December 7th, 2020 · 4 minute read

Why you should be concerned about CPRA

Updated: January 29th, 2021

CPRA - Privacy for Citizens and Impacts for Business


Staying ahead of privacy legislation - How CPRA will impact your business 


With the California Consumer Privacy Act (CCPA) coming into force in January 2020, businesses affected by the legislation have had time to adapt to the requirements and expectations that the legislation introduced.


As discussed in a previous article, 'What does the CCPA mean for your business?', the scope of the legislation and financial penalties, the need to comply with these privacy measures is essential. 


However, while the CCPA created more privacy protections, the push for more hasn't stopped. On November 3rd, 2020, the Californian electorate voted to enact further data privacy legislation when they approved Proposition 24, the Californian Privacy Rights Act, or CPRA.


This new act is due to be effective in January 2023; however, while that may seem a significant time away, managing your risks where privacy is concerned is an ongoing process. Understanding what the CPRA means for your business now gives you time to enact an appropriate response to ensure compliance at the time of its introduction. We begin with what the CPRA is and who it affects.  


An Overview of CPRA 


CPRA sets out to make changes to a broad range of CCPA requirements. Much intends to provide clarity and more effective risk management for businesses regarding data privacy. However, one thing that doesn't change is who is affected. If your business is covered by CCPA legislation, as outlined in our earlier piece, then the new CPRA legislation will also apply to your business operations. 

Think of CPRA as a kind of CCPA version 2.0, with one of the most significant changes being establishing a dedicated privacy enforcement agency at the state level. Following the European Union example, with no similar agency at the national level within the United States, California has decided to create a state enforcement agency, the Californian Privacy Protection Agency, who will be solely responsible for enforcing CPRA. 


Additional Scope 


Other new components of CPRA that are similar to that of the GDPR include: 

  • The Right to Rectification – A consumer has a right to have inaccurate personal information corrected and updated as appropriate. 

  • The Right to Restriction – Consumers will have the right to limit the use and disclosure of sensitive personal information 


Extra emphasis on data discovery and controls is necessary as these measures increase the risk for businesses that share information as all data.  

The legislation adds a category of data, Sensitive Personally Identifiable Data, which will have additional data privacy expectations for consumers. Such data includes specific identifiable information, such as a social security number 

, gender, sex, religion, etc. 


Businesses will also be obliged to protect the privacy of all employees and independent contractors. While the legislation provides data privacy of those employees, it does differ slightly from the measures applied to consumers, and it will require its own set of policies to comply. 


Improved Communications 


Another area where there are new expectations for business is in the area of consent. Companies are required to provide adequate warnings about data usage, including where automated decision making occurs to process data. Importantly, this must be explained in advance of the processing.  

Similarly, there are now more stringent penalties for children's data misuse, tripling the financial penalty, and adding a new approach to consent management that gives parents improved control. 


Data Privacy for the Future 


Several policies within the CPRA build from lessons learned within CPPA. One provides greater authority to the agency to prevent attempts to get around the privacy laws in place, something where CPPA was overtly weak. 

Additionally, the legislation provides flexibility for lawmakers, giving a framework for updating and adding privacy laws to ensure that this legislation remains current over time rather than requiring a complete rewrite, as we see here. For those involved in privacy protection, including data discovery and data masking, this means an ever-changing environment that needs a flexible approach for privacy tools and solutions to ensure compliance.  


With just a year and a half until becoming law, data privacy affects every business operation aspect and can become complicated exceptionally quickly. By preparing today, you have time to fully implement any compliance processes in time for the new legislation launch, avoiding problems of rushed rollouts of new systems and generating issues. 



Are you doing what it takes to protect your organization's sensitive data? 

Sign up to learn more about Apption and Datahunter.

⇠ Back to Blog