The document provides an overview of the California Privacy Rights Act (CPRA) which modifies the previous California Consumer Privacy Act (CCPA). Key points:
- The CPRA expands consumer privacy protections, strengthens data rights, and establishes the California Privacy Protection Agency to enforce the law.
- It applies to businesses that collect personal data of California residents and meet certain criteria for revenue, data collection, or common branding.
- The law goes into effect January 1, 2023 and applies retroactively to data collected after January 1, 2022. It grants consumers expanded rights over their data.
- Businesses must comply with regulations around data collection, use and sharing, security, access and
The California Consumer Privacy Act (CCPA) is a law, signed on June 28, 2018, that established and promoted consumer privacy rights and business obligations concerning the collection and sale of personal information of citizens of California. The CCPA came into effect on January 1st, 2020. Soon after, in November 2020, Proposition 24, known as the California Privacy Rights Act of 2020 (CPRA), was introduced, which is soon to replace the CCPA Compliance. CPRA is the updated version that expands the CCPA Compliance. The latest version can be more accurately described as an improvement of the existing compliance framework, with amendments and additions introduced in the provision. Explaining the amendments and new additions introduced, we have shared all the details of CCPA Compliance Vs CPRA Compliance in the article today. But before that, let us learn and understand what exactly CPRA Compliance is.
California Consumer Protection Act - Insight from Sia Partners Daniel Connor
This Insight article describes the requirements of the new law applicable to California residents as well as comparing it to the new European standards in GDPR.
California consumer privacy act and its impact on california employers (mosmedicalreview)
The CCPA could have major implications for employers, the workers’ comp industry, lawyers, medical record retrieval companies serving lawyers, & insurers.
Future-Proof Your Workplace Privacy Approach for CPRA and Beyond (TrustArc)
The California Privacy Rights Act (CPRA) is coming fast and even companies currently complying with the California Consumer Privacy Act (CCPA) will face new challenges, including the protection of human resource (HR) data, something previously exempt under the CCPA.
Before the CPRA comes into effect, HR professionals need to be prepared to understand and comply with this new legislation. While employers were previously obligated to provide disclosure notices, they will now be required to provide their employees with the right to access, correct, and delete data.
Explore what employers need to consider to be compliant with CPRA.
What to expect from the New York Privacy Act (VISTA InfoSec)
With the New York Privacy Act recently proposed in the House and Senate, businesses may soon have to gear up for this new data privacy law. If enforced, the law may severely impact businesses, restricting how they collect, use and share consumers’ personal information throughout the State.
Key additions and amendments introduced under the CPRA (VISTA InfoSec)
On November 3rd, 2020, the California Privacy Rights Act was passed as the latest version of the California Consumer Privacy Act which recently came into effect on the 1st of July, 2020. CPRA brings significant amendments and additions to the rules of Data Privacy outlined in the CCPA Compliance. Declaring its enforcement in 2023, the CPRA introduced some new concepts to Data Privacy in California. With new additions and amendments, the CPRA bridges certain potential loopholes in the previous version of CCPA, making the law stringent. Further, introducing the amendments and new additions to the provision has taken this Data Privacy law closer to the EU’s GDPR standard. In this article, let us take a look at the new provisions introduced and understand the amendments in the Data Privacy Standard.
The CPRA, known as "The California Privacy Rights Act of 2020" amended the CCPA, "The California Consumer Privacy Act of 2018" and added increased measures of privacy rights and additional data collection, storage and distribution regulations.
Watch the on-demand webinar: https://info.trustarc.com/WB-2019-10-23-CCPASurvivalGuideMasteringConsentDoNotSellConsumerRightsandLookBackRequirements_RegPage.html
The CCPA compliance deadline is fast approaching. Whether you are just starting, or have been working on your program for months, chances are you are having a lot of last minute implementation questions. Join this session to hear from a panel of industry experts who have been working on the front lines with companies of all sizes across all industries as they share tips and best practices on how to handle key aspects of CCPA compliance. You will also have the opportunity to ask the experts questions.
This webinar will provide:
-Tips on how to implement Do Not Sell and manage consumer rights requests
-Best practices and tools to support look back reporting requirements
-Updated guidance on the latest CCPA requirements changes
The california consumer privacy act (ccpa) is in effect starting on january 1... (RominaMariaBaltariu)
The California Consumer Privacy Act (CCPA) is in Effect Starting Today, January 1, 2020 - Which websites will CCPA impact? - 8 (easy) steps to be GDPR ready if you own a website - You are here: - Visitor Analytics
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur... (Financial Poise)
There is no federal law governing privacy and data security applicable to all US citizens. Rather, individual states and regulatory agencies have created a patchwork of protections that may overlap in certain industries.
This webinar provides an overview of the many privacy and data security laws and regulations which may impact your business, from the state law protecting personal information to regulations covering the financial services industry to state breach notification laws.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-us-privacy-and-data-security-2020/
Introduction to US Privacy and Data Security Regulations and Requirements (Se... (Financial Poise)
The United States has no federal data security or privacy law covering all businesses or all U.S. citizens. Instead, federal agencies and individual states have created their own patchwork of laws and regulations which must be evaluated for their application to a business.
This webinar will help you navigate the overlapping and sometimes confusing system of laws and regulations which may impact your business, ranging from emerging state-level privacy legislation to the numerous data breach notification statutes to cybersecurity regulations with extraterritorial effect.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-us-privacy-and-data-security-regulations-and-requirements-2021/
This course provides an overview of whistleblower protections for employees who blow the whistle on cybersecurity or data privacy concerns. And it offers practical tips and insights for practitioners on how to evaluate potential cybersecurity whistleblower claims and overlapping remedies to maximize damages. In addition, the course addresses the challenging issues that arise when a whistleblower simultaneously prosecutes both whistleblower retaliation and whistleblower rewards claims.
Introduction to US Privacy and Data Security: Regulations and Requirements (Financial Poise)
The United States has no federal data security or privacy law covering all businesses or all U.S. citizens. Instead, federal agencies and individual states have created their own patchwork of laws and regulations which must be evaluated for their application to a business.
This webinar will help you navigate the overlapping and sometimes confusing system of laws and regulations which may impact your business, ranging from emerging state-level privacy legislation to the numerous data breach notification statutes to cybersecurity regulations with extraterritorial effect.
Part of the webinar series: CYBERSECURITY & DATA PRIVACY 2022
See more at https://www.financialpoise.com/webinars/
California Consumer Privacy Act: What your brand needs to know (Ogilvy Health)
Joe Youssef provides an insightful overview of the California Consumer Privacy Act (CCPA) that will take effect in 2020. This presentation explores the key principles of the CCPA and how brands can prepare to ensure they are compliant with the policy.
Data breach events result in significant losses each year. Our partners at Bonahoom & Bobilya, LLC, created a presentation about understanding the hidden regulatory risks of a data breach so you can keep your company from going out of business.
This presentation has been shared with permission.
All product and company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.
Cybersecurity, Privacy and Data Security from a Business Lawyer's Perspective (Data Con LA)
Data Con LA 2020
Description
The presentation includes a discussion of data breach cases and the takeaways from these cases, i.e., that no companies (large, medium or small) are immune from liability. I discuss the potential impact of a data breach on a business and the steps that businesses can take to protect themselves along the timeline of a breach (i.e., before, during and after). I discuss the FTC's role in the regulation and enforcement of actions related to data security and data breaches, and talk about the commercially reasonable standard that the FTC applies to determine liability, what that standard means from a legal perspective, and how it relates to data security measures and cyber insurance. I present examples of practices that the FTC has found to be commercially unreasonable and discuss what security experts have deemed to be some of the best practices when it comes to data security. I also discuss businesses' liability for their vendors' data breaches, cyber insurance and current and future data security and privacy regulations and legislation including the GDPR and CCPA.
The objectives of the presentation are to:
1) ensure that attendees know that they are exposed to risk in the area of cybersecurity and data breaches;
2) provide them with information to minimize that risk;
3) make them aware of current and expected privacy laws and regulations; and
4) provide pragmatic, specific actionable information to help enable them to comply with their legal obligations.
Speaker
Kathy Winger, Law Offices of Kathy Delaney Winger, Attorney/Owner
Safeguarding Privacy: Compliance Strategies for Debt Collection Agencies unde... (Cedar Financial)
Delve into the intricate world of debt collection in California and discover the strategies employed by agencies to ensure seamless compliance with the California Consumer Privacy Act (CCPA). This informative PDF outlines key measures taken to protect consumer privacy, navigate data protection regulations, and maintain the highest standards of legal compliance. Gain insights into the intersection of debt recovery and privacy laws, ensuring a secure and lawful debt collection process in alignment with the CCPA. Download now for a comprehensive guide to privacy compliance in California's financial landscape. #DebtCollection #CCPACompliance #CaliforniaPrivacy #DataProtection #PDFSubmission
#CedarFinanical
2. Overview

The State of California Consumer Privacy Act ('CCPA') has been considered a comprehensive legislation protecting the privacy of consumers and the rights vested with them in this regard. The California Privacy Rights Act ('CPRA') is around the corner and has increasingly garnered the attention of organizations and entities processing personal data, which want to understand whether the CPRA is applicable to the activities undertaken by them. It is therefore pivotal to understand the law and its essential obligations.

The CPRA modifies the previous State of California law on data protection and privacy, the CCPA. In 2020, a statewide data privacy statute was signed into law. However, it will become fully enforceable on July 1, 2023, with retroactive application to January 1, 2022. The bill aims to reinforce the State of California's position as the leader in data privacy legislation in the United States by dramatically expanding the existing CCPA.

Target Audience

This whitepaper seeks to analyse the law and compare it to other notable legislative frameworks on data privacy and protection, like the California Consumer Privacy Act and the General Data Protection Regulation. It tries to provide an overview of the proposed law. It is tailored to a wide audience, including senior and mid-level IT management, programme managers, and compliance leaders, to help them comprehend the goals of the CPRA and the obstacles they may encounter in showing compliance with this proposed legislation.

It also intends to generate discussion among secondary audiences, such as students and academics, to help them comprehend the complexities of the proposed bill and its provisions.
3. Introduction
The California Privacy Rights Act of 2020 (CPRA), also known as Proposition 24, was approved by a majority of voters on November 3, 2020, after appearing on the ballot for the state's general election. It builds upon the California Consumer Privacy Act (CCPA) of 2018, which provided the groundwork for consumer privacy legislation. The law will go into effect on January 1, 2023, and it will apply to personal information obtained on or after January 1, 2022.
The CPRA is an addendum to the CCPA, adding new sections about privacy protection authority, consumer rights, etc. The proposition establishes additional provisions in State of California law, allowing consumers to prevent businesses from sharing their personal data, correct inaccurate personal data, and limit businesses’ use of “sensitive personal information,” including precise geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specified health information. Considering this, businesses and organizations processing personal information will have to pay attention to compliance with the CPRA and the possible repercussions of any non-compliance.
Structure
This whitepaper covers the following aspects:
- Problem Statement
- Scope of the Bill
- Key changes brought by CPRA
- Key topics under CPRA
- Exemptions under CPRA
- Who needs to comply with CPRA
- Rights of consumers under CPRA
- Comparison with GDPR
- Enforcement and liability
- Challenges posed by the CPRA to businesses involved in Data processing
- Conclusion
4. SCOPE OF THE BILL
The compliance requirements under CPRA are different from the CCPA. All the compliance requirements stem from the definition of ‘business.’ As defined under the CPRA, a 'business' is a legal entity that conducts business in the State of California, acts for financial gain, collects or has collected on its behalf the personal information of consumers, and fits one of the following criteria:
1. As of January 1 of the calendar year, has a gross revenue in excess of $25,000,000 in the preceding calendar year;
2. Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or
3. Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.
In addition, the scope of entities required to comply with the CPRA is potentially increased by defining common branding. Common branding is the use of a shared name, servicemark or trademark by two or more businesses in a manner which would lead the consumer to assume that the two or more entities are commonly owned. Under CPRA, the exchange of information from a business to a firm that uses common branding brings the latter company under the jurisdiction of CPRA.
The CPRA introduces two new ways for a business to qualify as an “enterprise”. First, a joint venture or partnership comprised of enterprises in which each business owns at least a 40% stake will result in the joint venture being regarded as a “business” subject to the CPRA. Lastly, any company can self-certify compliance with the CPRA, thereby agreeing to be governed by the law.
5. KEY CHANGES UNDER CPRA
1 CONSUMERS' RIGHT TO CORRECT INACCURATE PERSONAL INFORMATION
CPRA grants consumers the opportunity to amend erroneous personal information. It states that:
- A consumer has the right to request that an organisation rectify any erroneous personal information about them.
- A business that collects consumers’ personal information must notify them of their right to request the correction of erroneous information.
- A business that receives a verifiable consumer request to update erroneous personal information is required to take commercially reasonable measures to comply with the consumer’s request.
2 UPDATED CONSUMER PRIVACY RIGHTS
The CPRA contains a variety of strengthened privacy protections including:
- A consumer’s right to limit the collection, use, and disclosure of sensitive personal information
- Additional recourse possibilities for victims of online security breaches such as the theft of sensitive personal data and financial data.
3 LIMITATIONS ON TRACKING
The CPRA aims to restrict geolocation tracking by expanding consumer rights. Within a specified radius, consumers will be able to stop businesses from tracking their geolocation for the majority of purposes.
4 ADDITIONAL PROTECTION FOR MINORS
Under the CPRA, State of California’s minors, identified as an individual below the age of 16 years, will enjoy greater safeguards than they had under the CCPA.
- Contrary to its predecessor, the CPRA forbids the sale of an individual’s personal information without permission, and consent may entail opting in rather than opting out.
- In other words, children are automatically protected by the CPRA, and in some situations, the penalties for noncompliance will be three times as severe as before.
- Where businesses intend to sell or share personal information of minors under the age of 13, an affirmative consent of the parent/guardian is required, whereas, for minors between the ages of 16, an affirmative consent of minor is considered adequate.
6.
5 EXPRESS INFORMATION SECURITY REQUIREMENTS
Businesses must “establish appropriate security measures and processes” to protect personal information against unauthorised or illegal access, destruction, use, modification, or disclosure. However, the CPRA fails to define any specific standard or certification regarding Data Security Requirements and thus stands vague in that respect.
6 ANTI-RETALIATION CLAUSE FOR EMPLOYEES
Before employee rights became a concern, businesses frequently resorted to retaliation against employees who opposed the corporation and exercised their legal rights. The CPRA contains a revised and reinforced anti-retaliation provision which states that:
- A business shall not discriminate against a consumer based on the consumer's exercise of any CPRA-protected right.
- A firm may not discriminate against a customer by:
  - Denying a consumer access to goods or services.
  - Charging various prices or rates for various goods and services.
  - Providing the consumer with a different level or quality of goods or services.
  - Implying the consumer will receive a different price or rate for products or services, or a different level or quality of goods or services.
7 RIGHT TO KNOW LENGTH OF DATA RETENTION
While the CCPA does not directly address data retention, the CPRA does. It permits enterprises to store personal information only when it is “necessary and proportional” for collecting, processing, and other reasons that are properly declared. According to the look-back provision, even if a business receives a request to know on January 1, 2023 (the day the law goes into effect), it should be prepared to provide information going back to January 1, 2022.
8 EXPANDED INITIAL NOTIFICATION OBLIGATIONS
The CPRA strengthens the disclosure requirements for privacy notices posted at or before the actual collection point. Businesses that collect consumers’ information must:
- Disclose if collected information will be sold or shared;
- Identify the sensitive personal information that will be collected;
- Disclose either the duration of information retention or the criteria used to determine it.
- If they do not collect information, disclose that fact using a noticeable notification.
7. KEY TOPICS UNDER CPRA
Personal Information
The CPRA defines personal information as “information that identifies, refers to, describes, is reasonably capable of being associated with, or is reasonably capable of being linked, directly or indirectly, with a specific consumer or household.” It comprises information such as a person’s real name, alias, mailing address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's licence number, or passport number, among other identifiers.
California Resident
The CPRA applies to the personal information of California Residents, which is defined in State of California Tax Regulations as:
- an individual who is in California for other than a temporary or transitory purpose.
- an individual domiciled in State of California who is outside of the state for a temporary or transitory purpose.
Sensitive Personal Data
In addition, the CPRA adds a new subcategory of personal data known as “sensitive personal data.” This subcategory includes:
- Background and Ethnicity (Political opinion, sexual orientation etc.)
- Genetic/Biometric data, Health data
- Financial account information
- Precise geolocation data
- Contents of mail, e-mail and text messages
- Government issued IDs.
8. KEY TOPICS UNDER CPRA
EXEMPTIONS UNDER CPRA
Medical Information
- Governed by the Confidentiality of Medical Information Act (the "CMIA") or protected health information ("PHI") collected by a covered entity or business associate governed by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH").
Personal Information
- Personal Information gathered as part of a clinical trial or other biomedical research study.
- Personal Information obtained by a business concerning an individual as a job applicant, employee, owner, director, officer, medical staff member, or independent contractor.
- B2B Contracts are exempted.
Vehicle Information
- Information about the car or its ownership is retained or shared between a new vehicle dealer and the manufacturer.
Credit Information
- Activity involving the collection, maintenance, disclosure, sale, communication, or use of any consumer credit information.
9. GENERAL DUTIES OF BUSINESSES UNDER CPRA
- Follow the Basic Privacy Principles like Data Minimisation, legitimate purpose, Storage limitation, Accuracy and Transparency, Non-Discrimination and Data Retention (restriction).
- Businesses must provide notice disclosing the collection of sensitive personal information and the purpose of such collection.
- CPRA requires enterprises to have contractual agreements in place not only with service providers and contractors, but also with third parties to whom the businesses sell or distribute personal information.
- Businesses shall use adequate security measures to prevent unauthorised access to or disclosure of such information.
10. WHO NEEDS TO COMPLY WITH CPRA
The CPRA applies to any entity organised and operated for profit or financial gain that:
01 Satisfies the definition of business under the CPRA (refer pg. 4)
02 Collects the personal information of consumers
03 Determines the purpose and means of processing
04 Carries on business in the State of California
However, a business does not need to comply with CPRA if its commercial activities take place outside of California.
ENFORCEMENT AND LIABILITY
The CPRA transfers enforcement authority from the Attorney General of the State of California to a new privacy-focused agency, the California Privacy Protection Agency (CalPPA). When facing an enforcement action, businesses will no longer be afforded the CCPA's 30-day cure period before being fined by CalPPA for a violation. In addition, the CPRA establishes an automatic $7,500 fine for violations involving minors' personal information. In addition to the existing private right of action for breaches of unredacted and unencrypted personal information, the CPRA grants consumers a private right of action if an email address, password, or security question and answer that would allow access to an account are compromised.
11. COMPARISON WITH GDPR
| Sl. No. | Basis of Comparison | EU GDPR | CPRA |
|---|---|---|---|
| 1. | Scope / Applicability | The GDPR applies to organisations that have presence in the EU or if the data of EU residents is processed irrespective of company’s location. | The CPRA extends to businesses that are located in the State of California and to all the businesses that despite not being located in State of California do business in the State. The criteria of businesses has been laid down as well. |
| 2. | Data Subject Rights | The rights vested with data subjects under EU GDPR are: right of access; right to rectification; right to erasure; right to restriction of processing; right to data portability; right to object. | The rights vested with data subjects under the CPRA are: right to be forgotten; right to opt out from having information sold; right to equal service and price; right to receive information on privacy practices and access information; right to deletion; right to receive information about onward disclosures; right to prohibit sale of information. |
| 3. | Obligations of Controllers/ Businesses/ Covered Entities | The EU GDPR elaborately lays down the obligations and duties entrusted upon the Controllers and Processors individually in furtherance of ensuring the protection of the personal data so processed. | The CPRA does not provide for the obligations and duties of both controllers and processors individually in an elaborate manner. |
| 4. | Penalties | The penalty under GDPR is defined, and fines and penalties imposed under Article 83 are flexible and scale with the firm. The administrative fines are determined up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. | The maximum penalty under CPRA for any violation is $7500. Upon any business not acting upon violation under the CPRA, within 30 days, the business would be liable to civil penalty not more than $2500 for each violation & $7500 for any intentional violation. |
12. CPRA Compliance Toolkit for Businesses
1. Determine if your company is subject to CPRA.
2. Take advantage of the CPRA to review and update your CCPA compliance programme.
3. Update your personal information database.
4. Determine if sensitive personal information is collected.
5. Establish a method for implementing the right to collect personal data.
6. Establish a procedure to implement the right to restrict the use and disclosure of sensitive personal information.
7. Address compliance requirements for your vendors.
8. Address CPRA's limitations on collection, use and retention.
13. CPRA Compliance Toolkit for Businesses
9. Determine if your company engages in "profiling".
10. Determine if your organisation is subject to new risk assessment and audit requirements for high-risk organisations.
11. Refresh your current privacy education programmes.
12. Draft appropriate policies for data retention, incident management, etc. as per the new provisions.
13. Determine policies and procedures to be implemented to deal with minors' data, considering the new provisions about minors' data in CPRA.
14. Enable opt-outs to stop sharing personal data for behavioral advertising, based on the consumers' activity.
15. Businesses are not permitted to store a consumer's personal information on devices while the consumer is in California and later collect that information when the consumer is not in California.
14. RIGHTS OF CONSUMERS UNDER CPRA
- Right to Delete Personal Information
- Right to Rectification of Incorrect Information
- Right to Access Personal Information
- Right to Limit Sensitive Personal Information
- Right to Access Information About Automated Decision Making
- Right to Opt-Out of Automated Decision-Making Technology
15. CHALLENGES POSED BY THE INTRODUCTION OF CPRA
The CPRA expands consumer protections and imposes new obligations on businesses. Some of the definitions have been changed and the mandate of some additional rights has been expanded, for example the right to opt-out of processing. With the enactment of the CPRA, businesses must revise and update their compliance.
The CPRA requires entities to provide a 12-month personal data report to residents. In this regard, businesses will need to improve their data mapping procedures. Organizations will also be required to disclose whether they have applied artificial intelligence to any personal data.
The CPRA extends its protections to State of California residents in their roles as employees, applicants, independent contractors, and other work-related roles, i.e. HR Individuals. As consumers, HR Individuals will have access to six data rights. These include the:
- rights to access, correct, and delete personal information;
- the right to opt out of the sale or sharing of their personal information;
- right to restrict the use of their sensitive personal data;
- the privilege of not being punished for exercising these rights.
As a consequence of this, CPRA compliance challenges may include a review of existing practises and the implementation of modifications to contracts, privacy notices, individual rights response procedures, and other privacy operations.
To effectively comply with CPRA requirements, employers can make the following efforts:
- Develop and document a retention policy that complies with employer data retention requirements;
- Draft a CPRA-compliant employee privacy policy;
- Comprehend the information that the organisation collects, the categorization of data, the location of data, and the steps to access, correct, or delete data;
- Examine existing contracts with service-providers and ensure CPRA compliance;
- Identify the legal, HR, and technological support responsible for the efforts required to build a privacy compliance programme;
- Develop procedures for responding to requests from employees.
16. CONCLUSION
The CPRA is the most comprehensive consumer privacy law in the United States to date, and additional privacy legislation is likely to follow. To ensure compliance with the CPRA, organisations will need to become more intelligent and transparent about the information they collect, on whom, and how they use it. The most effective method for completing these tasks is to plan ahead and determine what resources are required, including internal and external support. Given that data governance and security compliance programmes necessitate time, attention, and effort from all facets of a business, it is prudent to integrate the appropriate technology to ensure compliance.
Akarsh Singh (CEO & Co-Founder, Tsaaro)
Akarsh is a fellow in Information Privacy by IAPP, the highest certification in the field of privacy. His expertise lies in Data Privacy and Information Security Compliance.
WHY TSAARO?
Tsaaro provides privacy and cybersecurity services to help organizations meet regulatory requirements while maintaining a robust security infrastructure.
Our industry-standard privacy services include Privacy compliance, DPO-as-a-service, Vulnerability Assessment & Penetration Testing, Cyber Strategy, DPIA to name a few, delivered by our expert privacy professionals recognized by IAPP.
Krishna Srivastava (Co-Founder & Head of Cyber Security, Tsaaro)
Krishna is an ex-KPMG data security consultant and a fellow in Information Privacy by IAPP, the highest certification in the field of privacy. He has vast experience in Information Security and Data Privacy Compliance.
Krishna Chaitanya (CIPM, CISA, ISO 27001 Lead Auditor, OCP, MCSE)
Krishna is an Information Security & Privacy Professional with over 16 years of progressive Information Technology & Databases experience, encompassing 7+ years of Information Security Audit Programs & Data Protection.