In an age when every person represents a set of valuable data, state governments from Virginia to Utah and Colorado to California are addressing data privacy amid growing concern about how personal and sensitive information is collected, processed, and shared.
As new data privacy laws are enacted, businesses will need to adapt their privacy practices quickly to meet legal requirements and withstand enforcement.
For example, two landmark pieces of comprehensive data privacy legislation, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), affect privacy compliance for any company that does business with California residents.
Wondering about the importance of data privacy laws? In this detailed comparison, we’ll break down the major differences between the CCPA and CPRA so that your business can prepare accordingly. Read on to learn more about:
- The establishment and impact of California’s brand-new privacy agency
- Where the CPRA extends the CCPA: opt-out requirements, consumer privacy requests, audit & risk assessments, and enforcement
- How these changes will affect businesses over the next two to three years
What is CCPA?
In June 2018, Gov. Jerry Brown signed the California Consumer Privacy Act (CCPA), the first comprehensive consumer privacy law in the United States. It gives California residents rights and protections similar to those of the European Union's General Data Protection Regulation (GDPR), which took effect in May 2018.
The CCPA went into effect on January 1, 2020. Among other rights, protections, and regulations, this data privacy law is characterized by a dual focus on:
- Consumer rights – Under the CCPA, consumers have the right to know what personal information is collected, used and shared with third parties. They also enjoy the right to access their own data, delete their information, and importantly, to opt out of their information being “sold” for monetary or “other valuable consideration”.
- Business regulations – Like the GDPR, the CCPA applies regardless of where a business is located: any for-profit business that does business in California, collects personal information of California residents, and meets one of the statutory thresholds (covered below) must comply.
What is CPRA?
Approved by California voters as Proposition 24 on November 3, 2020, the California Privacy Rights Act (CPRA), sometimes referred to as CCPA 2.0, is a ballot initiative that amends and expands the CCPA. Most of its provisions become operative on January 1, 2023, and enforcement of the CPRA's amendments begins on July 1, 2023. Note that the new rights apply to personal information collected on or after January 1, 2022, so data gathered during 2022 is already in scope.
Compared to the CCPA, the CPRA aligns more closely with the GDPR. It keeps the CCPA's core rights and adds provisions that tighten the handling of personal information, such as:
- Employee and business contact rights – The CPRA lets the CCPA's temporary exemptions for HR and B2B data expire. From January 1, 2023, employees, job applicants, contractors and business contacts have the same protections and can exercise the same rights as any other California "consumer".
- Expanded opt-out requests – The CCPA gave California residents the right to opt out of data "sales". The CPRA closes a loophole in the CCPA's Do Not Sell provision by adding an explicit right to opt out of having their data "shared" for cross-context behavioral advertising, whether or not money changes hands. In other words, California consumers can stop their data from flowing across the targeted-advertising ecosystem.
The CPRA also protects consumers by explicitly defining "sensitive personal information" and giving them the right to limit its use and disclosure, with limited exceptions. Sensitive personal information includes government identifiers such as Social Security, driver's license and passport numbers; account log-in or financial account details combined with the credentials needed to access the account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, and union membership; the contents of mail, email and text messages (unless the business is the intended recipient); genetic data; biometric data processed to uniquely identify a consumer; and information about health, sex life or sexual orientation.
The California Privacy Protection Agency
Perhaps the most notable change the CPRA has already set in motion is the creation of a new administrative agency, the California Privacy Protection Agency (CPPA). As the first U.S. state agency dedicated solely to privacy, it is responsible for enforcing California's consumer privacy law and for adopting regulations and guidance under the CPRA.
The agency is governed by a five-member board, appointed by the Governor, the Attorney General, the Senate Rules Committee and the Speaker of the Assembly, and supported by an executive director. The board sets the agency's rulemaking and enforcement priorities. The CPRA funds the agency with an appropriation of $5 million for fiscal year 2020-21 and $10 million each year after that, adjusted for cost-of-living changes.
Rulemaking will be a primary part of the agency's role. The CPRA directs regulations to be adopted in 22 areas, including 15 not identified in the CCPA, and the agency must flesh these out before the statute's requirements are fully specified.
In addition to rulemaking and enforcement, the agency will have several other functions, including:
- Privacy rights education and awareness
- Advisement for consumers and businesses
- Cooperation with agencies and collaboration with other states that enforce privacy laws
- Advisory on new privacy-related regulation
CCPA vs CPRA: Who is Subject?
A for-profit business that does business in California and collects consumers' personal information falls within the scope of the CCPA if one or more of the following applies:
- Has annual gross revenues in excess of $25 million
- Annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of its annual revenue from selling consumers' personal information
The CPRA modifies these thresholds. A business falls under its purview if it:
- Has annual gross revenues in excess of $25 million in the preceding calendar year (a figure the agency will adjust for inflation)
- Annually buys, sells, or shares the personal information of 100,000 or more consumers or households (devices no longer count toward the threshold)
- Derives 50% or more of its annual revenue from selling or sharing consumers' personal information
Raising the volume threshold to 100,000 and dropping devices takes many smaller businesses out of scope, while adding "sharing" to the revenue test brings in ad-supported businesses that never sell data for money.
Not sure if your business has to comply? Find out quickly with our CPRA Compliance Quiz.
CCPA vs CPRA: Opt-out Requirements
When it comes to opt-out rights, the CPRA extends consumer rights well beyond the CCPA. Whereas the CCPA only lets consumers opt out of the sale of their personal information, the CPRA also gives them the right to stop businesses from sharing their information for targeted advertising, as mentioned above.
But what constitutes the sharing of consumer data?
Under the CPRA, "sharing" means disclosing personal information to a third party for cross-context behavioral advertising, whether or not any money or other valuable consideration changes hands. Cross-context behavioral advertising covers:
- Profiling a consumer's behavior across businesses, websites, apps and devices other than the one the consumer is intentionally interacting with
- Targeting a consumer with personalized (behaviorally or interest-based) advertising built on that profile
The CPRA also bars businesses from requiring a consumer to create an account, or to provide information beyond what is necessary, in order to process an opt-out request or another consumer privacy request.
CCPA vs CPRA: Consumer Requests
Further improving upon standards set by the CCPA, the CPRA broadens the range of information that consumers can request from businesses. Under the CPRA, consumers can request five primary kinds of information from companies that collect and store their personal data. These include:
- Categories of personal information – Consumers have the right to know what kinds of personal data a business collects about them, such as race or ethnicity, citizenship status, or religious beliefs.
- Categories of collection sources – The CPRA allows consumers to request information about where their personal data was obtained.
- Collection purpose – Consumers have the right to request information from businesses on the business’s purpose for collecting, selling, or sharing personal information.
- Third-party access – Consumers have the right to know the categories of third parties to whom the business discloses personal data.
- The specific information collected – Under the CPRA, consumers have the right to know what specific personal data businesses are collecting.
CCPA vs CPRA: Right to Delete
The CPRA strengthens the CCPA's right to delete. Consumers can still ask a business to delete the personal information it has collected from them, but the CPRA adds that when a business receives a verifiable deletion request, it must:
- Notify its service providers and contractors to delete the consumer's personal information from their records
- Notify any third parties to whom it has sold or shared the personal information to delete it, unless doing so proves impossible or involves disproportionate effort
The CCPA already required businesses to delete the data from their own records and to direct service providers to do the same; the CPRA extends that obligation down the chain to contractors and third parties and makes it an explicit part of honoring a deletion request.
Interested to know how many data subject requests (DSRs) you can expect to receive under the CCPA and CPRA? Check out our 2021 CCPA trends report to gain insight from the analysis of millions of DSRs over the past year.
CCPA vs CPRA: Audit and Risk Assessments
The CPRA introduces new audit and risk-assessment obligations. Businesses whose processing of personal information presents significant risk to consumers' privacy or security must perform an annual cybersecurity audit and submit regular risk assessments to the California Privacy Protection Agency.
The exact requirements, including which processing counts as presenting significant risk and how deep the audits must go, will be set by the agency in forthcoming regulations, and the agency may tailor its guidance by industry.
Under the statute, a risk assessment must be submitted to the agency and must:
- State whether the processing involves sensitive personal information
- Identify and weigh the benefits of the processing to the business, the consumer, other stakeholders and the public against the potential risks to consumers' rights
- Support restricting or prohibiting the processing where the risks to consumers' privacy outweigh the benefits
Enforcement
The CPRA is enforced by the California Privacy Protection Agency through administrative actions, while the California Attorney General keeps concurrent authority to bring civil enforcement actions. The agency's regulations will spell out what CCPA compliance requires and how those requirements change under the CPRA.
The size of the potential penalty is the same as under the CCPA. In assessing fines, the agency distinguishes between two kinds of violations:
- Unintentional violations – When a company falls out of compliance by accident or mistake, it may incur an administrative fine of up to $2,500 per violation.
- Intentional violations – Where a company intentionally mismanages consumer data, fines of up to $7,500 per violation may apply.
Two differences matter in practice. First, the $7,500 ceiling also applies to any violation involving the personal information of consumers the business knows to be under the age of 16, whether or not the violation was intentional. Second, the CPRA removes the CCPA's mandatory 30-day cure period: a business no longer gets an automatic opportunity to fix a violation before an enforcement action, although the agency may at its discretion give a business time to cure.
Stay Compliant with DataGrail
The CPRA introduces a wide array of changes to privacy for California residents and brings U.S. privacy regulation closer in line with the GDPR. With new requirements for opt-out, audit and risk assessments, and consumer requests, the CPRA will greatly affect privacy practices for small and large businesses alike.
Most provisions of the California Privacy Rights Act will become operative at the beginning of 2023. Are you concerned about the coming changes and keeping your business compliant? If so, you need DataGrail.
At DataGrail, we know that making sense of all the complicated state, federal, and international privacy laws your business has to follow isn't easy. For example, if you have questions such as "What is GDPR?", we've got you covered. We built our data privacy platform so that businesses of all kinds have an easy-to-use resource for managing, automating, and keeping their data privacy programs compliant.
Get started now.