The new California Privacy Rights Act (CPRA or CCPA 2.0) is one of the most comprehensive privacy laws to date. Its jurisdictional reach extends far beyond state lines.
The CPRA amends and expands the original California Consumer Privacy Act (CCPA, A.B. 375). The data privacy legislation also promises more regulatory oversight with costly fines for non-compliance.
CPRA is effective January 1, 2023, and the regulatory enforcement start date is July 1, 2023. New CCPA compliance requirements under CPRA will apply to all personal information collected on or after January 1, 2022.
Any association that collects, stores, and uses personal data should pay attention to the compliance requirements under California's new privacy law, as well as those of other regulatory regimes around the world. Today, I'll explain exactly what that means.
Let's jump in.
The California Privacy Rights Act is a landmark privacy legislation that closes loopholes in the California Consumer Privacy Act and adds stricter data processing, consent, and disclosure requirements.
According to the State of California Department of Justice, the CPRA gives "California consumers" the following additional individual privacy rights:
The right to know about the personal information a business collects about them and how it is used and shared;
The right to delete personal information collected from them (with some exceptions);
The right to opt-out of the sale of their personal information; and
The right to non-discrimination for exercising their CCPA rights.
In essence, the California privacy law requires you to inform users about how their personal information is collected and shared, make it easy to opt-out of having data disclosed or sold to third parties, and ensure previously collected data is easily accessible and can be removed at any time.
Compared to the CCPA, CPRA expands the definition of personal information. It includes all “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
In other words, personal information under the new California privacy law includes:
A new category for sensitive personal information (SPI) is included in the CPRA as well. This category, of course, has stricter regulations.
Another noteworthy change is the newly established government agency for CCPA and CPRA compliance enforcement. The new regulatory watchdog is called the California Privacy Protection Agency (CPPA). The CPPA's discretionary power officially takes effect on July 1, 2023 (six months after the CPRA becomes effective).
What's the impact of the CPRA on associations? The privacy law technically applies to California residents. But it has much broader implications for any organization that collects personal information.
Whether or not your association gathers information from members in California is irrelevant. Here's why:
So even if your organization isn’t physically located within California boundaries, the CPRA likely still applies to your website, as well as any of your other systems or applications that gather personal data.
Also, sensitive personal information like financial account information is at stake. So it's no wonder the public is demanding higher standards, more transparency, and tighter personal control over their own data. If data breaches can happen to large corporations, how vulnerable are local businesses and associations?
To maintain compliance, you can either align your global data protection practices with the CPRA or enact two completely different systems: one for California and one for the rest of the world. Given the cost and utter insensibility of maintaining dual policies, every association that collects personal data should implement stringent CPRA compliance practices that cover international privacy laws as well.
For example, go ahead and update your consent processes and disclosure notices. Put a visible, accessible button or link that clearly says “Do Not Sell My Personal Information.”
The difference between the California privacy law and the General Data Protection Regulation (GDPR) is largely about opting out vs. consent.
Under the California privacy law, users must be able to opt-out of “personal information” collection activities. Under the European GDPR, users must give direct, informed consent to collect and use “personal data” for valid processing purposes.
The definition of personal information is also slightly different. Under the GDPR, personal data is “any information relating to an identified or identifiable natural person (data subject), directly or indirectly, in particular by reference to an identifier.” In other words, personal data is exclusively individual. The California privacy law, on the other hand, covers direct and indirect personal information.
Another difference is that the CPRA/CCPA protects California residents within and outside state lines. The GDPR, on the other hand, protects “data subjects,” not just EU residents or citizens, located inside the EU, including tourists and non-residents. A data subject is essentially any individual or organization who has data processed inside the EU by any organization offering services and/or products to the EU.
The new CPRA California privacy law adds GDPR-like provisions to the CCPA. Both the GDPR and CCPA/CPRA regulatory regimes:
Are any of your members or web visitors Chinese? Do you process their personal information?
If so, another individual privacy framework that your website may be subject to is China's new Personal Information Protection Law (PIPL). Since November 2021, the PIPL has required separate consent for high-risk processing activities (e.g. cross-border data transfers) that may impact a Chinese resident or multinational.
Both the CCPA and PIPL:
An important part of digital transformation is making sure your association handles the personal data it collects with the utmost care. This is not just about adhering to new laws; it's about earning and keeping the trust of your members. And it's about keeping pace with security trends and best practices to prevent costly breaches.
With the effective date of the new California privacy law approaching faster than we may like to think, we recommend getting prepared. Get your websites and apps compliant with the CPRA, as well as with privacy requirements across multiple countries and jurisdictions. Any future that does not include a strict data policy, a data governance framework, or even a full-on, transparent privacy culture is folly.
Have you taken the necessary steps for successful digital transformation, including the creation of a stricter data collection and use policy to meet the new California privacy law compliance requirements? If not, it's time you make a plan.
We'd love to help your organization achieve and maintain compliance. Drop us a line here.