CCPA vs. CPRA: Key Components Explained
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) have many provisions that affect businesses operating in the state. The CPRA, approved in November 2020, is an amendment to the CCPA. The CPRA has technically been in effect since December 16, 2020. However, most of the revisions to the CCPA won’t come into force until January 1, 2023. Learn how the CCPA compares to the CPRA and how it could affect your business.
Expanded consumer privacy rights under the CPRA
The following are the five consumer privacy rights that have been modified under the CPRA:
Right to access
When requested, businesses must provide consumers with the personal and sensitive information that was collected, shared, or sold to third parties, the categories of PII, and the third parties involved.
There are no legal obligations for companies to save data for a particular amount of time, so it's hard to say how long the company will retain PII.
Right to delete
The CPRA gives consumers new rights that allow them to more easily get rid of the collected data that companies have on them.
Right to data portability
The CCPA gives users the right to access their data. However, users can now transfer their personal information to different companies under the CPRA.
Right to opt-out
While the CCPA only allows data subjects to opt out of data sales, the CPRA gives users the right to opt out of both the sale and the sharing of their personal information with third parties.
Right to opt-in for minors
The CCPA prohibits the sale of personal information of California consumers under 16 years of age without their opt-in consent. The CPRA states that you have to wait for 12 months before requesting consent from a minor who has refused the initial request.
New consumer rights
The CPRA sets four new user privacy rights.
Right to correct data
This right applies when a consumer’s data is inaccurate. It allows them to ask for this information to be corrected.
Right to access information about automated decision making
Data subjects are entitled to request information about automated decision-making processes concerning their data, as well as the likely results of those processes.
Right to limit use & disclosure of sensitive personal information
A company must, by law, respond to a consumer’s requests to limit the use and disclosure of their data.
Right to opt-out of automated decision making
California residents can also choose to opt out of automated decision-making technology, such as individual profiling.
Who must comply
The CPRA exempts some small businesses from the CCPA. Previously, under the CCPA, a business that collected data from over 50,000 data users would be subject to the act. Under the CPRA, that number has increased to 100,000.
The CPRA also applies to any company that derives at least half of its revenue from selling or sharing consumers’ data, or that has a gross annual revenue of over $25 million.
GDPR principles incorporated in CPRA
Storage limitation
The CPRA specifically mentions that companies may not retain PII for longer than necessary. When collecting data, companies also have to inform customers of the length of time each type of data is stored.
Data minimization
Companies should only collect, use, and store users’ personally identifiable information that is reasonably necessary.
Purpose limitation
If a company chooses to use customers’ personal information in a way that differs from how it initially disclosed it, the company needs to first inform all customers.
30-day cure period abolished
Under the CPRA, organizations no longer automatically get the 30-day cure period that previously allowed violations to be addressed. However, cure periods can still be given to violators at the discretion of the CPPA.
CPRA expanded private right of action
The California Consumer Privacy Act gave consumers whose unredacted or unencrypted data has been compromised the right to take legal action against companies. The CPRA amended this provision to cover some personal data like consumers’ passwords, email addresses, and security questions.
Contractual provisions for data shared with third parties
The CPRA obligates businesses to have a contract in place with any third party that is receiving or sharing their customer data. This enhances customer data security to reduce the number of third-party risks.
Addition of the SPI category
The CPRA adds a category of highly sensitive personal information (SPI) that is subject to stricter purpose limitations and disclosure requirements. This includes:
- Biometric information for identification
- Contents of communication
- Credit or debit card number with access codes
- Driver’s license
- Ethnic origin
- Financial account information and log-in credentials
- Genetic data
- Health information
- Information about sex or sexual orientation
- Passport number
- Precise geolocation data
- Religious or philosophical beliefs
- Social Security Number
- State identification card
Mandatory audit and security risk assessment
The CPRA mandates that businesses comply with annual cybersecurity audits and periodic risk assessments to protect the data of consumers. Businesses must start assessing risks related to data security and information confidentiality to prioritize the risks they face and implement a risk assessment framework. It is an important step in developing a cybersecurity strategy, which helps organizations take the appropriate steps to mitigate risks.
Creation of a new privacy enforcement authority
The CCPA was first enforced by the office of the Attorney General. The CPRA established a new privacy enforcement authority, the California Privacy Protection Agency (CPPA), and grants it powers to investigate and enforce the act.
Extra data protection for children’s PII
The CPRA is similar to the CCPA in that it also prohibits the sale of personal information of those under 16. Nonetheless, violations involving children’s data are penalized as intentional violations, meaning they are more severe. Violating the CPRA often comes with a penalty of up to $7,500 for intentional violations and a penalty of up to $2,500 for unintentional violations.
Why businesses must pay attention to these laws
The CPRA will not go fully into effect until January 1, 2023. However, businesses that operate in California should start preparing for it now.
With the 30-day cure period abolished, the penalty for underage violations increased to $7,500, and an enforcement body (the CPPA) established, businesses have to be careful not to violate these new privacy regulations.
Businesses should go through the information related to the CPRA, conduct an assessment of the measures they currently have for CPRA compliance, and check whether there are any gaps in their current policy.
Keeping up with privacy management
Complying with ever-evolving privacy regulations can be a daunting task in today’s landscape. With a full privacy management suite like Mine PrivacyOps, businesses can ensure that their data privacy operations are appropriately managed and compliant with privacy laws, protecting their organization from possible fines, limiting risks, and maintaining users’ trust.