CCPA & CPRA – A Consumer Privacy Primer

Header Image
Privacy image

A Pew Research Study found that 79% of Americans were “Very” or "Somewhat" concerned about how their personal data is being used by companies. And 81% felt they have "Very little" or "No" control over the data that companies collect about them.

This growing consumer concern combined with a string of high profile data breaches in the late 20-teens led the California legislature in 2018 to pass the California Consumer Privacy Act (CCPA), a suite of consumer privacy rights that regulates the collection and sale of personal information. In November of 2020, less than a year after the CCPA went into full effect, California voters passed Prop 24, the California Privacy Rights Act (CPRA) that significantly expands and clarifies the CCPA. This amendment has now just gone into full effect as of January 1, 2023.

Marker Seven advises all our clients, and anyone who is affected by this legislation to check with their legal teams and, in particular, to make sure to evaluate your public facing websites both for compliance, and for ways your website can help meet CPRA requirements.

Here is a brief summary of the changes and additions to be aware of in the CPRA:

  1. Under the CPRA, businesses affected are those that:
  • Do business in California and meets any of the following:
    • Have a gross annual revenue of over $25 million;
    • Buy or sell, or share the personal information of 100,000 or more consumers or households; OR
    • Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.

This slightly revised definition tightens up the language to close a loophole used by businesses who claimed that they were not bound by the law because they only shared, not sold, their gathered data with vendors. (See subdivision 1798.140(d) for complete definition)

  1. The CCPA created six specific rights for consumers who are California residents:
  • The right to know
  • The right to delete
  • The right to opt-out of the sale of personal information
  • The right to opt-in to the sale of personal information if consumer is under 16
  • The right to hold businesses accountable in the case of a data breach

The CPRA added two additional rights:

  • The right to correct inaccurate information
  • The right to limit use and disclosure of sensitive personal information

(See Section 3(a) for list of Consumer Rights)

Sensitive information is also newly defined in the CPRA and includes data such as:

  • Legal or governmental ID (Social Security numbers, Passport numbers, etc.)
  • Financial account information
  • Location information
  • Racial, political and Religious affiliations
  • Personal contact information (address, email, text# etc.)
  • Genetic data
  1. The CPRA also includes several items meant to close loopholes and remedy confusions in the CCPA. The CPRA:
  • Defines the compliance requirements of contractors who use personal information
  • Closed a loophole and clearly states that targeted advertising is not included in the “business purpose” exception laid down by the CCPA
  • Allows businesses to offer perks to shoppers signed up for loyalty clubs or rewards programs
  • Allows businesses to charge people different prices based on their privacy choices IF and only if “that difference is reasonably related to the value provided to the business by the consumer’s data.”

Is your website ready? Marker Seven has extensive experience helping businesses understand and implement website updates and features that resolve legal compliance issues. We are experienced engineers and UX designers and have worked with companies and legal teams of all sizes. Contact us today to learn how we can help you.