close

Data Privacy

What is CCPA vs. CPRA?

DataGrail June 1, 2022

In an age when every person represents a set of valuable data, state governments from Virginia to Utah and Colorado to California are addressing data privacy issues amidst growing concerns about how data and sensitive personal information is collected, processed, and shared. 

As new regulations and data privacy laws are enacted, businesses will need to quickly adapt their privacy policies to align with legal expectations and enforcements. 

For example, two landmark pieces of comprehensive data privacy legislation, the California Privacy Rights Act (CPRA) and the California Consumer Privacy Act (CCPA), affect privacy compliance for any company that targets customers in California.

Wondering about the importance of data privacy laws? In this detailed comparison, we’ll break down the major differences between the CCPA and CPRA so that your business can prepare accordingly. Read on to learn more about:

  • The establishment and impact of California’s brand-new privacy agency
  • Where the CPRA extends the CCPA: opt-out requirements, consumer privacy requests, audit & risk assessments, and enforcement
  • The major impact on businesses regarding regulation changing in the next 2-3 years

What is CCPA? 

In 2018, Gov. Jerry Brown signed the California Consumer Privacy Act (CCPA), the first comprehensive consumer privacy bill in the United States. This historic bill provides any California resident with rights and protections similar to the European Union’s revolutionary General Data Protection Regulation (GDPR) act, which went into effect in 2018. 

The CCPA went into effect on January 1, 2022. Among other rights, protections, and regulations, this data privacy law is characterized by a dual focus on: 

  • Consumer rights – Under the CCPA, consumers have the right to know what sensitive personal information is collected and shared with third parties. They also enjoy the right to access their own data, delete their information, or opt out of sharing it altogether. 
  • Business regulations – Like the GDPR, the CCPA applies to any businesses that collect, store, or sell data of consumers who reside in California, regardless of location. 

What is CPRA? 

Passed on November 3, 2020, the California Privacy Rights Act (CPRA) – sometimes referred to as CCPA 2.0 – will be the successor to the CCPA. This data privacy law is scheduled to take over as California’s primary privacy regulation in 2023.

Compared to the CCPA, the CPRA aligns more closely with the GDPR. It bolsters the strengths of the CCPA and adds additional provisions to prevent a sensitive data breach, such as:

  • Employee rights – The CPRA takes measures to ensure that employee data is protected with the same diligence as regular consumer data. 
  • Expanded opt-out requests – The CCPA made it possible for California residents to refuse to share their sensitive data. The CPRA improves on that right, expanding that option to include “Do not sell or share.” In other words, California consumers will have the right to decide who can sell and share their personal data in addition to collecting it. 

CPRA provides stronger protection to consumers personal information, giving them the right to further limit the use and disclosure of their information, including precise geolocation.

The California Privacy Protection Agency

Perhaps one of the most unique changes already implemented by the CPRA is the creation of a brand-new administrative agency, the California Privacy Protection Agency. As the first-ever state agency dedicated solely to privacy, the organization is responsible for enforcing and regulating privacy laws for Californians and making additional rules and guidelines under the CPRA. 

The California Privacy Protection Agency is governed by a five-member board. Board members are elected and assisted by an executive director. This board will largely influence which parts of the law will be enforced on which companies. The CPRA has funding allocated towards the agency, including an appropriation of $5 million in 2021 and $10 million each year after.

Rulemaking will be a primary part of the agency’s role in the future. The CPRA requires regulations to be adopted in 22 areas—including 15 not originally identified in the CCPA. These will need to be fully fleshed out by the new agency to fully specify requirements.

In addition to rulemaking and enforcement, the agency will have several other functions, including: 

  • Privacy rights education and awareness 
  • Advisement for consumers and businesses
  • Cooperation with agencies and collaboration with other states that enforce privacy laws
  • Advisory on new privacy-related regulation

CCPA vs CPRA: Who is Subject?

A business falls within the scope of the CCPA statute if one or more of the following applies:

  • Has in excess of $25 million in annual gross revenue 
  • Buys, receives, sells, or shares the personal data of 50,000 or more consumers 
  • Derives 50% or more of its annual revenue from selling or sharing personal data

The CPRA, on the other hand, modifies these thresholds. A business falls under its purview if it:

  • Has in excess of $25 million in annual gross revenue 
  • Buys, receives, sells, or shares the personal data of 100,000 or more consumers 
  • Derives 50% or more of its annual revenue from selling or sharing personal data 

Not sure if your business has to comply? Find out quickly with our CPRA Compliance Quiz.

CCPA vs CPRA: Opt-out Requirements

When it comes to opt-out requirements, the CPRA extends consumer rights far beyond the provisions provided by CCPA. Whereas CCPA only allows for consumers to opt out of selling their personal information, the CPRA gives them the right to prevent businesses from sharing their information, as mentioned above.

But what constitutes the sharing of consumer data? 

Under the CPRA, sharing is defined as providing personal information that can be used for:

  • Behavioral advertising
  • Targeted advertising 

The CPRA will also enact rules preventing businesses from collecting additional information beyond what is necessary for processing an opt-out request or consumer privacy request. 

CCPA vs CPRA: Consumer Requests 

Further improving upon standards set by the CCPA, the CPRA broadens the range of information that consumers can request from businesses. Under the CPRA, consumers can request five primary kinds of information from companies that collect and store their personal data. These include:

  1. Categories of personal information – Consumers have the right to know what kind of personal data may be collected from various organizations, including race or ethnicity, citizenship status, and religious beliefs.
  2. Categories of collection sources – CPRA allows consumers to request information regarding where their personal data was harvested.
  3. Collection purpose  – Consumers have the right to request information from businesses on the business’s purpose for collecting, selling, or sharing personal information.
  4. Third-party access – Consumers have the right to know the categories of third parties to whom the business discloses personal data.
  5. The specific information collected – Under the CPRA, consumers have the right to know what specific personal data businesses are collecting.

CCPA vs CPRA: Right to Delete

Further distinguishing itself from the CCPA, the CPRA provides consumers with increased right-to-delete power. They can request that a business completely delete any data that’s been collected from them.

Additionally, the CPRA requires that when a company receives a deletion request, it must: 

  • Notify any third parties with whom it has shared consumer data 
  • Instruct third parties to comply with the deletion request

The CCPA has a similar requirement, mandating that businesses delete data in “its existing systems.” However, the CPRA clarifies this and highlights it as an essential part of a deletion request.

Interested to know how many data subject requests (DSRs) you can expect to receive under the CCPA and CPRA? Check out our 2021 CCPA trends report to gain insight from the analysis of millions of DSRs over the past year.

CCPA vs CPRA: Audit and Risk Assessments

The CPRA invokes new regulations surrounding audit and risk assessments for companies. This provision will require businesses that process consumers’ personal information to conduct annual cybersecurity audits and risk assessments to reduce the threats to the privacy and security of consumer data.

The exact requirements for businesses and the depth of their assessments will be determined by the California Privacy Protection Agency within the next year. The agency will also be developing more guidance on what cybersecurity and risk assessment entail in a given industry.

The risk assessments are required to be presented to the agency for review and must include details regarding the data such as:

  • What it contains
  • Where it’s stored
  • How it’s stored 

Enforcement

The CPRA will be enforced by the California Privacy Protection Agency. The agency will create a range of guidelines, addressing what is CCPA compliance, its specific requirements, and how measures will change under the CPRA.

The amount of the potential administrative fine is the same as under the CCPA. In assessing fines, the agency will distinguish between two kinds of violations:

  • Unintentional violations – When a company falls out of compliance by accident or mistake, it may incur CPRA fines up to $2,500 per violation.
  • Intentional violations – In instances where companies intentionally mismanage consumer data, fines of up to $7,500 per violation may apply. 

However, a key difference under the CPRA is that fines increase to $7,500 for each violation of CPRA involving the personal information of consumers under the age of 16.

Stay Compliant with DataGrail 

The CPRA will enforce a wide array of changes to privacy for California residents and bring U.S. privacy regulations closer in line with the GDPR. With new requirements for opt-out, audit and risk assessments, and consumer requests, the CPRA will greatly impact privacy practices for small and large businesses alike. 

Most provisions of the California Privacy Rights Act will become operative at the beginning of 2023. Are you concerned about the coming changes and keeping your business compliant? If so, you need DataGrail.

At Datagrail, we know that making sense of all the complicated state, federal, and international privacy laws that your business has to adhere to isn’t easy. For example, if you have questions such as, “What is GDPR?” we’ve got you covered! We built our innovative data privacy platform so that businesses of all kinds have an easy-to-use resource for managing, automating, and keeping your data privacy programs compliant. 

Get started now. 


Sources: 

Bloomberg Law. CCPA vs CPRA: What’s the Difference? https://pro.bloomberglaw.com/brief/the-far-reaching-implications-of-the-california-consumer-privacy-act-ccpa/ 

California Attorney General. Consumer Privacy. https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf 

Hanson Bridgett. California Privacy Rights Act: What’s Next? https://www.hansonbridgett.com/Publications/articles/2021-09-14-ca-privacy-rights-act