Contrary to what you might believe, there is no CCPA vs. CPRA conflict. Actually, the purpose of both the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) is to strengthen privacy protection for Californians in an age of increasing digitization.
The CPRA goes much further than the original CCPA. It introduces new compliance requirements, categories of sensitive personal information, and enforcement authorities with stricter financial penalties.
In this article, we cover:
- The CCPA vs. CPRA and how one is an expansion of the other
- Which businesses need to comply with the CCPA and CPRA
- Who enforces both acts
- The penalties for breaching CCPA and CPRA
CCPA vs. CPRA: How Are These Laws Similar and Different
When you look at the CCPA vs. the CPRA, they aren’t actually in opposition to each other. In fact, the two laws work together to provide consumer privacy to California residents. The CCPA came first, and then the CPRA was enacted to add further protections.
Many Californians’ daily exposure to both laws is online. They are the laws that require businesses to provide a clear link on their homepage saying either “Do Not Sell My Personal Information” or “Limit the Use of My Sensitive Personal Information.”
So let’s look at both laws in more detail.
What Is the CCPA?
Enacted in 2018, the California Consumer Privacy Act (CCPA) governs how for-profit businesses use consumers’ personal information. The purpose of the act was to give California residents much greater control over their personal data.
Like the General Data Protection Regulations (GDPR), a similar privacy law passed in the EU, CCPA allowed Californians to demand from businesses what information they collected about them and how they used their personal data. For example, they could now ask companies to delete their data.
The CCPA first ruled on what personal information was, and it granted six new data security rights to California consumers.
Defining What Personal Information Is
Under the original CCPA data privacy legislation, the following could be considered to be examples of personal information:
- Data by which you can be directly identified — for example, your real name, any alias by which you’ve been known, any online identity by which you’ve been known, IP address, email address, Social Security number, passport number, driver’s license number, and general account name
- Categories of personal information as defined by the Civ. Code § 1798.80(e)
- Business and commercial data, including your general purchasing or consuming histories or tendencies, products or services you’ve bought, obtained, or considered, and your personal property records
- Activity on the internet or other electronic networks, like your search and browsing history and interactions you’ve had with a website, an app, or an ad
- Biometric information
- Geolocation data
- Olfactory, thermal, visual, audio, electronic, and similar information
- Employment or professional information relating to you
- Details of your education that are not on the public record and personally identifiable information as defined by the Family Educational Rights and Privacy Act
While the CCPA doesn’t ban profiling based on personal information, it provides consumers with rights that limit how businesses use their personal information. This could in effect impact companies’ profiling activities.
The 6 New Rights Granted to Consumers by the CCPA
When the new rights were introduced, consumers in the state of California now benefited from the following six rights:
- Right to know: Consumers can ask which specific personal information your business collects about them. They can also ask where you got the information from, why you wanted it in the first place, and if you sold their information, who bought it.
- Right to delete: If a consumer requests that you (a business) delete whatever personal information you hold on them, you must comply (although there are some exemptions).
- Right to opt-out: For marketing list owners, you must no longer sell a consumer’s personal information if they request it.
- Right to opt-in: If you want to sell personal information about a minor (someone under the age of 16), you must get explicit opt-in consent from that person. Parental consent is required for minors under 13 years of age.
- Right to nondiscrimination: If a consumer exercises their rights under the CCPA law, you then can’t deny them access to your goods or services, charge them different rates or prices (or suggest that this is what they’ll receive), or provide them with a different quality or level of goods and services.
- Right to private action: Consumers can exercise a private right of action against you if a data breach occurs. This means that if someone steals or discloses non-redacted or non-encrypted information about them because of poor internal data security procedures and practices, they could sue you.
Exemptions to the above include aggregated consumer information, de-identified consumer information, and publicly available information.
What Is the CPRA?
The CPRA is not a replacement for the CCPA but an expansion of it. Many campaigners began to feel that the requirements set out under the CCPA were inadequate as privacy regulations, and they started to campaign for a new law. Also known as Proposition 24, California voters approved the CPRA (what some call CCPA 2.0) on November 3, 2020.
The effective date for enforcement of the CPRA was January 1, 2023.
How the CPRA Amended CCPA Requirements
The CPRA amends much of the CCPA, adding three further consumer rights:
- Right to correct inaccurate personal information: Companies now have to make a reasonable effort to respond to consumer requests if they hold erroneous information about them.
- Right to limit use and disclosure of sensitive personal information: Consumers can instruct businesses to limit the use of their sensitive personal information (defined below). The CPRA allows businesses to use and disclose sensitive personal information if it's necessary to perform a service or provide goods requested by the consumer, among other exceptions.
- Right to opt out of automated decision-making: The CPRA requires businesses that use automated decision-making, including profiling, to let consumers know this. On request, they must provide consumers with “meaningful information about the logic involved in such decision-making processes as well as a description of the likely outcome,” as described by Cal. Civ. Code § 1798.185.
Not only that but the CPRA added three new requirements to businesses’ compliance checklists:
- Data minimization: This requires companies to collect and retain only the information they need to meet the purpose for which it was collected.
- Purpose limitation: Businesses must disclose why they are collecting consumer information and then not use that information for any new, unrelated, or incompatible purposes.
- Storage limitation: Companies must delete data when they no longer need it for the purpose collected or if a consumer requests deletion.
The Introduction of Sensitive Personal Information
In addition to the new rights for consumers and new responsibilities for businesses, consumer privacy rights were extended under CPRA with the creation of a sensitive data category.
There is an overlap between some data that’s classed as both personal and sensitive. The data now considered sensitive is:
- Passport, state ID card, driver’s license, or Social Security number
- Financial account logins (like passwords, access codes, or other security measures), financial account details, or credit and debit card numbers
- The precise geolocation of a consumer
- A consumer’s racial or ethnic origin, union membership, or philosophical or religious beliefs
- The contents of text messages, emails, and postal mail, unless the message was sent to the business by a consumer
- A consumer’s genetic data
The new category of sensitive information also extends to:
- Biometric data processing if the purpose is consumer identification
- Collection and analysis (profiling) of personal information concerning a consumer’s health
- Collection and analysis (profiling) of personal information concerning a consumer’s sexual orientation or sex life
As with personal information covered by the CCPA, any publicly available information about a consumer is not considered sensitive or a privacy risk.
What Does “The Sale of” and “Sharing” Consumer Information Mean?
Under both data privacy laws, the following is meant by the sale of or sharing of personal information:
- Sale of personal information (CCPA): If you sell, rent, release, disclose, disseminate, make available, transfer, or in some other way communicate a consumer’s information as a business to another business or third party for monetary or other valuable consideration
- Sharing of personal information (CPRA): Cross-context behavioral advertising that benefits a business even if there is no exchange of money
CCPA and CPRA Compliance for Businesses, Service Providers, and Contractors
The new consumer protection laws apply to businesses, service providers, and contractors.
CCPA and CPRA Compliance for Businesses
The applicability criteria for CCPA and CPRA differ slightly in terms of the size and scope of businesses covered.
The applicability criteria for the CCPA are:
- Annual gross revenue: You turn over $25 million.
- Consumer data threshold: You manage the personal information of 50,000 or more consumers.
- Revenue from possession of personal data: More than 50% of your annual revenue comes from sharing or selling personal data.
CPRA applicability is identical except that you must buy, sell, or share the personal data of at least 100,000 California residents to be covered by these data privacy rules.
Businesses are expected to:
- Provide notice of consumer rights: In practical terms, you have to provide a clear and accessible privacy notice to consumers that outline your personal data collection, how you use it, and what rights consumers have regarding their data. You should also include information on how consumers can access, delete, and correct personal information, and how they can opt-out of the sale of or sharing of personal information.
- Honor consumer rights: You must respond to consumers whenever they exercise their rights on requests like access to personal information. You must also delete personal information if asked (unless there is an exemption).
- Fulfill disclosure and retention obligations: If a consumer asks how you process their information (including categories of personal information you collect, why you use it, and how long you keep it), you must tell them.
- Facilitate consumer requests: You can’t make it difficult for consumers to exercise their rights. Ideally, you should create a process to receive and respond to consumers’ requests, for example, a form on your website.
- Implement security safeguards: You must take all measures possible to protect personal information from unauthorized access, destruction, use, modification, or disclosure. Encryption is a good defense, as is running an annual cybersecurity audit and risk assessment.
CCPA and CPRA Compliance for Service Providers
A service provider is a third-party business that processes data on behalf of another business. Under CPRA rules pertaining to data portability, service providers cannot retain, use, or disclose any information provided except in ways covered by the contract (as long as the contract is itself legal). An example of this might be a data broker who sifts through lists to make sure you don’t contact anyone on the Do Not Call Registry.
If you are a service provider, you cannot combine personal information across databases supplied to you. In addition, if you use contractors, you must notify your client and bind your contractors to the same terms that you are providing service under.
CCPA and CPRA Compliance for Contractors
Contactors are similar to service providers in that they must abide by the written contract they sign that has in its prohibitions and restrictions on the use of personal information. Unlike a service provider, however, a contractor must provide certification that it understands those prohibitions and restrictions and that it will abide by them.
Contractors are subject to the same restrictions on combining databases containing personal information and on their use of contractors as service providers.
CCPA vs. CPRA: Who’s Responsible for Enforcement?
Originally, enforcement of the CCPA fell under the jurisdiction of the California Attorney General's Office.
But when the CPRA was introduced, the California Privacy Protection Agency (CPPA), a new standalone agency, was established, which has investigative, enforcement, and rulemaking powers.
The CPPA’s job is to administer, implement, and enforce CPRA provisions. It will take over most of the enforcement responsibilities from the Office of the Attorney General on July 1, 2023.
In addition, the agency will guide businesses on their compliance with privacy laws and seek engagement with consumers through education and awareness programs.
Regulatory Penalties for Non-Compliance With CCPA and CPRA
The passing of the CPRA has affected the “cure” period that originally pertained to the CCPA.
Under CCPA rules, businesses had 30 days to respond in writing that they had addressed all violations and assert that the violations would no longer occur. This no longer applies.
Now, the CPPA decides how long a business has to rectify its mistakes, considering whether the business intended to violate the CPRA and if efforts were made to correct the alleged violation.
There is a penalty of $2,500 per unintentional violation, which rises to $7,500 per intentional violation or if the violation involves a minor.
Data subjects (consumers) can recover statutory damages of between $100 and $750 for each incident or for actual damages suffered. Consumers may also seek non-monetary relief (including injunctive or declaratory relief) for security breach violations too.