In this article, we look at the distinctions between the CCPA and the CPRA, guiding you through the essential updates and adjustments needed to stay compliant with the California Consumer Privacy Act.
On January 1, 2020, what is widely considered the toughest data privacy law in the United States took effect. The California Consumer Privacy Act (CCPA) was enacted to strengthen the privacy rights of California residents. Enforcement by the Attorney General began on July 1, 2020, and in November 2020 California voters approved Proposition 24, also known as the California Privacy Rights Act (CPRA). Although the two are commonly confused, and some believe the CPRA replaces the CCPA, the CPRA in fact amends the CCPA and adds further privacy protections. The new CPRA provisions took effect on January 1, 2023, and, as the Attorney General's website notes, the CPRA amends the CCPA rather than creating a new law. The two operate together as a single law, referred to as the CCPA.
The table below compares the two, highlighting the most significant changes the CPRA introduced across applicability, definitions, obligations of covered entities, what counts as personal information, data subject rights, and enforcement. Under the CPRA the consumer-count threshold for applicability is higher (100,000 rather than 50,000 consumers or households), and the law covers not only selling but also sharing consumers' personal information for cross-context behavioral advertising, whether or not money changes hands. New definitions are added (such as 'contractor' and 'share'), personal information is clearly distinguished from sensitive personal information, and consumers gain new rights (the right to correct, and the right to limit the use and disclosure of sensitive personal information).
Comparison: California Consumer Privacy Act (CCPA) vs. California Privacy Rights Act (CPRA)

Applicability

CCPA: Applies to for-profit entities in any jurisdiction that
- (i) do business in California and determine the purposes and means of processing personal information; and
- (ii) meet at least one of the following thresholds:
  - (a) annual gross revenues over $25 million;
  - (b) annually buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices; or
  - (c) derive 50 percent or more of annual revenue from selling consumers' personal information.

CPRA: Applies to for-profit entities in any jurisdiction that
- (i) do business in California and determine the purposes and means of processing personal information; and
- (ii) meet at least one of the following thresholds:
  - (a) annual gross revenues over $25 million in the preceding calendar year;
  - (b) annually buy, sell, or share the personal information of 100,000 or more consumers or households (the "devices" prong of the CCPA threshold is dropped); or
  - (c) derive 50 percent or more of annual revenue from selling or sharing consumers' personal information.

Definitions

CCPA:
- "Business" is an entity subject to the CCPA.
- "Service provider" is an entity that processes information on behalf of a business and to which a business discloses a consumer's personal information for a business purpose pursuant to a written contract.
- "Sell" means any disclosure of personal information by a business to another business or third party for money or other valuable consideration, subject to certain exceptions.

CPRA:
- "Business" is an entity subject to the CPRA.
- "Service provider" is an entity that processes personal information on behalf of a business and receives from, or on behalf of, the business a consumer's personal information pursuant to a written contract.
- "Contractor" is a person to whom a business makes a consumer's personal information available for a business purpose pursuant to a written contract.
- "Sell" means any disclosure of personal information by a business to another business or third party for money or other valuable consideration, subject to certain exceptions.
- "Share" means making personal information available to a third party for cross-context behavioral advertising (e.g., advertising across different, non-affiliated websites), whether or not for money or other valuable consideration.

Business responsibilities

CCPA:
- Businesses must provide two or more methods for submitting requests for information, including a toll-free telephone number.
- Businesses must disclose their privacy practices on their websites.
- Businesses must provide a notice at or before the collection of personal information.
- Businesses have an implicit duty to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect personal information.

CPRA:
- Businesses must provide two or more methods for submitting requests for information, including a toll-free telephone number.
- Businesses must disclose their privacy practices on their websites.
- Businesses must provide a notice at or before the collection of personal information.
- Collection, use, retention, and sharing of personal information must be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose.
- Businesses may not retain personal information for longer than is reasonably necessary for each disclosed purpose for which the information was collected.
- Businesses, service providers, and contractors have an explicit duty to implement reasonable security procedures and practices, appropriate to the nature of the personal information, to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure.
- Businesses whose processing of personal information presents a "significant risk" (as defined by new regulations) to consumers' privacy or security must:
  - perform an annual independent cybersecurity audit; and
  - submit a risk assessment to the California Privacy Protection Agency (CPPA) on a regular basis, stating whether the business processes sensitive personal information and weighing the benefits of the processing against the risks to consumers' privacy.

Personal information

CCPA:
- Personal information includes any information that is reasonably capable of being associated with a particular consumer or household.

CPRA:
- Personal information includes any information that is reasonably capable of being associated with a particular consumer or household.
- Sensitive personal information is a new sub-category and includes:
  - government-issued identifiers (e.g., social security, driver's license, state ID, or passport number);
  - account log-in and financial account information (e.g., credit card or bank account numbers in combination with credentials that allow access to the account);
  - precise geolocation data;
  - racial or ethnic origin, religious or philosophical beliefs, or union membership;
  - contents of mail, email, and text messages, unless the business is the intended recipient;
  - genetic data and biometric information processed to uniquely identify a consumer;
  - health-related information; and
  - information about sex life or sexual orientation.
- Consumers have the right to direct businesses that collect sensitive personal information to limit its use to what is necessary to perform the services or provide the goods reasonably expected by the consumer.

Data subject rights

CCPA:
- Right to access or know;
- Right to delete;
- Right to restrict, object, or opt out of sale;
- Right to data portability.
- Businesses must:
  - (a) confirm receipt of a request within 10 business days and respond to any verified request within 45 calendar days (with limited exceptions);
  - (b) verify the requesting consumer's identity; and
  - (c) maintain records of consumer requests, including the manner of response, for at least 24 months.
- Businesses may not discriminate against consumers who exercise their rights, for example by denying products or services, charging or suggesting different prices, or offering a different level or quality of goods or services.

CPRA:
- Right to access or know;
- Right to delete;
- Right to correct;
- Right to restrict, object, or opt out of sale and sharing;
- Right to data portability;
- Right to limit the use and disclosure of sensitive personal information.
- Businesses must:
  - (a) confirm receipt of a request within 10 business days and respond to any verified request within 45 calendar days (with limited exceptions);
  - (b) verify the requesting consumer's identity; and
  - (c) maintain records of consumer requests, including the manner of response, for at least 24 months.
- Businesses may not discriminate against consumers, employees, job applicants, or independent contractors for exercising their rights under the law.

Enforcement

CCPA:
- The Attorney General has primary enforcement responsibility.
- The Attorney General may seek both injunctive relief and civil penalties of up to $2,500 per violation or $7,500 per intentional violation.
- Businesses must be given notice of a violation and a 30-day period to cure before the Attorney General may seek any penalty.

CPRA:
- Both the Attorney General and the newly created California Privacy Protection Agency (CPPA) have enforcement responsibility.
- The CPPA may investigate possible violations on its own initiative or on receipt of a sworn complaint, hold administrative hearings, issue cease-and-desist orders, and impose fines of up to $2,500 per violation or $7,500 per intentional violation or per violation involving the personal information of consumers under 16 years of age.
- The Attorney General may request a stay of a CPPA administrative action in order to proceed with an investigation or civil action.
- The CPRA removes the mandatory cure period; the CPPA has discretion to offer one.
CCPA Compliance Checklist
Here is a checklist to facilitate compliance for your business with the California Consumer Privacy Act:
Conclusion
In summary, we've highlighted the main differences between two important privacy laws in California: the CCPA and CPRA. The CPRA, which builds on the CCPA, doesn't replace it but adds more rules and protections.
For businesses, these changes mean they need to be even more careful about how they handle personal information. The CPRA is stricter, in part because the mandatory 30-day cure period is gone: any opportunity to fix a violation before penalties apply is now at the regulator's discretion. This makes it important for businesses to stay up to date and follow these laws closely to avoid legal issues for their organization.
Overall, California is setting a high standard for data privacy in the U.S. with these laws. For online businesses, understanding and following these laws is crucial for legal reasons and for building trust with customers.
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- ReadyCompliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.
You can see Clym in action by booking a demo, or reach out to us to discuss your specific needs today.