California approved the California Privacy Rights Act (CPRA) on Nov 3, 2020, which amends the existing California Consumer Privacy Act (CCPA) to provide new and additional rights and obligations. It is important to note that this law applies to any organization with investors who reside in California – regardless of the location of the organization.
For BW Cyber Services’ clients, this means that if you are an asset manager (or for that matter any other type of business) located outside of California, BUT have investors who reside in California – you may be subject to this law.
CPRA changes are as follows:
- Sensitive Personal Information – A new category of applicable privacy information and associated rights regarding its use.
- Included in this category are: Social security numbers, driver’s license numbers, passport numbers, financial account information, race information, ethnicity information, religious affiliation information, union membership information, sex life/orientation information, genetic data, health information, biometric data, personal communications, and geolocation data.
- Rights for this category include the right to limit the disclosure and use of sensitive personal information, except where a business needs it to perform the services an average consumer requests. Links for exercising this right will likewise need to be provided to consumers.
- Right of Correction – California consumers can now request correction of incorrect personal data being held by a business.
- Disclosure – Businesses would have to specify the duration they will retain personal information, the purposes for its collection, and the volume of personal information collected.
- Children’s Data – Fines for violations of the CCPA’s opt-in-to-sale requirement are tripled. Opt-in consent to sell or share data from consumers under 16 is now required.
- Breach Liability – Breaches resulting in compromise of email addresses in combination with password or security question/answer are subject to relevant liability.
- California Privacy Protection Agency (CPPA) – The law will be enforced by the newly established CPPA rather than the Attorney General’s office. The CPPA will consist of five members appointed by various governmental stakeholders (including the Governor, Attorney General, State Senate, and Speaker of the Assembly).
- Transparency and Governance – The law adds new transparency and governance requirements, including additional required content in privacy notices, as well as storage limitation and data minimization principles.
- Violations – The CPPA can issue fines of $2,500 for each statutory violation, or up to $7,500 for intentional violations or violations involving children’s personal information.
Most of the provisions of the CPRA will go into effect on January 1, 2023. The CCPA will remain in effect until that point, as will the existing exemptions regarding human resources and B2B data.
As a refresher, the CCPA applies to for-profit businesses that collect and control California residents’ personal information, do business in the state of California, and meet at least one of the following thresholds:
- Annual gross revenues larger than $25 million
- Receive or disclose the personal information of 50,000 or more California residents, households, or devices each year
- Make 50 percent or greater annual revenue from selling California residents’ personal information
Non-profits, smaller companies that don’t meet the revenue thresholds and/or don’t traffic in large amounts of personal information from California residents, and companies that don’t share a brand with an affiliate covered by the CCPA won’t have to comply.
If you must comply with the CCPA, BW Cyber Services can help you develop a comprehensive cybersecurity compliance program designed to exceed these requirements. For more information on how BW Cyber Services can assist you, please contact us at firstname.lastname@example.org.