CPRA And Your Salesforce Org – Part 1

65% of the world’s population will be protected by privacy laws by the year 2023 (Source: Gartner).
California Privacy Rights Act (CPRA) will only protect Californians. So, why is it so significant for your Salesforce Org?

 

In this three-part series, we will explore Data Privacy Laws and specifically CPRA.

 

Privacy Laws: what are they?

As more end customers get digitally connected to companies, it is important that their data and privacy are respected. It also means that companies need these privacy laws as they need to be more sensitive to their customers’ rights.

However, these laws have a deeper impact. Companies are bursting at the seams with customer data, which keeps growing exponentially in our hyper-connected world, and they have started asking themselves what they can do with this mountain of data. Does it serve any purpose? How much data is enough to keep? More significantly, what data should they delete? They need not only to consolidate and rationalize this data, but also to remove what is no longer relevant.

Thus, both customers and companies need these laws.

 

California’s Current Currency of Privacy – CCPA:

In June 2018, CCPA (California Consumer Privacy Act) came into existence when Assembly Bill 375 (AB 375) was signed into law.
Thus, CCPA is the existing framework of Privacy law which was passed by Californians in 2020. It is quite robust in itself.
With Silicon Valley at its heart, all eyes around the world were on California and the passing of this law. As you can imagine, many states in the US have now adopted a framework very similar to that of CCPA.
Once it was passed, there was a rising need to make it more powerful and relevant in protecting the privacy of Californians as customers in our digital world. And so CPRA was born.

CPRA the Law: What is it and how is it different from GDPR?

Any privacy law, including CCPA/CPRA and GDPR, fundamentally has two facets:

  • Legal implications, and
  • Operationalizing it with Technology

Let us understand these two aspects in detail, and also the differences between CCPA, GDPR, and CPRA.

A. What is CPRA and how does it add to CCPA?

On November 3, 2020, CPRA (California Privacy Rights Act) was passed, and the law will come into force starting January 1, 2023.

This raises the question: what happens to CCPA once CPRA comes into effect?

Essentially, both CCPA and CPRA are here to stay. CCPA will remain in its current form and CPRA will add a few more significant elements in addition to CCPA. Together, these will: 

  • Become more comprehensive and effective
  • Become more relevant
  • Set optimum standards in terms of how companies handle privacy matters, and
  • Change the way consumers exercise their privacy rights
 

B. Will CCPA and CPRA combined replace CCPA?

CPRA will add to CCPA to enrich the scope of the two when combined. If you take away CCPA from this scenario, CPRA alone will not be as effective.

 

C. Do all companies need to comply with CCPA/CPRA?

CCPA applies to any business that meets the following criteria:

  1. If you as a company are generating gross annual revenue of more than US$25 million;
  2. If you are buying, receiving, or selling the personal data of 50,000 or more California residents, households, or devices;
  3. If you derive 50% or more of your annual revenue from selling Personal Information of California residents.

CPRA has modified the scope of CCPA with the following:

  1. If you as a company are generating gross annual revenue of US$25 million or more;
  2. If you are buying, receiving, or selling the personal data of 100,000 or more California residents, households, or devices;
  3. If you derive 50% or more of your annual revenue from selling or sharing Personal Information of California residents.

There is also a definition of Sensitive Data added in CPRA. This is discussed in detail later in this blog series.

 

D. How is CCPA different from GDPR?

GDPR is Europe’s privacy rights framework legislation that holistically covers the essential tenets of CCPA and CPRA combined.
A corollary to the above statement would be that when you combine CCPA and CPRA, they together are comparable to GDPR. It is easy to understand that CPRA has taken certain elements from GDPR which were missing in CCPA. So, one can say that CCPA combined with CPRA makes it the GDPR for California.

 

E. Consumer’s rights under CCPA vs CPRA

Let us first understand the Rights of individuals which are protected currently under CCPA:

  1. Right to know and access personal information
  2. Right to Delete it
  3. Right to Opt-in / Opt-out
  4. Right to Non-discrimination 
  5. Right to Data Portability

CPRA has gone a step further in protecting the rights of individuals by adding:

  1. Right to Rectification and Correction. Notice that this is equivalent to GDPR’s Right to Modification.
  2. Right to opt-out of cross-contextual behavioural advertising
  3. Right to limit use and disclosure of sensitive personal data, which is similar to the right to restrict under GDPR
  4. Right to opt-out of usage in automated decision-making (this is similar to GDPR).

Apart from the above-added rights, CPRA also now clearly defines data as

  • Anonymous,
  • De-identified, 
  • Pseudonymized, and 
  • Aggregated

as these definitions were slightly indistinct in CCPA.

In the next part, we will cover the latest additions to CPRA.