California Privacy Rights Act (CPRA) | Changes Going into Effect in 2023
By: Dean Dorton | December 21, 2022
Many states are taking steps to strengthen their data privacy laws, and California remains at the forefront of these changes. On July 1, 2023, the CPRA may begin to be enforced for violations occurring on or after that date. The law mandates the policies and procedures that businesses must adopt for consumer and employee privacy.
The law applies to entities that do business in California or collect personal information from California consumers, and that meet any one of the following criteria:
- As of January 1 of the calendar year, the company exceeded $25 million in gross revenue in the preceding calendar year.
- The company buys, sells, or shares the personal information of 100,000 or more consumers or households.
- The company derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.
If any one of these criteria is met, California residents have the right to:
- Opt out of the sharing of their personal information
- Opt out of certain uses and disclosures of sensitive personal information (examples: SSN, driver's license number, geolocation, race, health data)
- Correct inaccurate personal information
- Know more details about a business's information practices
- Have options regarding automated decision-making
Increased obligations on businesses include:
- Requirements related to data retention, data minimization, and purpose limitation.
- Requirements to pass deletion requests on to service providers, contractors, and third parties to which the business has sold or shared information.
- Additional required contract provisions with service providers, contractors, and third parties.
- Possibly increased auditing requirements, including annual cybersecurity audits and regular risk assessments submitted to the California Privacy Protection Agency.
Enforcement and penalties go beyond, and modify, the California Consumer Privacy Act (CCPA) in the following areas:
- Creates a new state agency, the California Privacy Protection Agency, and transfers rulemaking and enforcement authority to it from the California attorney general.
- Removes the 30-day cure period.
- Triples penalties for violations involving minors under 16.
- Expands the types of data breaches considered within the scope of the data breach private right of action to include breaches of a username or email address combined with a password or security question and answer that would permit access to an online account.
California may be leading in data privacy laws, but other states are moving in this direction. Other states include Colorado, Connecticut, New York, Utah, Virginia and Washington.
To meet various state data privacy requirements, we suggest doing the following:
- Know your data: where it is, what it is, and who has it.
- Have a holistic data privacy program. Identify the highest bar (likely CPRA) and use this measure for all privacy processes.
- Ensure a plan is in place or has been executed to meet the more stringent privacy requirements.
- Stay well-informed of changes to laws.
Questions? Contact us today:
Kevin W. Cornwell | IT Audit Associate Director