This blogpost will try to provide a comparison guide concerning the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
The CCPA, which went into effect on the 1st of January 2020, consists the first state law in the U.S. – as we have already mentioned in our previous blog posts   – and it is intended to enhance privacy rights and consumer protection for residents of California.
The CPRA is a new state-wide data privacy bill which has passed into law on the 3rd of November 2020, during the US General Election of 2020, and it works as an addendum to the CCPA by significantly expanding upon the aforementioned act. The CPRA will take effect on the 1st of January 2023 and it will become fully enforceable on the 1st of July 2023. The CPRA will have a lookback period from the 1st of January 2022, which means that all data collected from that date on is liable for compliance.
The scope of the CCPA applies to all businesses which have a gross revenue greater than $25M, and/or handle personal data of more than 50,000 consumers for commercial purposes, and/or derive 50% or more of their annual revenues from selling consumers’ personal data. The CPRA changes the definition of “doing business” by increasing the number of consumers to 100,000, and including businesses which derive 50% or more of their annual revenues from selling and/or sharing consumers’ personal information.
“Personal information” under the CCPA includes all data which may be associated and/or linked, directly or indirectly, with a consumer or household.
The CPRA introduces “sensitive personal information” which includes government identifiers, financial account and login information, geo-location, race, ethnicity, religious or philosophical beliefs, or union membership, content of non-public communications (mail, email and text messages), genetic data, biometric or health information and sex life or sexual orientation information. Sensitive personal information (SPI) is regulated separately from normal personal information by including specific provisions, such as disclosure requirements, opt-out requirements for use and disclosure, opt-in consent standard for use and disclosure and purpose limitation requirements.
The right to opt out of automated decision-making technology, including “profiling,” in connection with decisions related to a consumer’s work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements is explicitly required by the CPRA. This is a critical amendment since the CCPA had as an only requirement the “Do Not Sell My Personal Information” link on the companies’ websites, giving consumers the right to opt out from the selling and/or disclosing of their personal information. The CPRA explicitly extends to sharing of personal data used for cross-context behavioural advertising, while at the same time, the new act strengthens the opt-in rights for minors. As with the opt-out right, businesses must wait 12 months before asking a minor for consent to sell or share their personal data after the minor has declined to provide it.
The aforementioned right is one of the four new rights provided by the CPRA to California residents. In addition to this, the right to correction, the right to know about automated decision making and the right to limit use of sensitive personal information are also added.
However, the CPRA also modifies the CCPA existing rights. Specifically, under the CPRA, the California residents can request the deletion of their personal information and business must now have to notify third parties to delete this as well. The right to know is enhanced, since under the CPRA the California residents can request access to any personal data collected beyond the original 12-month limit which was provided in the CCPA. The right to opt-out now provides California residents to opt out of businesses sharing their personal information specifically for behavioural advertisement, and not only of the sale of their personal data, as in the CCPA. Additionally, the rights of minors are extended since the opt-in requirement for businesses when dealing with minors also includes the sharing of personal data for behavioural advertising. Under the CPRA, California residents can also request to have their personal information transported to other businesses or organizations.
The CPRA introduces three additional requirements for business. Businesses are not allowed to collect or share more data than what is strictly necessary for their stated purpose of collection (data minimization). Likewise, a business is not allowed to collect, use or share California residents’ personal information for a new purpose without first stating so (purpose limitation). The CPRA also amends the CCPA so that a website or business will be required to notify (at the point of collection) Californian residents about the retention time of each collected category of personal information (storage limitation). Additionally, the CPRA expands the CCPA’s current consent requirements.
The CCPA does not define or impose data security requirements. On the other hand, the CPRA calls for businesses, which process California consumers’ personal information that presents significant risk to consumers’ privacy or security, to perform a cybersecurity audit on an annual basis, and to submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal information.
The California Privacy Protection Agency is established under the CPRA in order to enforce the act. The Agency will be vested with full administrative power, authority, and jurisdiction to implement both the CPRA and the CCPA, and it will assume its rulemaking and enforcement authority from the California Attorney General no later than the 1st of July 2021. With the creation of the California Privacy Protection Agency, California is the first state to shift privacy responsibilities away from the state’s attorney general.
The CPRA triples penalties for violations regarding minors under the age of 16, eliminates the 30-day cure period following notice of alleged non-compliance, and it expands the scope of consumers’ privacy right of action. Under the CPRA, this private right of action will include breaches involving email account credentials that might grant access to a user’s account.
As a conclusion, we could say that the CPRA is more of an overlay to the CCPA than a new law in itself. California doesn’t really have two separate data privacy laws, but one data privacy regime consisting of the CCPA/CPRA setup. The CPRA is written with a main purpose to expand the CCPA existing provisions and/or add entirely new ones, but it always refers back to the original CCPA law text itself.
We hope the article helped you to grasp the basics regarding CCPA and CPRA, and gave you a starting point if you want to research the subject in depth.
Until next time.