The California Privacy Rights Act (CPRA) is a ballot measure approved by voters in November 2020.

Who is a ‘consumer’?

A consumer is natural person who is a California resident, as defined in the state’s tax regulations.

What rights do consumers have?

The CCPA creates six specific rights for consumers:

1. the right to know (request disclosure of) personal information collected by the business about the consumer, from whom it was collected, why it was collected, and, if sold, to whom;
2. the right to delete personal information collected from the consumer;
3. the right to opt-out of the sale of personal information (if applicable);
4. the right to opt-into the sale of personal information of consumers under the age of 16 (if applicable);
5. the right to non-discriminatory treatment for exercising any rights; and
6. the right to initiate a private cause of action for data breaches.

The CPRA creates two additional rights:

7. the right to correct inaccurate personal information; and
8. the right to limit use and disclosure of sensitive personal information.

What is a consumer’s personal information’?

The CCPA defines “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

What is a consumer’s ‘sensitive personal information’?

SPI is a subset of personal information newly defined in the CPRA. SPI is personal information that reveals:

• a consumer’s social security, driver’s license, state identification card, or passport number
• a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
• a consumer’s precise geolocation
• a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership
• the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication
• a consumer’s genetic data

What constitutes a ‘sale’ of personal information?

The CCPA defines a “sale” as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

What does ‘sharing’ personal information mean?

The CPRA defines “sharing” as renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.

When does CPRA go into effect?

The CPRA took effect on Dec. 16, 2020, but most of the provisions revising the CCPA won’t become “operative” until Jan. 1, 2023.

How can Socium Security help?

Socium Security can assist organizations with building a privacy program that will enable compliance with existing Privacy related regulations including the CPRA.