As you close out the calendar year, questions may remain about the new privacy requirements and regulatory challenges you will face in 2023. We have leveraged our California privacy experts to answer frequently asked questions, easing your transition into the new year and helping you gear up for CPRA compliance.

What Are the CCPA, CPRA, and CPPA, and How Do They Interact?

The California Consumer Privacy Act (CCPA) is California’s law regulating for-profit businesses that collect personal data from California residents. The California Privacy Rights Act (CPRA) modifies and extends the requirements of the CCPA and delegates rule-making authority related to the CCPA to the California Privacy Protection Agency (CPPA).

What CCPA Exemptions Are Expiring?

The CCPA’s exemptions for employee data, 1798.145(h), and business-to-business data,1798.145(n), expire Jan. 1, 2023, with the enactment of the CPRA. These exemptions provided carve-outs for some of the requirements of the CCPA for a subset of data, including:

  • Personal data about a business’s employees, job applicants, contractors, owners, and officers that is collected and used within the context of that person’s role as an employee or job applicant from CCPA’s disclosure requirements and private right of action from data breaches.
  • Data collected directly from a consumer in the course of business-to-business communications from all CCPA requirements other than the right for California residents to opt out of the sale or sharing of personal data, the right against retaliation, and the right of action arising from data breaches.

Under the CPRA, California businesses will be required to honor the full suite of consumer privacy rights and business obligations for both employee and business-to-business data.

What Consumer Rights Are Provided Under CPRA?

The CPRA requires California businesses, upon receipt of a verifiable consumer request, to respect seven consumer rights, including:

  1. Right to delete personal data: With limited exemptions, a business must delete any personal data collected from the consumer.
  2. Right to correct inaccurate personal data: A consumer may request to correct their inaccurate personal data.
  3. Right to access personal data: A business must provide the consumer with the categories of personal data collected; the categories of sources from which data is collected; the commercial purpose for collecting, selling, or sharing personal data; the categories of third parties to whom the business discloses personal data; and the specific pieces of personal data it has collected about that consumer.
  4. Right to know what personal data is sold or shared and to whom: A business must disclose the categories of personal data that are collected, sold, or shared about the consumer and the categories of third parties to whom the personal data was sold or shared.
  5. Right to opt-out of sale or sharing of personal data: A consumer may “opt-out” of the sale or sharing of personal data about the consumer to third parties.
  6. Right to limit use and disclosure of sensitive personal data: A consumer may direct a business to limit the use of sensitive personal data to that which is necessary for the business to perform services or provide goods.
  7. Right of no retaliation following opt-out or exercise of other rights: A business shall not discriminate against a consumer because the consumer exercised their rights.

How Must Businesses Respond to Consumer Rights Requests?

Within 45 days of receiving a verifiable consumer request, businesses must:

  • Disclose and deliver the required data to a consumer free of charge,
  • Correct inaccurate personal data, or
  • Delete a consumer’s personal data.

This response period may be extended by an additional 45 days when reasonably necessary if the consumer is notified of the extension within the first 45-day period.

Information disclosed in response to a consumer rights request must be made in writing and delivered through the consumer’s account with the business, if possible, or by mail or electronically, based on the consumer’s preference, in a readily useable format that would allow the consumer to transmit the information to another entity.

Does the CPRA Cover Health Data?

The CPRA provides three exemptions related to health data, including exemptions for:

  1. Medical information governed by California’s Confidentiality of Medical Information Act (CMIA) or the Health Information Portability and Accountability Act (HIPAA).
  2. Health care providers governed by CMIA or covered entities governed by HIPAA to the extent that the healthcare provider or covered entity maintains patient data in the same manner as data governed by CMIA or HIPAA.
  3. Personal data collected as part of a clinical trial or biomedical research study that is subject to and conducted in accordance with the Federal Policy for the Protection of Human Subjects and not sold or shared in a manner that is not permitted or without consent from participants.

Does the CPRA Cover Website Cookie Data?

Cookies can be used to recognize a website visitor or user device that is linked to a consumer over time and across different services, and therefore, qualify as a “unique identifier” and personal data under the CPRA. As with other unique identifiers, businesses should provide appropriate notice regarding the:

  • Categories of cookies collected.
  • Purpose of their collection.
  • Information included in essential cookies.
  • Categories of sensitive personal information collected through or derived from cookies.
  • Cookie expiration dates.
  • Categories of third parties to whom cookies are sold or shared.
  • Ability and right to opt-out, and right to opt-in.

Must Data Collected Before Jan. 1, 2023, Be Disclosed in Response to a Consumer Request?

Yes. The CPRA requires businesses to, at a minimum, disclose any data collected within the 12-month period preceding the business’s receipt of the consumer request. Consumers may request data from beyond this 12-month period, and a business must provide this data unless providing this data would be impossible or require a disproportionate effort. If a business denies a request for an extension of the 12-month period, the business must provide the consumer with a detailed explanation that includes enough facts to give a consumer a meaningful understanding as to why providing the data is impossible or would require a disproportionate effort.

What Exemptions, if any, Does CPRA Include for Financial Data?

Information collected, maintained, disclosed, sold, or used by a credit reporting agency, or information regulated by the Gramm-Leach-Bliley Act (GLBA), the California Financial Information Privacy Act (CalFIPA), and the Fair Credit and Reporting Act (FCRA) is exempted from CPRA.

Where Can I Get Help?

CrossCountry Consulting’s robust privacy and data protection team is actively involved in the industry, holds leadership roles within IAPP, and is passionate about data protection and the evolution of the field.

We would love to discuss your organization’s data privacy needs and challenges. Contact CrossCountry Consulting with questions or to discuss how we can best partner to achieve your goals.