CCPA vs CPRA
Posted: November 4, 2022
The California Consumer Privacy Act (CCPA), effective from January 2020, was a monumental advancement for U.S. privacy legislation. The California Privacy Rights Act (CPRA), which amends and enhances the CCPA, took effect in January 2023, setting more rigorous standards for data protection.
This article explores the key similarities and differences between the CCPA and CPRA.
What is the CCPA?
The California Consumer Privacy Act (CCPA) provides privacy rights and consumer protections to Californian residents. At the heart of the CCPA is its definition of “personal information,” which is described as:
“… information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
This definition is intentionally broad, covering a wide range of data that could be used on its own or in combination with other data to identify, associate with, or relate to an individual or household. By including terms like “reasonably be linked,” the CCPA acknowledges the various ways that information can be connected to individuals, ensuring a broad scope of protection to reflect the complexities of modern data use and sharing.
Who must comply with the CCPA?
The California Consumer Privacy Act (CCPA) applies to any for-profit business that meets one or more of the following conditions:
- Operational presence in California: The business conducts operations within the state of California.
- Revenue threshold: The business has gross annual revenues exceeding $25 million.
- Volume of personal data transactions: The business buys, sells, receives, or shares the personal information of 50,000 or more consumers, households, or devices annually.
- Dependency on data sales: The business derives 50% or more of its annual revenues from selling consumers’ personal information.
What is the CPRA?
The California Privacy Rights Act (CPRA) builds upon the CCPA’s framework but refines the definition of “personal information” to increase protections.
While it retains a similar broad scope as the CCPA, the CPRA specifies that personal information must also be “reasonably capable of being associated with a particular consumer or household.”
This additional criterion tightens the definition, focusing on the realistic potential for an association to ensure even stronger privacy safeguards for consumers.
Who needs to comply with CPRA?
The California Privacy Rights Act (CPRA) broadens its scope to encompass larger entities, setting specific criteria that determine which businesses must comply. To fall under the CPRA, a business must meet one or more of the following thresholds:
- Revenue: The business generates over $25 million in gross annual revenue.
- Volume of personal information: The business annually buys, sells, or shares the personal information of 100,000 or more consumers or households.
- Revenue from personal information: The business earns a significant portion of its revenue from selling or sharing consumers’ personal information.
How is the CCPA similar to the CPRA?
The CCPA (California Consumer Privacy Act) and the CPRA (California Privacy Rights Act) share several similarities, as the CPRA builds upon the foundational principles established by the CCPA. Here’s how they are similar:
- Jurisdiction and scope: Both laws apply to businesses operating in California, regardless of where they are based. They regulate the handling of personal information of California residents.
- Definition of personal information: Both statutes define personal information broadly, encompassing data that identifies, relates to, or could be reasonably linked with a particular consumer or household.
- Consumer rights: Both the CCPA and CPRA grant consumers similar fundamental rights concerning their personal data. These include:
  - Right to know: Consumers have the right to know what personal information a business collects about them and how it is used and shared.
  - Right to delete: Consumers can request the deletion of their personal information held by businesses.
  - Right to opt-out: Consumers can opt out of the sale of their personal information to third parties.
  - Right to non-discrimination: Consumers are entitled to equal service and price from businesses, even if they exercise their privacy rights.
- Business obligations: Both laws impose duties on businesses regarding how they collect, handle, and secure consumer personal information. Businesses must provide notices to consumers at the point of collection and maintain reasonable security practices to protect the personal information they handle.
- Data breach penalties and remedies: Both the CCPA and CPRA empower consumers to take legal action in the event of a data breach involving non-encrypted and non-redacted personal information due to a business’s failure to maintain reasonable security procedures.
How does the CCPA differ from the CPRA?
The CCPA (California Consumer Privacy Act) and the CPRA (California Privacy Rights Act), while sharing foundational principles, also differ significantly in several areas, as the CPRA builds upon and extends the protections provided by the CCPA. Here’s how they differ:
1. Threshold for Compliance:
   a. CCPA: Applies to businesses that annually buy, sell, or share the personal information of 50,000 or more consumers, households, or devices.
   b. CPRA: Increases this threshold to businesses that buy, sell, or share the personal information of 100,000 or more consumers or households annually, focusing the regulations more on larger data processors.
2. New Consumer Rights:
   a. Right to Correction: The CPRA adds the right for consumers to correct inaccurate information about themselves held by businesses.
   b. Right to Limit Use and Disclosure of Sensitive Personal Information: The CPRA provides consumers with the right to restrict the use of their sensitive personal information, such as health, financial, racial or ethnic, and precise geolocation data.
   c. Right to Opt-Out of Sharing: The CPRA extends the opt-out right to include not just the sale but also the sharing of personal information for cross-context behavioral advertising.
3. Data Minimization and Retention:
   a. CCPA: Does not explicitly impose data minimization or retention obligations.
   b. CPRA: Requires businesses to minimize data collection and not retain personal data longer than necessary, aligning closer with principles found in the GDPR.
4. New Definitions and Concepts:
   a. Sensitive Personal Information: The CPRA introduces a new sub-category of personal information, providing special rules for handling such data.
   b. Contractors and Service Providers: The CPRA clarifies obligations for contractors and third parties, requiring contracts to specify operational limits and granting rights to audit.
5. Enforcement:
   a. CCPA: Enforcement is primarily under the purview of the California Attorney General.
   b. CPRA: Establishes the California Privacy Protection Agency (CPPA), a new regulatory body dedicated to implementing and enforcing privacy legislation, thereby strengthening enforcement capabilities.
6. Expanded Data Breach Liability:
   a. CCPA: Provides for consumer lawsuits only in the event of a data breach caused by inadequate security.
   b. CPRA: Expands this liability to include breaches involving an email address in combination with a password or security question and answer that would permit access to the account.
Applicability
The CCPA and CPRA both apply to organisations based outside of California.
The CCPA applies primarily to “businesses,” defined as any for-profit organisation that does business in California and fulfils one or more of the following characteristics:
- It has gross annual revenues of at least $25 million
- It annually buys or sells—or receives or shares for commercial purposes—personal information from at least 50,000 consumers, households, or devices
- It derives at least half of its annual revenues from selling consumers’ personal information
The CPRA keeps the CCPA’s definition of a “business,” with a small but significant change to section “b”: a business now “annually buys, sells, or shares the personal information of 100,000 or more consumers or households.”
Data Rights
What rights do consumers have?
Consumers have the following rights under the CCPA:
- The right to know
- The right of access
- The right to delete
- The right to opt out of the sale of personal information
- The right to non-discrimination
The CPRA adds the following rights:
- The right to correct
- The right to opt out of the sharing of personal information
- The right to limit the disclosure of sensitive personal information
Under both California laws, businesses must respond to a request within 45 days, with a possible extension of 45 days where necessary.
Compliance with CCPA and CPRA
Addressing compliance under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) involves understanding distinct responsibilities for businesses, service providers, third parties, and contractors. These roles have specific obligations designed to safeguard consumer privacy and ensure proper data handling practices are maintained across the ecosystem. Here’s a detailed look at compliance requirements for each category:
Compliance for businesses
Businesses under both CCPA and CPRA have a range of obligations, including:
- Transparency: Providing clear and accessible privacy notices that inform consumers about the categories of personal data collected and the purposes for which the data is used.
- Consumer rights fulfillment: Facilitating consumer rights such as access, deletion, and correction of their personal data. Businesses must provide mechanisms for consumers to submit requests and must respond to these requests within specified timeframes.
- Data minimization and purpose limitation: Under CPRA, businesses must not collect more data than necessary and must limit the use of data to the purposes explicitly disclosed to the consumer.
- Data security: Implementing reasonable security procedures and practices appropriate to the nature of the information to protect personal data from unauthorized access, destruction, use, modification, or disclosure.
Compliance for service providers
Service Providers are entities that process personal information on behalf of a business and are subject to specific requirements:
- Contractual obligations: Must enter into a contract with the business that specifies processing instructions, the nature and purpose of processing, and obligates them to confidentiality and the security of the data.
- No secondary use: Service providers are prohibited from retaining, using, or disclosing personal information obtained while providing services except for the specific purpose of performing the services specified in the contract.
- Assistance with consumer rights: Service providers must also help businesses in fulfilling consumer rights requests, including deletion and access requests.
Compliance for third parties
Third Parties receive personal information from businesses but do not act as service providers. Their compliance includes:
- Understanding restrictions: They must understand and respect restrictions imposed by the CCPA/CPRA on how they can use, sell, or disclose the personal information they receive.
- Transparency and accountability: Ensuring that their data handling practices align with the privacy obligations of the CCPA/CPRA when interacting with consumer data provided by other businesses.
Compliance for contractors
Introduced by the CPRA, Contractors are similar to service providers but with slightly nuanced responsibilities:
- Contractual restrictions: Like service providers, contractors must have a contract in place that limits their ability to process personal information to the purposes specified by the business.
- Data security and confidentiality: Contractors must adhere to the same levels of data security as required of service providers and are restricted from sharing personal information except as directed by the business.
Targeted advertising rules
A critical aspect of both the CCPA and CPRA is how they regulate online advertising, particularly in relation to the use of cookies. These laws address concerns over consumer privacy in the digital advertising space.
CCPA: The law mandates that businesses provide consumers with the option to opt out of the “sale” of their personal information. Given the law’s broad interpretation of what constitutes a “sale,” this requirement has typically been understood to include mechanisms allowing consumers to refuse third-party cookies that track their activities across the internet.
CPRA: This act further clarifies and extends the requirements established under the CCPA. Businesses must not only provide an opt-out for the sale of personal information but also its sharing. This enhancement explicitly includes cookies, thereby tightening the regulations around how personal data can be utilized in targeted advertising. The CPRA ensures that consumers have more explicit control over both the sale and the sharing of their information, affecting how businesses handle data within the advertising ecosystem.
Both laws make it essential for businesses engaged in online advertising to carefully manage how they deploy cookies and other tracking technologies, ensuring that they maintain transparent mechanisms for consumers to exercise their privacy rights effectively.
Processors/Service providers
The EU and California laws all include a similar type of entity—called a “processor” under the GDPR and a “service provider” under the CCPA and CPRA.
Under all three laws, a processor (or service provider):
- Processes personal data on behalf of a controller (or business)
- Acts on the controller’s (or business’) written instructions under a contract
- May not process personal data for purposes outside of this contract
Despite this core similarity, there are some important differences between the three laws.
Under the CCPA, the agreement between a business and its service provider contains fewer mandatory clauses. For the most part, the agreement simply has to oblige the service provider not to process personal information outside of the contract.
The CPRA adds several new obligations on service providers, including:
- Additional mandatory clauses in the service provider agreement
- A legal requirement to assist the business with data security
- A legal requirement to assist the business with facilitating consumer rights requests
Enforcement
Under the CCPA, the California Attorney General can issue civil penalties of:
- Up to $7,500 per intentional violation
- Up to $2,500 per unintentional violation
Consumers can also bring private legal claims for data breaches, which can result in:
- Actual damages covering any losses
- Statutory damages of between $100 and $750 per consumer, per incident
The CPRA establishes the California Privacy Protection Agency (CPPA), which will enforce the law alongside the California Attorney General. The CPRA also expands the CCPA’s enforcement provisions slightly:
- Violations involving the personal information of children under the age of 16 are always treated as “intentional.”
- The definition of a “data breach” is broadened slightly.
California leads the way: The evolution of data privacy through CCPA and CPRA
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are pivotal developments in the United States’ approach to data privacy laws.
Both laws aim to protect the privacy of California residents by empowering them with substantial control over their personal information. While sharing foundational principles, the CPRA advances these protections by introducing stricter compliance thresholds, broadening consumer rights (including the right to correct inaccuracies and to restrict the use of sensitive data), and imposing more rigorous data minimization and retention standards.
Additionally, the establishment of the California Privacy Protection Agency under the CPRA significantly enhances the enforcement of these privacy laws, ensuring the protection of consumer rights. As digital privacy norms continue to evolve, California’s legislative actions set a progressive example that could influence future data privacy regulations nationwide and beyond.