March 25, 2024 / by Michael Evans
For anyone in real estate, take note - the CPRA is here and it’s changing our game big time. Stepping up from the CCPA, this new legislation hands more power back to you, letting you control your own personal details like never before.
Okay, but seriously—how does all this affect running a successful property business? Ever wonder how to keep it all straight while steering away from penalty land?
Don't sweat it. I'm here to break down the essentials and show you how to get your business CPRA-compliant. Let's dive in!
Table of Contents:
- What Is the California Privacy Rights Act (CPRA)?
- CPRA Compliance Requirements for Businesses
- Expanded Consumer Rights Under CPRA
- CPRA Enforcement and Penalties for Non-Compliance
- Steps to Achieve CPRA Compliance
- Impact of CPRA on Employee and B2B Data
- Conclusion
What Is the California Privacy Rights Act (CPRA)?
The California Privacy Rights Act (CPRA) is a game-changer when it comes to protecting your personal information.
This new privacy law gives California residents more control over how businesses collect, use, and share their data.
But here's the thing:
The CPRA isn't just a carbon copy of the California Consumer Privacy Act (CCPA).
It takes consumer privacy to a whole new level.
Key Differences Between CCPA and CPRA
So, what sets the CPRA apart from its predecessor?
For starters, the CPRA introduces new rights, like the ability to correct inaccurate personal information and limit the use of sensitive data.
It also extended the exemptions for employee and B2B data until January 1, 2023.
Plus, the CPRA establishes the California Privacy Protection Agency to enforce the law and impose penalties on businesses that don't comply.
When Does the CPRA Go Into Effect?
Mark your calendars, folks.
The CPRA was approved by California voters on November 3, 2020, but most of its provisions were only effective from January 1, 2023.
There's also a 12-month look-back period starting on January 1, 2022.
Who Must Comply With the CPRA?
Not every business has to worry about the CPRA.
It applies to for-profit entities that do business in California and meet any of the following criteria:
- Have a gross annual revenue of over $25 million
- Buy, sell, or share the personal information of 100,000 or more California residents or households
- Derive 50% or more of their annual revenue from selling or sharing California residents' personal information
If your business falls into one of these categories, it's time to get serious about CPRA compliance.
CPRA Compliance Requirements for Businesses
Alright, let's talk about what businesses need to do to stay on the right side of the CPRA.
It's not just about slapping a generic privacy policy on your website and calling it a day.
The CPRA has some pretty specific requirements when it comes to handling personal information.
Defining Personal Information Under CPRA
First things first: what exactly counts as personal information under the CPRA?
The law casts a wide net, covering any information that identifies, relates to, or could reasonably be linked with a particular consumer or household.
This includes obvious stuff like names and email addresses, but also things like IP addresses, biometric data, and even inferences drawn from other personal information.
Sensitive Personal Information Categories
The CPRA takes things a step further by introducing a new category of "sensitive personal information."
This includes:
- Social security numbers
- Driver's license numbers
- Passport numbers
- Financial account information
- Precise geolocation data
- Racial or ethnic origin
- Religious or philosophical beliefs
- Union membership
- Contents of mail, email, and text messages
- Genetic data
Businesses have to be extra careful when collecting and using this type of information.
Data Collection and Usage Limitations
Under the CPRA, businesses can't just collect personal information willy-nilly.
They have to notify consumers about the categories of personal information they're collecting and the purposes for which it will be used.
And if a business wants to collect additional categories of personal information or use it for new purposes, they have to update their privacy notices.
The CPRA also requires businesses to limit their collection, use, retention, and sharing of personal information to what's reasonably necessary and proportionate to achieve the purposes for which it was collected.
Implementing Reasonable Security Measures
Collecting personal information is a big responsibility, and the CPRA expects businesses to take it seriously.
That means implementing reasonable security measures to protect personal information from unauthorized access, destruction, use, modification, or disclosure.
What counts as "reasonable" will depend on the nature of the business and the sensitivity of the information involved.
But at a minimum, businesses should be encrypting personal information, limiting access to those who need it, and regularly monitoring for security incidents.
The California Privacy Rights Act (CPRA) amps up privacy rules, giving Californians more power over their data. It introduces new rights and a dedicated agency to enforce them. Starting January 1, 2023, if your business is big enough or deals heavily with personal info, you need to step up your privacy game.
Expanded Consumer Rights Under CPRA
The CPRA expands on the rights that were already granted to consumers under the CCPA. This means that California residents now have even more control over their personal information.
Let's take a closer look at some of the key rights that have been expanded or added:
Right to Delete Personal Information
Under the CPRA, consumers can request that businesses delete their personal information. This right was already present in the CCPA, but the CPRA takes it a step further.
Now, businesses must notify their service providers and contractors to delete the consumer's personal information from their records as well. This ensures that the data is removed from all sources, not just the business that collected it.
Right to Correct Inaccurate Data
The CPRA introduces a new right for consumers: the right to request that businesses correct any inaccurate personal information about them. This is a significant addition, as it allows individuals to ensure that the data being used to make decisions about them is accurate.
When a consumer makes a verifiable request to correct their information, the business must use commercially reasonable efforts to correct the inaccurate data. They must also instruct their service providers and contractors to make the necessary corrections.
Right to Know About Data Collection and Sharing
Consumers have the right to request that businesses disclose what personal information they have collected about them, as well as the categories of sources from which the information was collected. They can also ask businesses to disclose the specific pieces of personal information that have been collected.
In addition, consumers can request information about how their data is being shared. This includes the categories of third parties with whom the business shares personal information, as well as the categories of personal information that are shared.
Right to Opt-Out of Data Sharing
The CPRA expands the CCPA's right to opt-out of the sale of personal information to include the sharing of personal information. This means that consumers can direct businesses not to share their data with third parties for behavioral advertising purposes.
Businesses must provide a clear and conspicuous link on their website titled "Do Not Sell or Share My Personal Information" to allow consumers to exercise this right. They must also respect global privacy control signals that indicate a consumer's choice to opt-out.
These expanded rights give Californians unprecedented control over their personal information. By exercising these rights, individuals can limit the collection and sharing of their data and ensure that the information being used is accurate.
CPRA Enforcement and Penalties for Non-Compliance
The CPRA not only expands consumer rights, but it also establishes a new enforcement agency and increases penalties for businesses that fail to comply with the law.
Here's what you need to know about CPRA enforcement and penalties:
Role of the California Privacy Protection Agency
The CPRA creates a new state agency, the California Privacy Protection Agency (CPPA), which will be responsible for enforcing the law. This shifts enforcement authority away from the California Attorney General's office.
The CPPA will have the power to investigate potential violations, bring administrative enforcement actions, and levy fines. It will also be responsible for providing guidance to businesses and consumers on their rights and obligations under the CPRA.
Penalties for CPRA Violations
The CPRA significantly increases the penalties for businesses that violate the law. For each violation, businesses can face fines of up to $2,500 per violation or up to $7,500 per intentional violation or violations involving the personal information of minors.
These penalties can add up quickly, especially for businesses that have large numbers of California customers. In addition to these fines, businesses may also be subject to injunctions and other court orders to compel compliance with the law.
Private Right of Action for Data Breaches
The CPRA expands the private right of action that was established under the CCPA. California consumers can now bring a civil action against a business if their nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures.
Consumers can seek damages between $100 and $750 per incident or actual damages, whichever is greater. Before bringing an action, consumers must provide the business with 30 days' written notice identifying the specific provisions that were allegedly violated.
This private right of action creates significant litigation risk for businesses that experience data breaches. It's more important than ever for companies to implement strong data security measures to protect personal information.
The CPRA's enforcement mechanisms and penalties create strong incentives for businesses to comply with the law. By establishing a dedicated enforcement agency and increasing the potential fines, the CPRA aims to hold businesses accountable for protecting consumer privacy rights.
The California Privacy Rights Act (CPRA) boosts Californians' control over personal info, adding rights to correct data and opt-out of sharing. It also sets tougher penalties for non-compliance and creates a new privacy agency to enforce these rules. Real estate pros need to act now to stay compliant.
Steps to Achieve CPRA Compliance
To make sure your business is fully compliant, there are a few key steps you'll need to take.
But don't worry, we'll walk you through each one.
Conducting Data Inventory and Mapping
First things first: you need to know exactly what personal information you're collecting, using, and sharing. This is where data inventory and mapping come in.
According to the Workplace Privacy Report, successful compliance depends on understanding what information is collected (including sensitive information), who it's collected from, how it's collected, why it's collected, all purposes for which it's used, where it's stored, how long it's kept, and any third parties it's shared with.
If you already did this for CCPA, great. But you may need to update your mapping for any changes in business processes.
Updating Privacy Policies and Notices
Next up: your privacy policies and notices. Under CCPA, you're required to provide consumers (including employees and contractors) with a notice that discloses the categories of personal information you collect and how you use it.
But with CPRA, you need to add a few more disclosures to your notices as of January 2023. Specifically, you need to disclose:
- The categories of sensitive personal information you collect
- The length of time you intend to retain each category of personal information
- Whether personal information is sold or shared
Make sure to update your policies and notices to reflect these changes and provide clear guidance to consumers.
Managing Vendor Relationships
Do you share personal information with any service providers or contractors? If so, you'll need to make sure those relationships are CPRA-compliant.
This means entering into contracts that prohibit your service providers from selling or sharing personal information, using it for any purpose other than the business purpose specified in the contract, or combining it with information from other sources.
Review your vendor contracts and make any necessary updates to ensure compliance.
Implementing Data Subject Request Processes
Under CPRA, consumers have expanded rights to access, delete, and correct their personal information, as well as the right to opt-out of the sale or sharing of their information.
To comply, you'll need to implement processes to handle these requests. This includes having a clear method for consumers to submit requests, verifying the identity of the requestor, and responding within the required timeframes (usually 45 days).
Make sure your staff is trained on these new procedures and that you're documenting all consumer requests and your responses.
Impact of CPRA on Employee and B2B Data
One of the big questions around CPRA is how it will impact employee and business-to-business (B2B) data. Let's break it down.
Employee Data Privacy Rights
Under CCPA, there were some temporary exemptions for employee data. But those expired on January 1, 2023 when CPRA went into effect.
This means that, employees, applicants, and contractors have the same rights as consumers under CPRA. This includes the right to know, the right to delete, the right to opt-out, and the new rights to restrict disclosure and correct personal information.
According to the Workplace Privacy Report, employers will not be able to discriminate or retaliate against California employees who exercise these rights.
So if you haven't already, start preparing to extend CPRA rights to your employees and update your policies and procedures accordingly.
B2B Data Exemptions and Limitations
What about B2B data? The CCPA exemptions for B2B data also expired on January 1, 2023.
After that date, the CPRA will apply to personal information collected in the context of B2B transactions, with some limitations. For example, businesses will not be required to honor requests to delete personal information if it's necessary to complete the transaction or provide the requested product or service.
However, B2B contacts will still have the right to opt-out of the sale or sharing of their personal information. So make sure your B2B data practices are in line with CPRA requirements.
The key takeaway? Start reviewing your employee and B2B data practices now to ensure CPRA compliance. With the right preparation, you'll be protecting the privacy rights of all your California consumers, employees, and business contacts.
Get ahead on CPRA compliance by mapping out the personal info you handle, updating privacy notices, ensuring vendor contracts are tight, setting up request processes for consumer rights, and prepping for changes in employee and B2B data rules. This will keep your real estate biz on track.
Conclusion
Sure, the California Privacy Rights Act sounds tough at first. Yet, with a bit of elbow grease and proactive measures, you'll find your real estate venture ticking all the boxes for compliance and winning over client confidence.
Remember, it's all about transparency, security, and respecting consumer privacy rights. By conducting data inventories, updating your policies, and implementing robust security measures, you'll be well on your way to CPRA compliance.
Grab change with both hands as a chance to beef up how you run your business and make your customer bonds even stronger. The future of real estate is privacy-centric, and with the right approach, you'll be ready to thrive in this new landscape.