Back to main menu

Compliance

CPRA

CPRA (California Privacy Rights Act) will considerably improve the lives of California citizens, it’ll give them stronger data rights and even more protection.

Cassie will be able to help you achieve compliance without you having to compromise your business goals.

Talk to us Book a demo

What is CPRA?

The California Privacy Rights Act (CPRA) passed for law in November 2020 and extends the California Consumer Privacy Act (CCPA) by strengthening the existing framework by including additional privacy protections for consumers.

Despite being passed for law in 2020, the CPRA was officially brought into effect on January 1, 2023.

 

How does it differentiate from CCPA?

The CPRA applies to companies that purchase/sell/share personal data of more than 100,000 households or customers whereas the the limit under CCPA was originally 50,000. This means that some businesses who had to adhere to CCPA are now exempt from adhering to CPRA regulations.

The extended act now gives consumers the right to ask organizations to limit the use of sensitive personal information.

The CCPA initially required websites to have a link to say “do not sell my personal information” but this has now been updated with the adoption of CPRA now requires websites to have links saying “do not sell or share my personal information”.

Business woman thinking looking at computer

Will your business need CPRA compliance?

CPRA applies to any for-profit organization that operates in California and collects personal information from Californian residents.

You must adhere to (with some exceptions) CPRA if one or more of the following applies to your business:

  • Annual gross revenue exceeds $25 million
  • 50% or more of your annual revenue comes from the selling or sharing of personal information
  • Purchase/sell/share personal data of more than 100,000 data subjects

Non-profit organizations and government agencies do not need to adhere to CPRA regulations.

Gartner Market Guide 2024 About Us

Download “2024 Gartner Market Guide for Consent Management”

This research allows security and risk management leaders to evaluate universal-consent and preference-management capabilities, and make a product choice.

This guide is usually only available to Gartner clients but for a limited time, we are pleased to offer complimentary access to the full guide.

Download now

Choose Cassie for:

High Volume Icon

Protect individual privacy

Allow end users to take control of their preferences with granular consent controls enforced across domains, devices and platforms

Icon Customer Insight

Avoid fines and brand damage

Cassie enables organizations to meet the complex requirements of CPRA and mitigate risk with a robust framework for managing consent, avoiding severe penalties and reputational damage

Icon Dedicated Experts

Pass audit inspections

Be prepared for compliance audits with demonstrable tracking and complete history logs, alongside advanced RoPA and DSAR modules to improve efficiencies and assess risk

Icon Unlimited Storage

Ensure data security

Cassie is SOC 2 certified, assuring organization’s data is safeguarded from unauthorized access or breaches with industry-leading encryption protocols and practices

 

Icon Audibility

Centralized source of truth

Use Cassie to honor and enforce consent data via APIs and integrations at high volume, in real-time for CPRA compliance across your tech stack (CRMs, CMS, marketing automation tools, BI tools)

Icon Connector Red

Complex consent made simple

For every consent captured, Cassie can store unlimited key value pairs of additional information against those consents to unlock scalable, granular consent management

CPRA FAQs

  • What is the relationship between the CPRA and the CCPA?
    • The CPRA builds on the California Consumer Privacy Act (CCPA) passed in 2018. Both laws were sponsored by Californians for Consumer Privacy, led by Alastair Mactaggart.
  • What are the key components of the CPRA?
      • Access & Deletion Rights: Consumers can obtain and delete their personal information.
      • Prevent Sale of Data: Consumers can prevent the sale of their information.
      • Protect Children: Guardian or teen permission is required before selling children’s information.
      • Purpose Limitation: Use consumer information only for stated purposes.
      • Storage Limitation: Keep consumer information only as long as publicly stated.
      • Data Minimization: Collect only necessary consumer information.
      • Chain of Custody: Onward transferees must offer the same level of protection.
      • Security Requirements: Implement reasonable and appropriate security measures.
      • Deletion Expansion: Businesses must inform other businesses to delete information upon request.
      • Right of Correction: Allow consumers to correct their personal information.
      • Increased Fines: Triple fines for violations involving children’s information.
      • Sensitive Personal Info: Right to stop the use of sensitive information.
      • Access to All Personal Info: Right to see all personal information, not just the last 12 months.
      • Precise Geolocation: No tracking within approximately 250 acres.
      • Profiling: Right to object to automated decision-making and understand the logic involved.
      • No Right to Cure: Removes the 30-day right to cure violations.
      • Opt-Out of Behavioral Advertising: Right to opt out of cross-context behavioral advertising.
      • Data Protection Agency: Establishes a new agency with guaranteed funding.
        • Enforcement: 2x+ bigger than current enforcement, allows local DA’s to enforce the law.
      • Annual Audits: Requires annual cybersecurity audits and risk assessments for high-risk data processors.
      • Chief Privacy Auditor: Appoints a Chief Privacy Auditor to ensure compliance.
      • Legislative Protection: Prevents the law from being weakened, allowing amendments only in furtherance of consumer privacy.