California Privacy Rights Act (CPRA)
California passed a state-wide data privacy bill that enhances the current CCPA in November 2020. The new law takes effect on January 1, 2023 and fully enforceable on July 1, 2023. CPRA is an addendum to CCPA, and strengthen the privacy and security much like the EU's GDPR Privacy and Security Law. Unlike the existing CCPA, the new CPRA includes the California Privacy Protection Agency (CPPA) that can enforce the law.
With growing trend in consumer privacy concerns and exponential growth in data breaches, the state of California has created the California Consumer Privacy Act (CCPA) in 2018, and fully in effect on January 1, 2020. CCPA gives consumers more control over how businesses collect and use their personal information, and gives them the right to know, opt-out, delete, and non-discriminated for exercising their privacy rights.
What is CCPA?
Unlike EU's GDPR which mandates organizations doing business with EU citizens to protect and secure personal data and enforce them with hefty fines for nonconformances, the CCPA is more about offering privacy rights to the consumers in addition to mandating businesses to comply with data protection standards. The Act offers California residents the following rights:
- The right to know what personal information is collected, and how it is used.
- The right to know whether their personal data is sold, and if so to whom?
- The right to opt-out of sale of their personal data.
- The right to ask businesses to delete their personal data.
- The right to access their personal data.
- The right to non-discriminate against exercising their privacy rights.
The CCPA is only applicable to California residents who live in California even if they are out-of-town temporarily. Also, the CCPA is only applicable to for-profit businesses with over $25 milling in gross revenue who engage in receiving, buying, and selling over 50K records or earns more than 50% of revenue from selling consumer data. It does not apply to non-profit organizations and small businesses with less than $25M in revenue.
Penalties for non-compliance are usually dismissed with a warning if a company fixes the non-conformance within 30-days of notice. However, if the problem cannot be resolved within the allotted timeframe, there will be a $2,500 fee per violation if unintended, and $7,500 per violation if deemed intentional.
What is considered personal data under CCPA?
Personal data is information that can be used to identify a person. For example, the personal data include but not limited to person's name, email, birthdate (age), IP address, geolocation, Internet browsing history, and biometric data. More sensitive information such as the SSN, credit card numbers, driver's license number, and passport number are all part of the personal information we care about. The information publicly available through federal, state, and local governments such as real estate records and professional licensing information are excluded.
The goal of creating the CCPA is to protect consumers from data breaches and gives them rights to protect their own data stored in business clouds. By requiring businesses to comply with CCPA, businesses must have a policy in place to protect consumer data with security and also allow Californian consumers to react to their own data. By implementing security policies like GDPR and CCPA, there will be less occurrences of data breaches and data abuse.
Leave a comment
All comments are moderated. Spammy and bot submitted comments are deleted. Please submit the comments that are helpful to others, and we'll approve your comments. A comment that includes outbound link will only be approved if the content is relevant to the topic, and has some value to our readers.