California Privacy Rights Act – What Businesses Must Do to Comply
The California Privacy Rights Act (CPRA), also known as Proposition 24, was approved on November 3rd, 2020 and amended the existing California law, the California Consumer Privacy Act (CCPA) of June 28th, 2018. In January 2023, new amendments to California’s data privacy regulations take effect and will require businesses to make the necessary changes to stay compliant.
The new regulations apply not only to businesses operating in California but also to those operating outside it and promoting their services in the state. This makes the new amendments quite important, as California is a leading economy and has the largest population of any US state.
Businesses that Need to Comply
Both the CPRA and the CCPA apply to businesses based in California and to those offering services to California from outside its borders. The conditions under which a business falls under the new regulations are as follows:
California Consumer Privacy Act (CCPA)
The CCPA applies to businesses that generate annual gross revenue of over $25 million, or that buy or sell the personal data of over 50,000 individuals, households, or devices for commercial purposes. The other condition is that the business derives more than half of its annual revenue from selling customers’ personal information.
California Privacy Rights Act (CPRA)
The CPRA applies to businesses that generate annual revenue of over $25 million and that buy or sell the personal information of more than 100,000 individuals or households. The other condition is that the business derives more than half of its earnings from selling or transferring the personal information of its customers.
Under the new regulations, the terms “selling” and “sharing” of personal information have a broad scope, which means businesses need to pay close attention to what they must do. The regulations define selling as: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration”.
Sharing, in turn, is defined as: “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged”.
New Types of Businesses Under the Updated Regulations
The amendments introduced by the CPRA bring new types of businesses within the scope of the regulations. For instance, joint ventures and partnerships in which each participating business holds at least a 40% interest fall under the same criteria. Similarly, a business that voluntarily certifies to the regulation is also obliged to comply. Moreover, the CPRA also applies to businesses that share common branding with an already regulated business. As per the amendments, common branding is defined as a “shared name, service mark, or trademark that the average consumer would understand that two or more entities are commonly owned”.
Parties that Fall Under the Regulations
As per the CCPA and the CPRA, the transfer and sharing of personal information involve three major parties: contractors, service providers, and third parties. A contractor is defined as a “person to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract”. A service provider is defined as “a legal entity organized for profit that processes personal information on behalf of a business.” Like a contractor, a service provider receives information from businesses “for a business purpose, pursuant to a written contract”. Third parties are defined as entities that are neither contractors nor service providers but are counterparts to whom businesses “sell or share” personal information.
The sharing of personal information with contractors and service providers is governed by a written contract, which sets the rules for the transfer of personal data and prohibits its resale. Transfers of personal information to third parties, however, follow a different system, one that takes into account the customers’ rights over their information.
What are Consumer Rights Under the Regulations?
The CCPA and the CPRA state that personal information includes anything a business collects that relates to its customers. This means that personal information is not limited to names, dates of birth, and locations; it also includes IP addresses, behavioral patterns, web search history, and even cookies. Businesses that fall under these regulations are required to give California residents the means to fully exercise their privacy rights. These include the right to know which information is collected, its source, and the purpose for which it is required. Consumers also have the right to know with whom their personal information is shared and to whom it is sold. They also have the right to opt out of the “selling or sharing” of their personal information.
Customers of any business can access the personal information they previously provided and have it deleted or amended at any time. Furthermore, the regulation states that businesses cannot refuse service, or change the quality of their services, because a customer exercises any of the above-mentioned rights.
Depending on the type of violation, businesses face different civil penalties under the regulation. For an intentional violation, the business is fined $7,500 per violation; for an accidental violation, the fine is $2,500 per violation. However, penalties only take effect when a business fails to rectify a violation within 30 days. If an individual sues the business, the amounts recoverable vary depending on the personal information used or breached. If the personal information is not harmed in a data breach, the customer can recover between $100 and $750 for each instance; if the personal information is affected, the customer can recover more than $750. Although the amendment itself does not take effect until January 1st, 2023, it applies to personal information collected from January 1st, 2022.
What Shufti Offers
Businesses that fall under the CPRA and CCPA need to understand the importance of complying with the new regulations. To comply, they must protect the personal information of their customers. Although managing compliance costs is a challenge, businesses with stringent identity verification measures can steer clear of regulatory fines.
Shufti’s robust identity verification solution allows your business to avoid the hassle of a manual verification system and saves it from regulatory fines. The system deploys thousands of AI models to verify identities in less than a second with an accuracy of 98.67%.
Want to know more about this solution? Get in touch with our experts!