What is the California Privacy Rights Act (CPRA)?

August 12, 2020
California Privacy Rights Act (CPRA)

Senior Privacy Consultant Jodi Daniels shares why you need to have the California Privacy Rights Act (CPRA) on your privacy radar. 

California Privacy Rights Act (CPRA)

While the California Consumer Privacy Act (CCPA) has just become enforceable as of July 1, there’s another privacy rights act lining up for the November 2020 ballot. This new act aims to build off of the work accomplished by CCPA to increase transparency and control for consumers over their personal information.

Call it CCPA 2.0. Call it GDPR, California-style. Call it the California Privacy Rights Act (CPRA). Whatever its name, though, it’s something you need to have on your privacy radar.

[feature_box style="10" only_advanced="There%20are%20no%20title%20options%20for%20the%20choosen%20style" alignment="center"]

Before you continue reading, how about following us on LinkedIn?

lang: en_US


What does the California Privacy Rights Act (CPRA) do?

CPRA builds on CCPA, in that it would give California residents more control over their personal information on a number of fronts and create a more detailed privacy framework for businesses. Here are some of the deliverables for the act.

1. Create a California Privacy Protection Agency

CCPA put enforcement in the hands of the California Attorney General. CPRA would reroute that enforcement to a new office: the California Privacy Protection Agency.

What would this agency do? They’d be responsible for implementing and enforcing CPRA rules. This may sound like a hall monitor type of job, but given the potential volume of business and individual privacy needs, it’s a smart move.

2. More nuanced definition for personal Information

The CPRA would establish a further category of sensitive personal information, a la the General Data Protection Regulation (GDPR), under Cal. Civ. Code § 1798.140(ae)—“sensitive personal information.” This includes:

  • Social security number
  • Driver’s license number
  • Passport number
  • Financial account information
  • Precise geolocation
  • Race and ethnicity
  • Religion
  • Union membership
  • Personal communications
  • Genetic data
  • Biometric and health information
  • Sexual orientation and sex life information
  • For these categories of information, businesses would have to provide transparent disclosures about what they’re processing. New requirements for data minimization would come into play, given the greater security risks for storing sensitive personal information.

CPRA would also allow consumers more extensive rights around the use of their sensitive personal information. Notably, it would give them the right to request corrections of any personal information held by a business if that information is inaccurate.

3. Bolsters child privacy provisions

Protecting children’s privacy has been a major point for the California Privacy Rights Act. CPRA takes it even further. Under CPRA, businesses and organizations that violate CCPA’s opt-in to sell right would face triple the amount of fines.

They would also have to get opt-in consent to sell or share data from any consumer under the age of 16. (Currently, under CCPA, this applies to consumers under the age of 13.)

4. Transparency

Transparency and data governance become more nuanced under CPRA. The bill would require businesses to notify consumers at or before the collection of data:

  • If information is being sold or shared
  • Which categories of sensitive personal information are collected
  • What the data retention timelines are

To this point, CPRA prohibits retaining personal information for longer than "reasonably necessary" to accomplish the disclosed purposes of collection. This is an important security measure, given the risks posed by excessive data retention periods.

5. No day at the data breach
Data breaches are ambiguity in CCPA. The California Privacy Rights Act brings some measure of clarity as to expectations for businesses.

CPRA specifies that if a breach occurs and a consumer’s email address and either their password or security/question combo is compromised - and the company hasn’t taken reasonable measures - the company could be held liable. Bringing “reasonable security measures” to the table is something that CCPA didn’t do, leaving businesses and consumers uncertain about when right to action applied.

And in case companies didn’t need additional reasons to keep data breaches at bay, new fines would be assessed at $7500 per violation.

6. Risky (processing) business

If businesses perform “high-risk processing,” they’ll need to complete annual risk assessments and audits. This includes a cybersecurity audit. As per CPRA, the California Privacy Protection Agency would provide definitions and guidance on these processes.

What comes next?

We know that new compliance requirements can be a challenge to juggle with existing ones. And when data security is part of the picture, the stakes can be high. We’re here to help with that. Contact Red Clover Advisors today for a free consultation.


This article was authored by Jodi Daniels, founder and CEO of Red Clover Advisors, a boutique data privacy consultancy. Jodi also serves on the Board of Idenhaus Consulting.



Learn how an IAM Assessment and Solution Roadmap can help your organization effectively plan for change so you can achieve ongoing excellence with your IAM program. Register for our upcoming webinar now.

How IAM Assessments Define Your Path to Success



Follow @Idenhaus on Twitter and subscribe to our Identity Management biweekly or our healthcare IT biweekly newsletter.

forbes technology council

Idenhaus is honored to be featured in the Top 10 Identity Governance and Administration Consulting/Service Companies of 2019.

By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Click here to contact us



More News