CCPA Compliance Vs CPRA Compliance

Published on: 26 Jul 2022


CCPA VS CPRA

The California Consumer Privacy Act (CCPA) is a law signed on June 28, 2018, that established consumer privacy rights and business obligations concerning the collection and sale of the personal information of California residents. The CCPA came into effect on January 1, 2020. Soon after, in November 2020, Proposition 24, known as the California Privacy Rights Act of 2020 (CPRA), was introduced; it is soon to replace CCPA Compliance. CPRA is the updated version that expands the CCPA. It is more accurately described as an enhancement of the existing compliance framework, with amendments and additions introduced in its provisions. To explain those amendments and additions, this article sets out the details of CCPA Compliance vs CPRA Compliance. But first, let us understand what exactly CPRA Compliance is.

What is CPRA?

The California Privacy Rights Act is an enhanced version of CCPA Compliance. It is set to take effect on January 1, 2023, and is intended to strengthen the existing privacy rights of California residents. The CPRA regulation is designed to protect the security and privacy of consumers’ personal information. It applies to any business in California that collects and processes the personal information of California residents. In case of non-compliance, civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, may be imposed. Further, higher penalties may be charged for violations involving the information of children.

What are the Key Changes Introduced in CPRA?

Broadly speaking, the new regulation is an updated version of the existing CCPA Compliance. It amends the regulation, updates the data subject rights, and introduces several new requirements under CPRA Compliance. The table below summarizes the changes introduced in CPRA Compliance.

Summary of changes: CCPA Compliance vs CPRA Compliance

Selling & Sharing of Data
CCPA Compliance: CCPA applies to businesses that sell personal data for monetary or other valuable consideration.
CPRA Compliance: CPRA applies to businesses that sell personal data for monetary or other valuable consideration. It further applies to personal data shared by a business with a third party for cross-context behavioral advertising for the benefit of a business, where no money is exchanged.

Applicability Threshold
CCPA Compliance: For-profit businesses that collect and process the personal information of California residents and meet any of the thresholds below need to comply with CCPA Compliance:
• Gross annual revenue of over $25 million;
• Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
• Derive 50% or more of their annual revenue from selling California residents’ personal information.
CPRA Compliance: For-profit businesses that collect and process the personal information of California residents and meet any of the thresholds below need to comply with CPRA Compliance:
• Gross annual revenue of over $25 million;
• Buy, sell, or share the personal information of 100,000 or more California residents or households; or
• Derive 50% or more of their annual revenue from selling or sharing California residents’ personal information.

Covered Data
CCPA Compliance: CCPA Compliance covers personal information, which is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
CPRA Compliance: CPRA Compliance covers personal information as well as “Sensitive Personal Information”, which includes information such as SSNs, driver’s license numbers, biometric information, precise geolocation, and racial and ethnic origin.

Third-Party Service Provider
CCPA Compliance: CCPA defines a Third-Party Service Provider as an entity that processes personal information on behalf of a business pursuant to a written contract.
CPRA Compliance: CPRA defines a Third-Party Service Provider as an entity that processes personal information on behalf of a business pursuant to a written contract. This also includes Contractors to whom a business makes available a consumer’s personal information for a business purpose pursuant to a written contract with the business.

Enforcement
CCPA Compliance:
• The California Attorney General can pursue a violation.
• Consumers have a right of action for a breach of certain information.
• Businesses have a 30-day cure period before being fined for a violation by the AG.
CPRA Compliance:
• The California Privacy Protection Agency (CPPA) ensures enforcement and provides guidance.
• Consumers have a right of action for a breach of certain information.
• Businesses no longer have a 30-day cure period before being fined for a violation by the CPPA.

Data Retention & Minimization
CCPA Compliance: Not applicable.
CPRA Compliance: Businesses must only collect and retain what is “reasonably necessary” and “proportionate” to the intended purpose.

Consumer Rights
CCPA Compliance:
1. Right to Opt-Out of Third-Party Sales: CCPA allows consumers to opt out of businesses selling their data.
2. Right to Know: CCPA requires that businesses respond to consumer requests to know the personal information that was collected within the prior 12 months.
3. Right to Delete: Under CCPA, California consumers can request that businesses delete their personal information if it is no longer needed to fulfill the purposes for which it was collected.
4. Right to Data Portability: Under the CCPA right to data portability, consumers have the right to receive a copy of their personal information by mail or electronically.
5. Opt-In Rights for Minors: CCPA requires that businesses obtain opt-in consent to sell the personal information of a California consumer under 16 years of age.
CPRA Compliance:
1. Right to Opt-Out of Third-Party Sales and Sharing: CPRA expands this right to include the sharing of personal information, in addition to selling.
2. Right to Know: CPRA extends the timeline for businesses to respond to consumer requests to know the personal information that was collected beyond the prior 12-month window under certain circumstances.
3. Right to Delete: Under CPRA, California consumers can request that businesses delete their personal information if it is no longer needed to fulfill the purposes for which it was collected. It also requires businesses to forward the request to delete to third parties that have bought or received the consumer’s personal information, so that all parties having access to the personal information delete the data.
4. Right to Data Portability: Under CPRA, consumers have the right to receive a copy of their personal information by mail or electronically, and they can further request the transfer of specific personal information to another entity “to the extent technically feasible, in a structured, commonly used, machine-readable format.”
5. Opt-In Rights for Minors: CPRA requires that businesses obtain opt-in consent to sell the personal information of a California consumer under 16 years of age. Further, CPRA mandates that businesses wait 12 months before again asking a minor consumer for consent to selling or sharing their personal information after the minor has declined. It also states that the opt-in right must explicitly include the sharing of data for cross-context behavioral advertising.
6. Right to Correct Information: A consumer has the right to request that a business correct any inaccurate personal information.
7. Right to Limit Use & Disclosure of Sensitive Data: The consumer has the right to limit the use of their sensitive data to only what is necessary to perform the services they requested, and to limit the disclosure of specific sensitive data.
8. Right to Access Information About Automated Decision-Making: The consumer has the right to request information about the logic involved in automated decision-making processes, and a description of the likely outcome of the process with respect to their personal data.
9. Right to Opt-Out of Automated Decision-Making Technology: The consumer has the right to opt out of being subject to automated decision-making processes, including profiling.

Private Right of Action
CCPA Compliance: Under the CCPA, consumers can file a civil suit against a business for actual damages or $100 to $750 in statutory damages (whichever is higher) for failing to take reasonable and appropriate security measures to protect their unencrypted or unredacted personal information from being subject to a breach.
CPRA Compliance: Under CPRA, consumers can file a civil suit against a business for damages for failing to take reasonable and appropriate security measures to protect their unencrypted or unredacted personal information from being subject to a breach. Further, the categories of personal information for which they can sue have been expanded to include email addresses in combination with a password or security question and answer that would permit access to the account.

Penalties
CCPA Compliance: Fines for violations involving the personal information of minors are the same as the fines for other types of personal information: $2,500 for each unintentional and $7,500 for each intentional violation.
CPRA Compliance: Under CPRA, a $7,500 fine applies to a violation involving the personal information of minors.

Cyber Security Audits
CCPA Compliance: Not applicable.
CPRA Compliance: Under CPRA, an annual cyber security audit is required to be performed by businesses whose processing presents a significant risk to consumer privacy or security.

Risk Assessment
CCPA Compliance: Not applicable.
CPRA Compliance: Under CPRA, a business whose processing presents a significant risk to consumer privacy or security must submit a regular risk assessment to the CPPA.


Final Thought

CPRA is set to take full effect on January 1, 2023. So, businesses in California that deal with the personal information of California residents should kick-start the groundwork for CPRA compliance during 2022. Further, businesses that are currently CCPA compliant must now work towards performing a gap assessment against the new CPRA.

We also recommend that organizations keep tabs on any updates introduced regarding CPRA during the course of this year, until January 2023. We further recommend that businesses consult compliance experts, such as our team at VISTA InfoSec, who can guide you through the compliance process and help you meet the requirements of CPRA.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.