CCPA vs CPRA? What’s the difference in California’s Data Privacy Landscape

California Consumers Privacy Act (CCPA)

California Privacy Rights Act (CPRA)

Applicability

Applies to for-profit entities in any jurisdiction that 

• (i) carry out business in California and control the means of processing personal information; and 
• (ii) one of the following applies to them: 
  • (a) derive over $25 million in annual gross revenues; 
  • (b) purchase, sell, or share the personal information of 50,000 or more consumers, households or devices annually; or 
  • (c) more than half of their annual revenue is derived from selling consumer personal information.

Applies to for-profit entities in any jurisdiction that 

• (i) carry out business in California and control the means of processing personal information; and 
• (ii) one of the following applies to them: 
  • (a) derive over $25 million in annual gross revenues; 
  • (b) purchase, sell, or share the personal information of 100,000 or more consumers or households or devices annually; or 
  • (c) more than half of their annual revenue is derived from selling or sharing consumer personal information.

Definitions 

“Business” is an entity subject to the CCPA. 

“Service Provider” is an entity that processes information on behalf of a business and to which a business discloses a consumer’s personal information for a business purpose pursuant to a written contract.

“Sell” means any disclosure of personal information by a business to another business or third party for money or other valuable consideration, subject to certain exceptions.

“Business” is an entity subject to the CPRA. 

“Service Provider” is an entity that processes personal information on behalf of a business and receives from or on behalf of the business a consumer’s personal information pursuant to a written contract. 

“Contractor” is a person to whom a business provides a consumer’s personal information for a business purpose pursuant to a written contract. 

“Sell” means any disclosures of personal information by a business to another business or third party for money or other valuable consideration, subject to certain exceptions. 

“Share” means making personal information available to a third party for cross-context behavioral advertising (e.g., advertising across different, nonaffiliated websites).

Business responsibilities 

• Businesses must provide two or more methods for submitting requests for information, including a toll-free telephone number. 
• Businesses must make disclosures of their privacy practices on their websites. 
• Businesses must provide a notice at or before the collection of personal information. 
• Businesses have an implicit duty to implement and maintain reasonable security procedures and practices to protect personal information, which must be appropriate to the nature of such information.

• • Businesses must provide two or more methods for submitting requests for information, including a toll-free telephone number. 
  • Businesses must make disclosures of their privacy practices on their websites. 
  •  
  • Businesses must provide a notice at or before the collection of personal information. 
• Collection, use, retention and sharing of personal information must be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed or for another disclosed purpose.
• Businesses may not retain personal information for longer than is reasonably necessary for each disclosed purpose for which the information was collected.
• Businesses, service providers and contractors have an explicit duty to implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification or disclosure. 
• Businesses whose processing of personal information presents “significant risk” (subject to new regulations) to consumers’ privacy or security must:
  • perform an annual independent cybersecurity audit;
  • submit a risk assessment to the CPPA on a regular basis, including whether the business processes sensitive personal information and weighing the benefits from the processing against the risks to consumers’ privacy.

Personal information

Personal Information includes any information that is reasonably capable of being associated with a particular consumer or household.

Personal Information includes any information that is reasonably capable of being associated with a particular consumer or household.

• financial account information (i.e., credit card, bank account, login credentials); 
• precise geolocation data; background and beliefs (i.e., racial or ethnic origin, religious beliefs, union membership, sexual orientation); 
• contents of mail, email, and text messages; 
• genetic data and biometric information;
• health-related information. 
• Consumers have the right to direct businesses that collect sensitive personal information to limit the use of such information to that which is necessary to perform services or provide goods reasonably expected.

Data Subject Rights

• Right to access or know; 
• Right to delete;
• Right to restrict, object, or opt out of sale;
• Right to data portability; 
• Businesses must: 
  • (a) confirm receipt within 10 business days and respond to any verified request within 45 calendar days (with limited exceptions); 
  • (b) verify a requesting consumer’s identity; and 
  • (c) maintain records of consumer requests for at least 24 months, including the manner of response.
• Businesses may not discriminate against consumers who exercise their rights by denying products or services, charging or suggesting different prices or offering different levels or quality of goods or services. 

• Right to access or know; 
• Right to delete; 
• Right to correct;
• Right to restrict, object or opt out of sale and share; 
• Right to data portability;
• Limit the use and disclosure of sensitive personal information. 

• Businesses must: 
  • (a) confirm receipt within 10 business days and respond to any verified request within 45 calendar days (with limited exceptions); 
  • (b) verify a requesting consumer’s identity; and 
  • (c) maintain records of consumer requests for at least 24 months, including the manner of response.
• Businesses may not discriminate against consumers, employees, job applicants or independent contractors for exercising their rights under the law.

Enforcement 

• The Attorney General has the primary enforcement responsibility. 
• The Attorney General may seek both injunctive and monetary penalties, up to $2,500 per violation or $7,500 per intentional violation. 
• Businesses are to be provided notice of a violation and a 30-day period to cure before the Attorney General may issue any penalty

• Both the Attorney General and the newly-created California Privacy Protection Agency have enforcement responsibility. 
• The CPPA may investigate possible violations on its own initiative or on receipt of a sworn complaint, hold administrative hearings and issue cease-and-desist orders and fines up to $2,500 per violation or $7,500 per intentional violation or violation involving personal information of consumers under 16 years of age.  
• The Attorney General may request a stay of a CPPA administrative action in order to be able to proceed with an investigation or civil action. 
• The CPRA provides no cure period, but the CPPA has discretion to offer a cure period.