CPRA vs CCPA: Unpacking the Differences [Updated 2023]

CPRA vs CCPA: At a glance

  • The California Privacy Rights Act (CPRA) amended the California Consumer Privacy Act (CCPA)‚Äďmodifying its scope, expanding consumer rights, and adding additional regulations around commercial data collection and processing.

  • For businesses operating in California, understanding the difference between CPRA and CCPA is critical‚ÄĒthe CPRA modified regulations have been finalized and California Privacy Protection Agency's enforcement date is right around the corner.

  • Read on learn about the differences between CCPA vs CPRA, plus how these updates will affect your business in the future.

Table of contents

CPRA vs CCPA: New consumer rights

The CPRA amended the CCPA to add four new consumer rights.

Right to correction

Consumers have the right to correct inaccuracies in their own personal data held by an organization.

Right to limit sensitive personal information

If a business collects a consumer‚Äôs sensitive personal data, the¬†consumer can request¬†that the business limit that data‚Äôs use to what‚Äôs ‚Äúnecessary to perform the services or provide the goods reasonably expected by an average consumer.‚ÄĚ

Right to access and opt-out of automated decision making

Businesses must respond to consumer requests for information about the logic behind automated decision-making and the likely outcome of those processes.

Consumers may opt-out of automated decision-making, including¬†profiling, in regards to their ‚Äúperformance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.‚ÄĚ

Right to data portability

Consumers can ask a business to transmit their personal data to another business.

CPRA vs CCPA: Expanded rights

Right to know

Under the CCPA, consumers may request information about the personally identifiable information (PII), as well as the categories of PII a business collects and sells. The CPRA expands this right to include the data a business shares.

It also expands the timeframe for which a consumer can request that information. A consumer may request information beyond the standard 12 months prior window with two caveats:

  • The data was collected on or after January 1, 2022

  • Fulfilling the request is possible and doesn‚Äôt require ‚Äúdisproportionate‚ÄĚ effort.

Businesses are not obligated to keep data for a set period of time, so though a consumer may make requests, the data may not be available.

Right to opt out

The CPRA allows consumers to opt out of both data sale and data sharing. Under the CCPA, they could only opt out of data sale. The CPRA defines data sharing as:

‚Äúsharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer‚Äôs personal information by the business to a third party‚ÄĚ

An action counts as sharing whether or not money was exchanged.

Right to delete

Though the CPRA maintained the same basic ‚ÄėRight to delete‚Äô framework, it added additional guidance about moving these requests downstream.

Under the CPRA, after receiving a consumer data deletion request, businesses must pass the request to any third parties to whom the consumer‚Äôs data was shared or sold‚ÄĒinstructing they delete the data as well.

The CPRA does offer a few exceptions to this rule, including if the consumer’s data is necessary for completing a requested transaction, part of a security incident, or part of a server log necessary for debugging an error.

Opt-in rights for minors 

The CCPA already required businesses get opt-in consent from any minor under 16. Expanding this requirement, the CPRA states that if a minor refuses the sale or sharing of their personal data, the business must wait 12 months to request consent again.

CPRA vs CCPA: Sensitive personal information

Under the CPRA, sensitive personal information (SPI) includes:

  • Identifying information like social security and driver‚Äôs license numbers

  • Credit and debit card numbers

  • Log-in credentials for financial accounts

  • Precise geolocation data

  • Information about a consumer‚Äôs race, ethnicity, and religious beliefs

  • Content from a consumers emails, mail, and texts

  • Uniquely identifying biometric data, including genetic data

  • Information about a consumers health, sex life, or sexual orientation

In contrast, the CCPA only defined requirements around ‚Äúpersonal information,‚ÄĚ which was defined as:

‚Äúinformation that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.‚ÄĚ

Put simply, personal information could identify you or your household. And sensitive personal information builds on that definition by including the data types listed above.

Learn more about how to handle sensitive personal information under CPRA.

CPRA vs CCPA: Data "sharing"

While the CCPA largely only governs data sale, the CPRA places new requirements on data sharing. Data sharing is defined as:

‚Äúsharing, renting, releasing, disclosing, disseminating, making available, [or] transferring [...] a consumer‚Äôs personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration‚ÄĚ

In other words, if you allow an external party access to consumer information for the purpose of cross-context behavioral advertising, in any form, it‚Äôs considered¬†data sharing‚Äď‚Äďeven if no money was exchanged.

Data sharing is regulated under the CPRA, which gives consumers the right to opt-out, know, and request deletion for any personal data that’s been shared with a third-party.

This new level of scrutiny stems from the fact that, to circumvent data sale regulations under the CCPA, many businesses were exchanging data without a direct monetary transaction.

CPRA vs CCPA: California Privacy Protection Agency

The CPRA established the California Privacy Protection Agency (CPPA), an entirely new agency tasked with enforcing California’s growing canon of privacy regulation.

Headed by Ashkan Soltani, the CPPA will be responsible for auditing CPRA compliance, evaluating potential violations, levying fines, and implementing new privacy laws.

The CPPA worked on finalizing the CPRA's requirements through 2022, having requested feedback on topics including cybersecurity audits and risk assessments, automated decision-making, CPPA auditing, and the particulars of certain consumer rights.

As of March 2023, the CPRA modified regulations were finalized and approved by the California Office of Administrative Law.

Read the New York Times profile on Mr. Soltani and his novel approach to building out the CPPA.

CPRA vs CCPA: 30 day cure period

Businesses will no longer have an automatic 30 day cure period, which previously allowed a window where organizations could attempt to address violations. The CPRA made this cure period discretionary, meaning it can be granted by the CPPA on a case-by-case basis.

The CPRA also clarifies that implementing ‚Äúreasonable security‚Ä̬†after¬†a breach does not count towards a meaningful cure.

In other words, if a company fails to provide enough security for sensitive data and then experiences a breach‚Äďthey will still be held accountable even if they implement additional security measures after the fact.

CPRA vs CCPA: Private right of action

The CCPA offered consumers a private right of action in cases when an organization failed to protect their unencrypted or unredacted data. The CPRA expanded this scope to include a users email address, password, or security question, stating:

‚ÄúAny consumer whose nonencrypted and nonredacted personal information¬†[‚Ķ] is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business‚Äôs violation of the duty to implement and maintain reasonable security procedures and practices¬†[may]¬†institute a civil action‚ÄĚ

In light of steadily increasing cyberattacks and high-profile security breaches, organizations should be especially mindful of this scope expansion. A breach that results in exposure of these credentials could lead to significant, consumer-initiated legal action.

Notably, the CCPA and CPRA are the only US state privacy laws that afford the private right of action‚ÄďColorado,¬†Virginia, and¬†Utah¬†don‚Äôt provide this right under any circumstance.

CPRA vs CCPA: Data processing thresholds

Under the California Privacy Rights Act, businesses must process the personal data of at least 100,000 consumers‚Äďdoubling the CCPA‚Äôs 50,000 threshold.

Impact: Many small and medium sized businesses may end up exempt.

To be clear, the data processing threshold is not the only way an entity can trigger the CPRA. The CRPA also applies to any business which:

  • Has a gross annual revenue exceeding $25 million

  • Buys, sells, or shares personal data for 100,000 or more California residents

  • Derives 50% or more of annual revenue from selling or sharing California residents‚Äô personal data

If a business meets any of these criteria, the CPRA applies.

CPRA vs CCPA: Contract requirements for third-parties

The CPRA requires comprehensive contracts between businesses and any third parties with whom data is being shared or sold. More than that, these contracts must:

  • Specify the purpose for which the data is being sold or shared

  • Place the third party under the same CPRA obligations as the business, meaning the third party must comply with CPRA privacy protection requirements

  • Give the business enough power to enforce their CPRA obligations throughout the third-party‚Äôs data processing activities

  • Require notice if the third party feels unable to meet their obligations as defined by the contract

  • Enable the business to effectively address inappropriate use of consumer data

These new requirements are intended to ensure better data governance and security throughout any third-party processing, so it’s important that businesses consider these contracts carefully.

Learn more about third party and service provider contracts under CPRA.


About Transcend

Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack. If your organization has been impacted by the CCPA/CPRA or other consumer privacy laws, Transcend can help you ensure compliance.

Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.

Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.


Additional CPRA resources

Share this article

Discover more articles

Snippets

Sign up for Transcend's weekly privacy newsletter.

    By clicking "Sign Up" you agree to the processing of your personal data by Transcend as described in our Data Practices and Privacy Policy. You can unsubscribe at any time.

    Discover more articles