Data Subject Rights under California Privacy Rights Act (CPRA)

What is the CPRA?

For the uninitiated, the CPRA will soon become California’s primary data protection law when it replaces the current CCPA on January 1st, 2023. It was passed via a vote in November 2018. While in its essence, it is more or less similar to the CCPA because it amends and improves upon it, however, it does significantly differ from the CCPA in some areas.

  • Driver’s license;
  • State identification card;
  • Passport Number;
  • Financial account information and log-in credentials;
  • Debit Card or Credit Card number along with access codes;
  • Precise geolocation data;
  • Religious or philosophical beliefs;
  • Ethnic origin;
  • Contents of communication;
  • Genetic data;
  • Biometric information for identification;
  • Health information;
  • Information about sex or sexual orientation.

What are Data Subject Rights?

In a nutshell, data subject rights (or consumer rights requests) are a set of rights users have that guarantee consumers retain control over how their data is collected,processed or shared/disclosed by data controllers. The purpose of these rights is to provide data subjects power over their own personal data/personal information and how it is used by data controllers/businesses while also ensuring data controllers and businesses act in a responsible manner.

What are the Data Subject Rights Under CPRA?

Consumer rights requests formulate the basic skeleton of the CPRA legislation. Like all major data protection laws, these rights ensure that consumers have adequate rights over how their personal information is collected, stored, used, protected, or sold to third parties. As per the CPRA, consumers can directly request a business to enforce their rights. Businesses must provide a mechanism to consumers to make these requests and it must honor them free of cost within 45 days or risk facing a penalty.

a. Right to Delete Personal Information

Consumers in California have the right to request any personal information collected on them by businesses be deleted.

  • Debug to identify and repair errors;
  • Exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law;
  • Comply with the California Electronic Communications Privacy Act;
  • Engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws;
  • To enable solely internal uses;
  • Comply with a legal or contractual obligation.

b. Right to Correct Inaccurate Personal Information

In a significant development, CPRA has granted consumers the right to request changes and alterations to the personal information collected by the business that has since become outdated/incorrect/obsolete.

c. Right to Know What Personal Information is Being Collected. Right to Access Personal Information

A consumer has the right to know explicitly what data is being collected on them as well as for what exact purpose.

d. Right to Access Personal Information

Consumers have the right to request access to specific pieces of personal information or categories of personal information collected about them including the sources from where it was collected, the business or commercial purpose for which it was collected, sold or shared and the categories of third parties with whom the personal information was disclosed to.

e. Right to Opt-Out of Sale or Sharing of Personal Information

The consumers have the right to opt out of having any of their collected data or information being sold/shared by a business.

f. Right to Limit Use and Disclosure of Sensitive Personal Information

Consumers have the right to restrict the usage of their sensitive personal information collected.

g. Right of No Retaliation Following Opt-Out or Exercise of Other Right

Consumers have the right to exercise any of their data subject rights without having to endure any form of retaliation or loss in their user experience.

How Can Securiti Help?

California is not the only state that has its own data protection laws. Several other US states have followed suit since the CPRA was passed in November 2018. It signals just how important data privacy has become, and perhaps more critically, just how informed the average user has become of their right to data privacy.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store