
CCPA vs CPRA: Key Differences Explained

Regulations
Batja Huisman
Jul 6, 2022
7 min read

The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) contain many provisions that affect businesses operating in the state. The CPRA is an amendment to the CCPA and was approved in November 2020. The CPRA has technically been in effect since December 16, 2020; however, most of its revisions to the CCPA won’t come into force until January 1, 2023. Learn how the CCPA compares to the CPRA and how the changes could affect your business.

Key Takeaways

  • CPRA is an expansion of CCPA with stricter rules. It amends the original California privacy law by adding new rights, broadening enforcement, and raising the bar for business obligations.
  • Consumers now have more control over their data. CPRA adds rights like correcting inaccurate data, limiting use of sensitive data, and opting out of automated decision-making.
  • The definition of sensitive personal data is expanded. CPRA introduces a new category (SPI) that includes biometric data, geolocation, and login credentials, all subject to tighter rules.
  • More businesses are covered—but some are exempt. The threshold for compliance increased from 50,000 to 100,000 consumers, but businesses with high revenue or data sales must still comply.
  • Enforcement is tougher under CPRA. The 30-day grace period for violations is gone, children’s data violations are treated more seriously, and a new enforcement agency—the CPPA—has been created.

Expanded Consumer Privacy Rights Under the CPRA

The following are the five consumer privacy rights that have been modified under the CPRA:

Right to Access

On request, businesses must tell consumers what personal and sensitive information has been collected, shared, or sold to third parties, the categories of PII involved, and which third parties received it.

There is no legal obligation for companies to keep data for a particular length of time, so it is hard to say how long a given company will retain PII.

Right to Delete

The CPRA gives consumers new rights that make it easier to have the data companies have collected about them deleted.

Right to Data Portability

The CCPA gives users the right to access their data. However, users can now transfer their personal information to different companies under the CPRA.

Right to Opt-Out

While the CCPA only allows data subjects to opt out of data sales, the CPRA gives users the right to opt out of both the sale and the sharing of their personal information with third parties.

Right to Opt-In for Minors

The CCPA prohibits the sale of personal information of California consumers under 16 years of age without their opt-in consent. The CPRA adds that you must wait 12 months before asking again for consent from a minor who has refused the initial request.

New Consumer Rights

The CPRA sets four new user privacy rights.

Right to Correct Data

This right applies when a consumer’s data is inaccurate. It allows them to ask for this information to be corrected.

Right to Access Information About Automated Decision Making

Data subjects are entitled to request information about automated decision-making processes concerning their data, as well as the likely results of those processes.

Right to Limit Use & Disclosure of Sensitive Personal Information

A company must, by law, respond to a consumer’s requests to limit the use and disclosure of their data.

Right to Opt-Out of Automated Decision Making

California residents can also choose to opt-out of automated decision-making technology, such as individual profiling.

Pro Tip: Rethink Opt-Out Design as a Multi-Stakeholder Process

  • Coordinate opt-out scope with martech and legal: CPRA expands opt-out to include “sharing,” which impacts marketing pixels, custom audiences, and cookie tools. Legal may be aware of obligations, but tech teams need specifics to implement.
  • Distinguish between sales and sharing in UI/UX: Give cookie banners and privacy pages clear segmentation of what is sold vs. what is shared. Avoid vague “do not sell or share” catchalls, which could raise enforcement scrutiny.
  • Automate GPC signal ingestion across systems: CPRA mandates honoring Global Privacy Control (GPC) signals. Manually processing these in consent management platforms or relying solely on frontend scripts often creates compliance gaps.
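The third tip above calls for handling the GPC signal server-side rather than only in frontend scripts. The following is an added example, not code from the original article or from Mine; it models the Global Privacy Control signal as the `Sec-GPC: 1` request header defined by the GPC specification, represents requests as a dict of lower-cased header names, and uses a hypothetical tag catalog that classifies each marketing tag as `sale`, `sharing`, or `functional` (a classification the marketing and legal teams would maintain). It shows the two points that matter for compliance: a malformed or missing signal is not consent, and a stored opt-out is never re-enabled by a later request without the signal.

```python
# Added example (not from the original article): server-side handling of the
# Global Privacy Control (GPC) signal so that the opt-out of "sale" and
# "sharing" does not depend solely on a frontend script.
# Assumptions: requests are modelled as a dict of lower-cased header names;
# the GPC signal is the HTTP request header "Sec-GPC: 1" as defined by the GPC
# specification; tag categories ("sale", "sharing", "functional") are a
# hypothetical classification maintained by the marketing/legal teams.

from dataclasses import dataclass


@dataclass
class ConsentRecord:
    """Stored preference for one consumer/browser. Defaults are permissive only
    because nothing has been expressed yet; a GPC signal flips them to opt-out."""
    opt_out_sale: bool = False
    opt_out_sharing: bool = False
    source: str = "none"


def gpc_signal_present(headers: dict) -> bool:
    """True only for a well-formed opt-out signal.
    The spec defines "1" as the sole opt-out value; anything else, including a
    missing header, means "no signal", which must not be read as consent."""
    value = headers.get("sec-gpc")
    return value is not None and value.strip() == "1"


def apply_gpc(headers: dict, record: ConsentRecord) -> ConsentRecord:
    """Merge the request's GPC signal into the stored record.
    A GPC signal is treated as a valid request to opt out of both sale and
    sharing. Absence of the signal leaves an earlier opt-out in place: the
    signal can only narrow processing, never re-enable it."""
    if gpc_signal_present(headers):
        return ConsentRecord(opt_out_sale=True, opt_out_sharing=True, source="gpc")
    return record


def allowed_tags(record: ConsentRecord, tag_catalog: dict) -> list:
    """Filter a tag catalog (tag name -> category) down to tags that may load.
    Unknown categories fail closed so an unclassified pixel cannot slip through."""
    blocked = set()
    if record.opt_out_sale:
        blocked.add("sale")
    if record.opt_out_sharing:
        blocked.add("sharing")
    permitted = {"functional", "sale", "sharing"} - blocked
    return sorted(tag for tag, cat in tag_catalog.items() if cat in permitted)


# Constructed sample data for a stand-alone run.
TAG_CATALOG = {
    "analytics-first-party": "functional",
    "ad-network-pixel": "sale",
    "social-custom-audience": "sharing",
    "unclassified-script": "unknown",
}


def demo() -> dict:
    """Run three constructed requests through the filter and return the tags
    each would be allowed to load."""
    with_gpc = {"sec-gpc": "1", "user-agent": "constructed/1.0"}
    without_gpc = {"user-agent": "constructed/1.0"}
    malformed = {"sec-gpc": "true"}
    fresh = ConsentRecord()
    return {
        "gpc": allowed_tags(apply_gpc(with_gpc, fresh), TAG_CATALOG),
        "none": allowed_tags(apply_gpc(without_gpc, fresh), TAG_CATALOG),
        "malformed": allowed_tags(apply_gpc(malformed, fresh), TAG_CATALOG),
    }


if __name__ == "__main__":
    for name, tags in demo().items():
        print(name, tags)
```

In a real deployment the `ConsentRecord` would be persisted per consumer and the filtered tag list passed to the page template or tag manager, so the same decision is applied to both the server-rendered page and any pixels loaded later; the unclassified script failing closed is deliberate, since an unlabelled tag is exactly the kind of gap the tip warns about.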

Who Must Comply

The CPRA exempts some small businesses that were covered by the CCPA. Previously, under the CCPA, a business that collected data from over 50,000 consumers was subject to the act. Under the CPRA, that threshold has increased to 100,000.

CPRA also applies to any company with at least half of its revenue involving transactions coming from the sales or sharing of consumers’ data or with a gross annual revenue of over $25 million.

GDPR Principles Incorporated in CPRA

Storage Limitation

The CPRA specifically mentions that companies may not retain PII for longer than necessary. When collecting data, companies also have to inform customers of the length of time each type of data is stored.

Data Minimization

Companies should only collect, use, and store users’ personally identifiable information that is reasonably necessary.

Purpose Limitation

If a company chooses to use customers’ personal information in a way that differs from how it initially disclosed it, the company needs to first inform all customers.

30-Day Cure Period Abolished

Under the CPRA, organizations no longer automatically get a 30-day cure period in which violations could be addressed. However, at the discretion of the CPPA, cure periods can still be granted to violators.

CPRA Expanded Private Right of Action

The California Consumer Privacy Act gave consumers whose unredacted or unencrypted data was compromised the right to take legal action against the responsible company. The CPRA extends this to cover additional personal data such as consumers’ passwords, email addresses, and security questions.

Contractual Provisions for Data Shared with Third Parties

The CPRA obligates businesses to have a contract in place with any third party that receives or shares their customer data. This strengthens customer data security and reduces third-party risk.

Addition of the SPI Category

The CPRA adds a group of highly sensitive personal information that is subject to more strict purpose limitations and disclosure requirements. This includes:

  • Biometric information for identification
  • Contents of communication
  • Credit or debit card number with access codes
  • Driver’s license
  • Ethnic origin
  • Financial account information and log-in credentials
  • Genetic data
  • Health information
  • Information about sex or sexual orientation
  • Passport number
  • Precise geolocation data
  • Religious or philosophical beliefs
  • Social Security Number
  • State identification card

Mandatory Audit and Security Risk Assessment

The CPRA mandates that businesses conduct annual cybersecurity audits and periodic risk assessments to protect consumers’ data. Businesses must start assessing risks to data security and information confidentiality, prioritize the risks they face, and implement a risk assessment framework. This is an important step in developing a cybersecurity strategy, which helps organizations take the appropriate steps to mitigate those risks.

Creation of a New Privacy Enforcement Authority

The CCPA was first enforced by the office of the Attorney General. The CPRA established a new privacy enforcement authority, the California Privacy Protection Agency (CPPA), and grants it powers to investigate and enforce the act.

Extra Data Protection for Children’s PII

The CPRA is similar to the CCPA in that it also prohibits the sale of personal information of those under 16. However, violations involving children’s data are treated as intentional violations, which carry the higher penalty. Violating the CPRA carries a penalty of up to $7,500 for intentional violations and up to $2,500 for unintentional violations.

Why Businesses Must Pay Attention to These Laws

CPRA will not go fully into effect until January 1, 2023. However, businesses that operate in California should start now to prepare for it.

With the 30-day cure period abolished, the penalty for violations involving minors raised to $7,500, and a dedicated enforcement body (the CPPA) in place, businesses have to be careful not to violate these new privacy regulations.

Businesses should review the information related to the CPRA, assess the measures they currently have in place for CPRA compliance, and check whether there are any gaps in their current policy.

Keeping Up With Privacy Management

Complying with ever-evolving privacy regulations can be a daunting task in today’s landscape. With a full privacy management suite like Mine PrivacyOps, businesses can ensure that their data privacy operations are appropriately managed and compliant with privacy laws, protecting their organization from possible fines, limiting risks, and maintaining users’ trust.
