California Privacy Rights Act: How CCPA 2.0 is Shaping the Privacy Landscape
If you’re involved in privacy, you’ve probably been well aware of the two landmark comprehensive data privacy laws in California, the CCPA and the CPRA.
In the age of privacy, user rights are being placed at the forefront of new legislation in the US. As these regulations are enacted, businesses will need to quickly adapt their privacy policies to align with the legal expectations and enforcement that respond to growing concerns about how data is collected, processed, and shared. In this detailed comparison, we break down the major differences between the CCPA and the CPRA. Read on to learn more about:
- The establishment and impact of California’s brand-new privacy agency
- Where the CPRA extends the CCPA: opt-out requirements, consumer privacy requests, audit & risk assessments, and enforcement
- The major impact on businesses regarding regulation changing in the next 2–3 years
California Consumer Privacy Act (CCPA)
In 2018, Gov. Jerry Brown signed the California Consumer Privacy Act (CCPA) — the first comprehensive consumer privacy bill in the US, providing California consumers with rights and protections similar to the revolutionary GDPR. It went into effect on January 1, 2020, and enforcement began on July 1, 2020. Any business that collects, stores, or sells California consumers’ data is affected by the CCPA, regardless of where the business is located.
The original California privacy law ensures consumers the right to know what personal information is collected and shared with third parties. It also offers consumers the ability to access or delete their information and opt out of the sale of personal information.
California Privacy Rights Act (CPRA)
Passed November 3, 2020, the CPRA (sometimes referred to as CCPA 2.0) will be the successor to the CCPA, taking over as the primary privacy regulation in California. The CPRA becomes effective in 2023, with a lookback period going as far back as 2022.
One of the most notable changes already implemented by the CPRA is the creation of a brand-new administrative agency to help enforce and regulate privacy for Californians and to make additional rules and guidelines under the CPRA. For consumers, the CPRA provides stronger protection, giving them the right to further limit the use and disclosure of their information, including precise geolocation.
Compared to the CCPA, the CPRA aligns more closely with the GDPR. It includes employees as data subjects and grants additional rights to consumers within California. Also, the CPRA allows consumers to limit how businesses handle and share their data beyond the requests allowed under CCPA. The scope for opt-out requests is expanded to include “Do not sell or share” — meaning consumers must be able to easily opt out of both the sale and sharing of their personal data.
The California Privacy Protection Agency
The California Privacy Protection Agency will be the first state agency directly dedicated to privacy. The agency will be governed by a five-member board, and the CPRA requires regulations to be adopted in 22 areas, including 15 not originally identified in the CCPA. It will be interesting to see how this regulatory process unfolds and whether the attorney general and the agency begin CPRA rulemaking efforts over the next several months.
The agency will include a board as well as an appointed executive director. Underneath, the Office of the Attorney General (OAG) will provide staff until the agency hires its own. Elected board members and the executive director will largely influence which parts of the law are enforced and against which companies. The CPRA allocates funding to the agency, including an appropriation of $5 million in 2021 and $10 million each year after.
A primary part of the agency’s future role is rulemaking. The specific requirements for the 22 areas in which the CPRA requires regulations (including the 15 new ones) will need to be fully fleshed out by the new agency. More details on the agency’s rulemaking can be found here. If you’re curious about who’s been appointed and the implications of those decisions, check out What the CPPA’s appointments say about enforcement priorities, strategy by Joseph Duball of The IAPP.
The agency will be assuming rulemaking responsibilities for the CPRA by July 1, 2021, at the latest, with the final regulations set to be released by the agency by July 1, 2022.
The agency will have several other functions including:
- Education and awareness surrounding privacy rights
- Advisement for consumers and businesses
- Cooperation with agencies and collaboration with other states that enforce privacy laws
- Advisory on new privacy-related regulation
CCPA vs. CPRA in Detail
Who is subject
The CCPA sets three thresholds that determine whether a business falls under the statute. A business is within the scope of the statute if it meets one or more of the following:
- Have in excess of $25 million in annual gross revenue or
- Buy, receive for commercial purposes, sell, or share for commercial purposes, the personal information of 50,000 or more consumers or households or
- Derive 50 percent or more of their annual revenue from selling consumers’ personal information.
The CPRA keeps these thresholds but modifies them as follows:
- Have in excess of $25 million in annual gross revenue or
- Buy, receive for commercial purposes, sell, or share for commercial purposes, the personal information of 100,000 or more consumers or households or
- Derive 50 percent or more of their annual revenue from selling or sharing consumers’ personal information.
Not sure if your business has to comply? Find out quickly with our CPRA Compliance Quiz
When it comes to opt-out requirements, the CPRA extends beyond the CCPA. The first modification is that section 1798.120 of the CPRA applies the right to opt out to both the sale and the sharing of personal information, whereas the CCPA applied only to the sale of information. “Sharing” is defined as providing information for behavioral advertising or for targeting advertising to a consumer based on personal information. In practice, consumers under the CPRA will be granted the right to opt out of this targeted advertising as well as the sale of their personal data.
The CPRA will also enact rules preventing businesses from collecting additional information beyond what is necessary to process an opt-out request or other consumer privacy request.
Consumer Requests to Know
Most provisions of the California Privacy Rights Act become operative on Jan. 1, 2023. This leaves less than two years for businesses subject to it to develop a proper compliance program, or to update their existing California Consumer Privacy Act compliance program to conform with the amendments introduced by the CPRA.
Under the CPRA, there will be five primary groups of information that consumers can request from companies:
- Categories of personal information
- Categories of sources from which the personal information is collected
- The business or commercial purpose for collecting, selling, or sharing personal information
- Categories of third parties to whom the business discloses personal information
- The specific pieces of personal information it has collected about that consumer
Right to Delete
The CPRA provides consumers with the right to request that a business “delete any personal information about the consumer that the business has collected from the consumer.” The right to delete has been modified by the CPRA: businesses that receive a consumer deletion request must notify and instruct third parties who have purchased or received the consumer’s personal information to delete it. The CCPA has a similar requirement, mandating that businesses delete data in “its existing systems,” but the CPRA clarifies this and highlights it as an essential part of a deletion request.
Audit and risk assessments
Provision 1798.185(a) of the CPRA introduces new regulations surrounding audit and risk assessments for companies. This provision will require businesses that process consumers’ personal information to conduct annual cybersecurity audits and risk assessments in order to reduce risks to consumer privacy and security.
The exact requirements for businesses and the required depth of their assessments will be determined by the California Privacy Protection Agency in the next year. The agency will also develop more guidance on what the cybersecurity audit and risk assessment entail in a given industry. The risk assessments must be presented to the agency for review and must include details regarding where, how, and what personal data is stored by the company.
The CPRA establishes the first state agency dedicated to privacy. The amount of the potential administrative fine is the same as under the CCPA — up to $2,500 per violation or $7,500 per intentional violation. However, a key difference under the CPRA is that fines increase to $7,500 for each violation involving the personal information of consumers under the age of 16. The new California Privacy Protection Agency can investigate possible violations “on its own initiative”.
Enforcement of the CPRA will officially begin on July 1, 2023; however, the regulations are to be adopted on July 1, 2022, and violations dating back to 2022 can be enforced at a later time.
The CPRA introduces a wide array of changes to privacy for California residents and is structured to bring US privacy regulation closer in line with the GDPR. With new requirements for opt-out, audit and risk assessments, and consumer requests, the CPRA will greatly impact privacy practices for small and large businesses alike. The creation of an agency dedicated to privacy will result in additional rules and requirements and will allow for faster and more frequent enforcement of the CPRA once it goes into effect in 2023.
Want to find out how many data subject requests (DSRs) you can expect to receive under the CCPA and CPRA? Check out our 2021 CCPA trends report to gain insight from the analysis of millions of DSRs over the past year.