CCPA vs CPRA: Understanding California’s Data Privacy Laws
Learn more about what these acts are, how they differ, their requirements, and what businesses need to know to be compliant.
What Is the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) is a statewide data privacy law regulating how businesses anywhere in the world are allowed to interact with the personal information of California residents. The CCPA defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” (1798.140.o1). Under this definition, personal information can refer to direct identifiers, biometric data, geolocation data, internet activity, sensitive information such as health data or political affiliations, and other relevant identifiers.
This act became effective on January 1, 2020, with the goal of increasing data privacy and protecting consumers’ data by governing what information companies can collect and what they are allowed to do with the data collected. The CCPA also details the strict requirements companies must follow when notifying consumers that their data is collected, what data is collected, and what rights they have to the collected data.
What Is the California Privacy Rights Act (CPRA)?
Not to be confused with the CCPA, the CPRA (California Privacy Rights Act) is an amendment to the CCPA. Though this amendment was voted into law in December of 2020, most of its provisions won’t become operative until January 1st of 2023. The CPRA doesn’t replace the CCPA, but rather augments it to include more detail. Where the CCPA was more broad, the amendments provide specifications. The following are some of the most notable changes.
New Criteria for How Businesses Are Regulated
The CPRA redefines what a covered business is, altering the number of businesses subject to the CCPA. It doubles the CCPA’s threshold number of households from 50,000 to 100,000, which reduces applicability to smaller businesses. It also expands applicability of the law to businesses that generate the majority of their revenue from sharing personal information, not just selling it. Lastly, it expands applicability to joint ventures or partnerships composed of businesses that each have at least a 40% interest.
New “Sensitive Personal Information” Category
The CPRA includes a new regulated dataset: sensitive personal information. Under CPRA, consumers have new rights that include limiting businesses’ use of their sensitive information. Sensitive personal information is described as government identifiers (such as an SSN), financial account and login information, geolocation, race, ethnicity, religious or political affiliations, union membership, content of non-public communication (such as private text messages), genetic data, health information, and sex life or orientation information.
New Consumer Privacy Rights
The CCPA gave consumers the rights to know, to delete, to opt out of third-party sales, and to nondiscrimination. In addition to these, the CPRA extends consumer rights to include:
- The right to limit use and disclosure of sensitive personal information
- The right to access information about automated decision making
- The right to opt out of automated decision-making technology
- The right to restrict sensitive personal information
- Audit obligations
It also modifies the right to opt out of third-party sales to include sharing data with third parties.
New Regulations Regarding Sharing PI for Advertising
Where the CCPA’s opt-out right restricts the sharing of personal information for advertising purposes in exchange for money or other valuable consideration, the CPRA specifically extends that right to personal information used for cross-context behavioral advertising.
New Privacy Enforcement Authority
The CCPA is currently enforced by the California Office of the Attorney General (OAG). The CPRA alters enforcement, establishing the California Privacy Protection Agency and giving it investigative, enforcement, and rule-making power. It also removes the 30-day cure period businesses are currently allowed after being notified by the OAG of a violation, and triples the maximum penalty for violations concerning minors to $7,500.
New GDPR-Related Additions
The CPRA includes GDPR concepts of data minimization, purpose limitation, and storage limitation, which GDPR currently enforces across Europe.
The CPRA redefines “service provider” and adds a definition for “contractors.” Service providers and contractors must notify businesses of any engagement with a sub-service provider or subcontractor and bind them to the same written contract otherwise established between businesses and service providers. Both must also cooperate with businesses in response to privacy rights requests and are prohibited from combining personal information received from the businesses with that received from other sources.
New Employee and B2B Exemptions
Under the CCPA, business-to-business exemptions were set to end on January 1st, 2022. However, the CPRA allows for exemptions until January 1st, 2023.
New Consent Standard
The CPRA aligns the consent standard more closely to that of Europe, requiring consent for:
- The sale or sharing of personal information after an opt-out
- Minor opt-in consent for sale and sharing of personal information
- Secondary use and disclosure of sensitive personal information after an opt-out
- Research exemptions
- Opt-in consent for financial incentive programs
New Data Types
The CPRA adds consumer login credentials to the list of data types that can be actionable under the law.
Does the CPRA Replace the CCPA?
No, the CPRA does not replace the CCPA. The CPRA is an amendment that significantly alters the CCPA, but doesn’t altogether replace it. Both acts function together. The CPRA alters the existing provisions of Title 1.81.5 of the California Civil Code (the CCPA) and adds new provisions. It’s still unknown whether Title 1.81.5 will continue to be known as the CCPA or will become known as the CPRA when the CPRA amendments become operative on January 1st, 2023.
Who Needs to Comply With the CPRA and CCPA?
The following business types must comply with the existing CCPA and will be required to comply with CPRA come January 2023:
- Those with an annual revenue over $25 million
- Those that collect data on over 50,000 individuals or devices
- Those that collect data on over four million users
- Those whose revenue from selling personal data accounts for over 50% of annual revenue
Though these business types are explicitly required to comply, all businesses should have an understanding of and respect for data privacy and compliance where applicable.
What Are the Requirements for Complying With the CPRA and CCPA?
To be in compliance with the CCPA and CPRA, affected businesses are required to:
- Disclose data privacy policies and practices
- Notify consumers in advance of what personal information is being collected
- Make it easy for consumers to exercise their rights granted by the acts
- Respond to consumer requests within a certain timeframe
- Verify the identity of consumers who make requests
- Disclose any financial incentives offered in exchange for the retention or sale of personal data
- Explain how these incentives are acceptable under the acts
- Keep records of any requests made and their response
- Maintain data inventories and map data flows
How Are the CCPA and CPRA Different From GDPR?
Both the CCPA and CPRA are more relaxed than the EU’s GDPR. Companies that are already considered compliant with GDPR should have no issue complying with these acts. One primary difference is that GDPR requires users to specifically opt in to allow their data to be collected, whereas the CCPA merely requires that users be notified and allowed to opt out.
Data privacy and protection is a serious and growing global concern. Though the CPRA doesn’t officially take effect until 2023, affected businesses should be actively working on ensuring compliance now. Okera’s solutions uniquely help companies gain full visibility into how sensitive data is used and how to standardize and simplify fine-grained access control across their enterprise. The result is increased protection and compliance without inhibition to innovation. To better understand how Okera can work for your business, see a demo of our platform.