When the California Privacy Rights Act (CPRA) was approved by California voters in the 2020 election, it greatly expanded the privacy protections afforded to consumers. The new law also increased the data security obligations of companies operating in the state. The consumer rights protected by the CPRA are important because they address the kind of digital privacy concerns that are prevalent at a time when businesses have access to an unprecedented amount of personal information about customers. When a company violates the CPRA by failing to protect consumer data, they may be subject to substantial fines and exposed to civil liability.
To learn more about how the California Privacy Rights Act protects consumer privacy rights, keep reading.
What Consumer Privacy Rights Are Protected by the CPRA?
The California Privacy Rights Act (CPRA) was intended to strengthen consumer privacy laws already in effect, such as the California Consumer Privacy Act (CCPA). The idea was to protect California residents against invasions of privacy and data breaches when making purchases from businesses or when communicating with businesses online. The statute does this by strengthening consumer rights that existed under the CCPA and by creating new rights that did not previously exist.
These are the existing consumer rights that the CPRA strengthened:
- The right to know about any personal data that has been collected by companies.
- The right to delete any personal data that has been collected.
- The right to opt out of the sale or sharing of personal data with third parties.
- The right to be free from discrimination or retaliation for having exercised any of these consumer rights.
- The right to bring a private civil action against companies that fail to protect consumers’ personal information against unauthorized access or data breaches.
Additionally, the CPRA created two (2) entirely new consumer privacy rights:
- The right to correct personal information that is inaccurate.
- The right to limit how “sensitive personal information” is collected, used, and disclosed.
Consumer Right to Correct Inaccurate Personal Data
Under the CPRA, consumers now have the right to request that a business correct any collected information that is inaccurate. Moreover, this right must be disclosed to consumers in a company or website privacy notice. After a consumer has requested that certain information be corrected, the company must use “commercially reasonable efforts” to make the correction.
Consumer Right to Opt Out of Sharing Personal Data
Data privacy was a major focus of lawmakers when the California Consumer Privacy Act (CCPA) was enacted, but the statute may not have gone far enough. While the CCPA gives consumers the right to opt out of the sale of their personal information to third parties, the CPRA gives consumers the same right with respect to the sharing of personal information. Significantly, this consumer privacy right may be exercised regardless of whether the data is being shared for a monetary benefit.
It should also be noted that the data privacy law requires businesses to inform consumers of this right directly on the company website’s homepage. The business must include a conspicuous link with the title “Do Not Sell or Share My Personal Information,” which the consumer can click on to exercise their opt-out right.
New Obligations for Businesses Under the California Privacy Rights Act
The California Privacy Rights Act (CPRA) also increased requirements on businesses to protect the sensitive personal information of consumers against data breaches or other invasions of privacy. For example, businesses are now prohibited from maintaining customers’ personal data for any longer than absolutely necessary.
The CPRA also increased the penalties that companies can face for consumer privacy violations. The statutory fines start at $2,000 for each violation, and they can go as high as $7,500 for a willful violation. Beyond that, the maximum fines can be tripled when the violation involves a child under the age of 16. If a company wants to collect the personal data of consumers under 16 years of age, the young consumer must expressly consent to it. If the consumer is under the age of 13, a parent or guardian must first provide permission before a company can collect personal data.
Additionally, civil penalties may be imposed when the violation involves the theft of customer login information. This means that businesses that expose customer data to a data breach are subject to a lawsuit with significant damages.
Tauler Smith LLP Protects Consumer Privacy Rights in California. Call Us Today.
California law places clear limits on how businesses may use customer information collected during a transaction or website visit. The Los Angeles consumer privacy attorneys at Tauler Smith LLP understand the law and how it protects consumers against unlawful invasion of privacy. We represent plaintiffs in both individual lawsuits and class action lawsuits when a company illegally monitors, collects, shares, or sells a customer’s personal data without permission.