California Privacy Rights Act ('CPRA')
Insights into the proposed legislation
© 2022 Tsaaro. All rights reserved.

Overview

The State of California Consumer Privacy Act ('CCPA') has been considered a comprehensive piece of legislation protecting the privacy of consumers and the rights vested in them in this regard. The California Privacy Rights Act ('CPRA') is around the corner and has increasingly garnered the attention of organizations and entities processing personal data, which need to understand whether the CPRA applies to the activities they undertake. It is therefore pivotal to understand the law and its essential obligations.

The CPRA modifies the previous State of California law on data protection and privacy, the CCPA. In 2020, a statewide data privacy statute was signed into law. However, it will become fully enforceable on July 1, 2023, with retroactive application to January 1, 2022. The bill aims to reinforce the State of California's position as the leader in data privacy legislation in the United States by dramatically expanding the existing CCPA.

Target Audience

This whitepaper seeks to analyse the law and compare it to other notable legislative frameworks on data privacy and protection, such as the California Consumer Privacy Act and the General Data Protection Regulation. It provides an overview of the proposed law, tailored to a wide range of audiences, including senior and mid-level IT management, programme managers, and compliance leaders, to help them comprehend the goals of the CPRA and the obstacles they may encounter in demonstrating compliance with this proposed legislation.

It also intends to generate discussion among secondary audiences, such as students and academics, to help them comprehend the complexities of the proposed bill and its provisions.
Introduction

The California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, was approved by a majority of voters on November 3, 2020, after appearing on the ballot for the state's general election. It builds upon the California Consumer Privacy Act (CCPA) of 2018, which provided the groundwork for consumer privacy legislation. The law will go into effect on January 1, 2023, and it will apply to personal information obtained on or after January 1, 2022.

Problem Statement

The CPRA is an addendum to the CCPA, adding new sections about the privacy protection authority, consumer rights, etc. The proposition establishes additional provisions in State of California law, allowing consumers to prevent businesses from sharing their personal data, to correct inaccurate personal data, and to limit businesses’ use of “sensitive personal information,” including precise geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specified health information. Considering this, businesses and organizations processing personal information will have to ensure compliance with the CPRA and consider the possible repercussions of any non-compliance.

Structure

This whitepaper covers the following aspects:
1. Scope of the Bill
2. Key changes brought by the CPRA
3. Key topics under the CPRA
4. Exemptions under the CPRA
5. Who needs to comply with the CPRA
6. Rights of consumers under the CPRA
7. Comparison with the GDPR
8. Enforcement and liability
9. Challenges posed by the CPRA to businesses involved in data processing
10. Conclusion
SCOPE OF THE BILL

The compliance requirements under the CPRA differ from those under the CCPA. All compliance requirements stem from the definition of ‘business.’ As defined under the CPRA, a 'business' is a legal entity that conducts business in the State of California, acts for financial gain, collects (or has collected on its behalf) the personal information of consumers, and meets one of the following criteria:

1. As of January 1 of the calendar year, had gross revenue in excess of $25,000,000 in the preceding calendar year;
2. Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or
3. Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.

In addition, the scope of entities required to comply with the CPRA is potentially widened by the definition of common branding. Common branding is the use of a shared name, service mark or trademark by two or more businesses in a manner that would lead a consumer to assume that the entities are commonly owned. Under the CPRA, the exchange of information from a business to a firm that uses common branding brings the latter company within the scope of the CPRA.

The CPRA introduces two new ways for an entity to qualify as a “business”. First, a joint venture or partnership composed of businesses in which each business owns at least a 40% stake is itself regarded as a “business” subject to the CPRA. Second, any company can self-certify compliance with the CPRA, thereby agreeing to be governed by the law.
KEY CHANGES UNDER CPRA

1 CONSUMERS' RIGHT TO CORRECT INACCURATE PERSONAL INFORMATION

The CPRA grants consumers the opportunity to amend erroneous personal information. It states that:
- A consumer has the right to request that an organisation rectify any erroneous personal information about them.
- A business that collects consumers’ personal information must notify them of their right to request the correction of erroneous information.
- A business that receives a verifiable consumer request to update erroneous personal information is required to take commercially reasonable measures to comply with the consumer’s request.

2 UPDATED CONSUMER PRIVACY RIGHTS

The CPRA contains a variety of strengthened privacy protections, including:
- A consumer’s right to limit the collection, use, and disclosure of sensitive personal information.
- Additional recourse options for victims of online security breaches such as the theft of sensitive personal data and financial data.

3 LIMITATIONS ON TRACKING

The CPRA aims to restrict geolocation tracking by expanding consumer rights. Within a specified radius, consumers will be able to stop businesses from tracking their geolocation for the majority of purposes.

4 ADDITIONAL PROTECTION FOR MINORS

Under the CPRA, State of California minors, defined as individuals below the age of 16, will enjoy greater safeguards than they had under the CCPA. Contrary to its predecessor, the CPRA forbids the sale of an individual’s personal information without permission, and consent may entail opting in rather than opting out. In other words, children are automatically protected by the CPRA, and in some situations the penalties for non-compliance will be three times as severe as before. Where businesses intend to sell or share the personal information of minors under the age of 13, the affirmative consent of a parent or guardian is required, whereas for minors aged 13 or older but under 16, the affirmative consent of the minor is considered adequate.

5 EXPRESS INFORMATION SECURITY REQUIREMENTS

Businesses must “establish appropriate security measures and processes” to protect personal information against unauthorised or illegal access, destruction, use, modification, or disclosure. However, the CPRA does not define any specific standard or certification for these data security requirements and thus remains vague in that respect.

6 ANTI-RETALIATION CLAUSE FOR EMPLOYEES

Before employee rights became a concern, businesses frequently resorted to retaliation against employees who opposed the corporation and exercised their legal rights. The CPRA contains a revised and reinforced anti-retaliation provision, which states that a business shall not discriminate against a consumer based on the consumer's exercise of any CPRA-protected right. A business may not discriminate against a consumer by, for example:
- Denying the consumer access to goods or services.
- Charging different prices or rates for goods and services.
- Providing the consumer with a different level or quality of goods or services.
- Suggesting that the consumer will receive a different price or rate for products or services, or a different level or quality of goods or services.

7 RIGHT TO KNOW LENGTH OF DATA RETENTION

While the CCPA does not directly address data retention, the CPRA does. It permits enterprises to store personal information only for as long as is “necessary and proportionate” for the collection, processing, and other purposes that are properly disclosed. Under the look-back provision, even if a business receives a request to know on January 1, 2023 (the day the law goes into effect), it should be prepared to provide information going back to January 1, 2022.

8 EXPANDED INITIAL NOTIFICATION OBLIGATIONS

The CPRA strengthens the disclosure requirements for privacy notices posted at or before the point of collection. Businesses that collect consumers’ information must:
- Disclose whether the collected information will be sold or shared;
- Identify the sensitive personal information that will be collected;
- Disclose either the duration of information retention or the criteria used to determine it;
- Where they do not collect information, state so in a conspicuous notice.
KEY TOPICS UNDER CPRA

1 Personal Information

The CPRA defines personal information as “information that identifies, refers to, describes, is reasonably capable of being associated with, or is reasonably capable of being linked, directly or indirectly, with a specific consumer or household.” It comprises information such as a person’s real name, alias, mailing address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's licence number, or passport number, among other identifiers.

2 California Resident

The CPRA applies to the personal information of California residents, which the State of California Tax Regulations define as:
- an individual who is in California for other than a temporary or transitory purpose; or
- an individual domiciled in the State of California who is outside of the state for a temporary or transitory purpose.

3 Sensitive Personal Data

In addition, the CPRA adds a new subcategory of personal data known as “sensitive personal data.” This subcategory includes:
- Background and ethnicity (political opinion, sexual orientation, etc.)
- Genetic/biometric data, health data
- Financial account information
- Precise geolocation data
- Contents of mail, e-mail and text messages
- Government-issued IDs
EXEMPTIONS UNDER CPRA

Medical Information
Medical information governed by the Confidentiality of Medical Information Act (the "CMIA"), or protected health information ("PHI") collected by a covered entity or business associate governed by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH").

Personal Information
- Personal information gathered as part of a clinical trial or other biomedical research study.
- Personal information obtained by a business concerning an individual as a job applicant, employee, owner, director, officer, medical staff member, or independent contractor.
- B2B contracts are exempted.

Vehicle Information
Information about a vehicle or its ownership that is retained or shared between a new vehicle dealer and the manufacturer.

Credit Information
Any activity involving the collection, maintenance, disclosure, sale, communication, or use of consumer credit information.
GENERAL DUTIES OF BUSINESSES UNDER CPRA

1. Follow the basic privacy principles such as data minimisation, legitimate purpose, storage limitation, accuracy and transparency, non-discrimination and data retention (restriction).
2. Businesses must provide notice disclosing the collection of sensitive personal information and the purpose of such collection.
3. The CPRA requires enterprises to have contractual agreements in place not only with service providers and contractors, but also with third parties to whom the businesses sell or distribute personal information.
4. Businesses shall use adequate security measures to prevent unauthorised access to or disclosure of such information.

WHO NEEDS TO COMPLY WITH CPRA

The CPRA applies to any entity organised and operated for profit or financial gain that:
01 Satisfies the definition of a business under the CPRA (refer to the Scope of the Bill section);
02 Collects the personal information of consumers;
03 Determines the purpose and means of processing; and
04 Carries on business in the State of California.

However, a business does not need to comply with the CPRA if its commercial activities take place outside of California.

ENFORCEMENT AND LIABILITY

The CPRA transfers enforcement authority from the Attorney General of the State of California to a new privacy-focused agency, the California Privacy Protection Agency (CalPPA). When facing an enforcement action, businesses will no longer be afforded the CCPA's 30-day cure period before being fined by CalPPA for a violation. In addition, the CPRA establishes an automatic $7,500 fine for violations involving minors' personal information. Beyond the existing private right of action for breaches of unredacted and unencrypted personal information, the CPRA grants consumers a private right of action if an email address, password, or security question and answer that would allow access to an account is compromised.
COMPARISON WITH GDPR

1. Scope / Applicability
EU GDPR: The GDPR applies to organisations that have a presence in the EU, or whenever the data of EU residents is processed, irrespective of the company’s location.
CPRA: The CPRA extends to businesses located in the State of California and to all businesses that, despite not being located in the State of California, do business in the State. The criteria for qualifying as a business are laid down as well.

2. Data Subject Rights
EU GDPR: The rights vested in data subjects under the EU GDPR are the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, and the right to object.
CPRA: The rights vested in data subjects under the CPRA are the right to be forgotten, the right to opt out from having information sold, the right to equal service and price, the right to receive information on privacy practices and to access information, the right to deletion, the right to receive information about onward disclosures, and the right to prohibit the sale of information.

3. Obligations of Controllers / Businesses / Covered Entities
EU GDPR: The EU GDPR elaborately lays down the obligations and duties entrusted to controllers and processors individually, in furtherance of ensuring the protection of the personal data so processed.
CPRA: The CPRA does not provide for the obligations and duties of controllers and processors individually in an elaborate manner.

4. Penalties
EU GDPR: The penalty under the GDPR is defined, and fines and penalties imposed under Article 83 are flexible and scale with the firm. Administrative fines are determined up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
CPRA: The maximum penalty under the CPRA for any violation is $7,500. Where a business does not act upon a violation under the CPRA within 30 days, the business would be liable to a civil penalty of not more than $2,500 for each violation and $7,500 for any intentional violation.
CPRA Compliance Toolkit for Businesses

1. Determine if your company is subject to the CPRA.
2. Take advantage of the CPRA to review and update your CCPA compliance programme.
3. Update your personal information database.
4. Determine if sensitive personal information is collected.
5. Establish a method for implementing the right to correct personal data.
6. Establish a procedure to implement the right to restrict the use and disclosure of sensitive personal information.
7. Address compliance requirements for your vendors.
8. Address the CPRA's limitations on collection, use and retention.
9. Determine if your company engages in "profiling".
10. Determine if your organisation is subject to the new risk assessment and audit requirements for high-risk organisations.
11. Refresh your current privacy education programmes.
12. Draft appropriate policies for data retention, incident management, etc. as per the new provisions.
13. Determine the policies and procedures to be implemented to deal with minors' data, considering the new provisions about minors' data in the CPRA.
14. Enable opt-outs to stop the sharing of personal data for behavioral advertising based on consumers' activity.
15. Businesses are not permitted to store a consumer's personal information on devices while the consumer is in California and later collect that information when the consumer is not in California.
RIGHTS OF CONSUMERS UNDER CPRA

- Right to Delete Personal Information
- Right to Rectification of Incorrect Information
- Right to Access Personal Information
- Right to Limit Sensitive Personal Information
- Right to Access Information About Automated Decision Making
- Right to Opt-Out of Automated Decision-Making Technology
CHALLENGES POSED BY THE INTRODUCTION OF CPRA

The CPRA expands consumer protections and imposes new obligations on businesses. Some of the definitions have been changed and the mandate of some additional rights has been expanded, for example the right to opt out of processing. With the enactment of the CPRA, businesses must revise and update their compliance.

The CPRA requires entities to provide a 12-month personal data report to residents. In this regard, businesses will need to improve their data mapping procedures. Organizations will also be required to disclose whether they have applied artificial intelligence to any personal data.

The CPRA extends its protections to State of California residents in their roles as employees, applicants, independent contractors, and other work-related roles, i.e. HR Individuals. As consumers, HR Individuals will have access to six data rights. These include:
- the rights to access, correct, and delete personal information;
- the right to opt out of the sale or sharing of their personal information;
- the right to restrict the use of their sensitive personal data;
- the privilege of not being punished for exercising these rights.

As a consequence, CPRA compliance challenges may include a review of existing practices and the implementation of modifications to contracts, privacy notices, individual rights response procedures, and other privacy operations.

To comply effectively with CPRA requirements, employers can make the following efforts:
- Develop and document a retention policy that complies with employer data retention requirements;
- Draft a CPRA-compliant employee privacy policy;
- Comprehend the information that the organisation collects, the categorization of data, the location of data, and the steps to access, correct, or delete data;
- Examine existing contracts with service providers and ensure CPRA compliance;
- Identify the legal, HR, and technological support responsible for the efforts required to build a privacy compliance programme;
- Develop procedures for responding to requests from employees.
CONCLUSION
The CPRA is the most comprehensive consumer privacy law in the United States to date,
and additional privacy legislation is likely to follow. To ensure compliance with the CPRA,
organisations will need to become more intelligent and transparent about the
information they collect, on whom, and how they use it. The most effective method for
completing these tasks is to plan ahead and determine what resources are required,
including internal and external support. Given that data governance and security
compliance programmes necessitate time, attention, and effort from all facets of a
business, it is prudent to integrate the appropriate technology to ensure compliance.
WHY TSAARO?

Tsaaro provides privacy and cybersecurity services to help organizations meet regulatory requirements while maintaining a robust security infrastructure.

Our industry-standard privacy services include privacy compliance, DPO-as-a-service, Vulnerability Assessment & Penetration Testing, cyber strategy and DPIA, to name a few, delivered by our expert privacy professionals recognized by IAPP.

CONTACT US

You can assess risk with respect to personal data and strengthen your data security by contacting Tsaaro.
Email us: info@tsaaro.com

Tsaaro India Office
Manyata Embassy Business Park, Ground Floor, E1 Block, Beech Building, Outer Ring Road, Bangalore 560045, India
P: +91-0522–3581

Tsaaro Netherlands Office
Regus Schiphol Rijk, Beech Avenue 54-62, Het Poortgebouw, Amsterdam, 1119 PW, Netherlands
P: +31-686053719

Akarsh Singh (CEO & Co-Founder, Tsaaro)
Akarsh is a Fellow of Information Privacy by IAPP, the highest certification in the field of privacy. His expertise lies in data privacy and information security compliance.

Krishna Srivastava (Co-Founder & Head of Cyber Security, Tsaaro)
Krishna is an ex-KPMG data security consultant and a Fellow of Information Privacy by IAPP, the highest certification in the field of privacy. He has vast experience in information security and data privacy compliance.

Krishna Chaitanya (CIPM, CISA, ISO 27001 Lead Auditor, OCP, MCSE)
Krishna is an information security and privacy professional with over 16 years of progressive information technology and database experience, encompassing 7+ years of information security audit programs and data protection.

Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
 
It’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy Novices
It’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy NovicesIt’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy Novices
It’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy Novices
 
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSSASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
 
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptxAnalysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
 

California-Privacy-Right-Act.pdf

  • 3. Introduction
The California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, was approved by a majority of voters on November 3, 2020, after appearing on the ballot for the state's general election. It builds upon the California Consumer Privacy Act (CCPA) of 2018, which provided the groundwork for consumer privacy legislation. The law will go into effect on January 1, 2023, and it will apply to personal information obtained on or after January 1, 2022.

Problem Statement
The CPRA is an addendum to the CCPA, adding new sections about privacy protection authority, consumer rights, etc. The proposition establishes additional provisions in State of California law, allowing consumers to prevent businesses from sharing their personal data, correct inaccurate personal data, and limit businesses’ use of “sensitive personal information,” including precise geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specified health information. Considering this, businesses and organizations processing personal information would have to look out for compliance with the CPRA and possible repercussions in case of any non-compliance.

Structure
This whitepaper covers the following aspects:
Scope of the Bill
Key changes brought by CPRA
Key topics under CPRA
Exemptions under CPRA
Who needs to comply with CPRA
Rights of consumers under CPRA
Comparison with GDPR
Enforcement and liability
Challenges posed by the CPRA to businesses involved in data processing
Conclusion
  • 4. SCOPE OF THE BILL
The compliance requirements under the CPRA are different from those under the CCPA. All the compliance requirements stem from the definition of ‘business.’ As defined under the CPRA, a 'business' is a legal entity that conducts business in the State of California, acts for financial gain, collects or has collected on its behalf the personal information of consumers, and fits one of the following criteria:
1. As of January 1 of the calendar year, has a gross revenue in excess of $25,000,000 in the preceding calendar year;
2. Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or
3. Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.

In addition, the scope of entities required to comply with the CPRA is potentially increased by the definition of common branding. Common branding is the use of a shared name, servicemark or trademark by two or more businesses in a manner which would lead the consumer to assume that the two or more entities are commonly owned. Under the CPRA, the exchange of information from a business to a firm that uses common branding brings the latter company under the jurisdiction of the CPRA.

The CPRA introduces two new ways for a business to qualify as an “enterprise”. First, a joint venture or partnership comprised of enterprises in which each business owns at least a 40% stake will result in the joint venture being regarded as a “business” subject to the CPRA. Lastly, any company can self-certify compliance with the CPRA, thereby agreeing to be governed by the law.
  • 5. KEY CHANGES UNDER CPRA

1. CONSUMERS' RIGHT TO CORRECT INACCURATE PERSONAL INFORMATION
The CPRA grants consumers the opportunity to amend erroneous personal information. It states that:
A consumer has the right to request that an organisation rectify any erroneous personal information about them.
A business that collects consumers’ personal information must notify them of their right to request the correction of erroneous information.
A business that receives a verifiable consumer request to update erroneous personal information is required to take commercially reasonable measures to comply with the consumer’s request.

2. UPDATED CONSUMER PRIVACY RIGHTS
The CPRA contains a variety of strengthened privacy protections, including:
A consumer’s right to limit the collection, use, and disclosure of sensitive personal information.
Additional recourse possibilities for victims of online security breaches such as the theft of sensitive personal data and financial data.

3. LIMITATIONS ON TRACKING
The CPRA aims to restrict geolocation tracking by expanding consumer rights. Within a specified radius, consumers will be able to stop businesses from tracking their geolocation for the majority of purposes.

4. ADDITIONAL PROTECTION FOR MINORS
Under the CPRA, State of California’s minors, identified as individuals below the age of 16 years, will enjoy greater safeguards than they had under the CCPA. Contrary to its predecessor, the CPRA forbids the sale of a minor’s personal information without permission, and consent may entail opting in rather than opting out. In other words, children are automatically protected by the CPRA, and in some situations, the penalties for noncompliance will be three times as severe as before. Where businesses intend to sell or share personal information of minors under the age of 13, the affirmative consent of the parent/guardian is required, whereas, for minors between the ages of 13 and 16, the affirmative consent of the minor is considered adequate.
  • 6. 5. EXPRESS INFORMATION SECURITY REQUIREMENTS
Businesses must “establish appropriate security measures and processes” to protect personal information against unauthorised or illegal access, destruction, use, modification, or disclosure. However, the CPRA fails to define any specific standard or certification regarding data security requirements and thus remains vague in that respect.

6. ANTI-RETALIATION CLAUSE FOR EMPLOYEES
Before employee rights became a concern, businesses frequently resorted to retaliation against employees who opposed the corporation and exercised their legal rights. The CPRA contains a revised and reinforced anti-retaliation provision which states that a business shall not discriminate against a consumer based on the consumer's exercise of any CPRA-protected right. A firm may not discriminate against a customer by:
Denying the consumer access to goods or services.
Charging different prices or rates for goods and services.
Providing the consumer with a different level or quality of goods or services.
Implying the consumer will receive a different price or rate for products or services, or a different level or quality of goods or services.

7. RIGHT TO KNOW LENGTH OF DATA RETENTION
While the CCPA does not directly address data retention, the CPRA does. It permits enterprises to store personal information only when it is “necessary and proportional” for collecting, processing, and other reasons that are properly declared. According to the look-back provision, even if a business receives a request to know on January 1, 2023 (the day the law goes into effect), it should be prepared to provide information going back to January 1, 2022.

8. EXPANDED INITIAL NOTIFICATION OBLIGATIONS
The CPRA strengthens the disclosure requirements for privacy notices posted at or before the actual point of collection. Businesses that collect consumers’ information must:
Disclose if collected information will be sold or shared;
Identify the sensitive personal information that will be collected;
Disclose either the duration of information retention or the criteria used to determine it;
State, via a noticeable notification, if they do not collect information.
  • 7. KEY TOPICS UNDER CPRA

1. Personal Information
The CPRA defines personal information as “information that identifies, refers to, describes, is reasonably capable of being associated with, or is reasonably capable of being linked, directly or indirectly, with a specific consumer or household.” It comprises information such as a person’s real name, alias, mailing address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's licence number, or passport number, among other identifiers.

2. California Resident
The CPRA applies to the personal information of California Residents, which is defined in State of California Tax Regulations as:
an individual who is in California for other than a temporary or transitory purpose;
an individual domiciled in State of California who is outside of the state for a temporary or transitory purpose.

3. Sensitive Personal Data
In addition, the CPRA adds a new subcategory of personal data known as “sensitive personal data.” This subcategory includes:
Background and ethnicity (political opinion, sexual orientation etc.)
Genetic/biometric data, health data
Financial account information
Precise geolocation data
Contents of mail, e-mail and text messages
Government-issued IDs
  • 8. EXEMPTIONS UNDER CPRA

Medical Information
Medical information governed by the Confidentiality of Medical Information Act (the "CMIA"), or protected health information ("PHI") collected by a covered entity or business associate governed by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH").

Personal Information
Personal Information gathered as part of a clinical trial or other biomedical research study.
Personal Information obtained by a business concerning an individual as a job applicant, employee, owner, director, officer, medical staff member, or independent contractor.
B2B contracts are exempted.

Vehicle Information
Information about the car or its ownership that is retained or shared between a new vehicle dealer and the manufacturer.

Credit Information
Activity involving the collection, maintenance, disclosure, sale, communication, or use of any consumer credit information.
  • 9. GENERAL DUTIES OF BUSINESSES UNDER CPRA
1. Follow the basic privacy principles, such as data minimisation, legitimate purpose, storage limitation, accuracy and transparency, non-discrimination and data retention (restriction).
2. Businesses must provide notice disclosing the collection of sensitive personal information and the purpose of such collection.
3. The CPRA requires enterprises to have contractual agreements in place not only with service providers and contractors, but also with third parties to whom the businesses sell or distribute personal information.
4. Businesses shall use adequate security measures to prevent unauthorised access to or disclosure of such information.
  • 10. WHO NEEDS TO COMPLY WITH CPRA
The CPRA applies to any entity organised and operated for profit or financial gain that:
01 Satisfies the definition of business under the CPRA (refer pg. 4)
02 Collects the personal information of consumers
03 Determines the purpose and means of processing
04 Carries on business in the State of California
However, a business does not need to comply with the CPRA if its commercial activities take place outside of California.

ENFORCEMENT AND LIABILITY
The CPRA transfers enforcement authority from the Attorney General of State of California to a new privacy-focused agency, the California Privacy Protection Agency (CalPPA). When facing an enforcement action, businesses will no longer be afforded the CCPA's 30-day cure period before being fined by CalPPA for a violation. In addition, the CPRA establishes an automatic $7,500 fine for violations involving minors' personal information. In addition to the existing private right of action for breaches of unredacted and unencrypted personal information, the CPRA grants consumers a private right of action if an email address, password, or security question and answer that would allow access to an account are compromised.
  • 11. COMPARISON WITH GDPR

1. Scope / Applicability
EU GDPR: The GDPR applies to organisations that have a presence in the EU, or that process the data of EU residents irrespective of the company’s location.
CPRA: The CPRA extends to businesses that are located in the State of California and to all businesses that, despite not being located in the State of California, do business in the State. The criteria for qualifying businesses have been laid down as well.

2. Data Subject Rights
EU GDPR: The rights vested with data subjects under the EU GDPR are: right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object.
CPRA: The rights vested with data subjects under the CPRA are: right to be forgotten, right to opt out from having information sold, right to equal service and price, right to receive information on privacy practices and access information, right to deletion, right to receive information about onward disclosures, right to prohibit sale of information.

3. Obligations of Controllers / Businesses / Covered Entities
EU GDPR: The EU GDPR elaborately lays down the obligations and duties entrusted upon Controllers and Processors individually, in furtherance of ensuring the protection of the personal data so processed.
CPRA: The CPRA does not provide for the obligations and duties of both controllers and processors individually in an elaborate manner.

4. Penalties
EU GDPR: The penalty under the GDPR is defined, and fines and penalties imposed under Article 83 are flexible and scale with the firm. The administrative fines are determined up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
CPRA: The maximum penalty under the CPRA for any violation is $7500. Where a business does not act upon a violation under the CPRA within 30 days, the business would be liable to a civil penalty of not more than $2500 for each violation and $7500 for any intentional violation.
  • 12. CPRA Compliance Toolkit for Businesses
1. Determine if your company is subject to the CPRA.
2. Take advantage of the CPRA to review and update your CCPA compliance programme.
3. Update your personal information database.
4. Determine if sensitive personal information is collected.
5. Establish a method for implementing the right to correct personal data.
6. Establish a procedure to implement the right to restrict the use and disclosure of sensitive personal information.
7. Address compliance requirements for your vendors.
8. Address the CPRA's limitations on collection, use and retention.
  • 13. CPRA Compliance Toolkit for Businesses (continued)
9. Determine if your company engages in "profiling".
10. Determine if your organisation is subject to the new risk assessment and audit requirements for high-risk organisations.
11. Refresh your current privacy education programmes.
12. Draft appropriate policies for data retention, incident management, etc. as per the new provisions.
13. Determine the policies and procedures to be implemented to deal with minors' data, considering the new provisions about minors' data in the CPRA.
14. Enable opt-outs to stop sharing personal data for behavioral advertising based on the consumers' activity.
15. Businesses are not permitted to store consumers' personal information on devices while the consumer is in California and later collect such information when the consumer is not in California.
  • 14. RIGHTS OF CONSUMERS UNDER CPRA
Right to Delete Personal Information
Right to Rectification of Incorrect Information
Right to Access Personal Information
Right to Limit Sensitive Personal Information
Right to Access Information About Automated Decision Making
Right to Opt-Out of Automated Decision-Making Technology
  • 15. CHALLENGES POSED BY THE INTRODUCTION OF CPRA
The CPRA expands consumer protections and imposes new obligations on businesses. Some of the definitions have been changed and the mandate of some additional rights has been expanded, for example the right to opt out of processing. With the enactment of the CPRA, businesses must revise and update their compliance. The CPRA requires entities to provide a 12-month personal data report to residents. In this regard, businesses will need to improve their data mapping procedures. Organizations will also be required to disclose whether they have applied artificial intelligence to any personal data.

The CPRA extends its protections to State of California residents in their roles as employees, applicants, independent contractors, and other work-related roles, i.e. HR Individuals. As consumers, HR Individuals will have access to six data rights. These include the:
rights to access, correct, and delete personal information;
right to opt out of the sale or sharing of their personal information;
right to restrict the use of their sensitive personal data;
privilege of not being punished for exercising these rights.

As a consequence of this, CPRA compliance challenges may include a review of existing practices and the implementation of modifications to contracts, privacy notices, individual rights response procedures, and other privacy operations.

To effectively comply with CPRA requirements, employers can make the following efforts:
Develop and document a retention policy that complies with employer data retention requirements;
Draft a CPRA-compliant employee privacy policy;
Comprehend the information that the organisation collects, the categorization of data, the location of data, and the steps to access, correct, or delete data;
Examine existing contracts with service providers and ensure CPRA compliance;
Identify the legal, HR, and technological support responsible for the efforts required to build a privacy compliance programme;
Develop procedures for responding to requests from employees.
  • 16. CONCLUSION
The CPRA is the most comprehensive consumer privacy law in the United States to date, and additional privacy legislation is likely to follow. To ensure compliance with the CPRA, organisations will need to become more intelligent and transparent about the information they collect, on whom, and how they use it. The most effective method for completing these tasks is to plan ahead and determine what resources are required, including internal and external support. Given that data governance and security compliance programmes necessitate time, attention, and effort from all facets of a business, it is prudent to integrate the appropriate technology to ensure compliance.
  • 17. WHY TSAARO?
Tsaaro provides privacy and cybersecurity services to help organizations meet regulatory requirements while maintaining a robust security infrastructure. Our industry-standard privacy services include privacy compliance, DPO-as-a-service, Vulnerability Assessment & Penetration Testing, cyber strategy and DPIA, to name a few, delivered by our expert privacy professionals recognized by IAPP.

Akarsh Singh (CEO & Co-Founder, Tsaaro)
Akarsh is a fellow in Information Privacy by IAPP, the highest certification in the field of privacy. His expertise lies in Data Privacy and Information Security Compliance.

Krishna Srivastava (Co-Founder & Head of Cyber Security, Tsaaro)
Krishna is an ex-KPMG data security consultant and a fellow in Information Privacy by IAPP, the highest certification in the field of privacy. He has vast experience in Information Security and Data Privacy Compliance.

Krishna Chaitanya (CIPM, CISA, ISO 27001 Lead Auditor, OCP, MCSE)
Krishna is an Information Security & Privacy Professional with over 16 years of progressive Information Technology & Databases experience, encompassing 7+ years of Information Security Audit Programs & Data Protection.

CONTACT US
You can assess risk with respect to personal data and strengthen your data security by contacting Tsaaro. Email us: info@tsaaro.com

Tsaaro Netherlands Office: Regus Schiphol Rijk, Beech Avenue 54-62, Het Poortgebouw, Amsterdam, 1119 PW, Netherlands. P: +31-686053719
Tsaaro India Office: Manyata Embassy Business Park, Ground Floor, E1 Block, Beech Building, Outer Ring Road, Bangalore - 560045, India. P: +91-0522–3581