Summary: CCPA and CPRA are data privacy laws in California. While both aim to protect the data rights of Californian citizens, the CPRA is an amendment to the CCPA that introduces some changes and additions to the original law. Explore this blog to understand the key differences between them and how these amendments will affect Californian citizens and businesses.
On June 28, 2018, the Golden State made history by becoming the first US state to enact a comprehensive data privacy law known as the California Consumer Privacy Act (CCPA). Less than a year after the CCPA went into effect, Californians approved the California Privacy Rights Act (CPRA), a significant amendment to CCPA that builds upon its foundation by further enhancing consumer rights and imposing additional obligations on organizations. This approval marked an important development in the state’s data privacy landscape.
Californian businesses need to know about these amendments to understand their impact on their business.
What is CCPA?
The California Consumer Privacy Act (CCPA) is a comprehensive data privacy regulation that took effect on January 1, 2020. CCPA grants the residents of California enhanced control over their personal information and enforces obligations on businesses that collect, store, or process such data.
What is CPRA?
The California Privacy Rights Act (CPRA), also known as Proposition 24, is an amendment to CCPA that went into effect on January 1, 2023, and will become enforceable from July 1, 2023, onwards. The law has amended and expanded the scope of the CCPA making it more closely aligned with European Union’s trailblazer regulation General Data Protection Regulation (GDPR).
CCPA Vs CPRA – Key Differences:
Before we start penning the difference between CCPA and CPRA, It is important to know that CPRA is technically an amendment to CCPA and any provision of CCPA that has not been amended by CPRA will remain in effect.
|Definition of Personal Information||Any information that can identify, relate, describes, or can be reasonably linked to the consumer or household.||A new category titled ‘Sensitive Information’ has been created. It includes precise geolocation data, biometric information, health information, social security number, racial and ethnic information, etc.|
|Business Categories||Business and Service Providers||A new category is added to CCPA – Third Party contractors.|
|Scope and Applicability||This applies to businesses that meet any of the following criteria:|
- Minimum annual gross revenue over $25 Million
- Bought, received, or sold data of 50,000 or more households, or customers
- Generate 50% or more of their gross revenue by selling consumer PII data
|CPRA expands the scope to include businesses that:|
- Minimum annual gross revenue over $25 Million from the previous calendar year
- Buys sells, or shares the data of over 100,000 or more consumers or households
- Derive 50% or more annual gross revenue from selling or sharing personal information. Data sharing has been added as a new criterion
|Applicability Date||Effective January 1, 2020||Effective January 1, 2023|
|Consumer Rights||It provides Californians with rights like:|
- Right, to know what information is collected
- Right, to request deletion
- Right to opt out of the sale of their information
- Right to not get discriminated against for not sharing information
|Additional rights added under the law are:|
- Right to get incorrect information corrected
- Right to limit or opt-out of sharing sensitive information
- Right to limit or opt-out of business automated decision-making processes and profiling
|Extension of the Opt-Out Right||Consumers have the right to opt out of the sale of their personal information.||The right to opt out has been extended to sharing personal information with third parties for cross-context behavioral advertising or other purposes.|
|Enforcement Agency||California Attorney General||Establishes the California Privacy Protection Agency (CPPA)|
|Risk Assessments and Data Minimization||No requirement for conducting risk assessments or following data minimization practices.||Regular risk assessment is to be carried out and submitted to CPPA. It also mandates that businesses minimize data collection and retention.|
|Cure Period||Businesses have a 30-day cure period before being fined in case of a violation.||The cure Period is REMOVED.|
- $7,500/intentional incident
- $7500/violation involving minors (anyone under the age of 16)
- Consumers can request access to their personal information for the past 12 months
- Consumers can request access to their personal data beyond 12 months.
- Businesses may deny requests only when it is impossible or entails disproportionate effort.
What is Sensitive Personal Information as per CPRA?
Sensitive information is a new category added by CPRA. It includes the following:
- Social Security Numbers (SSN)
- State ID numbers
- Passport numbers
- User credentials such as usernames and passwords
- Biometric data including genetics
- Racial origins
- Geo Locations
- Religious beliefs
- Info about sexual orientation, sex life, or health
- Contents of a consumer’s text, mail, and email
- Driver’s license
The Key Changes that CPRA brings to the California Consumer Protection Act include:
- New Category of Data: Inclusion of Sensitive Personal Information.
- Enhanced Consumer Rights: Consumers can take legal action against companies that expose their login credentials. Likewise, they have the right to ask for a change in their personal information, if they found it incorrect.
- Revised Legal Threshold: Companies that have a 100,000 consumer base instead of 50,000 earlier.
- New Concepts: CPRA introduces the concept of “sharing” personal information in addition to “selling.” This means that businesses now need to follow specific rules and guidelines when they exchange consumer data with third parties, even if no monetary transactions are involved.
- Changes to Business Requirements: Minimize data collection and retention by businesses.
These are some of the key differences between the CCPA and the CPRA. Businesses need to stay informed about evolving privacy regulations and ensure compliance with the applicable requirements. You can access the official CPRA document on the official website of the Californian government or by following the provided link here.
Does CPRA override CCPA?
No, CPRA is an amendment to CCPA, and any provision of CCPA that has not been amended by CPRA will remain in effect.
What businesses must comply with CPRA?
In addition to the criteria already mentioned in CPRA expands it to include businesses that, buy, sell, or share the data of over 100,000 or more consumers or households, as well as data brokers. Data sharing has been added as a new criterion.
What is the penalty for non-compliance with CPRA?
In addition to the penalties set by CCPA, which were $2,500 per incident and $7,500 per intentional incident, CPRA introduces a new criterion of $7,500 per violation involving anyone under the age of 16.