Who is Covered by CPRA and What Does It Require?

In January 2020, the California Consumer Privacy Act (CCPA), aka “California’s GDPR,” ushered in a new era of compliance, prompting companies to do far more than update their privacy policies. California’s new law affected thousands of businesses that leverage a wide range of personal data connected to the nearly 40 million California residents, their households, and their devices.

In November 2020, voters approved the California Privacy Rights Act (CPRA), also known as Proposition 24, to build on CCPA. CPRA went into effect on January 1, 2023, giving California consumers even more rights to control the personal information that businesses hold about them.

CPRA adds significant new compliance obligations for covered businesses. There is no single roadmap to being “CPRA compliant,” but there is no shortage of ways to prepare for CPRA, and DocuSign can help.

This information is provided for general information purposes only. It does not constitute and is not a substitute for legal advice. 

Who exactly is covered by CPRA?

As of January 1, 2023, the CPRA applies to any for-profit entity doing business in California that collects California consumers' personal data, and:

  • Had annual gross revenues exceeding $25 million in the preceding calendar year (measured as of January 1 of the current calendar year); or
  • Buys, sells, or shares the information of 100,000 or more consumers or households; or
  • Derives 50 percent or more of their annual revenue from selling or sharing consumers’ personal information.

If your business leverages personal data from California residents and meets any of the three criteria above, it is likely subject to CPRA. While CPRA does not define “doing business in California,” related legal standards suggest this is an easy threshold to meet; it does not require having operations or employees in California.

CCPA vs CPRA

Where CCPA applied to any entity that controls, is controlled by, and shares common branding with a covered business, CPRA takes the definition further: the covered business must also share personal information with the entity, and “common branding” means a shared name, servicemark, or trademark such that the average consumer would understand that the entities are under common ownership.

CPRA also adds a third group of covered entities that CCPA did not address: a joint venture or partnership made up of businesses in which each business has at least a 40 percent interest. The joint venture or partnership itself, and each business that composes it, is separately considered a single business. Personal information in the possession of each business and disclosed to the joint venture or partnership is not treated as shared with the other business.

Though CPRA has various exemptions to avoid overlap with other data privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the finance-focused Gramm-Leach-Bliley Act (GLBA), these exemptions are not absolute. They generally cover only the data already regulated by those laws, so health and life sciences providers and financial services firms can still be subject to CCPA/CPRA for other personal information they hold.

Do CPRA’s requirements differ from those of GDPR?

Despite some similarities, CPRA is narrower than the European Union’s General Data Protection Regulation (GDPR) in some respects and provides more limited rights for consumers to access and delete personal data. However, CPRA pushes California privacy law closer to GDPR, including specific requirements for businesses to:

  • Disclose to consumers that they sell or share personal information
  • Provide a “Do Not Sell or Share My Personal Information” link on their websites, address these rights in their privacy policy, and offer a toll-free phone number (or other designated method) for consumer requests
  • Affirmatively collect opt-in consent before selling or sharing the personal information of any consumer under 16, and obtain that consent from a parent or guardian for any consumer under 13
  • Treat customers equally on service and price regardless of whether they have exercised their rights under the law
  • Provide notice to consumers, at or before the point of collection, about how the business uses, sells, and shares personal information
  • Only collect, use, or share personal information that is reasonably necessary and proportionate to achieve the purposes for which the personal information was collected 
  • Delete consumers’ personal information following a consumer’s request to delete, subject to certain CPRA exceptions

These additional requirements necessitate action above and beyond the steps that affected businesses may have already taken for GDPR compliance.

What are the penalties under CPRA?

CPRA preserves and extends CCPA’s private right of action for consumers whose nonencrypted and nonredacted personal information, or whose email address in combination with a password or security question, is compromised in a data breach. Consumers may recover statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. These statutory damages add up quickly: a single breach affecting 100,000 California consumers could yield up to $75 million in statutory damages alone, which can be pursued through class action litigation. And consumers are not limited to the statutory amount if they can show greater actual damages from a violation.

The private right of action arises, however, only where the breach resulted from the business’s failure to implement and maintain “reasonable security procedures and practices” appropriate to the nature of the information. Although CPRA does not define what such practices are, there are numerous cybersecurity standards and certifications that courts can look to when cases arise.

Before seeking statutory damages, a consumer must give the business 30 days’ written notice identifying the violation and an opportunity to cure it, which in theory offers a way out of statutory penalties. However, “cure” is not defined in the law, and it is not entirely clear how a business could “cure” a data breach that has already affected consumers.

CPRA narrows this ambiguity by stating that implementing and maintaining reasonable security procedures and practices after a breach does not constitute a cure of that breach. What’s more, the California Attorney General (and, under CPRA, the California Privacy Protection Agency) may seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation. Further, the Attorney General may seek an injunction against a company it believes to be violating CPRA, which could grind business to a halt.

How does CPRA expand on CCPA?

CCPA was drafted quickly, and creating an effective law of such broad reach would have been a legislative challenge under the best of circumstances.

CPRA does not replace CCPA. Rather, it amends CCPA’s privacy provisions, adds clarity and specificity about how the requirements are to be implemented, and reorganizes and consolidates the requirements set forth in the law to make them easier to follow and understand.

How can DocuSign help with CPRA?

DocuSign provides much more than the industry-leading e-signature service. DocuSign solutions include a broad array of tools to help organizations prepare, sign, act on, and manage their agreements.

For addressing the challenges of CPRA, that means tools to help:

  • Securely process consumer requests to access private data and “opt out” of sharing
  • Automatically analyze data privacy risk areas across volumes of agreements 
  • Reliably capture consent to changing Terms and Conditions and privacy policies 
  • Efficiently prepare and execute revised agreements with third parties that handle private customer data

Data privacy compliance challenges continue to grow. In addition to California, Colorado, Connecticut, Utah and Virginia have enacted comprehensive consumer data privacy laws. These laws also give consumers greater rights and control over their personal data, including the right to access and delete personal information and the ability to opt out of the sharing of their personal information.

With all these laws on the books, in addition to proposed federal privacy legislation on the horizon and the ongoing effort to replace the invalidated EU-US Privacy Shield, managing data privacy risk is an ever-more-challenging priority and presents a patchwork of compliance obligations. Now more than ever, modernizing your organization’s system of agreement can go a long way toward achieving privacy law readiness.
