Drive CCPA and CPRA sensitive data compliance

The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are considered the most comprehensive consumer data privacy laws in the U.S., and a benchmark for other states. 

CCPA was enacted to enhance privacy rights of California residents by setting guidelines on how businesses should handle private consumer information. CPRA, also known as CCPA 2.0, builds on CCPA’s foundation and enhances consumer privacy protections, as well as the obligations for companies and organizations that process personal information. 

CCPA has been fully enforceable since July 2020. Businesses have until January 1, 2023 to become CPRA compliant.

CPRA’s amendments to CCPA apply to any for-profit business that collects personal information on California-based consumers and meets any of the below criteria:

1. Had gross annual revenue of $25M as of January 1, 2022 or the preceding calendar year
2. Buys, receives or sells personal info of 50,000 or more CA residents, households or devices
3. Derives 50% or more of income selling CA residents’ personal info

Note: Businesses need not have operations or employees in CA in order to be subject to CPRA. 

CCPA does not apply to nonprofit orgs or government agencies. Other exemptions include:

• Consumer reporting agencies that are covered by the Fair Credit Reporting Act
• Financial Institutions covered by the Gramm-Leach-Bliley Act
• Entities covered by the Insurance Information and Privacy Protection Act

For purposes of CCPA, a California resident is defined as an individual who uses California residency for income tax purposes. CCPA does not protect consumers who are temporarily in the state of California. 

The CCPA defines “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with a particular consumer or household. This includes: name, address, birthday, biometric data, social security number, telephone number, email address, and any other information linkable to a specific individual. 

Sensitive Personal Information is a subset of personal information newly defined in the CPRA. SPI is personal information that reveals:

• social security, driver’s license, state identification card, or passport numbers
• account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
• precise geolocation
• racial or ethnic origin, religious or philosophical beliefs, or union membership
• the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication
• genetic data

The CCPA offers two exemptions: 

• Personal information collected by a business about a person who was either a job applicant or past/current employee. The exemption is limited to when the business used the information provided “solely” for employment-related actions. 
• The B2B exemption applies to personal information of employees or business contacts that a business collected to aid in providing or receiving a product or service to and from another business.

Neither the CCPA and CPRA extend to data already protected by other laws, such as:

• Financial services providers already in compliance with the GLBA 
• Medical information protected under the California Confidentiality of Medical Information Act
• Personal information collected as part of a clinical trial or biomedical research study and subject to the Federal Policy for the Protection of Human Subjects
• Information covered under the Fair Credit Reporting Act 

The CCPA creates six specific rights for consumers:

1. The right to know or request disclosure of personal information collected by the business about the consumer. This includes from whom it was collected, why it was collected, and, if sold, to whom.
2. The right to delete personal information collected from the consumer.
3. The right to opt out of the sale of personal information.
4. The right to opt-in to the sale of personal information of consumers under the age of 16.
5. The right to non-discriminatory treatment for exercising any rights.
6. The right to initiate a private cause of action for data breaches.

The CPRA creates three additional rights:

1. The right to opt out of automated decision-making technology.
2. The right to correct inaccurate personal information.
3. The right to limit use and disclosure of sensitive personal information.

The CPRA creates and transfers all rulemaking and enforcement authority from the California attorney general to the new state agency, the California Privacy Protection Agency. 

The CPRA tightens enforcement, removing the mandatory 30-day cure period that businesses currently enjoy under the CCPA and tripling penalties for violations that involve minors under the age of 16. The law also expands the types of data breaches that are considered within the scope of the data breach private right of action to include breaches of a username or email address, in combination with a password or security question and answer that would permit access to an online account.

Penalties include:

• Civil Penalties – In actions by the California Attorney General, businesses can face penalties of up to $7,500 per intentional violation or $2,500 per unintentional violation (but there is an opportunity to cure any alleged violation within 30 days after receiving notice of the alleged violation).
• Damages – In actions brought by consumers for security breach violations, consumers may recover statutory damages not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater. In actions for statutory damages, consumers must first provide businesses with written notice and an opportunity to cure. 
• Non-Monetary Relief – In actions brought by consumers for security breach violations, consumers may seek injunctive or declaratory relief, as well as any other relief the court deems proper.
• Businesses may also be subject to an injunction in actions brought by the Attorney General.