



When thinking about data privacy for California residents, there are two acronyms that you should be aware of. The first is the CCPA, or the California Consumer Privacy Act, which was enacted in 2018 and went into effect on 1 January 2020. The second is the CPRA, or the California Privacy Rights Act, which is set to go into effect on 1 January 2023. What’s the difference? Read on to find out, and to learn more about what these data protection acts mean for you!
The California Consumer Privacy Act (CCPA) is a data privacy law that applies to businesses that collect, process, or sell the personal information of California consumers. The law requires businesses to disclose what personal information they collect, why they collect it, and with whom they share it. Businesses must also give consumers the ability to opt out of the sale of their personal information. The CCPA went into effect on 1 January 2020.
The CCPA is California’s answer to the European Union’s General Data Protection Regulation (GDPR). Both laws give consumers the right to know what personal information is collected about them and the right to opt out of the sale of their personal information. However, there are some key differences between the two data privacy regulations.
The GDPR applies to any business that processes or collects the personal data of EU citizens, regardless of where the business is located. The CCPA only applies to businesses that are based in California or that do business in California and meet one or more of the following criteria:
The California Privacy Rights Act (CPRA) is a law specific to the state of California that strengthens and builds upon the California Consumer Privacy Act (CCPA). The CPRA creates new rights for California consumers and gives the California Attorney General new enforcement powers. Also known as CCPA 2.0 or Proposition 24, the CPRA is a ballot proposition approved by a majority of California voters after appearing on the ballot for the general election on 3 November 2020.
The CPRA, like the CCPA, is based on an opt-out cookie consent framework: no consumer consent is required to use cookies, provided that data subjects are given the right to opt out.
The CPRA was enacted to address concerns that the CCPA did not go far enough to protect data subjects’ privacy rights. The CPRA amends several sections of the CCPA and adds several new provisions, including:
Enforcement will begin on 1 January 2023; until then, the CCPA remains the primary governing legislation.
The CPRA keeps most CCPA thresholds intact but makes a few significant changes.
Before the passage of the CPRA, businesses could share California consumers’ personal information with any entity operating under common branding. Now that the CPRA has been passed, applicable businesses will be bound by the new rules in addition to the old ones.
The CCPA and CPRA are both data privacy laws regulating how businesses handle California residents’ personal information. They share many similarities, such as:
The CPRA creates two new categories of businesses. Joint ventures and partnerships in which each business holds at least a 40% interest will be treated as entities separate from the original business. Any company that cannot meet the threshold can self-certify with the newly created California Privacy Protection Agency in order to comply with CPRA rules.
The CPRA was passed because of the need to protect the rights of Californians as consumers. The California Privacy Protection Agency (CPPA) was created for this purpose, with the power to implement and enforce the CPRA. It is the primary enforcement authority for California’s privacy program under the Office of the Attorney General. One way the CPPA will do this is through its ability to investigate possible violations of consumer privacy rights and take appropriate action. It can also issue binding regulations and bring enforcement actions against businesses that fail to comply.
The CPRA expands the categories of personal information to include sensitive personal information, and it includes:
Under the CPRA, consumers can limit a business’s use and disclosure of their sensitive personal information. The business must provide a clear and conspicuous link on its website homepage titled “limit the use of my sensitive personal information.” This is in addition to the opt-out link required under the CCPA.
The CPRA explicitly defines what does and does not constitute consumer consent. It defines consent as a freely given, specific, informed, and unambiguous indication of the consumer’s intent.
Consent does not include the following:
The CPRA amends the CCPA’s definitions of service providers, contractors, and third parties. The CPRA introduces a new category, contractors: persons to whom the business makes consumers’ personal information available under a written contract. The CPRA also requires these contractors to certify that they understand and will comply with its requirements. Lastly, an independent certification entity would be charged with certifying compliance for those otherwise unable to comply with the CPRA.
The CPRA defines a service provider as a “person who processes personal information on behalf of a business” for business purposes under contract. Anyone other than the business, a contractor, or a service provider is considered a third party. A third party is not a business with which the consumer intentionally interacts and which collects personal information directly from the consumer.
The CPRA introduces a definition of “sharing.” Sharing means any disclosure of personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration. The definition makes it clear that any disclosure of personal information for targeted advertising is also subject to the consumer’s right to opt out. If a company shares personal information, it can post a link that says “Do Not Share My Personal Information” and allow consumers to opt out of sharing.
The CPRA defines profiling as any form of automated processing of personal information to make predictions about an individual, such as “performance at work, economic situation, health, preferences, interests, reliability, behavior, location or movements.”
The CPRA also broadens the CCPA’s right to opt out so that it covers both the sale and the sharing of personal information, including data shared with a third party for “cross-context behavioral advertising.” This refers to targeted advertising to a consumer based on data obtained from the consumer’s activity on websites, apps, or services other than the one with which the consumer intentionally interacts.
The right to opt out of sharing, like the corresponding provision in the CCPA, does not extend to sharing personal information with service providers and contractors.
Consumers will now have the right to know about and opt out of automated decision-making, similar to the GDPR provision. Businesses will be required to provide information about the “logic involved in automated decision-making processes” and to inform customers about the process’s likely outcome.
The CPRA strengthens minors’ opt-in rights. For consumers under 16, a business must obtain opt-in consent before selling or sharing the consumer’s personal information. The CPRA also calls for the establishment of “technical specifications for an opt-out preference signal that allows the minor or their parent to specify that the consumer is less than 13 or between 13 and 16 years of age.”
Furthermore, businesses must inform consumers how long they intend to keep their personal information (retention). Consumers can also request that their data be deleted (deletion) or corrected (modification). Businesses must also pass such requests on to any third parties with whom they have shared the consumer’s data.
Consumers can now request information about themselves that was collected more than a year ago. Businesses may refuse to provide information beyond a 12-month look-back period if it requires undue effort. This applies to data collected on or after 1 January 2022.
Consumers can use the CPRA to request that businesses send specific personal information to another entity. The CPRA also states that data should be provided in a format easily understood by the average consumer and a commonly used, machine-readable format.
According to the CPRA, businesses must have appropriate contractual provisions in place with service providers, contractors, and third parties. Such contracts must forbid the retention, use, or disclosure of personal information for purposes other than those specified in the contract. Contracts may also allow businesses to monitor service providers’ compliance with contractual provisions through manual reviews, automated scans, regular assessments, and audits at least once a year.
The CPRA introduces the concepts of data minimization and purpose limitation, both core GDPR principles. The CPRA requires businesses to collect only the personal information reasonably necessary for the purpose for which it is collected. Furthermore, businesses cannot keep personal information longer than is necessary for that purpose.
While the CCPA requires businesses to implement reasonable security procedures and practices to avoid data breaches, intentional violations, and other security risks, the CPRA requires more stringent auditing. Businesses whose processing poses a “significant risk” to consumers’ privacy must conduct annual compliance audits. The California Privacy Protection Agency also requires them to submit regular risk assessments. Each risk assessment covers the business’s processing of personal information, including whether sensitive data is involved, and weighs the benefits to the business, the consumer, and other stakeholders against the risks.
Certain employment and personal information involved in business-to-business (B2B) communications and transactions were exempted under the CCPA. This exemption was supposed to end on 1 January 2021. However, the CPRA extended the exemptions for employment and business-to-business data until 1 January 2023.
The CCPA and CPRA are two very important pieces of legislation that will profoundly impact how businesses operate. It’s crucial that you understand the difference between the two in order to comply with both. The CCPA applies to businesses that collect and sell the personal information of California residents. In contrast, the CPRA regulations apply to businesses that process the personal data of Californians for purposes such as targeted advertising. While there are similarities between the two laws, understanding the key differences is essential to ensuring your business complies with both the CCPA and the CPRA.