Comply With the California Privacy Rights Act

Privacy and IT professionals must build a plan to minimize operational impact of the CPRA obligations.
It is unclear which CPRA provisions are most important for your organization and how far you need to go to be compliant.
Organizations must decide how to maintain trust with their customers while being transparent about the use of their data.

Our Advice

Critical Insight

Not all requirements are equal. You must understand the business impact of compliance – and potential impact of non-compliance – and prioritize your privacy activities accordingly.
Your privacy program can be compliant today and quickly fall out of compliance tomorrow amid constantly evolving requirements.
"Checkbox Compliance" will no longer work in this dynamic privacy environment.

Impact and Result

Understand what is new in the CPRA as compared to what is in the CCPA
Understand the risk of CPRA non-compliance
Quickly assess your compliance status

Comply With the California Privacy Rights Act Research & Tools

1. Business-Aligned Privacy Program Deck – A step-by-step document that walks you through building an industry standard privacy program that can handle CPRA and will prepare your organization for future regulations.

This deck will help businesses understand the differences between the CCPA and the CPRA and how they will affect their business operation. It will support privacy leaders as they build an industry standard privacy program that can handle CPRA and prepare them for other future regulations.

2. CPRA Checklist – A comprehensive checklist to help your business assess the scope and obligations under the CPRA status.

Use this checklist to assess whether you fall in scope of the CPRA and what your obligations are.

Comply With the California Privacy Rights Act

Go beyond “checkbox compliance” to stay ahead of the latest regulations

Analyst Perspective

Privacy is here to stay.

Starting in 2023, the California Privacy Rights Act (CPRA) will supplant the current California Consumer Privacy Act (CCPA).

California is leading the United States in the whirlwind of Privacy Legislations. In a span of three years, California has passed landmark legislation to protect consumer privacy with the CCPA, and is now further expanding on these consumer rights with the CPRA, bringing the state close to being on par with the highest global standard, which is the European Union’s General Data Protection Regulation (GDPR).

Regardless of which jurisdiction you find your business operating in, complying with the provisions of the CPRA puts you in a better position, safe from potential fines and lawsuits.

The challenge for businesses is to find a non-disruptive way to adopt privacy practices into your business operations and goals. Three key practices a business can master will be: to know what data it collects and where that data is stored, to proactively respond and track Verifiable Consumer Request or Data Subject Access Request (DSAR) under GDPR, and to regularly conduct Risk Assessments.

Iris Akwetey
Senior Research Analyst
Info-Tech Research Group

Executive Summary

Your Challenge	Common Obstacles	Info-Tech’s Approach
Complying with new the CPRA obligations will involve business-critical data, and you must build a plan to minimize its operational impact. It is unclear which CPRA provisions are most important for your organization and how far you need to go to be compliant. Expanded transparency requirements of CPRA will make it difficult to protect your trusted relationships with customers.	The lack of knowledge, tools, or professional time to map the complex Sensitive Data categories of CPRA to your business operations. Privacy regulations are dynamic, requiring constant updates to your privacy practices (and lots of time to understand and interpret each regulation!). Privacy is a cross-functional project that requires communication and coordination for smooth implementation.	Info-Tech will design a customizable checklist of the new CPRA provisions that will affect your business. Build an industry standard privacy program that can handle CPRA and is prepared for other future regulations as well. Prepare to respond to verifiable consumer requests to manage consumer communication and foster trust.

Info-Tech Overarching Insight

Your privacy program can be compliant today and quickly fall out of compliance tomorrow amid constantly evolving requirements.

Keeping up with new and amended regulations can be daunting, and “checkbox compliance” no longer works in this dynamic environment. You will need a privacy program that is proactive and can measure your success as regulations keep evolving.

What is CPRA and what does it mean?

The California Privacy Right Act (CPRA) is a state-wide privacy regulation passed in 2020 to supplant the California Consumer Privacy Act (CCPA). The CPRA takes effect on January 1st, 2023, with a lookback period from January 1, 2022.

The CPRA introduces new concepts to Data Privacy in California. It contains concepts that draw the regulation closer to EU’s GDPR, expand consumer rights, and close potential loopholes in the previous version of CCPA.

Privacy is here to stay, and like GDPR paved the way for global privacy, the CPRA will likely serve to spur similar new regulations in other North American jurisdictions.

Source: Cytrio

CPRA vs. CCPA for Qualifying Businesses

Comply with California Privacy Rights Act 2023

The image contains a screenshot of tables that demonstrate how to Comply with California Privacy Rights Act 2023.

Compare the CPRA to the CCPA

Both the CCPA and CPRA protect the data privacy of all consumers who are residents of California. However, the CPRA is an expanded, more comprehensive version of the CCPA. The information below introduces you to the differences, similarities, and business implications of the new CPRA provisions.

Provisions	CCPA	CPRA	Business Implications
Businesses Scope	Organizations that are subject to CCPA will: Have >25 million USD in revenue; OR Use personal data of 50,000 persons or more for commercial purposes; OR Derive >50% of annual revenue from selling personal data. Exclusions: Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA) covered entities. Charities or non-profit organizations.	Organizations that are subject to CCPA will: Have >25 million USD in revenue; OR Buy, Sell, or Share personal data of >100,000 consumers or households; OR Derive >50% of annual revenue from selling or sharing personal data. Exclusions: Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA) covered entities. Charities or non-profit organizations.	Some small to midsize businesses may not qualify under the threshold related to scope of "more than 100,000 consumer household." The inclusion of “sharing” as it relates to the scope of "more than 50% annual revenue from selling or sharing personal data" would likely increase the number of businesses that would qualify under that threshold.
Data Governance	Purpose Limitation Business Contracts for Third Parties	Data Minimization Purpose and Use Limitation Data Retention Limitation Business Agreements/Contract Requirements Pre-Collection Notice Regularly submit a risk assessment of how Sensitive Personal Data is processed Identify and weigh the potential risks and benefits of the data	Businesses will be required to reasonably limit the collection of personal information to what is necessary for the purpose for which the information was collected. Retention of personal information will also be limited to the least amount of time necessary. Service providers or contractors shall not combine personal information received directly from opted-out consumers with personal information received from businesses on behalf of the consumer. Employee data must be treated the same as consumer data and as such organizational obligation and consumer rights apply.

Provisions

CCPA

CPRA

Business Implications

Businesses Scope

Organizations that are subject to CCPA will:

Have >25 million USD in revenue; OR
Use personal data of 50,000 persons or more for commercial purposes; OR
Derive >50% of annual revenue from selling personal data.

Exclusions:

Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA) covered entities.
Charities or non-profit organizations.

Organizations that are subject to CCPA will:

Have >25 million USD in revenue; OR
Buy, Sell, or Share personal data of >100,000 consumers or households; OR
Derive >50% of annual revenue from selling or sharing personal data.

Exclusions:

Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA) covered entities.
Charities or non-profit organizations.

Some small to midsize businesses may not qualify under the threshold related to scope of "more than 100,000 consumer household."
The inclusion of “sharing” as it relates to the scope of "more than 50% annual revenue from selling or sharing personal data" would likely increase the number of businesses that would qualify under that threshold.

Data Governance

Purpose Limitation
Business Contracts for Third Parties

Data Minimization
Purpose and Use Limitation
Data Retention Limitation
Business Agreements/Contract Requirements
Pre-Collection Notice
Regularly submit a risk assessment of how Sensitive Personal Data is processed
Identify and weigh the potential risks and benefits of the data

Businesses will be required to reasonably limit the collection of personal information to what is necessary for the purpose for which the information was collected.
Retention of personal information will also be limited to the least amount of time necessary.
Service providers or contractors shall not combine personal information received directly from opted-out consumers with personal information received from businesses on behalf of the consumer.
Employee data must be treated the same as consumer data and as such organizational obligation and consumer rights apply.

Compare the CPRA to the CCPA

Provisions	CCPA	CPRA	Business Implications
Consumer Rights	Right to Opt-Out of Third-Party Sales Right to Know and Access Right to Delete Right to Data Portability Rights for Minors/Children Also: Display “Do Not Sell My Personal Information” link on your website Concept of “Sensitive Data Category” is NOT introduced	Right to Access Information About Automatic Decision Making Right to Limit Use and Disclosure of Sensitive PI Right to Correct Information Right to Delete Right for Minors/ Children Right to Data Portability Right to Opt-out of sale and sharing. new classification and disclosure for SPI Also: Display “Limit the Use of My Sensitive Personal Information” link on website Display “Do Not Sell or Share My Personal Information” link on your website	Businesses must develop strong verifiable consumer request policies and procedures to swiftly deal with consumer requests. Businesses must review their cyber insurance to cover financial losses from lawsuits and breach incidents. Privacy policies must be transparent for consumers to know their right of access to their personal information for correction, deletion or opting out of sharing or selling Businesses must be ready to protect the new category of personal data and respond accordingly when a consumer decides to opt out. Businesses must make sure that their website is updated to display the “Limit the Use of My Sensitive Personal Information” link to give consumers the option to limit the processing of their sensitive personal information. Business must also include a link on their website stating “Do Not Sell or Share My Personal Information’’ to opt consumers out of sharing and sale.
Rights of Action and Enforcement	Private right to take legal action for exposed nonencrypted or nonredacted personal information California Office of the Attorney General (OAG) $2,500 (USD) fine for each unintentional violation or $7,500 for each intentional violation 30-day remedy period	Private right to take legal action for exposed nonencrypted or nonredacted personal information Private right of action to include unauthorized access to email addresses and passwords or security questions California Privacy Protection Agency (“Privacy Agency”) $2,500 (USD) fine for each unintentional violation or $7,500 for each intentional violation or each violation involving a minor Elimination of the 30-day remedy period	The addition of login credentials as a legally actionable personal Information security breach means businesses consider implementing advanced layers of data encryption, like multi-factor authentication, as a security measure. Businesses may also encourage and enforce the use of more complex passwords. Anticipation of "ambulance chasing" and an increased number of investigations and enforcement actions to be taken by the CPPA.

Provisions

CCPA

CPRA

Business Implications

Consumer Rights

Right to Opt-Out of Third-Party Sales
Right to Know and Access
Right to Delete
Right to Data Portability
Rights for Minors/Children

Also:

Display “Do Not Sell My Personal Information” link on your website
Concept of “Sensitive Data Category” is NOT introduced

Right to Access Information About Automatic Decision Making
Right to Limit Use and Disclosure of Sensitive PI
Right to Correct Information
Right to Delete
Right for Minors/ Children
Right to Data Portability
Right to Opt-out of sale and sharing.
new classification and disclosure for SPI

Also:

Display “Limit the Use of My Sensitive Personal Information” link on website
Display “Do Not Sell or Share My Personal Information” link on your website

Businesses must develop strong verifiable consumer request policies and procedures to swiftly deal with consumer requests.
Businesses must review their cyber insurance to cover financial losses from lawsuits and breach incidents.
Privacy policies must be transparent for consumers to know their right of access to their personal information for correction, deletion or opting out of sharing or selling
Businesses must be ready to protect the new category of personal data and respond accordingly when a consumer decides to opt out.
Businesses must make sure that their website is updated to display the “Limit the Use of My Sensitive Personal Information” link to give consumers the option to limit the processing of their sensitive personal information.
Business must also include a link on their website stating “Do Not Sell or Share My Personal Information’’ to opt consumers out of sharing and sale.

Rights of
Action and Enforcement

Private right to take legal action for exposed nonencrypted or nonredacted personal information

California Office of the Attorney General (OAG)

$2,500 (USD) fine for each unintentional violation or $7,500 for each intentional violation

30-day remedy period

Private right to take legal action for exposed nonencrypted or nonredacted personal information
Private right of action to include unauthorized access to email addresses and passwords or security questions
California Privacy Protection Agency (“Privacy Agency”)
$2,500 (USD) fine for each unintentional violation or $7,500 for each intentional violation or each violation involving a minor
Elimination of the 30-day remedy period

The addition of login credentials as a legally actionable personal Information security breach means businesses consider implementing advanced layers of data encryption, like multi-factor authentication, as a security measure.
Businesses may also encourage and enforce the use of more complex passwords.
Anticipation of "ambulance chasing" and an increased number of investigations and enforcement actions to be taken by the CPPA.

Key Business Obligations

Many states have published or will publish new privacy regulations – so be aware of your business obligations under each regulation. As better privacy becomes the expectation from both B2B customers and end-consumers, you can expect to gain a competitive advantage by strengthening your privacy program. Privacy metrics take your program from a static framework to an operational model.

Requirement	CPRA	CCPA	CPA	GDPR	VCDPA
Disclosure of Privacy Policy	✓	✓	✓	✓	✘
Cross-Border Transfer Requirements	✘	✘	✓	✓	✘
Special Requirements for Children’s Data	✓	✓	✓	✓	✓
Data Minimization	✓	✘	✓	✓	✓
Implement Data Security Measures	✓	✓	✓	✓	✓
Risk Assessment	✓	✓	✘	✘	✘
Verifiable Consumer Request	✓	✓	✓	✓	✓
New website link requirements (do not sell or share personal information, limit the use of my personal information)	✓	✓	✘	✘	✘
Vendor Contracts Requirements	✓	✓	✓	✓	✓
Enforcing Agency	✓	✘	✘	✓	✘
Penalties and Fines	✓	✓	✓	✓	✓

Privacy Regulation Acronyms

CPRA – California Privacy Right Act
CPA – Colorado Privacy Act
GDPR – General Data Protection Regulation
VCDPA – Virginia Consumer Data Protection Act

Info-tech’s Privacy Framework tool

Leverage Info-tech’s Privacy Framework Tool to assess your current organizational privacy maturity while comparing against current privacy frameworks.

Determine your CPRA obligations

The extent of your obligations under CPRA depend on how your organization is defined.

CPRA defines five key roles (listed here) and contains details on the obligations each group is subject to.

NON-PROFIT

Both CPRA and CCPA exclude non-profit organizations as subject to their requirements. However, CPRA's third definition of “business,” which is any entity that operates alone or jointly with others, as defined above, may qualify nonprofit under this scope only if the related businesses shares consumer personal Information.

Best Practice:

The best practice for a nonprofit is to be informed about the privacy policy of their vendors and suppliers who may be subject to CPRA and want to pass on downstream requirements to you.

Be aware of all policies you must comply with, as well as respect and protect the intentions and privacy of donor and personal information.

Business

Any entity that:

Operates for profit in California (whether physically present in California or not)
Collects California residents' personal information (or on whose behalf such information is collected)
Either alone or jointly with others, determines the purposes and means of the processing California residents' personal information, and satisfies at least one of the three (3) requirements as listed on slide 8.

Third Party

An organization that is NOT any of the following:

A business with whom the consumer intentionally interacts
A service provider to the business
A contractor

Consumer

A natural person who is a California resident.

Service Provider

A person that processes personal information received from or on behalf of the business.

Contractor

A person to whom the business makes available consumer’s personal information for a business purpose.

Data Governance

Data Processing Agreements

A data processing agreement that was drafted under the CCPA will need a thorough review before its renewal in 2023. As the chart indicates, the CPRA has additional requirements for businesses that process consumer data.

DATA MINIMIZATION
Data minimization NOT COVERED

Purpose limitation [1798.100 (b)]

Retention limitation NOT COVERED

CCPA

CPRA

DATA MINIMIZATION
Data minimization Obligation [1798.100 (1)]

Purpose limitation Obligation [1798.100 (2)]

Retention limitation Obligation [1798.100 (3)]

BUSINESS CONTRACT

Business contract is required to disclose PI to third parties and service providers. [1798.140 (v) , Section 1798.140 (w) (2)(A)]

BUSINESS AGREEMENT

Business agreement is required to sell or share PI with third parties and disclose to service providers or contractors. [1798.100 (d)]

RIGHT TO CORRECT PERSONAL DATA

NOT COVERED

RIGHT TO CORRECT PERSONAL DATA Consumer’s right to have their personal data corrected by the business if it is incorrect.[1798.106]

VERIFIABLE CONSUMER REQUEST

Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer [1798.130 (a) (2)]

VERIFIABLE CONSUMER REQUEST

Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer [1798.130 (a) (2)]

SECURITY CONTROL

Businesses are a duty implement and maintain reasonable security procedure and practices appropriate to the kind of PI they collect [1798.150 (a) (1)]

SECURITY CONTROL

Businesses are required to implement a reasonable security procedure and practices appropriate to the kind of PI they collect. Section [1798.81.5, 1798.100(e)]

Digital Marketing Under CPRA

Most businesses rely on personal data from social media analytics to promote their campaign. These three CPRA requirements stand out to significantly impact the marketing and digital advertising industry as soon as the regulation goes into effect in 2023. Businesses in this capacity must start considering privacy in all planning and design discussions for marketing and advertising initiatives.

Provide the option to consumers to opt-out of the sharing and selling of their personal data.	Provide the option for consumers to opt-out of cross-contextual behavioral advertising and opt-out of both the “sale” and “sharing” of their personal information.	Fulfil consumers' right to correct any inaccurate personal information in an organization's repository.
DO NOT SHARE OR SELL	OPT-OUT	RIGHT TO CORRECT

Info-Tech Insight

Predictively, digital marketing under CPRA will require a complete evaluation of business marketing strategy.

Marketing behavior or using personalized behavioral advertising or “targeted advertising” to improve conversion rates in ten folds will no longer be possible.

Consumer Rights

Verifiable Consumer Request Response

Consumers’ rights to access and control their data is a key part of the CPRA, and any implicated organization must have robust process to respond to these requests in a timely manner.

1. Establish a method to respond to requests

Understand your data flows. Next, build visuals for how consumer data typically flows through your organization.

2. Identify request type and verify requester
Data requests could be for example: collection, sale, or disclosure for a business purpose.

3. Provide the information requested on time
Build internal procedures to address each type of consumer request. Validate procedures.

4. Document your actions
Record request types and responses in a centralized location. Build demonstrable compliance.

Info-Tech Insight

The phrase “Data Subject Access Request” has become a proper noun amongst privacy professionals, but it does not appear anywhere in the CPRA.
Rather, the CPRA requires organizations to respond to “Verifiable Consumer Requests.”

Sensitive Personal Information

The CPRA introduces the concept of “sensitive personal information” (SPI), which has a subcategory of personal information. According to the CPRA, ”“Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.“ (section 1798.140 (o)(1))

“Sensitive Personal Information” on the other hand means personal information that reveals the following:

Genetics: A consumer’s genetic data.

Geolocation: A consumer’s precise geolocation.

Diversity, Equity, Inclusion: A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership.

Identifications: A consumer’s social security, driver’s license, state identification card, or passport number.

Authentication: A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.

Communication Mode: The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication.

Risk assessment under CPRA

CPRA requires risk assessment (DPIA) to be conducted on regular basis. Follow these steps to complete an industry standard DPIA :

For all identified high-risk processing activities, work through the dynamic questionnaire.
Complete one threshold assessment per activity.
Based on the recommendation and risk score, move to complete the DPIA on a per-activity basis.
Complete either a Lite or Full version of the DPIA, based on the nature of the process.
Involve the process owner (Project Owner) and a third-party stakeholder (Project Reviewer).
Refer to the results report (tab 4) to review each of the priority processes and subsequent next steps toward compliance.

Download this tool

Complete this activity by filling out Info-Tech's DPIA Tool.

Input	Output
Prioritization of sensitive PI involved Benefits vs. potential risk of processing activities	Analysis of high-risk business processes Understanding of impact (risk or benefit) of data involved in processing activities
Materials	Participants
Risk Assessment Tool	Privacy Officer Core privacy team InfoSec representative (optional) IT representative (optional)

Enforcement and Right of Action

Expect CPRA to be enforced

Everybody wants to know whether they will face actual financial losses due to privacy non-compliance. Fortunately, we have GDPR and CCPA as historical indicators of how we should expect CPRA to be enforced.

The image contains a screenshot of a graph to demonstrate the Cumulative Number of GDPR Fines.

GDPR, which was technically adopted in 2016, provided a two year grace period before its enforcement where few fines were brought as organizations came to terms with the new requirements.

However, CPRA is not an entirely new privacy act as it supplants CCPA. Regulators should not be expected to provide such a grace period – so be prepared to comply as soon as possible if you have CPRA obligations.

The image contains a screenshot of a graph to demonstrate the Cumulative Dollars in GDPR Fines.

Since the enforcement of the GDPR in 2018, the number of fines brought has been fairly linear from year-to-year, but the magnitude of fines has not.

Since mid-2021, the cost of non-compliance has been significantly larger than what was seen in the past, and we should estimate future potential fines on the recent, much more costly types of fines.

If you underestimate the potential financial impact of a privacy non-compliance, you do so at your own peril!

Violation implications of the CPRA

Privacy is here to stay, and different regulations and regions will learn from pacesetters like the CPRA. California is notorious for privacy class actions and the new dedicated agency under the CPRA (CPPA) is likely to champion this cause.

Reputational Damages	Financial Damages
Lawsuits that will jeopardize customer relationships and trust	$2,500 USD for each violation
Loss of customers, partners, and revenue	$7,500 USD for each violation

The chart illustrates the number of CCPA violation cases by industry filed from January 2022 to April 2022.

(Source: Perkins Coie)

CPRA’s Children’s Right Violation Insight

The CPRA will automatically triple fines for violations involving children’s data (children under the age of 16), totaling to a maximum of $7,500 per violation as opposed to $2,500 for other, non-intentional violations.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Table of Contents

Talk to an Analyst

Our analyst calls are focused on helping our members use the research we produce, and our experts will guide you to successful project completion.

Book an Analyst Call on This Topic

You can start as early as tomorrow morning. Our analysts will explain the process during your first call.

Get Advice From a Subject Matter Expert

Each call will focus on explaining the material and helping you to plan your project, interpret and analyze the results of each project step, and set the direction for your next project step.