CCPA vs CPRA: What changes in California’s Newest Privacy Law
Privacy & Compliance | November 08, 2022
The California Consumer Privacy Act (CCPA) went into effect in 2020 and since then, the law has set the standard as the strongest privacy law in the United States, with follow-up laws in Virginia and Colorado taking a softer approach.
But while the CCPA sets the stage for serious fines against companies that violate the privacy rights of consumers when handling personally identifiable information (PII), for the first two years of its existence, the regulation lacked serious enforcement. It wasn’t until August of this year that we saw the first major settlements come down, as makeup giant Sephora was hit with a $1.2 million fine.
Now, just as CCPA enforcement seems to be ramping up, compliance in California is getting even more complicated with the implementation of the California Privacy Rights Act (CPRA), which goes into effect on January 1st, 2023.
The CPRA expands upon some aspects of the CCPA and supersedes others, with a host of changes and expansions on the original law. In this article, we’ll break down the key differences between the CCPA and the upcoming CPRA.
For a more in-depth breakdown of state-level privacy laws, check out our new Comprehensive Guide to US Privacy Law for 2023, a free 46-page eBook that gives a comparison chart of all state-level privacy laws, as well as an in-depth breakdown of each law, the consumer rights and business requirements of each law, and best practices for compliance with the patchwork of US privacy laws.
What is the CCPA?
The California Consumer Privacy Act (CCPA) is a state law that can affect businesses across the country and even internationally. It’s arguably the most powerful US privacy law. It establishes and protects privacy rights for Californian residents and imposes specific requirements on the businesses it covers.
What rights do data subjects have under the CCPA?
The key to the CCPA is five rights that apply to all California consumers (that is, people rather than organizations or businesses).
While the CCPA sets out specific measures to follow, you should always keep these rights in mind when making privacy decisions. That’s because the rights may affect any interpretation of, or ambiguity in, the rest of the legislation. The CCPA specifically says its text “shall be liberally construed to effectuate its purpose.”
The rights, detailed in sections 2 through 6 of the CCPA, are as follows:
- To know what personal information a business collects about you.
- To know if the business sells or shares your personal information with a third party and, if so, who that is.
- To refuse to let the business sell your personal information.
- To see the personal information a business holds on you.
- To exercise these rights without the business discriminating on service availability or price as a result.
What is the CPRA?
The California Privacy Rights Act 2020 (CPRA) is a California privacy law first passed by voters on November 3, 2020. It expands upon the California Consumer Privacy Act (CCPA) of 2018, which lays the groundwork for consumer privacy regulations in the state. The California Personal Data Protection Act will enter into force on January 1, 2023, and will apply to personal information collected after January 1, 2022. That’s important to note, because it means that data collected today can be held to the standards passed in the finalized CPRA.
However, because regulators in California have gone well past their July 1st deadline to finalize regulations, there have been some signals of leniency for organizations doing their best to comply with the as-of-yet unfinalized law. In recent meetings, the California Privacy Protection Agency has stated that it may consider enforcement on a case-by-case basis, considering “all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”
What Changes in the CPRA vs. the CCPA?
Increased Enforcement of Consumer Privacy Rights
Key provisions of the CPRA are intended to improve California’s compliance enforcement capabilities, including the creation of an agency dedicated to finding violators: the California Privacy Protection Agency (CPPA).
Businesses will also lose the 30-day “heal” period, which the CCPA allots to give organizations time to mitigate discovered violations before being fined. It will also be illegal to share personal information with third parties unless the involved individuals elect to opt in. Previously, the CCPA only made it illegal to sell personal information.
From a fine standpoint, the base penalties for violations do not change between CCPA and CPRA: $2,500 for each unintentional and $7,500 for each intentional violation. But CPRA does add automatic fines ($7,500) for each violation involving the personal information of minors.
New Rights for Data Subjects
The CPRA retains the consumer rights detailed in the CCPA and adds two more:
- The right to rectification. California citizens will have the right to correct any inaccurate personal information.
- The right to limit the use and disclosure of sensitive personal information. Sensitive personal information is defined as any data that includes precise geolocation, race, ethnicity, religion, genetic data, private communications, sexual orientation, and specified health information.
Requiring a ‘Do Not Share’ Button
In addition to requiring a “do not sell my personal information” button, as mandated by the CCPA, the CPRA will require a “do not share my personal data” button, which will allow consumers to opt out of having their data shared with third parties. If a consumer opts out, businesses are now responsible not only for what they do with customer data but also for what third-party partners do with the data. For example, if you post website ads from a third party, you must ensure they do not store customer data. The same requirement extends to services such as trackers, telemetry, online assistants, and shopping carts. You will need to monitor and control all data flows with third parties, and you will be responsible for any data leakage.
Changes to Third Parties Rules and Thresholds
The combination of CCPA and CPRA means businesses are now firmly responsible not only for what they do with customer data but also for what third-party partners do with the data.
CPRA also maintains two of the three thresholds established by CCPA while modifying the third threshold. Both regulations pertain to for-profit businesses that have annual revenue over $25 million or generate 50% or more of their revenue from selling or sharing the personal information of California residents. The third threshold now states that any entity buying, selling, or sharing the personal information of 100,000 or more California residents must comply. This is up from 50,000 as stipulated by CCPA. If your organization meets any one of these three criteria, you are subject to CPRA regulations.
Going Beyond Compliance to Solidify Customer Relationships
The CPRA emerged because it would have been difficult to enforce CCPA and prosecute cases with limited government resources. The emergence of the new act demonstrates just how seriously California is taking data privacy and protection and sends a clear message that businesses and organizations will be penalized for lack of compliance.
It’s clear CPRA will change the game—mainly by creating a new government agency to strictly enforce privacy compliance. Within the next few years, more and more organizations will likely be penalized for non-compliance.
Given that other U.S. states are launching similar initiatives and the major impact GDPR is having on entities that conduct business in Europe, it’s clear companies and organizations also need to take data privacy and protection just as seriously. In addition to avoiding the potential fines and negative publicity that come with violations, implementing data privacy measures is a wise business decision. It demonstrates to your customers just how seriously you take their privacy. And that will help you build stronger, longer-lasting customer relationships.
The CPRA goes into effect in January 2023 and will apply to information collected starting in January 2022. But the time to act is now, as data privacy and protection initiatives require time to deploy correctly and to ensure that websites, portals, internal systems, and third-party relationships are compliant, with complete visibility into customer data flows.
To stay compliant with these laws, you can’t rely on vendors that offer nominal compliance or privacy management through simple workflow mechanisms that rely on connections to additional systems to enact any policy put in place and greatly aggravate data leakage vulnerabilities. CHEQ’s comprehensive solution enforces privacy preferences and requests in real-time without the need to interact with any other supply chain technology, therefore eliminating the risk of data leakage.
With CHEQ Privacy you can set up opt-out of sale links for California consumers and give your customers a clear-cut choice on how their data is used or whether it is collected. And our low-code, zero-integration deployment means Privacy is easy to use. A simple line of code added to your website is all you need to stop data from being collected before your customers give their consent, allowing real-time enforcement of customer consent regardless of tag management systems or 3rd party tags.