CCPA vs CPRA: A Side-by-Side Comparison and Guide to Compliance
While the CCPA established basic consumer privacy rights, the CPRA builds upon them by further expanding those protections - aligning California’s data protection landscape with the European Union's General Data Protection Regulation (GDPR).
In January 2020, the California Consumer Privacy Act (CCPA) went into effect and granted consumers several new rights, such as accessing their personal data, deleting it, and opting out of data sales.
On the other hand, the California Privacy Rights Act (CPRA), set to take effect January 2023, offers additional consumer safeguards like correcting inaccurate personal data and restricting sensitive data use and sharing. Moreover, the CPRA established the California Privacy Protection Agency (CPPA), an enforcement body dedicated solely to upholding California's data privacy laws.
California Consumer Privacy Act
CCPA is a law passed on June 28, 2018. This law is specifically meant to give consumers more control over how businesses process and handle their data.
The CCPA was enacted to grant consumers certain rights to control how their information is collected, used, and shared/sold.
These rights include:
- The right to know about personal information a business collects about them and how it is used
- The right to delete personal information collected from them
- The right to opt out of the sale/sharing of their personal information
- The right to non-discrimination for exercising their CCPA rights
The CCPA gives consumers more power over their data and creates strict regulations for businesses to follow. This ensures protection for the consumers on both sides.
If they meet the specified criteria, businesses must provide options to the consumers to exercise these rights. They are also required to follow any request made by the consumer regarding their personal information.
CCPA Business Requirements
Your business is subject to the CCPA only if it meets certain criteria. If it does not meet them, it is not required to follow the CCPA's regulations.
The criteria for businesses are as follows:
- Has annual revenue above $25 million
- Collects, shares, or sells personal information from at least 50,000 consumers
- Earns over 50% of its entire income from selling consumer data
If your business meets any of these criteria, you are subject to the CCPA and must comply with its requirements.
Your business does not have to be based in or have any physical property in California to be subject to this law. You must comply if your business collects, shares, or sells information of consumers in California.
Who Enforces the CCPA?
The California Attorney General is responsible for enforcing the CCPA. They have sole authority to investigate and prosecute any violations of this law and issue fines for noncompliance.
CCPA Key Provisions
To ensure full compliance with the CCPA, businesses must know and understand its key provisions. Follow the regulations carefully to avoid fines and penalties that can cost your business a lot of money.
The key provisions of the CCPA are as follows:
- The right to disclosure: Your business must disclose the types of information you collect and sell, who you are selling it to, and what specific pieces of personal data are being collected and sold for which purposes.
- The right to delete data: Your business must notify consumers that they have the right to request the deletion of their data.
- The right to opt-out: Your business must provide consumers with the right to opt out of collecting and selling their data. It must notify consumers that they have this right and provide a link titled “Do Not Sell My Information” that is easily accessible.
- The right to equal services and pricing: Your business must not discriminate against consumers who exercise their rights under the CCPA. This includes providing the same quality of service and charging them no more than other consumers for exercising these rights.
- The right to a private cause of action for data breaches: Consumers have the right to bring a civil lawsuit against businesses that fail to implement reasonable security procedures and practices in order to protect consumers’ personal information. Businesses may be liable under this section if they suffer a data breach, and the consumer can prove that the business was negligent in protecting their personal information.
CCPA Penalties And Fines
Businesses failing to comply with the CCPA will be fined $7,500 per intentional non-compliance violation and $2,500 per unintentional non-compliance violation. These fines can apply to breaches of any key provisions and are not limited in any way.
A business could be fined for violations of multiple provisions. Fines are issued depending on the quantity of data your business collects and the effort your business can show to achieve compliance.
California Privacy Rights Act
The California Privacy Rights Act (CPRA), which was enacted on November 3, 2020, was passed to amend and upgrade the protection offered by the CCPA. California has continuously sought to protect and improve its consumers’ rights, and the CPRA is the result of its efforts.
With the new amendments in the CPRA, the rights of California’s consumers have been expanded yet again. The CPRA builds upon the rights of the CCPA, for example by adding a sensitive information category of data and furthering consumer access to decision-making technology that businesses use when processing consumer data.
With the CPRA, there are also stricter regulations for businesses. The CPRA expanded opt-out requests to the “sharing” of data and not only “selling.” Your business must also provide information about decision-making processes that utilize consumer data for targeted advertisements.
In addition to the amendments to consumer rights, the CPRA also established the California Privacy Protection Agency (CPPA). The CPPA is an administrative agency that is entirely dedicated to ensuring the privacy and security of consumers’ data. The CPPA is in charge of enforcing the CCPA.
The CPRA came with six new amendments meant to upgrade the privacy provided by the CCPA. With the recent amendments to the CPRA, consumers would have even more control over the collecting and selling of their information.
The six amendments are as follows:
- Right to delete: This right now requires businesses to delete information from their databases and instruct any third parties to whom they sold the information to do the same.
- Right to know: This right initially came with a limit where consumers could only make this request within 12 months of their data being collected. This limit is now removed.
- Right to opt-out: This now allows consumers to opt out of the “sharing” of their information in addition to the “selling” of information described in the original CCPA.
- Right of a minor: Businesses that deal with minors and their information must now also receive permission from minors to share their information.
- Right to request data transfer: This right allows consumers to request the transfer of their information to a third party.
- Changing criteria for businesses: Businesses must now collect, share, or sell the data of at least 100,000 consumers to be required to comply with the CPRA.
CPRA Key Provisions
In addition to the amendments to the original CCPA, the CPRA introduced new rights for consumers. These CPRA compliance requirements are designed to protect more consumer information and extend consumers’ control even further. Your business must understand consumers' new rights and ensure compliance to avoid costly penalties and fines.
The new rights of the CPRA are as follows:
- The right to correct inaccurate personal information a business holds about them: Your business must provide consumers with the right to access, update, and correct their personal information.
- The right to opt out of decision-making: Gives consumers the option to opt out of their information being used in the decision-making of targeted advertising efforts.
- The right to know of decision-making: Gives consumers the right to request information about how their data is used in the decision-making of targeted advertising and what outcomes it might lead to.
- The right to limit the usage and disclosure of sensitive personal information: Your business must limit the use and disclosure of sensitive personal information, such as Social Security numbers or biometric data.
CPRA Penalties And Fines
In the original CCPA, the penalties were separated by the intentional or unintentional disregard for consumer rights. Unintentional violations are subject to fines of $2,500, and intentional violations receive $7,500 fines.
The CPRA dictates that businesses, regardless of intention, will be fined $7,500 for violations of the privacy rights of a minor. This penalty is included in addition to the expansion of privacy rights for minors and their information in the CPRA.
In the original CCPA, businesses could avoid a penalty if they addressed a violation within a month of it being reported. However, this option has been removed in the CPRA, and businesses will be subject to a fine regardless of their response to their violation.
Scope of Applicability
The scope of applicability determines whether a business is subject to certain laws or regulations. For data privacy laws like the CCPA and CPRA, this applicability defines which businesses must abide by laws based on factors like revenue, data collection practices, and location.
Scope of Applicability: CCPA
Businesses are subject to the CCPA if they meet at least one of the following criteria: have gross annual revenues exceeding $25 million; purchase, sell, or share personal information of 50,000 consumers or devices; or derive 50% or more of their annual revenue from selling personal data.
Scope of Applicability: CPRA
The CPRA refines the scope of applicability, maintaining the $25 million gross annual revenue threshold and the threshold of 50% of annual revenue from selling personal information. However, the consumer threshold increases from 50,000 to 100,000 consumers or households for businesses that buy, sell, or share personal information.
Personal information is a cornerstone of data privacy regulations, encompassing any data that can identify or associate with an individual. Both the CCPA and CPRA provide specific definitions of personal information to define the scope of data protection and consumer rights.
Personal Information: CCPA
The CCPA defines personal information as any data that identifies, describes, is reasonably capable of being associated with, or could be linked directly or indirectly to a particular consumer or household. This broad definition encompasses various types of data, such as contact details, financial details, and internet activity.
Personal Information: CPRA
When comparing the CPRA vs CCPA, the CPRA follows the CCPA's definition of personal information but adds a new category called "sensitive personal information." This encompasses data such as precise geolocation, biometric data, and certain types of personal communications.
Under the CPRA, businesses must give consumers a choice to limit the use and sharing of their sensitive personal information, providing an additional layer of protection for such delicate types of data.
Right to Opt-out
The right to opt-out is a fundamental aspect of consumer privacy, giving individuals control over how their personal information is used and shared by businesses. Both CCPA and CPRA incorporate distinct opt-out provisions into their laws in order to safeguard consumer privacy rights and ensure responsible data handling practices.
Opting Out Right: CCPA
Under the CCPA, consumers have the right to opt-out of the sale of their personal information. Businesses must inform customers about this right and provide an easily accessible method for opting out - typically a "Do Not Sell My Personal Information" link on their website.
Businesses must respect the consumer's decision and refrain from selling their personal information for at least 12 months before seeking authorization to resume selling it.
Opting Out Right: CPRA
The CPRA extends the CCPA's opt-out provisions, giving individuals a greater right to opt-out from the sale of personal information and sharing of such data for cross-context behavioral advertising purposes.
This expansion allows consumers to protect their data from being collected and shared within intricate targeted advertising ecosystems.
Under the CPRA, businesses must provide an accessible and user-friendly mechanism for exercising this enhanced opt-out right, giving consumers more control over how their personal information is used and shared.
Right to Correct
The right to correct is an essential privacy right that allows individuals to request businesses to correct any inaccuracies in their personal information. This ensures the data held by businesses is accurate, up-to-date, and reliable.
Right to Correct: CCPA
The CCPA does not explicitly include a right to correction. Nonetheless, it grants consumers the right to access their personal information held by businesses as well as to request the deletion of this data, providing an indirect avenue for them to address inaccurate entries in their records.
Right to Correct: CPRA
Under the California Privacy Rights Act (CPRA), consumers have a new privacy right: the right to correct. Businesses must now honor any requests by consumers to update inaccurate personal data they hold. This is one of the major differences between CCPA and CPRA.
Businesses must use commercially reasonable efforts to correct inaccuracies in consumer personal information promptly, ensuring that the data they hold is accurate and up-to-date.
Incorporating the right to correct into the CPRA gives consumers more control over their personal information, improving data accuracy and reliability.
Achieving Compliance with the CCPA
Achieving and maintaining CCPA compliance requires ongoing monitoring and adjustments to ensure that businesses respect consumer privacy rights and fulfill their obligations under the law. Businesses should take the following steps to achieve and maintain CCPA compliance:
1. Strengthen Data Security Measures
Implement a comprehensive security framework, such as SOC 2 or CIS Controls, to protect consumer data. Regularly conduct penetration tests to identify and address vulnerabilities in your infrastructure. Invest in a centralized security management platform to ensure your policies are up-to-date and compliant with CCPA requirements.
2. Train Employees on CCPA Compliance
Equip your staff with the knowledge and skills necessary to handle personal information in accordance with the CCPA. Training should cover the identification of personal information, legal obligations under the CCPA, and procedures for handling potential data breaches.
3. Facilitate Consumer Rights Requests
Develop user-friendly methods for consumers to exercise their CCPA rights. This may include website banners, pop-ups, or contact forms that allow California residents to opt in or opt out of data collection easily. Automate the processing of customer requests to expedite response times.
4. Establish a Data Retention Policy
Comply with the CCPA's 12-month look-back requirement by maintaining a data inventory that classifies personal information subject to the law. Ensure your organization can provide records covering the one-year period preceding a consumer's request for information.
5. Update Your Website for Transparency
Make it easy for users to understand and exercise their CCPA rights by including conspicuous banners or links on your website. Use clear and concise language to convey important information and ensure compliance with CCPA-specific requirements, such as the "Do Not Sell My Information" link.
6. Monitor Data Sharing Practices
Review existing contracts and partnerships to ensure third-party data processing complies with the CCPA's standards for consumer privacy rights. Aim to eliminate any unnecessary data sharing and, if needed for business purposes, audit vendors to ensure they are in compliance with CCPA regulations.
Achieving Compliance with the CPRA
Achieving compliance with the California Privacy Rights Act (CPRA) is essential for businesses that collect, store, or process the personal information of California residents.
To help your business meet CPRA requirements, here are some practical steps to follow:
1. Update Data Security Practices
Strengthen your data security measures by implementing a robust security framework and conducting regular risk assessments. Address any identified vulnerabilities and ensure that your security policies align with CPRA requirements.
2. Train Staff on CPRA Regulations
Provide comprehensive training to your employees, focusing on the differences between the CCPA and CPRA, new consumer rights, and the handling of sensitive personal information. This training will enable your team to respond effectively to consumer requests and maintain compliance.
3. Enhance Consumer Rights Management
Update your processes for handling consumer rights requests to accommodate new rights under the CPRA, such as the right to correct inaccurate personal information and the right to limit the use and sharing of sensitive personal information.
4. Review Data Collection and Sharing Practices
Assess your data collection, processing, and sharing practices to ensure compliance with the CPRA's expanded definitions and requirements. Adjust your practices as needed, paying close attention to the handling of sensitive personal information.
5. Update Privacy Policies and Notices
Revise your privacy policies and notices to reflect the changes introduced by the CPRA. Be sure to include information about new consumer rights, the handling of sensitive personal information, and any other relevant changes.
6. Monitor Third-Party Compliance
Review contracts and agreements with third-party vendors to ensure they comply with the CPRA. Under the CPRA, the business is responsible for how third parties use personal information.
Establish clear guidelines and expectations for third parties regarding handling personal information, and monitor their compliance regularly.
Q. What Is The CPRA For Businesses In California?
A. The CPRA is a data privacy regulation for businesses in California, expanding upon the CCPA and providing additional consumer rights and protections.
Q. What Is The CPRA California Privacy Notice?
A. The CPRA California privacy notice informs consumers about data collection practices, use of personal information, and consumer rights under the CPRA.
Q. What Is The California CPRA Private Right Of Action?
A. The CPRA private right of action allows consumers to sue businesses for certain violations, such as unauthorized access or disclosure of personal information due to inadequate security measures.
Q. Does CPRA only apply to California residents?
A. Yes, the CPRA primarily applies to California residents to protect their personal information and privacy rights.
Q. Does CPRA Apply Outside Of California?
A. The CPRA applies to businesses operating in California, even if headquartered elsewhere, as long as they meet the criteria and handle personal information of California residents.
Q. Does the CCPA Only Apply To Companies Headquartered In California?
A. No, the CCPA applies to any for-profit business meeting certain thresholds and handling personal information of California residents, regardless of whether they are headquartered in California.
Both the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) are groundbreaking privacy regulations designed to give Californians more control over their personal information.
While the CCPA established basic consumer privacy rights, the CPRA built upon it with enhanced protections and expanded consumer rights. Businesses must stay aware of these changes to remain compliant and safeguard customers' data.
By understanding the differences between these two laws, businesses can ensure that they follow best practices regarding customer data privacy to avoid hefty fines.
To make it easier for you to maintain compliance, Captain Compliance can help you with our data analysis software that will ensure all data is compliant.