Data Privacy

CPRA: A look at the state of California’s data privacy law

A look at California’s new and more robust data privacy legislation - California Privacy Rights Act (CPRA).


It’s a little difficult to look at the overall state of data privacy across the US, mainly because there is no universal privacy legislation at a federal level. Instead, regulations surrounding data privacy are an assortment of varying state laws catering to various sectors with different definitions of data breaches. Some advancements have been made in states like Colorado and Virginia who have both passed consumer privacy legislation in 2021. But the front-runner for privacy protection is the state of California. 

California passed the California Consumer Privacy Act (CCPA) back in 2018, and is introducing another, more robust data privacy legislation - California Privacy Rights Act (CPRA). The law comes into effect on 1st January 2023, with “right to know” requests applicable from January 1, 2022.

The law is set to drive more changes for businesses, after having already adjusted the way they collect and use consumer data under CCPA. It means more operational and administrative costs.

California Privacy Rights Act (CPRA) vs CCPA

The CCPA was introduced with the intention of improving consumer protections, following in the footsteps of GDPR. A major focus of the CCPA was that it applied to ‘controllers’ (institutions or organisations) doing business in the state, to the extent that those businesses process data of Californian residents. It provided four main pillars of privacy rights for consumers; the right to know, the right to delete, the right to opt-out, and the right to non-discrimination for exercising CCPA rights. Ultimately, the CCPA was a framework for businesses operating in California regarding their privacy practices.

The aim of the CPRA is to bolster existing privacy law and grant greater control to Californian consumers, and address the use of ‘sensitive information’. Starting from 2023, ‘consumers’ will be defined as a broader group, applying to Californian employees and people involved in a company’s trade and business contacts. The additional privacy rights being included are the right to correct inaccurate information, the right for data minimisation and purpose limitation, and the right to receive notice of personal information use with the choice to opt out.

While many believe the law to be more of a CCPA 2.0, Elizabeth Schweyen, Senior Manager, Global Privacy & Compliance at Druva explains the difference between the two regulations. She states, “CPRA will establish a new category of ‘sensitive personal information’ that is regulated separately. The law will give consumers more rights around the use of this sensitive personal information, and businesses will be required to protect this class of data and respond accordingly based on individual requests.”

CCPRA sets new restrictions on the data that businesses collect, specifically on how that data is collected, kept, and used. Schweyen believes that ultimately, CPRA provides the motivation for “businesses to improve their data management; they must now define how they use data, how long they retain it, who it’s shared with, and ensure that they follow their policies. The regulations exceed even basic data management to include retaining algorithms that drive automated decision making about people. Regulators will expect businesses to be able to reproduce and explain any decisions made by artificial intelligence and consumers will be able to challenge those decisions.”

A more significant element of the CCPRA is the scope of data that consumers can force businesses to stop using, it includes the usual identity markers such as identification, race, and religion, but also consist of things like genetics, specific geolocation, union membership, and biometrics.

Since the category of ‘consumer’ now refers to actual employees, biometrics will be a complicated area for businesses. If an employee chooses to opt out of providing biometric data, it can potentially affect office security systems for Californian businesses. Organisations will need to be able to justify their use of biometric information.

Where CPRA differs from GDPR

Europe's General Data Protection Regulation (GDPR) has proven itself to be a watershed moment for data privacy, with no argument on its impact on data privacy laws across the world. The influence of GDPR on the CPRA is evident, especially in relation to data minimisation and purpose limitation. Not only do consumers have the choice to opt of out their data being sold to third parties, but there is also greater legal action and enforcement over the regulation. Under CPRA, consumers can now sue a business for a data breach that contains personal information like usernames and passwords.

Schweyen discusses the potential consequences of breaking CPRA compliance, and how it compares to GDPR. She states, “Under the GDPR, administrative fines can reach 20 million euros or 4% of annual global revenue. For CPRA, the California Attorney General can fine companies $2,500 per violation or up to $7,500 for each intentional violation. Note that each affected individual is counted as a violation, so an intentional breach of 100,000 people’s data could bring a total fine of $750M, plus damages of $1M-$7.5M to the victims.”

She goes on to note a new change under CPRA, where “businesses no longer have a 30-day window to cure alleged noncompliance before being subject to administrative enforcement. However, the newly formed California Privacy Protection Agency will retain discretion to allow business to cure alleged violations, but the exclusion of a guaranteed right-to-cure makes early monitoring and compliance a much more critical area of focus for CPRA compliance.”

CPRA security pitfall

CPRA’s purpose is to ensure data privacy compliance and is making significant strides in terms of how businesses should handle their data. But there is one potential pitfall that businesses may struggle with. Mike Weaver, Microsoft MVP and Senior Product Manager, at Quest Software raises the security complication that businesses can face with PST (Personal Storage Table) files, especially since the ability to save and retain email data is now under CPRA law.

Weaver explains, “Where PST files can be stored just about anywhere with limited indexing and control options, compliance becomes unmanageable. The information is de-centralized and off-the-radar so there’s no telling what’s stored where, or for how long. Just as with GDPR, the new CPRA regulations are putting PST files back in the spotlight. If users in your organisation still revert to PSTs as part of their email storage, you simply can’t comply with these privacy regulations as you have no idea what’s lurking in the ‘Wild West’ of your environment.”

Under CPRA, organisations face greater penalties when it comes to a data breach, and PST data which usually does not have built-in security, puts businesses at risk of hefty fines. One way Weaver recommends solving this issue is by centralising an organisation’s PST data with modern storage.

What's next?

Ultimately, organisations have a responsibility to not misuse personal consumer data and keep it secure. The CPRA only re-emphasises the importance of data privacy compliance, which will continue to be a crucial priority for businesses in the future. But what is clear is that comprehensive privacy laws are already making way in the US, some of the prospective states for possible legislation in 2022 range from Oklahoma to Connecticut, and it’s only a matter of time before businesses see a US federal bill.