



The California Privacy Rights Act (CPRA) is California’s next privacy legislation, but how is it different from CCPA? Read all about it here.
The California Privacy Rights Act (CPRA) was proposed by the Californians for Consumer Privacy coalition as ballot Proposition 24 (Prop 24) in the 2020 US General Election. The CPRA is focused on expanding the scope of the existing California Consumer Privacy Act (CCPA). The CPRA is also expected to address ambiguities identified under the CCPA. The CPRA’s enhancement of the CCPA brings California privacy law in closer alignment with the General Data Protection Regulation of the European Union (GDPR).
CCPA 2.0 is set to come into effect on January 1, 2023. However, it will have a “look back” provision which means that some of its provisions will be effective as of January 1, 2022. With the enforcement of CCPA 2.0, complying with the CCPA alone may not be enough for businesses operating in the Golden State.
Similar to the CCPA, the CPRA applies to any for-profit organization doing business in the state of California which meets the following criteria:
The CPRA differs from the CCPA in its coverage. First, the number of households/consumers whose personal information is bought, sold or shared increased from 50,000 to 100,000. Second, the new law now applies to businesses that generate 50% or more of their revenue from sharing personal information of consumers, and not just from selling it.
Even though the CCPA was a ground-breaking privacy law in the US and introduced major privacy protections for California consumers, it fell short of addressing fundamental issues with current privacy regulations and practices, issues that some data protection laws such as the GDPR do address. That is why there was a need for more robust privacy regulation in the Golden State.
The original CCPA was called California’s version of the GDPR. It lacked many provisions which existed under the GDPR — nonetheless, it can be seen as an attempt to align California's privacy laws with the GDPR.
In particular, the new law grants California consumers new and expanded rights while imposing unique obligations on covered entities. The CPRA also comes with major changes in enforcement provisions of the CCPA.
Similar to Brazil’s General Personal Data Protection Law (LGPD), which created a national data protection agency referred to as the National Data Protection Authority (ANPD), CCPA 2.0 establishes a new government agency whose core duty will be to safeguard the privacy and digital rights of California residents.
This body is set to be known as the California Privacy Protection Agency (CPPA). Its additional duties will be:
Additionally, you should be aware that the CPPA, in collaboration with California’s Attorney General, can carry out audits and risk assessments on your business if you process consumer data.
The CCPA granted California residents certain rights. The CPRA provides for new and expanded rights to consumers. The rights that existed under the CCPA include:
Under the CPRA, the following rights are modified:
The new rights which are introduced by the CPRA are the following:
Not exactly. The CPRA does not replace the CCPA, but rather, the CPRA amends the CCPA. The CCPA established the basis of the data privacy landscape in the state of California and the CPRA builds upon that and enhances the privacy rights of Californians. The new law specifically states that it amends existing provisions of Title 1.81.5 of the California Civil Code, also known as the CCPA, and adds new provisions.
The CPRA introduces a new concept of “sensitive personal information” that requires a special degree of protection given its sensitive nature. The law specifies what is considered sensitive information under the CPRA. This is personal information that reveals:
This new category of personal data under the CPRA will create specific rights and obligations that will allow consumers to limit the use and disclosure of their sensitive personal information. Consumers will be able to dictate that a business can only use their sensitive information for purposes necessary to carry out a service or provide goods requested by consumers.
The CPRA amends the definition of consent, expanding its scope compared to the CCPA. The amended definition is inspired by the GDPR’s definition of consent. The CPRA defines valid consent as being:
What this means is that valid consent under the CPRA must be based on clear and affirmative action from the user indicating their willingness to allow you to share their personal data for a specific purpose.
Businesses will only be required to obtain consent in the following situations:
Administrative fines under the CPRA are like CCPA fines: 2,500 USD per violation and 7,500 USD per intentional violation. The difference is that the CPRA removed the “grace period” that existed under the CCPA, which gave businesses 30 days to fix the alleged violation to avoid getting fined.
The fines may seem rather low compared to the administrative fines under the GDPR. However, it must be underlined that the CPRA administrative fines are for each count of violation or, in other words, per affected consumer.
If you are an enterprise operating in California and subject to CCPA compliance, it is important to review and understand the changes and updates set to be introduced by CCPA 2.0 following the approval of Prop 24 in the just-concluded US General election.
Although a lot can change between now and January 1, 2023, you need to remain compliant with CCPA, while getting ready to comply with the CPRA once it is enforced.