The California Privacy Rights Act (CPRA) expands and amends the California Consumer Privacy Act, offering stronger rights for consumers to control the personal information collected and used by businesses. It goes into effect on January 1, 2023, applying to personal information provided by employees, independent contractors, applicants, and dependents of employees who receive benefits through an employer.
Wondering if your business qualifies? Here are the criteria for businesses impacted by the CPRA:
- For-profit entities doing business in California that:
- Collect personal information from consumers, either on its own or by others on its behalf, and satisfies at least one of the following:
- Annual gross revenue in excess of $25 million in the preceding calendar year,
- Buys, sells, or shares the personal information of 100,000+ California consumers or households (whether or not for monetary or other valuable consideration),
- Derives at least 50% of its annual revenue from sharing or selling consumer’s personal information.
- Collect personal information from consumers, either on its own or by others on its behalf, and satisfies at least one of the following:
Personal information has an expansive definition to, and can include the following:
- Biometric information
- Identifiers (alias, real name, address, email address, Social Security number, driver’s license number, etc.)
- Commercial information (purchasing/consuming histories, records of items obtained, purchased, or considered)
- Geolocation data
- Professional or employment details
- Sensitive personal information (racial or ethnic origin, philosophical or religious beliefs, union membership)
- Educational information
- Internet or other network activity information
Consult with your company’s legal counsel for information about the CPRA and how to ensure compliance with the new law before it goes into effect.