumers the “Right to Opt-out of Third Party Sales.” Under CPRA, users now have the “Right to Opt-out of Third Party Sales and Sharing.”
  • Right to Delete. The CCPA provides consumers the right to have their data deleted upon request. If the CPRA takes effect, businesses will also have to notify third-parties to delete that same data upon request.
  • Advertising Usage. Under CCPA, consumers can opt-out of their data being sold to advertisers for monetary compensation. The CPRA extends this right to “cross-context behavioral advertising” where data is shared without direct financial compensation.
  • Right to Correction. The CPRA would introduce this right — not included in the CCPA — where consumers may request the correction of PI held by businesses.
  • Right to Opt-Out of Decision Making Technology. Another provision unique to CPRA, letting consumers opt-out of automated decision-making technologies. This generally refers to “profiling” consumers with regards to factors like health status, location, work history, or other demographic indicators.
  • Opt-in Rights for Minors. The CPRA strengthens opt-in requirements for minors. Businesses must now notify minors if they intend to sell or share user data for behavioral advertising purposes.
  • Right to Restrict Sensitive PI. Sensitive PI is protected under CCPA. But the CPRA extends this right to third-party use. Consumers can now restrict that sensitive PI from being shared with other entities.

While there are other changes in language and terminology, there are the main updates that businesses should be aware of. Businesses should focus on opt-in rights, third-party data sharing, and advertising usage as the primary differences between CCP and CPRA.

How to Prepare for CPRA Compliance

cpra preparation tips

Whether or not CPRA passes — although odds are it will — businesses should still strive to stay ahead of the regulatory curve. Taking a proactive stance towards compliance standards will insulate you from penalties, reduce future compliance costs, and help maintain a trusting relationship between your brand and consumers.

Audit Third-Party Ecosystem

One of the most significant updates with CPRA is the added protection of third-party data. Businesses will want to audit their vendor and partner ecosystem and ensure that all data is being shared, handled, and stored in a secure manner. Have streamlined processes in place to handle requests for correction, deletion or transfer.

Inventory All Personal Data Types

Since CPRA extends rights from PI to SPI, you’ll want to make sure every single piece of data about a user is accounted for. Things like demographic, location and employment data are now subject to regulation. Having all that information organized and attached to the right user will be critical under CPRA.

Update Consent and Opt-in Forms

Since the CPRA raises the bar for consent and opt-in, companies will want to make sure that consumers are well-informed before allowing their data to be used, stored or shared. Companies that do business in Europe will be well-served by strengthening opt-in and consent to comply with GDPR.

Implement Data Request Processes

Passage of CPRA will undoubtedly result in more consumer data privacy requests. This could be for deletion, transmission or update. Businesses will need to have processes, personnel, and technologies in place to handle these requests in a streamlined fashion.

ten important CPRA changes visual

What Could the CPRA Change for Me?

CCPA will primarily change the way businesses share data with third-parties. Companies will also need to better protect broader categories of data per the new SPI category. Here are some of the key developments and what they might mean for you.

1. Point of Collection Notices

Businesses will need to beef up their notifications at the point of data collection. CPRA states that consumers be notified that their data might be sold or shared, in addition to how long that data will be kept.

2. Data Sharing in Advertising

Businesses will need to be more cognizant of how their user data is shared with third-party advertisers. Businesses should have the means in place to opt-out consumers of non-paid data sharing in advertising should they request.

3. Lesser Requirements for SMBs

The good news for small-medium sized businesses is that the CPRA only applies to businesses that use data from users or households over 100,000. The CCPA currently specifies 50,000 so SMBs can expect some relief.

4. New Service Provider Agreements

The CPRA mandates additional terms to be placed in agreements with digital service providers. Companies will have to go over the CPRA in detail and ensure the proper language is included in all service provider agreements.

5. Potential Risk Assessment Audits

Much like the GDPR, the CPRA mandates that businesses undergo regular audits and risk assessments to certify compliance. Businesses can also expect to submit assessments to regulator bodies on a yearly basis.

6. California Privacy Protection Agency

The CPRA also establishes the first U.S. regulatory agency dedicated specifically to privacy, the California Privacy Protection Agency (CPAA). Businesses can expect to potentially engage with the CPAA if the CPRA does pass.

7. Data Retention Notifications

Under CPRA, businesses need to disclose how long they keep data to consumers. Businesses will need to prepare to inform consumers about their data retention timeline. CPRA mandates that businesses only keep data as long as is “reasonably necessary.”

8. Exemptions for Clinical Trials

For pharmaceutical and biotech companies, the CPRA will retain exemptions for clinical trials set forth by the CCPA and Health Insurance Portability and Accountability Act (HIPAA). The CPRA should make compliance efforts easier by further codifying and explaining the scenarios where exemptions are appropriate.

CPRA Sets a New Privacy Standard

The goal of CPRA is to improve upon the CCPA, bringing it closer to GDPR’s current gold standard of data privacy rights regulations. California is at the forefront of this issue and consumers in the state are likely to pass the measure. Given that California is home to most major technology and social media companies, state residents are very aware of the risks that data collection and storage present.

Although it will take around two years to fully implement, the CPRA should generally be viewed as a positive development in the protection of consumer data. Businesses may incur some additional compliance costs, but the CPRA is aimed at larger enterprises that can well afford those costs instead of small-to-medium sized businesses.

The good news is that businesses have plenty of time to get their ducks in a row before CPRA non-compliance becomes a fineable offense in 2023. Starting today, businesses can begin enlisting the right data protection technology and compliance partners to help make their CPRA compliance journey as seamless as possible. Companies should have the infrastructure in place to comply with consumer data privacy requests, update their opt-in and notification processes, and conduct regular risk assessment audits starting in 2021.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

varonis-launches-data-center-in-canada-for-cloud-native-security
Varonis Launches Data Center in Canada for Cloud-Native Security
We're excited to announce the opening of our data center in Toronto to support new customers and existing customers moving to Varonis' SaaS offering.
varonis-expands-dspm-capabilities-with-deeper-azure-and-aws-support
Varonis Expands DSPM Capabilities with Deeper Azure and AWS Support
Varonis is expanding its IaaS coverage to AWS databases and Azure Blob Storage, strengthening the CSPM and DSPM pillars of our Data Security Platform.
what-about-individual-users-on-acl's?
What About Individual Users on ACL's?
One question I received in response to our recent post about aligning windows security groups and automating entitlement reviews was, “If you’re using single-purpose security groups and managing them automatically...
personally-identifiable-information-hides-in-dark-data
Personally Identifiable Information Hides in Dark Data
To my mind, HIPAA has the most sophisticated view of PII of all the US laws on the books. Their working definition encompasses vanilla identifiers: social security and credit card...