CCPA vs. CPRA: What’s The Difference?

When thinking about data privacy for California residents, there are two acronyms that you should be aware of. The first is CCPA, or the California Consumer Privacy Act, enacted in 2018 and went into effect on 1 January 2020. The second is CPRA, or the California Privacy Rights Act, which is set to go into effect on 1 January 2023. What’s the difference? Read on to find out--and to learn more about what these data protection acts mean for you!

What is the CCPA?

The California Consumer Privacy Act (CCPA) is a data privacy law that applies to businesses that collect, process, or sell the personal information of Californian consumer data. The law requires businesses to disclose what personal information they collect, why they collect it, and with whom they share it. Businesses must also provide consumers with the ability to opt out of the sale of their personal information. The CCPA went into effect on 1 January 2020.

The CCPA is the California answer to the European Union’s General Data Protection Regulation (GDPR). Both laws give consumers the right to know what personal information is involved with the data collection process about them and the consumer right to opt out of the sale of their personal information. However, there are some key differences between the two data privacy regulations.

The GDPR applies to any business that processes or collects the personal data of EU citizens, regardless of where the business is located. The CCPA only applies to businesses that are based in California or that do business in California and meet one or more of the following criteria:

• Have annual gross revenues above $25 million
• Collects, sells or shares for commercial purposes the personal information of 50,000 or more consumers , households or devices
• Derives 50% or more of its annual revenue from selling consumers’ personal information
  

What is the CPRA?

The California Privacy Rights Act (CPRA) is a law specific to the state of California that strengthens and builds upon the California Consumer Privacy Act (CCPA). The CPRA creates new Californian rights and gives the California Attorney General new enforcement powers. Also known as CCPA 2.0 or Proposition 24, the CPRA is a ballot proposition approved by most California voters after appearing on the ballot for the general election on 3 November 2020.

The CPRA, like the CCPA rulemaking, is based on the opt-out cookie consent framework, which means no consumer consent is required to use cookies provided that data subjects are given the right to opt out.

The CPRA was enacted to address concerns that the CCPA did not go far enough to protect data subjects’ privacy rights. The CPRA amends several sections of the CCPA and adds several new provisions, including:

• Creating a right to know what personal information is being collected about you
• Giving you the right to opt out of the sale of your personal information (as opposed to opt-in)
• Giving you the right to request that your personal information be deleted
• Prohibiting businesses from discriminating against you if you exercise your privacy rights
• Establishing a new enforcement agency, the California Privacy Protection Agency (CPPA), with greater powers to enforce the law

The enforcement will begin on 1 January 2023, and until then, CCPA will remain the primary governing legislation. 

Who needs to comply with CPRA?

The CPRA keeps most CCPA thresholds intact but makes a few significant changes.

CCPA

• Has annual gross revenue over $25 million.
• Buys, or receives, or sells, or shares personal information of 50,000 or more consumers, households or devices for commercial purposes.
• Gets 50% or more of its annual revenues from consumer’s selling personal information.

CPRA

• Has annual gross revenue over $25 million in the preceding calendar year.
• Buys, or sells, or shares the personal information of 100,000 or more consumers or households.
• Gets 50% or more of its annual revenues from selling, or sharing consumer’s personal information.

Before the passage of CPRA, businesses could use any common branding even if they shared California consumers’ personal information. Now that CPRA has been passed, applicable businesses will be bound by new laws in addition to the old ones.

How is the CCPA similar to the CPRA?

The CCPA and CPRA are both data privacy laws regulating how businesses handle California residents’ personal information. They share many similarities, such as:

• Both laws give Californians the right to know what personal information is being collected about them, why it is being collected, and how it will be used.
• Both laws give Californians the right to request that their personal information be deleted.
• Both laws give Californians the right to opt out of having their personal information sold to third parties.
• Both laws require businesses to provide a clear and conspicuous link on their website homepage that says “Do Not Sell My Personal Information.”

Read more about the CPRA requests here.

How does the CCPA differ from the CPRA?

CPRA covers new categories of businesses

CPRA creates two new categories of businesses. Joint ventures and partnerships where each business has at least 40% interest will be considered separate entities apart from the original. Any company that can’t meet the threshold can self-certify with a newly created California Privacy Protection Agency to comply with CPRA rules.

California Privacy Protection Agency (CPPA)

CPRA was passed because of the need to protect the rights of Californians as consumers. The California Privacy Protection Agency (CPPA) was created because of this need, with the power to implement and enforce the CPRA. It is the primary enforcement authority of California’s privacy program under the Office of the Attorney General. One way CPPA will do this is through its ability to investigate any possible violations to its consumer privacy rights and launch appropriate action. They can also issue binding regulatory rules and enforcement action for providers to avoid noncompliance.

New definitions included in CPRA

Sensitive personal information

The CPRA expands the categories of personal information to include sensitive personal information, and it includes:

• Social security number, driver’s license, passport, or state ID card numbers 
• Account log-in credentials like password, security, or access code
• Precise geolocation
• Racial or ethnic origin, religious belief, or union membership
• Contents of mail, email, or text
• Genetic information
• Biometric information that can identify the consumer 
• Medical data
• Sex life or sexual orientation

If you check the box under CPRA, you can limit a business’ use of sensitive personal information and disclosure of sensitive data. The business must provide a clear and conspicuous link on its website homepage titled “limit the use of my sensitive personal information.” It’s in addition to the opt-out link required under CCPA.

Consent

CPRA explicitly defines what does and does not constitute consumer consent. It defines consent as a specific, freely given, specific, informed, and unambiguous indication of the consumer’s intent.

Consent does not include the following:

• General or broad acceptance of terms of use or similar document
• Hovering over, muting, pausing, or closing a given piece of content (such as cookie banners or privacy notices) or
• Consent obtained through the use of dark patterns

Contractor

The CPRA amends the definition of service providers, contractors, and third parties in the CCPA. The CPRA introduces a new category: contractors. Those are defined as people for the business making consumers’ personal information available to others under a written contract. Also, CPRA requires these contractors to clarify that they understand and will comply with the requirements. Lastly, an independent certification entity would be charged with certifying compliance from those unable to comply with the CPRA.

Third-party and service provider

The CPRA defines a service provider as a “person who processes personal information on behalf of a business” for business purposes under contract. Anyone other than the company, contractor, or service provider is considered a third party. A third party cannot be a business with which the consumer interacts on purpose and collects personal information directly from consumers.

Sharing

The definition of “sharing” under the CPRA has been introduced. Sharing means any disclosure of personal information to third parties for cross-context behavioral advertising--whether or not it is monetary or other valuable consideration. The definition now makes it clear that any disclosure of personal information for targeted advertising is also subject to consumer opt out. If a company shares personal information, it can post a link that says “Do Not Share My Personal Information” and allow consumers to opt out of sharing.

Profiling

CPRA defines profiling as any form of automated data processing of personal information to make predictions about an individual, such as “performance at work, economic situation, health, preferences, interests, reliability, behavior, location or movements.”

New rights for consumers under CPRA

Right to opt out of sharing

CPRA also broadens the CCPA’s right to opt out by allowing for the sale of personal information and sharing of personal information, including data shared with a third party for “cross-context behavioral advertising.” It refers to targeted advertising to a consumer based on data obtained from the consumer’s activity on websites, apps, or services other than the one with which the consumer interacts intentionally. Learn about Cross-Context Behavioral Advertising under the California Privacy Rights Act (CPRA).

The right to opt out of sharing, like the provision in the CCPA, does not extend to sharing personal information with service providers and contractors.

Right to opt out of automated decision making

Consumers will now have the right to know about and opt out of automated decision-making, similar to the GDPR provision. Businesses will be required to provide information about the “logic involved in automated decision-making processes” and to inform customers about the process’s likely outcome.

Rights of children

The CPRA strengthens minors’ opt-in rights. Under 16, a business must obtain opt-in consent before selling or sharing a consumer’s personal information. The CPRA also requests that “technical specifications for an opt-out preference signal that allows the minor or their parent to specify that the consumer is less than 13 or between 13 and 16 years of age” be established.

Right to delete and correct

Furthermore, businesses must inform consumers how long they intend to keep their personal information (retention). Consumers can also request that their data be deleted (deletion) or corrected (modification). Businesses must also notify third parties with whom they have shared consumer request data.

Right to access

Consumers can now request information about themselves that was collected more than a year ago. Businesses may refuse to provide information beyond a 12-month look-back period if it requires undue effort. This applies to data collected on or after 1 January 2022.

Right to data portability

Consumers can use the CPRA to request that businesses send specific personal information to another entity. The CPRA also states that data should be provided in a format easily understood by the average consumer and a commonly used, machine-readable format.

Other significant CPRA changes

Contractual requirements

Businesses must have appropriate contractual provisions in place with service providers, contractors, and third parties, according to the CPRA. Such contracts forbid the retention, use, or disclosure of personal information for purposes other than those specified in the contract. Contracts may also allow businesses to monitor service providers’ compliance with contractual provisions through manual reviews, automated scans, regular assessments, and audits at least once a year.

Data minimization

The concept of data minimization and purpose limitation, which are core GDPR principles, is introduced by CPRA. The CPRA requires businesses to collect only personal information reasonably necessary for the purpose for which it is collected. Furthermore, businesses cannot keep personal information longer than is necessary for the purpose for which it was collected.

Risk assessment

While the CCPA requires businesses to implement reasonable security procedures and practices to avoid data breaches, intentional violations, and other security risks, the CPRA requires more stringent auditing. Businesses that pose a “significant risk” to the privacy of their customers must conduct annual cybersecurity audits. The California Privacy Protection Agency requires them to submit a regular risk assessment. The risk assessment should be performed concerning their processing of personal information, including whether sensitive data is involved and weighing the benefits to the business, the consumer, and other stakeholders.

Extension of employee exemption

Certain employment and personal information involved in business-to-business (B2B) communications and transactions were exempted under the CCPA. This exemption was supposed to end on 1 January 2021. However, the CPRA extended the exemptions for employment and business-to-business data until 1 January 2023.

Conclusion

The CCPA and CPRA are two very important pieces of legislation that will profoundly impact how businesses operate. It’s crucial that you understand the difference between the two to be compliant with both. The CCPA applies to businesses that collect and sell the personal information of California residents. In contrast, the CPRA regulations apply to businesses that process the personal data of Californians for purposes such as targeted advertising. While there are similarities between the two laws, it’s important to understand the key differences to ensure your business has both CCPA and CPRA compliance.