CPRA vs CCPA: Key Differences
The California Consumer Privacy Act (CCPA) was passed in 2018.
The first comprehensive consumer privacy law in the US, the CCPA established landmark data rights for California consumers and created new obligations for businesses that process the personal information of California residents.
In 2020, California voters passed the California Privacy Rights Act (CPRA). The CPRA amends the CCPA: it modifies the law's scope, expands consumer rights, and adds new rules around commercial data collection and processing.
For businesses operating in California or marketing their goods and services to California residents, these privacy laws can impact digital operations significantly. As these laws come into full force, effective CCPA/CPRA compliance will be crucial for avoiding fines and maintaining consumer trust.
Keep reading to learn about the differences between the CCPA and CPRA, plus how they will affect your business in the future.
Increased data processing thresholds
Under the CPRA, the volume-based threshold is met only when a business buys, sells, or shares the personal information of 100,000 or more California consumers or households in a year, double the CCPA's 50,000 threshold (which also counted devices).
Impact: Many small and medium-sized businesses may end up exempt.
To be clear, this threshold is not the only way an entity can fall under the CPRA. The CPRA applies to any for-profit business doing business in California that:
Has gross annual revenue exceeding $25 million
Buys, sells, or shares the personal information of 100,000 or more California consumers or households
Derives 50% or more of its annual revenue from selling or sharing California residents' personal information
If a business meets any one of these criteria, the CPRA applies.
Additional consumer rights
The CPRA amended the CCPA to add four new consumer rights.
Right to correction: Consumers have the right to correct inaccuracies in their own personal data held by an organization.
Right to limit sensitive personal information: If a business collects a consumer’s sensitive personal data, the consumer can request that the business limit that data’s use to what’s “necessary to perform the services or provide the goods reasonably expected by an average consumer.”
Automated decision making - right to access and opt-out: Businesses must respond to consumer requests for information about the logic behind automated decision-making and the likely outcome of those processes.
Consumers may opt-out of automated decision-making, including profiling, in regards to their “performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.”
Right to data portability: Consumers can ask a business to transmit specific pieces of their personal information to another entity, to the extent that doing so is technically feasible.
Expanded existing consumer rights
Right to know: Under the CCPA, consumers may request the specific pieces of personal information a business has collected about them, as well as the categories of personal information it collects, sells, and discloses. (The statute uses the term "personal information," which is broader than most definitions of PII.) The CPRA extends this right to cover the data a business shares.
It also extends the period a request can cover. A consumer may request information from beyond the standard 12-month lookback window, with two caveats:
The data was collected on or after January 1, 2022
Fulfilling the request is possible and does not require "disproportionate" effort
Businesses are not obligated to retain data for any set period, so a consumer may make such a request only to find that the data is no longer available.
Right to opt out: Under the CCPA, consumers could opt out only of the sale of their personal information. The CPRA extends the opt-out to "sharing," which it defines as disclosing or otherwise making a consumer's personal information available to a third party for cross-context behavioral advertising, whether or not money or other valuable consideration changes hands (the full statutory definition is quoted in the "sharing" section below).
Right to delete: The CPRA keeps the CCPA's basic right-to-delete framework but adds guidance on pushing deletion requests downstream.
After receiving a deletion request, a business must notify its service providers and contractors, and any third parties to which it sold or shared the consumer's personal information, instructing them to delete the data as well, unless doing so proves impossible or involves disproportionate effort.
The CPRA retains several exceptions to deletion, including where the data is needed to complete the transaction the consumer requested, to detect security incidents or protect against malicious, deceptive, fraudulent, or illegal activity, or to debug and repair errors in existing intended functionality.
Opt-in rights for minors: The CCPA already required businesses to obtain opt-in consent before selling the personal information of a consumer under 16 (from a parent or guardian for children under 13). The CPRA extends this requirement to sharing and adds that, if a minor (or parent) declines, the business must wait at least 12 months before asking for consent again.
Establishment of the California Privacy Protection Agency
The CPRA established the California Privacy Protection Agency (CPPA), an entirely new agency tasked with enforcing California’s growing canon of privacy regulation.
Headed by Ashkan Soltani, the CPPA will be responsible for auditing business compliance, evaluating potential violations, levying fines, and implementing new privacy laws.
At the time of this writing, the CPPA was in the process of finalizing the regulations that implement the CPRA, having requested feedback on topics including cybersecurity audits and risk assessments, automated decision-making, CPPA audits, and the particulars of certain consumer rights. The CPPA's rulemaking was scheduled to be complete in Q4 2022.
Read the New York Times profile on Mr. Soltani and his novel approach to building out the CPPA.
Elimination of the automatic 30 day cure period
Under the CCPA, a business notified by the Attorney General of an alleged violation had an automatic 30 days to cure it before enforcement could proceed. The CPRA removes that automatic window for agency enforcement: the CPPA may still allow time to cure, but only at its discretion, case by case.
For the private right of action (discussed below), the CPRA also clarifies that implementing and maintaining "reasonable security" after a breach does not constitute a cure with respect to that breach.
In other words, a company that fails to adequately protect personal information and then suffers a breach remains liable for that breach even if it shores up its security afterwards.
Addition of the “sensitive personal information” designation
Under the CPRA, sensitive personal information (SPI) includes:
Identifying information like social security and driver’s license numbers
Credit and debit card numbers
Log-in credentials for financial accounts
Precise geolocation data
Information about a consumer's race, ethnicity, religious or philosophical beliefs, or union membership
Contents of a consumer's mail, email, and text messages (unless the business is the intended recipient of the communication)
Genetic data, and biometric information processed to uniquely identify a consumer
Information about a consumer's health, sex life, or sexual orientation
In contrast, the CCPA only defined requirements around “personal information,” which was defined as:
“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Put simply, information that could identify you or your household.
Sensitive personal information builds on that definition by including the data types listed above.
Enhanced requirements for data security measures
The CPRA includes several new mandates for enhanced data security, requiring:
“Reasonable” security measures for all categories of personal information
Cybersecurity audits and risk assessments for data processing activities that could negatively impact consumer privacy or data security
Specific contractual terms whenever personal information is sold to, shared with, or processed by third parties, service providers, or contractors
The CPRA also includes what’s been referred to as an affirmative security requirement, stating:
“…[an organization which] collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification or disclosure…”
This diverges from the CCPA in two ways:
The CCPA's breach-related provision reaches only certain categories of personal information (for example, social security and driver's license numbers), not all personal information.
The CCPA provides a private right of action when a business fails to protect a consumer's nonencrypted and nonredacted information, but it does not explicitly require businesses to implement appropriate security measures.
In other words, the CCPA did not itself mandate security measures for personal information; it let consumers sue if the absence of reasonable security resulted in the unauthorized access, exfiltration, theft, or disclosure of their data.
New requirements around data “sharing”
While the CCPA largely governs only the sale of data, the CPRA places new requirements on data sharing. Data sharing is defined as:
“sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration”
In other words, if you allow an external party access to consumer information for the purpose of cross-context behavioral advertising, in any form, it’s considered data sharing––even if no money was exchanged.
Data sharing is regulated under the CPRA, which gives consumers the rights to opt out of, know about, and request deletion of any personal information that has been shared with a third party.
This new level of scrutiny stems from the fact that, to circumvent data sale regulations under the CCPA, many businesses were exchanging data without a direct monetary transaction.
Expanding the private right of action
The CCPA gave consumers a private right of action when a business's failure to maintain reasonable security led to the exposure of their nonencrypted and nonredacted personal information. The CPRA broadens this to cover a consumer's email address in combination with a password, or a security question and answer, that would permit access to the account. The amended text provides that:
"Any consumer whose nonencrypted and nonredacted personal information […] or whose email address in combination with a password or security question and answer that would permit access to the account is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices […]" may "institute a civil action".
In light of steadily increasing cyberattacks and high-profile breaches, organizations should be especially mindful of this expansion. A breach that exposes account credentials, even without any other personal information, could lead to significant consumer-initiated litigation.
Mandatory cybersecurity audits and risk assessments
Under the CPRA, organizations “whose processing of consumers’ personal information presents a significant risk to consumers’ privacy or security,” must conduct annual cybersecurity audits and regular risk assessments.
The CPRA does not itself spell out what counts as "significant risk"; it leaves that to the CPPA's regulations and directs the agency to weigh two factors:
The size and complexity of the business
The scope and nature of processing activities
Cybersecurity audits must have a defined scope and follow a process that ensures they are thorough and independent.
Risk assessments must identify whether the processing involves sensitive personal information and weigh the benefits of the processing (to the business, the consumer, other stakeholders, and the public) against its potential risks to consumers, with the goal of restricting or prohibiting any processing whose risks outweigh its benefits. Risk assessments are to be submitted to the California Privacy Protection Agency on a regular basis.
Adoption of data minimization principles
Data minimization means a business may collect, use, retain, and share a consumer's personal information only as reasonably necessary and proportionate to achieve the purposes for which it was collected, or for another disclosed purpose compatible with the context in which it was collected. Those purposes must be disclosed to consumers, and the business may not collect, store, or use data beyond what is "reasonably necessary."
New contractual requirements for third-party data transfer
The CPRA requires written contracts between a business and any service provider, contractor, or third party to which it sells, shares, or discloses personal information. These contracts must:
Specify the limited and specified purposes for which the data is being sold, shared, or disclosed
Obligate the recipient to comply with the CPRA and to provide the same level of privacy protection the law requires of the business
Grant the business the right to take reasonable and appropriate steps to ensure the recipient uses the data in a manner consistent with the business's CPRA obligations
Require the recipient to notify the business if it can no longer meet its obligations under the contract
Give the business the right to stop and remediate any unauthorized use of the data
These requirements are intended to ensure sound data governance and security throughout any downstream processing, so businesses should draft and review these contracts carefully.
If your organization is subject to the CCPA/CPRA or other consumer privacy laws, Transcend can help you ensure compliance.
Automate data subject request workflows with Privacy Requests, ensure nothing is tracked without user consent using Transcend Consent, or discover data silos and auto-generate reports with Data Mapping.