As part of my continued evangelism of the California Privacy Rights Act (CPRA) Resource Center — which you should most definitely check out! — here is what the authors of the CPRA (Californians for Consumer Privacy aka CCP) consider the top 20 new privacy enhancements found in the CPRA compared to existing California law (the California Consumer Privacy Act or CCPA).
As an added bonus, I added hyperlinks to the actual text of the CPRA that documents each of these major CPRA privacy enhancements, and threw in my own top 12 list.
CCP’s Top 20 CPRA Privacy Enhancements
[Note this is not in order of priority]
1. Prevent sale and/or sharing of data: consumers can prevent the sale and/or sharing of their information. CCPA just supported do not sell my personal information.
2. Protect children: guardian or teen permission required prior to sale of children’s info.
3. Purpose limitation: only use a consumer’s info for a stated purpose.
4. Storage limitation: keep a consumer’s info only as long as business has stated publicly.
5. Data minimization: don’t collect more consumer info than necessary.
6. Chain of custody: onward transferees must offer same level of protection.
7. Requirement for reasonable & appropriate security to protect personal info.
8. Deletion expansion: businesses must be able to tell businesses they’ve sold personal info to, or shared it with, to delete info when a deletion request is received.
9. Right of correction: let consumers correct personal information with businesses.
10. Triples fines for violations involving children’s information.
11. Sensitive Personal Info: right to stop its use (includes race, precise geolocation, religion, union membership, genetics, biometrics, sexual orientation, contents of communications).
12. Right to see ‘all’ personal info, not just last 12 months’.
13. Precise geolocation: no tracking within ~250 acres.
14. Profiling: right to object to automated decision-making and learn meaningful information about the logic involved.
15. Removing 30 day right to cure violation (ends “two strikes you’re out”).
16. Right to opt out of cross-context behavioral advertising fixes major CCPA weakness.
17. Data protection agency with guaranteed funding that is 2x+ bigger than current enforcement AND removes exclusive enforcement by AG: allows 58 county and 4 largest city DA’s to enforce the law via Business & Professions Code Sec. 17200
18. Annual cybersecurity audits and risk assessments for high-risk data processors.
19. Chief Privacy Auditor to audit businesses for compliance with CPRA.
20. Prevents law being weakened in the Legislature, because any amendments must be in furtherance of consumer privacy (which are then allowed by a simple majority of the Legislature).
So that is the top 20 enhancements of CPRA from Californians for Consumer Privacy (CCP) — the authors and sponsors of Prop 24 / CPRA — as documented in the CPRA Resource Center.
My Personal Top 12 CPRA Privacy Enhancements
Last July — before the list above was created and when CPRA had recently made the ballot as Prop 24 — I created my own separate “Top 12 CPRA Enhancements.” So here is my top 12:
- #1 Creates a New Privacy Right — The Right to Limit the Use of Sensitive Personal Information (maps to CCP’s #11 above, plus I call out geolocation which is CCP’s #13)
- #2 Provides Further Safeguards for Kids (maps to CCP’s #2 above)
- #3 Creates a New Privacy Right — The Right to Correct (maps to CCP’s #9)
- #4 Extends the Right to Opt-out of the Sale of Personal Data to Include Opt-out of the Sharing of Personal Data (maps to CCP’s #1)
- #5 Creates a New Privacy Right — Right to Reject Automated Decision Making and Profiling (maps to CCP’s #14)
- #6 Requires Businesses to Provide Data Protection by Design and Default (maps to CCP’s #3, #4 and #5)
- #7 Requires Businesses to Maintain Records of Processing Activity of Personal Data (not on CCP’s list)
- #8 Requires Business to Do Data Protection Impact Analyses (maps to CCP’s #18)
- #9 Establishes a New Enforcement Arm — the Privacy Protection Agency (maps to CCP’s #17)
- #10 Stricter Fines and Enforcement (maps to CCP’s #10)
- #11 Improves Private Right of Action (maps to CCP’s #15)
- #12 Reduces the ability to weaken privacy law in California (maps to CCP’s #20)
The CCP ones not on my list are chain of custody; deletion expansion; right to see all personal info; right to opt-out of cross-context behavioral advertising and Chief Privacy Auditor. On my list and not on CCP’s is requiring businesses to maintain records of processing activity.
As the timeline for enforcement draws near, I will be curious to hear what others think are CPRA’s top “new features” vis-à-vis the CCPA!