Table of Contents
- 1 Introduction to CPRA – The CCPA Addendum
- 2 Difference Between CCPA and CPRA
- 3 What is Personal Information According to CPRA?
- 4 What is Sensitive Personal Information (SPI) in CPRA?
- 5 Who Needs to be CPRA Compliant?
- 6 Companies not Affected by CPRA?
- 7 How to be CPRA Compliant?
- 8 Conclusion
- 9 Identity.com
Over the past few decades, online users have been victimized by data mismanagement. Empires and monopolies have been built on users’ data, and monetizing users’ information has multiplied the ranks of millionaires and billionaires. This is the peculiar reality of Web 2.0: users’ data is mostly traded. But a wind of change is sweeping across the online ecosystem. Tech giants like Google and Facebook don’t like it, but regardless of their dislike, the privacy war keeps getting more interesting; it is safe to say, “this is a decade for internet users’ privacy.” The rise of Decentralized Identifiers (DIDs) and Self-Sovereign Identity (SSI) will transform data ownership, allowing users to decide who can access their information and to what extent.
The hype of Web3 and Web5 is centered around increased privacy and user data control. Despite these futuristic promises, California legislators decided to provide a temporary solution. As a result, the California Privacy Rights Act of 2020 (CPRA) was passed into law, having its root in the California Consumer Privacy Act (CCPA) of 2018. What is this CPRA, and how can you protect yourself and your company from penalties and ongoing lawsuits?
Introduction to CPRA – The CCPA Addendum
CPRA stands for California Privacy Rights Act, while CCPA means California Consumer Privacy Act, and there is no CPRA without CCPA. In 2018, a month after the General Data Protection Regulation (GDPR) went into effect in the European Union (EU), California passed the CCPA into law; it took effect on January 1st, 2020.
It is important to keep the two pieces of legislation and their respective timelines distinct. CCPA is the legislation passed in 2018 that took effect in 2020, while CPRA was passed in 2020 and took effect on January 1st, 2023.
With CCPA, any California consumer can request to see all the data a company has saved on them. Traditionally, companies keep data that helps tailor consumers’ experiences and recommend products, but under the CCPA, companies either lose access to this data or have to go through the proper process with users before they can access their data and online behavioral patterns.
As a result, users can now ask to see this information and how many third parties are given access to it. In addition, consumers may sue companies if these privacy guidelines are violated, even if no breach has occurred – just guidelines violations. As supported by the majority of votes during the general election of November 2020, the CPRA of 2020 was built upon this foundation.
CPRA is a form of addendum to CCPA, not an entirely new document seeking to replace the existing provision. The CPRA amends the existing provision by expanding the scope of the policy, excluding some levels of businesses, and redefining what private data means, while introducing an agency that specifically holds firms accountable (the California Privacy Protection Agency, CPPA).
Difference Between CCPA and CPRA
A major difference between the two is that the new CPRA provides consumers with more rights, such as opting out of cross-contextual advertising. In addition, CPRA applies to employment data in contrast to CCPA, which does not. The following are some of the differences between CPRA and CCPA:
- The CPRA now makes performing privacy impact assessments on high-risk processing a requirement.
- CPRA revised the applicability threshold for businesses. CCPA applies to companies that collect and process the data of 50,000 or more users; CPRA raised that threshold to a minimum of 100,000. Small and medium enterprises serving fewer than 100,000 customers are thereby relieved of the compliance burden.
- There is an expanded list of what is considered sensitive personal information (SPI). Affirmative consent is therefore required for sensitive information, including information about children or users under 16. Teenagers (13 to 16 years) must be given a consent notice, while parents must give consent for children under 13 years.
- Consent is required to sell or share consumer information with partners or third parties, with an explicit presentation of how the data will be used.
- With CCPA, there is a 30-day cure period if notified of guideline violations, but CPRA takes away the cure period.
- The CCPA is enforced by the office of the Attorney General, while CPRA establishes an enforcement agency called the California Privacy Protection Agency (CPPA).
- Consumers have the right to be informed about the personal information in your care. You must provide an interface where users can easily request to know what information you hold on them. CPRA makes it mandatory to have at least two channels through which users can easily make such requests, e.g., web page request forms, phone calls, or email requests.
What is Personal Information According to CPRA?
Personal information is data that identifies an individual physically or legally. According to the CPRA legislation, personal information is any information that identifies or can be linked to an individual. Personal information includes but is not limited to the following:
- Name, address, email address, IP address, driver’s license, social security, and passport number.
- Biometric data, such as iris scans, fingerprints, and voice recognition.
- Internet usage data such as browsing history and search history.
- Commercial data such as property records, purchase histories, e-commerce transaction data, etc.
- Consumers’ employment and educational information.
What is Sensitive Personal Information (SPI) in CPRA?
Sensitive information is still personal information, but it is more private to the person it describes; it differs from other personal information that can easily be made public. Public disclosure can expose that person to verbal abuse, damaging societal perceptions, or physical danger (attacks, theft, etc.). Hence, it is crucial that it be kept private and, in some cases, it is highly protected by the law. According to the CPRA, any personal information readily available to the public is not considered sensitive information. The CPRA has outlined the following as sensitive information:
- Banking details, credit or debit card numbers with passwords or codes that enable bad actors to access consumers’ funds or identities.
- Personal communication details, such as the content of consumers’ emails, texts, and phone conversations.
- Personal identification numbers (PIN) in the form of a passport, social security, and driver’s license numbers.
- Racial origins, religious beliefs, political convictions, or non-public union memberships.
- Consumers’ exact geolocation.
- Consumers’ account login information.
- Consumers’ genetic data, such as DNA samples.
- Consumers’ health and sexual orientation data.
- Processed biometric data for consumer identification.
Who Needs to be CPRA Compliant?
Businesses within a particular category are impacted the most by the release of CPRA. Businesses with annual gross revenue of over $25 million are considered to be in this category, as are businesses that collect, buy, sell, or share personal information about more than 100,000 consumers and households. The last category is businesses that generate 50% or more of their revenue by selling or sharing customers’ personal information with third parties (e.g., using customers’ data for advertisement purposes).
CCPA set its threshold at the data of 50,000 consumers. CPRA came with more stringent rules, but by applying them only to businesses that handle the data of 100,000 or more consumers, it spares small and medium-sized businesses (SMEs) a compliance effort that can be financially burdensome. In summary, CPRA applies to all companies in the world that have a connection with California consumers and meet all of the following criteria:
- Operates for profit (non-profits are exempted)
- Collects consumers’ personal information
- Serves California residents and meets at least one of the following:
  - Annual gross revenue of $25 million and upward
  - 50% or more of its revenue is generated from selling or sharing customers’ personal information.
  - Collects, shares, buys, or sells the personal information of more than 100,000 consumers, households, or devices.
Companies not Affected by CPRA?
Companies that do not fall under the earlier stated requirements are not required to comply with CPRA. Beyond those criteria, what are the clearly stated industries and data outside the purview of the CPRA legislation?
- Businesses that do not collect personal information from consumers, users, or individuals from California.
- Non-Governmental Organizations.
- Non-Profit Organizations.
- De-identified Information — Information that cannot be reasonably connected to the owner of the information is considered de-identified.
- Aggregate information — statistics derived from analytics that do not identify users, e.g., the number of views on a YouTube video, the amount of traffic to a website, or the open rate of an email.
- Law enforcement compliance exemption — CPRA restrictions do not apply to investigations of consumers when necessary data must be collected or supplied. It must, however, be done in good faith. In some cases, the enforcement agency requesting access to the user’s information must provide a court order within 72 hours.
- Data properly covered by other laws is exempted — the health and insurance industries, for instance, already have other laws covering data, so CPRA and CCPA do not apply to them.
How to be CPRA Compliant?
1. Carry out personal data inventory
The first questions to ask are: what type of data do we collect as a business? Is the data well organized, and can it be easily retrieved if needed? Which data falls under the CPRA’s sensitive personal information category? Do we store this information on a third-party server? With which partners or third parties do we share data, and what data is shared? The answers to these questions will tell you whether to re-organize your data, and they feed into the later steps: updating your cookie banner, reviewing your partner agreements, and revising your privacy policy.
2. Create classifications for your organization’s data
Classify the data under the control of your company. Not all data is equal, and the security measures it needs differ. Proper classification will help you apply the strongest protection to the right data. The data classification will also tell your security team which data should not be kept in your storage silos for long and which data should be monitored at regular intervals for potential threats.
3. Update your Cookie Banner notices
You should update your cookie banner to inform consumers whether you collect and process sensitive personal information (SPI) and for what purpose. Clearly state how long this information will be kept. Your updated cookie banner should also inform customers whether you sell or share users’ personal information. If so, they have the right to know which vendors, service providers, partners, and third parties you exchange data with, and the right to opt out.
4. Review agreement with partners
Due to the connectivity of the web, most companies operate by partnering with or leveraging data from other websites, apps, platforms, etc. All agreements with partners, contractors, service providers, and all third parties should be reviewed to ensure that your company remains compliant, especially with CPRA requirements.
5. Update your Privacy Policy
Edit your privacy policy to include the additional information mandated by CPRA. Ensure your privacy policy is easy to understand, easily accessible, and compatible with all devices. Your privacy policy should contain the following minimum:
- Details about personally identifiable information (PII) and sensitive personal information (SPI) that you collect.
- Guidance on how users can change, delete, or access their personal information.
- Step-by-step guide on how to opt out of selling or sharing their personal data.
- Detailed consent notice for minors (13-16) and parental consent for users below 13 years.
6. Add opt-out links to your web pages
Under CPRA, a user’s request to opt out of the sale or sharing of personal data must be honored without discriminating against that user. It is mandatory to include the links “Do not sell or share my personal information” and “Limit the use of my sensitive personal information” on your website pages. A wise approach is to combine these two links on one page and embed that page across your website to ensure easy access for users.
7. Provide channels to get customers’ requests
Consumers have a right to be informed about their information, and CPRA makes it mandatory to provide a minimum of two channels through which they can request it. Phone numbers, emails, and web request forms can be used as communication channels. Consumers should be able to access these channels easily, and their requests should be acknowledged within 10 days and fulfilled within 45 days.
8. Train employees on proper data handling
Ensure that all employees, especially those handling consumer data, are trained and competent. All employees must understand the importance of protecting personal information under the organization’s care. To ensure continuous compliance, everyone must be in the loop.
Conclusion
CPRA is good news for consumers, but it is not exciting news for CEOs and investors who rely on trading customers’ digital footprints to make money. Revenue from data trading serves as a cushion for companies’ running costs, but with CPRA this profit has been heavily affected, making it more likely that companies will have to raise prices for goods and services to compensate.
Additionally, compliance costs are high, even before considering the larger marketing budgets companies will need if privacy laws like this are passed across states. In the past few years, marketing and advertising have been more expensive in California than in some other U.S. states. Will this result in customers trading in their data to get lower prices? The future will tell, but for now, privacy laws give data control back to the users.
Identity.com
The CPRA legislation attempts to solve the data management problem that new technologies in the blockchain ecosystem are solving through projects like self-sovereign identity. It is great news that the government sees the importance of individual data control, just as it is one of our pursuits at Identity.com. As a company, we want a user-centric internet, where users have control over their data. That is all the more reason Identity.com does not take a back seat in contributing to this future through identity management systems and protocols. We also belong to the World Wide Web Consortium (W3C), the standards body for the World Wide Web.
The work of Identity.com as a future-oriented company is helping many businesses by giving their customers a hassle-free identity verification process. Identity.com is an open-source ecosystem providing access to on-chain and secure identity verification. Our solutions improve the user experience and reduce onboarding friction through reusable and interoperable Gateway Passes. Please get in touch for more info about how we can help you with identity verification and general KYC processes.