What the New California Privacy Rights Act (CPRA) Means for Out-of-State and International Businesses

Posted by: kevensteinberg

On election day this past November, California voters approved Proposition 24, the California Privacy Rights Act (CPRA). This new act strengthens the existing California Consumer Privacy Act (CCPA) by adding online privacy rights for consumers, tightening consumer privacy protections, and holding companies accountable for unauthorized data sharing. The CPRA also brings California regulations closer to the European Union’s privacy law, the General Data Protection Regulation (GDPR).

And like the GDPR, the CPRA doesn’t just apply to California businesses. The CPRA applies to your company if it does business in California and has annual gross revenues over $25 million; buys, sells, or shares personal information from 100,000 or more California consumers or households; or derives at least 50% of its revenue from selling or sharing consumers’ personal information. This means whether your business is based internationally or simply in a different state, the CPRA may apply to you. If you think your business might be affected by the CPRA, keep reading to learn more about this new law and the steps you can take to comply. 

How Does the CPRA Compare to the GDPR?

Many of the new provisions in the CPRA take inspiration from the GDPR, making California’s privacy regulations much more similar to EU regulations. However, there are also a couple of points that make the CPRA unique. So, what do these privacy laws have in common?

Similar to the GDPR’s right to rectification, which allows consumers to correct inaccurate personal data, the CPRA introduces the right for California consumers to correct inaccurate personal information as well. 

The CPRA adds important limits on data collection, processing, and storage similar to the limits imposed by the GDPR. The CPRA permits businesses to collect and share only personal information that is “reasonably necessary and proportionate” to achieve the disclosed purposes for which it is collected. This new California law also imposes a storage limitation on businesses like the limitation imposed by the GDPR: businesses are prohibited from retaining data for longer than is “reasonably necessary” for the disclosed purpose for which the data is collected.

The CPRA also adds the category of “sensitive personal information” to the kinds of data that fall under privacy regulation. Sensitive personal information includes data like social security numbers, other government identifiers, sexual orientation, biometric or other health data, race, ethnicity, religious beliefs, and more. These additions bring the data protected by the CPRA into alignment with the range of personal information protected by the GDPR.

One of the most significant differences between the CPRA and the GDPR is that the GDPR is an opt-in system, while the CPRA is opt-out. Under GDPR regulations, businesses are required to prompt consumers to accept cookies and data collection before they can collect or share that personal information. Under the CPRA, on the other hand, consumers have the right to opt out of personal data collection. Businesses are required to notify consumers of data collection and use, but can continue to collect data until a user opts out.

How Will the CPRA Affect Businesses in States Outside California? 

Even if your business is located outside of California, your company must comply with the CPRA if it does business in California and meets any of the following thresholds:

  • Your business derives 50% or more of its annual revenue from selling or sharing the personal data of California consumers. 
  • Your company has a gross annual revenue over $25 million. 
  • You buy, sell, or share the personal information of 100,000 or more California consumers, households, or devices. 

If your business meets any of these qualifications, it will need to come into compliance with the CPRA when it takes effect in January 2023. Companies that fail to comply may face penalties of up to $7,500 for each violation.

What about Businesses in Other Countries? Does the CPRA Apply to Them? 

The CPRA applies to any company that does business in California and meets any one of the three thresholds listed above. That means that just as the CPRA can affect businesses in states outside of California, it will also affect businesses in other countries that collect the personal information of California consumers. Companies who are already in compliance with the GDPR may find they only need to make a few adjustments to comply with the CPRA. Other international businesses, however, may need to make major changes to their privacy policies and other online data collection practices in order to comply with the CPRA and avoid penalties. 

Is B2B Data Exempt from CPRA Regulations? 

When the CCPA came into effect in January 2020, there was a temporary exemption in place for employee and B2B data. With the passage of the CPRA, this partial employee and B2B exemption has been extended until January 1, 2023. Until that date, businesses are required to notify employees and prospective employees of any personal information collection and the purpose of that collection, but are not yet required to comply with other aspects of the CCPA or CPRA with regard to employee data.

Under the business-to-business exemption, businesses are not required to give those same notices or other consumer rights to business contacts. This exemption specifically applies to information “reflecting a written or verbal communication or a transaction” between businesses and contractors, employees, or organizations. 

While there are some exemptions in place for B2B contact data and employee data for the time being, it is critical to note that these exemptions expire. When they expire at the beginning of 2023, the full CPRA will apply not only to consumer data, but also to employee and B2B data.

What CPRA Compliance and Enforcement Means for Your Business

Because the CPRA significantly expands the CCPA, it’s vital for businesses to reevaluate their data collection practices and determine whether or not the CPRA applies to their specific business. If the CPRA does apply, businesses will need to make changes to privacy policies, notices, vendor contracts, and other third-party agreements, and assess their disclosure obligations in order to come into compliance with the CPRA by January 1, 2023. That date may seem far away now, but businesses should start evaluating their policies and practices as soon as possible to make the transition to CPRA smoother and avoid any gaps in compliance. 

Enforcement of the CPRA will also be more effective than for the CCPA due to the creation of the California Privacy Protection Agency, an agency dedicated to enforcing the CPRA. 

Minimize Risk and Avoid Penalties by Consulting a California Business Lawyer

California attorneys know California laws and regulations better than anyone else. The experienced business lawyers at Steinberg Law have lived and worked in California for years, and they have the knowledge and expertise you can rely on to bring your out-of-state or international business into compliance with California laws like the CPRA. The team at Steinberg Law can help your business determine whether or not the CPRA applies to you and assist you in reviewing privacy policies, data collection practices, agreements and disclosures, and more to bring your company into compliance with this new law.

Make doing business in California easier by contacting Steinberg Law today. 
