CCPA vs. CPRA: Key Components Explained

Batja Huisman
Jul 6, 2022

The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) contain many provisions that affect businesses operating in the state. The CPRA is an amendment to the CCPA that was approved in November 2020. The CPRA has technically been in effect since December 16, 2020, but most of its revisions to the CCPA won’t come into force until January 1, 2023. Learn how the CCPA compares to the CPRA and how the changes could affect your business.

Expanded consumer privacy rights under the CPRA

The following are the five consumer privacy rights that have been modified under the CPRA:

Right to access

On request, businesses must provide consumers with the personal and sensitive information collected about them, shared, or sold to third parties, the categories of PII involved, and the third parties that received it.

There is no legal obligation for companies to retain data for a particular period, so it is hard to say how long a company will keep a consumer's PII.

Right to delete

The CPRA gives consumers new rights that make it easier to have the data companies have collected about them deleted.

Right to data portability

The CCPA gives users the right to access their data. Under the CPRA, users can now also transfer their personal information to a different company.

Right to opt-out

While the CCPA only allows data subjects to opt out of data sales, the CPRA gives users the right to opt out of both the sale and the sharing of their personal information with third parties.

Right to opt-in for minors

The CCPA prohibits the sale of personal information of California consumers under 16 years of age without their opt-in consent. The CPRA adds that a business must wait 12 months before asking again for consent from a minor who has refused the initial request.

New consumer rights

The CPRA sets four new user privacy rights.

Right to correct data

This right applies when a consumer’s data is inaccurate. It allows the consumer to ask for the information to be corrected.

Right to access information about automated decision making

Data subjects are entitled to request information about automated decision-making processes concerning their data, as well as the likely results of those processes.

Right to limit use & disclosure of sensitive personal information

A company is legally required to honor a consumer’s request to limit the use and disclosure of their sensitive personal information.

Right to opt-out of automated decision making

California residents can also choose to opt out of automated decision-making technology, such as individual profiling.

Who must comply

The CPRA exempts some small businesses that were covered by the CCPA. Under the CCPA, a business that collected the data of more than 50,000 consumers was subject to the act. Under the CPRA, that threshold has increased to 100,000.

The CPRA also applies to any company that derives at least half of its annual revenue from selling or sharing consumers’ personal information, or that has gross annual revenue of over $25 million.

GDPR principles incorporated in CPRA

Storage limitation

The CPRA specifically states that companies may not retain PII for longer than necessary. When collecting data, companies also have to inform consumers how long each type of data will be stored.

Data minimization

Companies should only collect, use, and store users’ personally identifiable information that is reasonably necessary.

Purpose limitation

If a company wants to use customers’ personal information in a way that differs from the purpose it initially disclosed, it must first inform those customers.

30-day cure period abolished

Under the CPRA, organizations no longer automatically receive a 30-day cure period in which to address violations. However, the CPPA may still grant a cure period at its discretion.

CPRA expanded private right of action

The CCPA gave consumers whose unredacted or unencrypted data was compromised the right to take legal action against companies. The CPRA broadens this provision to cover additional personal data, such as consumers’ passwords, email addresses, and security questions.

Contractual provisions for data shared with third parties

The CPRA obligates businesses to have a contract in place with any third party that receives or shares their customer data. This improves the security of customer data by reducing third-party risk.

Addition of the SPI category

The CPRA defines a category of highly sensitive personal information (SPI) that is subject to stricter purpose limitations and disclosure requirements. It includes:

  • Biometric information for identification
  • Contents of communication
  • Credit or debit card number with access codes
  • Driver’s license
  • Ethnic origin
  • Financial account information and log-in credentials
  • Genetic data
  • Health information
  • Information about sex or sexual orientation
  • Passport number
  • Precise geolocation data
  • Religious or philosophical beliefs
  • Social Security Number
  • State identification card

Mandatory audit and security risk assessment

The CPRA requires businesses to undergo annual cybersecurity audits and periodic risk assessments to protect consumer data. Businesses should start assessing risks to data security and confidentiality, prioritize those risks, and adopt a risk assessment framework. This is an important step in developing a cybersecurity strategy that lets an organization take the appropriate measures to mitigate the risks it identifies.

Creation of a new privacy enforcement authority

The CCPA was first enforced by the office of the Attorney General. The CPRA established a new privacy enforcement authority, the California Privacy Protection Agency (CPPA), and grants it powers to investigate and enforce the act.

Extra data protection for children’s PII

Like the CCPA, the CPRA prohibits the sale of personal information of those under 16. Under the CPRA, however, violations involving children’s data are treated as intentional violations, which carry heavier penalties. Violating the CPRA often comes with a penalty of up to $7,500 for intentional violations and up to $2,500 for unintentional violations.

Why businesses must pay attention to these laws

The CPRA will not go fully into effect until January 1, 2023. However, businesses that operate in California should start preparing for it now.

With the 30-day cure period abolished, the penalty for violations involving minors raised to $7,500, and a dedicated enforcement body (the CPPA) established, businesses must be careful not to violate these new privacy regulations.

Businesses should review the requirements of the CPRA, assess the measures they currently have in place for compliance, and check for gaps in their current policies.

Keeping up with privacy management

Complying with ever-evolving privacy regulations can be a daunting task in today’s landscape. With a full privacy management suite like Mine PrivacyOps, businesses can ensure that their data privacy operations are appropriately managed and compliant with privacy laws, protecting their organization from possible fines, limiting risks, and maintaining users’ trust.