Experts on CPRA compliance

January 31, 2022

Part 2: CPRA Vs CCPA - compare California’s privacy laws & get compliant


In our last blog, we explored how the CPRA compares to the CCPA — from enforcement to expanded consumer data rights, and stricter data protection for minors. But that’s not all — in part two, you’ll see how the CPRA creates new consumer rights & we’ll define what those are. In this blog we’ll explore:

  • What is Sensitive Personal Information (SPI) under CPRA
  • How the CPRA changes coverage for businesses
  • How the CPRA affects contractors, service providers, and third-party vendors
  • How to quickly comply with these changes

New consumer rights under the CPRA

In addition to extending the rights provided by the CCPA, the CPRA includes new rights.

The CPRA provides consumers the right to:

  • Correct inaccuracies in personal information
  • Limit how sensitive personal information is processed

Get help prepping for the CPRA.

Control of Sensitive Personal Information

The CPRA provides special protection for sensitive personal information (SPI) — information that could cause harm to an individual if disclosed.

Under the CPRA, SPI includes:

  • Government identity information such as Social Security Numbers
  • Financial information such as account numbers and login credentials
  • Specific geolocation (not zip code-level coarse location data)
  • Race
  • Religion
  • Sexual orientation
  • Union membership
  • Health and genetic data

Companies are required to provide consumers notice if they plan to use or share SPI, along with a “clear and conspicuous” opt-out link. The CPRA also requires companies to limit retention of SPI, keeping the data no longer than necessary to fulfill their declared purposes.

Right to correct inaccurate information

Under the CPRA, consumers have the right to have inaccurate information corrected. Like other CPRA data rights, this right extends to any parties the information has been sold to or shared with — not just the company that collected the data.

How the CPRA changes coverage for businesses

If you’re a small business with limited data collection and use, the CPRA may actually remove you from coverage. Otherwise, you probably have to follow it.

The CCPA never applied to all businesses, and neither does the CPRA. Some small businesses that make little use of personal data will find themselves out of scope of the law.

The CCPA applies to all for-profit businesses that do business in California, collect consumer information, and either:

  • Have an annual revenue of at least $25 million;
  • Buy, sell, receive, or share the personal information of at least 50,000 consumers, households, or devices, or;
  • Make at least 50% of annual revenue from selling consumers’ personal information

The CPRA amends the second and third requirements. The new law covers for-profit companies that do business in California, collect consumer information, and either:

  • Have an annual revenue of at least $25 million;
  • Buy, sell, receive, or share the personal information of at least 100,000 consumers, or households (devices have been removed), or;
  • Get at least 50% of annual revenue from selling or sharing consumers’ personal information

Contractors, service providers, and third parties

The CCPA regulates how covered businesses can share data with business partners and other entities. The CPRA revises and expands these rules.

If you’re doing business with a covered entity and that business involves personal information, the CCPA considers you either a service provider (like a vendor), or considers you what the CCPA calls a “third party,” meaning a purchaser of data.

Third parties — i.e. data purchasers

When a business buys personal information covered by the CCPA, the law generally sees them as a third party. For example, if your sales or marketing team buys lists of leads from a covered business for your marketing program, you become what the CCPA considers a third party.

Under the CCPA, consumers could opt out of these purchases. The CPRA also extends other customer rights, attaching them to the data even after it is sold or shared. For example, if a consumer sends a valid deletion request to a company that sold you personal data, you must delete the data as well.

Service providers

Service providers are entities that are contracted to receive or process personal information from a business on behalf of the business. So if you provide billing, marketing, SaaS products, or any other service that processes personal information covered by the CCPA, you’re covered by the CPRA.

Under both the CCPA and CPRA, service providers can only use the personal information to provide the specific service they’ve agreed to.

The CPRA clarifies service provider rules and adds new requirements

In addition to their obligation under the CCPA, service providers are explicitly prohibited from selling the personal information, or using, retaining, or sharing it with an outside party (and your service provider status falls into question, if you help the covered entity conduct targeted advertising with the data you received). Additionally, the CPRA adds two other requirements.

  • Restriction on combining personal information: The CPRA imposes new restrictions on how service providers can combine personal information received from different sources, such as multiple businesses or businesses and consumers. The rules are not finalized, so expect to see further guidance as the CPPA proceeds with rulemaking. 
  • Compliance obligations: Businesses will be required to monitor how service providers and contractors carry out their obligations. Service providers and contractors, in turn, will need to create contracts that spell out their subcontractors’ CPRA obligations, and monitor their own subcontractors.

Panic-free CPRA compliance.

What are the CPRA requirements for covered businesses?

Make it easy for consumers to understand and exercise their rights.

Under the CPRA, businesses must provide consumers notices of their rights, and honor consumer rights and requests, such as the right to opt-out.

Companies need to clearly and explicitly disclose how they use consumer data. You need to let consumers, B2B customers and prospects, and employees know:

  • What types of information you collect, share, or sell
  • What sources you derived the personal information from
  • What you use the information for
  • What entities you share the information with
  • What information you share with service providers and third parties
  • How long you hold onto each type of data

It’s also crucial to make it as easy as possible for consumers to exercise their rights. Your website and app should have clear, conspicuous buttons to limit or opt-out of the sale of personal information, as well as obvious and user-friendly tools for consumers to exercise their other rights, such as the right to know, and the right to delete.

Monitor your compliance and security

If you possess personal information that presents a significant risk to consumer privacy and security, you need to undergo an annual independent cybersecurity audit. Additionally, you should submit regular risk assessments to the CPPA. The exact requirements of the security audits are still under discussion, so it’s crucial to keep an eye on new rulemaking processes by the CPPA.

Prepare thorough contracts, backed by automated procedures

Under the CPRA, you must have contracts with any service providers, third parties, or contractors you share sensitive data with, spelling out your data practices. These should cover:

  • What data you’re sharing with them
  • How they are allowed to use the data
  • Their obligations for protecting, retaining, and deleting data
  • Requirements for processing consumer requests under the CPRA
  • Breach notification, reporting, and remediation processes

These documents need to be backed up by automated procedures. You need a system in place that can provide, correct or delete consumer records in-house, and coordinate with service providers, contractors and third parties to fulfill these requests.

Service providers:

Your CPRA obligations will depend on the service you provide.

All service providers must secure personal data, and use it only to serve the needs of the business providing it, as specified in their contract. It’s the responsibility of the business furnishing personal data to spell out exactly how the service provider should use it. However, once the data is in the service provider’s hand, the provider may need to be able to change, disclose, or delete it in response to consumer requests.

What role the service provider plays in consumer requests will vary from case to case. A company providing database software in the cloud probably won’t have to play a major role in processing CPRA requests, since their clients manage their own individual databases. On the other hand, a managed services provider may have a more extensive role in handling requests.

Third parties

Learn to fulfill data rights requests.

If you’re a third party, the data you purchase comes with rights attached to it. That means you need to abide by the limits of the contract in how you use personal information. If you intend to change your data practices or sell the consumer data to another company, you must provide consumers with notice, and the opportunity to opt-out.

How to get ready for the CPRA

In many ways, the CPRA is still under development. While the actual law won’t change, the CPPA is still deciding how to enforce key requirements, such as mandatory audits and risk assessments. Your company should prioritize compliance with core rights like the right to know and the right to delete, while waiting for rulings from the CPPA on other issues.

The right technology can make it much easier

While the CPRA provides or enhances a lot of rights, they all have one thing in common: they depend on understanding your data landscape. If you can track how your business collects, stores, shares, and uses data, complying with right to know or deletion requests will become routine. If not, it will be difficult and costly.

TerraTrue can make business under the CPRA a whole lot easier and less expensive. It enables you to map where your existing data is and stay current, quickly reviewing new projects for compliance and updating your data policies. This empowers you to satisfy right to know requirements, and quickly comply with CPRA data requests — and anything else compliance agencies throw at you.