California's Upcoming Privacy Law Overview: Essential Preparation Guidelines [Revised April 2022]
California Privacy Rights Act (CPRA) Expands Data Protection for Californians
The California Privacy Rights Act (CPRA), an amendment to the California Consumer Privacy Act (CCPA) of June 28th, 2018, is set to provide Californians with enhanced control over their personal data. The CPRA, which was approved on November 3rd, 2020, introduces new rights, restrictions, and obligations for businesses handling California residents' data.
The CPRA gives individuals the right to request correction of inaccurate data, opt out of the use of sensitive personal information, and access any information collected, regardless of when it was collected or whether it was personally identifiable data. Businesses must respond to such requests within 45 days and ensure an advanced level of data access for consumers.
To fall under the CPRA, a business must meet one or more of the following criteria in 2025:
- Annual gross revenue exceeding $26,625,000
- Processing personal information of 100,000 or more California residents or households annually
- Deriving 50% or more of annual revenue from selling or sharing personal information
The CPRA also extends its reach to include employee data and introduces a new category called sensitive personal information (SPI), which requires stronger protections. Businesses must conduct regular risk assessments, especially regarding activities such as sale/sharing of personal information, processing of SPI, profiling in certain contexts, and training automated decision-making technologies (ADMT).
Starting in 2027, some businesses will face annual independent cybersecurity audits, which include executive reporting and sworn certifications. There will also be new consumer rights related to ADMT use in significant decisions like finance and housing.
The CPRA established the California Privacy Protection Agency (CPPA) as the new regulatory authority enforcing these rules. Businesses must update their opt-out options depending on the type of personal information they handle, with separate links for general and sensitive personal information.
Under the CPRA, consumers may collect between $100 and $750 for each instance of a data breach where data is not harmed. However, if harm is done during a data breach, consumers may collect more than $750.
The CPRA allows users to opt out of both the sale and sharing of their personal information with third parties. A subcategory of personal information defined as "sensitive personal information" or SPI includes social security numbers, financial accounts, race or ethnicity, contents of mail, emails, or text messages, biometric data, personal information concerning health, sex life or sexual orientation, genetic data, and precise geolocation.
Businesses disclosing personal information to contractors and service providers must follow the restrictions set by the regulation and write them into the contracts. Covered businesses are obliged to provide California residents with mechanisms to take advantage of their privacy rights, including the right to know what personal information is collected, the purpose for which it is collected, whether their personal information is shared or sold, to access their personal information, to ask a business to delete their personal information, and to refuse the "selling or sharing" of their personal information.
In summary, the CPRA marks a significant step forward in data protection for Californians. Businesses must prepare for new obligations under CPRA, such as risk assessments, cybersecurity audits (phased by 2027), and expanded consumer rights relating to sensitive data and automated decision-making.