The California Consumer Privacy Act of 2018 (CCPA) is comprehensive privacy legislation that intends to protect the privacy of consumers. It grants new rights to consumers and gives them more control over their personal information. CCPA was introduced on 3 January 2018 and signed into law on 28 June 2018. The California Privacy Rights Act (CPRA) is a ballot proposition and an upgrade to CCPA. Also known as Proposition 24, the CPRA was put forward in 2020. Approved by a majority of voters, it will be effective from 1 January 2023. CPRA is the improved version of CCPA. In this article, we will look at CCPA vs CPRA and how this change will impact your business.
Why was CPRA introduced?
There is a common misconception that CPRA replaces CCPA, but in reality it amends certain provisions of CCPA. The CCPA provisions were framed to take a neutral stand that would please businesses as well as privacy advocates. Hence, the provisions were not that strict and had several inadequacies. Moreover, they favored big tech companies. CPRA intends to eliminate such inadequacies and implement clearer and stricter rules.
CCPA vs CPRA: an overview [Infographic]
CCPA vs CPRA: notable changes
Let’s have a detailed look at the major changes introduced by CPRA:
More clarity in conditions for consent
CPRA requires that consent must be explicit and separate from other terms and conditions. Consent implied from actions like hovering, muting, or closing the banner (after the user has already opted out) is invalid. Additionally, it prohibits the use of dark patterns or deceptive designs that trick users into opting in.
Updated scope and qualification
Under CCPA, a business must meet any one of these three criteria to be subject to the law and its provisions.
- The business has annual revenue of $25 million or more.
- The business processes the personal information of more than 50,000 consumers, households, or devices.
- The business earns more than half of its annual revenue by selling the personal information of consumers.
CPRA updated and enhanced this scope. In the second criterion, the threshold of 50,000 consumers has been raised to 100,000 consumers. In the third criterion, the word “sharing” was added. Therefore, a business also falls within scope if it earns more than half of its annual revenue by “selling” or “sharing” the personal information of consumers.
Introduction of Sensitive Personal Information
CPRA recognizes a new category of personal information, called Sensitive Personal Information (SPI), which receives a higher level of protection. This concept of Sensitive Personal Information is similar to GDPR’s provision on the processing of special categories of personal data.
Sensitive personal information includes information related to:
- Race and ethnicity
- Religious beliefs
- Political and philosophical opinions
- Genetic and biometric data
- Social security number
- Driver’s license
- Financial information
- Sex life or sexual orientation
The introduction of the Sensitive Personal Information category in CPRA holds businesses more accountable when processing such information. A business needs to take organizational and technical measures to ensure the security of such data.
Further, CPRA asks businesses to meet certain requirements like disclosure and opt-out requirements for SPI.
New and enhanced consumer rights
- Right to opt out of automated decision-making: Consumers can opt out of their SPI being used for automated decision-making.
- Right to know about automated decision-making: Consumers can request access to personal information subject to automated decision-making and its impact on them.
- Right to correct: Consumers can request correction of inaccurate information relating to them.
- Right to limit the use of SPI: Consumers can opt to limit how businesses use and disclose sensitive personal information. Further, consumers have the right to opt out of sharing and selling this sensitive personal information.
In addition to this, CPRA expands the existing rights under CCPA, such as:
- Right to access: CCPA requires businesses to disclose to consumers the personal information collected about them in the preceding 12 months. Under CPRA, the right to access will also include information collected beyond this 12-month period.
- Right to delete: CCPA grants consumers the right to request erasure of their PI. Under CPRA, businesses must also notify the third parties with which they share PI to delete this information.
- Right to opt out: CCPA grants consumers the right to opt out of the sale of their personal information for advertising purposes. Under CPRA, consumers can also opt out of the “sharing” of personal information (including PI of minors) used for cross-context behavioral advertising. However, non-targeted advertising is exempt from this right.
- Right to portability: In CPRA, consumers can request that a business transmit their personal information to other businesses.
- Private right of action: Under CCPA, in case of theft, unauthorized access, or disclosure, the consumer can exercise a private right of action. CPRA enhances this right with a clause that stipulates statutory damages for any breach within the purview of California law.
Implementation of data protection principles
Adoption of GDPR principles like data minimization, purpose limitation, and storage limitation will have a strong impact on the privacy landscape. Further, CPRA empowers the regulator to enforce these principles and penalize non-compliance:
- Data minimization: Businesses must process, retain, and share consumers’ personal information only to the extent reasonably necessary for the defined purposes for which it was collected.
- Purpose limitation: Businesses must only gather personal information for specific, explicit, and legitimate disclosed purposes, and must not use this information for any other purpose.
- Storage limitation: Businesses shall only retain personal information for a definite period, that is, until the disclosed purpose is served, and must not retain it unreasonably long. Moreover, businesses should determine the duration for which they plan to keep each type of personal information, including sensitive PI.
New enforcement authority
This is one of the most significant changes in CPRA. The enforcement authority under CCPA was the California Office of the Attorney General. CPRA establishes a new agency, the California Privacy Protection Agency (CPPA), which will have investigative, enforcement, and rule-making powers under CPRA.
The powers and responsibilities of the CPPA include:
- Administrative enforcement, hearings, and potential sanctions
- Investigation of violations and complaints received
- Educating and creating public awareness about privacy, personal information, and consumer rights
- Cooperating with other agencies, including those of other states, over privacy laws
- Advising and assisting the legislature
- Advertising to consumers and businesses
Updated penalty (for minors) & removal of the cure period
The penalty under CCPA is up to $2,500 for unintentional violations and up to $7,500 for intentional violations. This is the same in CPRA. However, CPRA eliminates the 30-day cure period present in CCPA. Further, CPRA sets a penalty of $7,500 for violation of the privacy rights of minors (under 16 years of age).
What will be the impact of CPRA?
- CPRA will reduce the number of businesses that fall into its scope. That is, only businesses that process the personal information of more than 50,000 consumers, households, or devices will be required to comply. Hence, intermediate-level businesses that needed to comply with CCPA will not have to comply with CPRA anymore. But CPRA also widened its scope by adding the term “sharing” alongside “selling” in the third criterion, bringing businesses into scope if they earn more than half of their annual revenue through “selling” or “sharing” the personal information of consumers.
- Now consumers have more rights and control over their personal information. This will make businesses adopt data privacy as a service to their customers to enhance the business reputation and goodwill. Moreover, this will make the businesses develop more robust privacy-related controls.
- The California Privacy Protection Agency will have a significant role to play in the rulemaking and enforcement of CPRA. We will have to see how this works in practice. We can expect more investigation and administration on the part of the Agency.
- As there is a new category of personal information, Sensitive Personal Information, businesses need to be extremely vigilant and must ensure that additional security and privacy-related controls are adopted. They must make available and respect the option to opt out of the sharing and selling of such sensitive information.
- CPRA will inspire and lead other states to update their own privacy law regimes.
Frequently Asked Questions
What is the California Privacy Rights Act?
The California Privacy Rights Act (CPRA) is an amendment to the California Consumer Privacy Act (CCPA) and acts as an upgrade or improvement to CCPA. This comprehensive piece of legislation was introduced in California to strengthen the state’s already-existing consumer privacy laws.
Will CPRA replace CCPA?
No, CPRA will not replace CCPA. It makes the CCPA’s specific provisions more consumer-friendly by amending them. It is an improvement to CCPA.
How is CPRA different from CCPA?
CPRA clarifies and adds several clauses to CCPA concerning consent, personal information, consumer rights, and so on, making the law less ambiguous.
Who does CPRA apply to?
It applies to businesses that:
- serve at least 100,000 consumers or households, or
- make 50% of their revenue through the sale or sharing of consumers’ personal information, or
- earn annual revenue of $25 million or more.
Does the CPRA demand opt-in permission before using cookies?
Yes, if the cookies track sensitive personal information or information pertaining to minors.
Who is a minor under CPRA?
A minor is a person under the age of sixteen. If the business has actual knowledge that the person is under the age of sixteen, the business shall not share or sell personal information without the consumer opting in. If the consumer is a person who is below the age of 13, opt-in consent is to be provided by the legal guardian.