In this article, we explore what to expect in terms of CCPA 2.0 vs. CCPA.
If you have visitors from California on your website, you definitely want to know what to expect in terms of CCPA 2.0 vs. CCPA.
What am I talking about? Basically, CCPA 2.0 is set to come into effect on Jan. 1, 2023, meaning CCPA compliance alone (check out Secure Privacy's GDPR and CCPA Compliance features for Publishers) may soon not be enough for businesses operating in the Golden State.
Officially known as the California Privacy Rights Act (CPRA) and proposed by the Californians for Consumer Privacy coalition as ballot Proposition 24 (Prop 24) in the 2020 US General Election, CCPA 2.0 is focused on expanding the scope of the existing California Consumer Privacy Act (CCPA), hence the name CCPA 2.0.
Furthermore, the CPRA is expected to address ambiguities identified under the CCPA.
Although CCPA 2.0’s provisions are expected to come into effect on January 1, 2023, it is important for businesses operating in California to start preparing in advance for the enforcement of the CPRA. Read more about how the CPRA differs from the CCPA.
Early readiness is important because the precedent set by the GDPR, and later, California’s CCPA, as well as Brazil’s LGPD, is for businesses to implement data protection measures by design and default.
So, which provisions of the CCPA are expected to be clarified or changed by CCPA 2.0?
One of the notable changes to be introduced by the California Privacy Rights Act (CPRA) is a new subcategory of personal data referred to as “Sensitive Personal Information.”
In a move widely considered as following the precedent set by the GDPR, the CPRA specifically defines the following as sensitive personal information:
With the CPRA comes an amended definition that expands the scope of what consent entails in the current CCPA framework.
There is a general feeling that this definition is inspired by the GDPR’s definition of cookie consent.
Basically, the CPRA defines valid consent as being:
What this means is that valid consent under CCPA 2.0 must be based on a clear and affirmative action from the user indicating their willingness to allow you to share their personal data for a specific purpose.
However, it is important to note that unlike the GDPR, CCPA 2.0 only requires prior consent from minors under 16 years of age, and only for the sharing of their data, not for its collection.
If you are already compliant with GDPR, this requirement may not pose a big challenge.
However, if you are only CCPA-compliant, you will be expected to stop relying on implied consent through the continuous use of a service.
Similarly, if you obtain consent through your privacy policy or terms of service incorporated by reference, this consent will be considered invalid.
CCPA 2.0 adopts some changes to this requirement and provides some clarifications to ambiguities identified in the current CCPA framework. Essentially, CPRA compliance will require you to disclose to your users:
With CCPA 2.0, you will be required to have a clear opt-in for minors under the age of 16 before any business can share or sell their data.
However, unlike the current CCPA, the California Privacy Rights Act (CPRA) imposes a fine three times heavier than an ordinary penalty if you are found to violate data protection requirements in the collection or processing of children’s personal data.
Similar to Brazil’s LGPD, which created a national data protection agency referred to as the ANPD, CCPA 2.0 will set a precedent in the US with the creation of a government agency whose core duty will be to safeguard the privacy and digital rights of California residents.
Set to be known as the California Privacy Protection Agency (CPPA), this body will have the following additional duties:
Additionally, you should be aware that the CPPA, in collaboration with California’s Attorney General, can carry out audits and risk assessments on your enterprise if you process consumer data.
One of the key measures you will need to undertake under CCPA 2.0, unlike in the existing CCPA framework, is to identify the data categories that will be classified as sensitive data.
Imagine a situation where sensitive personal information is integrated with other categories of personal data and is not systematically organized.
In this scenario, you may encounter challenges in adequately applying the CPRA’s “Limit the Use of My Sensitive Personal Information” requirement.
For this reason, CCPA 2.0 will require you to create a standardized data protection framework consistent with various data protection laws and standards.
It is advisable to have dedicated personnel within your company to oversee your data security program.
Additionally, you need to carry out a risk assessment of your current environment with a key focus on:
While the existing CCPA’s definition of service providers is ambiguous, CCPA 2.0 explicitly defines the role of service providers.
The key change that comes with this clarification is that service providers are explicitly prohibited from selling or sharing personal information.
Similarly, the CPRA prohibits service providers from combining data received from or on behalf of a data controller with personal data received from other sources, including the service provider’s own engagements with a user.
CCPA 2.0 also introduces explicit requirements for service providers to help data controllers in addressing verifiable consumer requests that a business may receive.
This specific help should be informed by the type and purpose of the processing activity involved.
Another crucial change under the CPRA in relation to service providers is that you need to have a written agreement that meets specific provisions.
These provisions are:
While the CCPA’s exemptions for employees’ personal information and for user data collected in a business-to-business context are set to expire on January 1, 2021, the CPRA extends these exemptions, with the extension taking effect immediately.
In the current CCPA framework, you have a 30-day grace period to address a data breach that may affect the personal data of your users before you are liable for administrative action.
However, the CPRA will remove this 30-day cure period for an alleged data breach or non-compliance.
What this means is that you need to adopt a data protection by design and default approach in your company to avoid CCPA 2.0 non-compliance penalties, since you will not have a guaranteed chance to address a case of non-compliance before your company is subject to a fine.
CCPA 2.0 makes it clear that it supersedes and preempts all laws and regulations established by local or municipal governments in California concerning the collection and sale of consumers’ personal data.
Although the private right of action provision is already in effect under the current CCPA framework, the recently adopted Prop 24 provides an update to this provision.
Specifically, CCPA 2.0 guarantees users a private right of action in the case of unauthorized access to or disclosure of an email address together with a password or security question for an account, so long as the access is connected to your company’s failure to implement reasonable data protection measures.
Read more about CPRA requirements.
If you are an enterprise operating in California and subject to CCPA compliance, it is important to review and understand the changes and updates set to be introduced by CCPA 2.0 following the approval of Prop 24 in the just-concluded US General election.
Although a lot can change between now and Jan 1, 2023, you need to remain compliant with CCPA, while getting ready to comply with the CPRA when it comes into force.
To learn more about how Secure Privacy can help you comply with CCPA, book a call with us and request a demo of our powerful compliance tool.
California Governor’s Notice on CCPA 2.0
California’s Attorney General published the revisions to CCPA’s proposed regulations on February 7, 2020.