What is CPRA and how does itdiffer from CCPA? | Secure Privacy

When does the CPRA go into effect?

CCPA 2.0 is set to come into effect on January 1, 2023. However, it will have a “look back” provision which means that some of its provisions will be effective as of January 1, 2022. With the enforcement of CCPA 2.0, complying with the CCPA alone may not be enough for businesses operating in the Golden State.

Who does the CPRA apply to?

Similar to the CCPA, the CPRA applies to any for-profit organization doing business in the state of California which meets the following criteria:

• Have a gross annual revenue of more than 25 million USD in the preceding calendar year;
• Buy, sell, or, share the personal information of 100,000 or more California residents or households each year; or
• Earn 50% or more of their annual revenue from selling or sharing California residents' personal information.

The CPRA has some differences with regards to its coverage compared to the CCPA. First, the number of households/consumers whose personal information is bought, sold or shared increased from 50,000 to 100,000. Second, the new law now applies to businesses that generate 50% or more of their revenue from sharing personal information of consumers, and not just from selling it. 

Why was the CPRA adopted?

Even though the CCPA was a ground-breaking privacy law in the US and introduced major privacy protections for California consumers, it fell short with addressing fundamental issues with current privacy regulations and practices which are addressed by some data protection laws such as the GDPR. That is why there was a need for more robust privacy regulation in the Golden State. 

The original CCPA was called California’s version of the GDPR. It lacked many provisions which existed under the GDPR — nonetheless, it can be seen as an attempt to align California's privacy laws with the GDPR.

In particular, the new law grants California consumers new and expanded rights while imposing unique obligations on covered entities. The CPRA also comes with major changes in enforcement provisions of the CCPA.

Who enforces the CPRA?

Similar to Brazil’s General Personal Data Protection Law (LGPD), which created a national data protection agency referred to as the National Data Protection Authority (ANPD), CCPA 2.0 establishes a new government agency whose core duty will be to safeguard the privacy and digital rights of California residents. 

Set to be known as the California Privacy Protection Agency (CPPA), additional duties of this body will be:

• To inform consumers about privacy risks 
• Guide users and businesses about their privacy rights 
• Issue and enforce fines for data protection violations, with the standard fine being $2,500, which can go up to $7,500 if the violation is intentional. 

Additionally, you should be aware that the CPPA, in collaboration with California’s Attorney General, can carry out audits and risk assessments on your business if you process consumer data. 

What rights does the CRPA grant to consumers?

The CCPA granted California residents certain rights. The CPRA provides for new and expanded rights to consumers. The rights that existed under the CCPA include:

• Right to know about the personal information that businesses collect about the consumer;
• Right to access to personal information held by businesses;
• Right to delete personal information collected from consumers;
• Right to opt-out of the sale of the consumer’s data to third parties;
• Right to non-discrimination for exercising their CCPA rights;
• Right to data portability (as part of the right to access).

Under the CPRA, the following rights are modified as follows:

• Right to opt-out now includes the right to opt-out of “sharing” of the consumer’s personal data in addition to the sale of personal information of consumers.
• Right to delete now requires businesses to notify third parties to whom they have sold/shared the personal information of consumers to also delete the consumer’s personal information.
• Right to know now states that under the CPRA a consumer will be able to request that the business disclose the required information beyond the 12-month period and that the business shall be required to provide such information unless doing so proves “impossible” or would involve a “disproportionate effort”.

The new rights which are introduced by the CPRA are the following:

• Right to correct inaccurate information. A consumer may request a covered entity to correct any personal information about them that is inaccurate. 
• Right to limit the use of sensitive personal information. Similar to the GDPR, the CPRA creates a new subset of personal information called “sensitive personal information”. Consumers will now be able to limit the use and disclosure of their sensitive information except when this is necessary for the business to provide services or goods requested by the consumer. For example, a consumer will now be able to limit the disclosure of their sensitive data to third parties. 
• Right to access information about automated decision-making. A consumer may request information about the logic involved in the automated decision-making technology utilized by the business.  
• Right to opt-out of automated decision-making.
  

Does the CPRA replace the CCPA?

Not exactly. The CPRA does not replace the CCPA, but rather, the CPRA amends the CCPA. The CCPA established the basis of the data privacy landscape in the state of California and the CPRA builds upon that and enhances the privacy rights of Californians. The new law specifically states that it amends existing provisions of Title 1.81.5 of the California Civil Code, also known as the CCPA, and adds new provisions. 

Sensitive data under the CPRA

The CPRA introduces a new concept of “sensitive personal information” that requires a special degree of protection given its sensitive nature. The law provides what is considered sensitive information under the CPRA. These are, personal information that reveals:

1. a consumer's social security, driver's license, state identification card, or passport number; 
2. a consumer's account log-in details, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
3. a consumer's precise geolocation; 
4. a consumer's racial or ethnic origin, religious or philosophical beliefs, or union membership; 
5. the contents of a consumer's mail, email, and text messages, unless the business is the intended recipient of the communication; 
6. a consumer's genetic data;
7. the processing of biometric information to uniquely identify a consumer; 
8. personal information collected and analyzed concerning a consumer's health; or,
9. personal information collected and analyzed concerning a consumer's sex life or sexual orientation. 

This new category of personal data under the CPRA will create specific rights and obligations that will allow consumers to limit the use and disclosure of their sensitive personal information. Consumers will be able to dictate that a business can only use their sensitive information for purposes necessary to carry out a service or provide goods requested by consumers.

Consent under the CPRA

The CPRA amends the definition of consent, which expands its scope compared to the CCPA, inspired by the GDPR’s definition of consent. The CPRA defines valid consent as being:

• Freely given
• Unambiguous
• Specific
• Informed

What this means is that valid consent under the CPRA must be based on clear and affirmative action from the user indicating their willingness to allow you to share their personal data for a specific purpose.

Businesses will only be required to obtain consent in the following situations:

• for the selling or sharing personal information after a user has already opted out;
• when selling or sharing the personal information of minors;
• for secondary use, selling, or sharing of sensitive personal information after a user has opted out;
• for research exemptions; or,
• to opt-in to financial incentives

Read more about CPRA requirements.

Penalties under the CPRA

The cost of administrative fines under the CPRA is like CCPA fines — 2,500 USD per violation and 7,500 per intentional violation. The difference is that CPRA removed the “grace period” that existed under the CCPA, which gave the businesses 30 days to fix the alleged violation to avoid getting fined. 

The fines may seem rather low compared to the administrative fines under the GDPR. However, it must be underlined that the CPRA administrative fines are for each count of violation or, in other words, per affected consumer. 

Secure Privacy and the CPRA 

If you are an enterprise operating in California and subject to CCPA compliance, it is important to review and understand the changes and updates set to be introduced by CCPA 2.0 following the approval of Prop 24 in the just-concluded US General election. 

Although a lot can change between now and January 1, 2023, you need to remain compliant with CCPA, while getting ready to comply with the CPRA once it is enforced. 

To learn more about how Secure Privacy can help you comply with CCPA, book a call with us and request a demo of our powerful compliance tool. 

Schedule a call to learn more

Additional Resources;

Learn more about the CCPA and how to make your company compliant with our comprehensive guide. 

Read about Virginia CDPA (Consumer Data Protection Act).

CCPA vs. GDPR: What Businesses Need to Know.

Take a look at our Complete Guide to the New US Federal Data Privacy Bill (ADPPA).