Let’s Discuss: What are the Differences between the CPRA and the CCPA
If you have been in the privacy space for a while, you are probably familiar with the California Consumer Privacy Act (CCPA). The CCPA was signed into law on June 28, 2018, and provided much-needed consumer privacy rights and business obligations with regard to the collection and sale of personal information. The CCPA went into effect Jan. 1, 2020. It was the pioneer for data protection laws in the US and has paved the way for the data protection laws in Virginia, Colorado and Utah that we are seeing in 2022. In contrast, the California Privacy Rights Act (CPRA), also known as Proposition 24, was approved by California voters on Nov. 3, 2020. It significantly amends and expands the CCPA, and it is sometimes referred to as “CCPA 2.0.”
With regard to enforcement, the CCPA delegates enforcement powers to the California Attorney General. As a distinction, although the CPRA grants the California Privacy Protection Agency (CPPA) “full administrative power, authority, and jurisdiction to implement and enforce” the CCPA, the Attorney General still retains enforcement powers.
You may be asking who the California Privacy Protection Agency is. It is possible you are not familiar with this agency, as it is a new agency, created by the CPRA, which is vested with “full administrative power, authority, and jurisdiction to implement and enforce” the CCPA. The agency will be governed by a five-member board and will require regulations to be adopted in 22 additional areas, including 15 new areas not previously identified in the CCPA. It will be interesting to see how this regulatory process unfolds and whether the Attorney General and the agency begin CPRA rulemaking efforts over the next several months.
The agency will have specific functions, including:
- Education and awareness surrounding privacy rights
- Advice for consumers and businesses
- Cooperation with agencies and collaboration with other states that enforce privacy laws
- Advisory on new privacy-related regulation
The CPRA transfers rulemaking authority from the California Attorney General to the California Privacy Protection Agency effective July 1, 2021, with final CPRA regulations due by July 1, 2022.
With regard to when enforcement of the CPRA will begin, it will not start until July 1, 2023, and it will only apply to violations occurring on or after that date. It should be noted, however, that the CCPA’s provisions remain in effect and enforceable until that date.
Some of the key changes introduced by the CPRA are:
- It expands the definition of “businesses” covered by the privacy act and makes those “sharing” personal information liable as well. Commonly controlled businesses or businesses sharing common branding are exempted unless they also share consumers’ personal information.
- It introduces a new classification of personal information (PI), namely sensitive personal information (SPI), which carries additional requirements on use, disclosure, and opt-out. This includes details such as Social Security numbers, state ID and driver’s license numbers, financial account information, geolocation, religious or philosophical beliefs, non-public communications, and genetic, biometric, and health data, to name a few.
- The CPRA requires companies holding sensitive data to conduct annual cybersecurity audits and provide the results to the CPPA.
- It expands on the CCPA’s right to opt out and specifies circumstances in which companies must allow consumers to opt out of third-party sharing for advertising purposes.
- It strengthens consumers’ rights by adding the right to delete or correct their personal information. If the business has shared the collected personal information with third parties, the business must notify them of the request to delete or amend it as well.
- It introduces changes in transparency, including storage limitations, data minimization, and contract requirements. Only data that is necessary for the purpose stated by the business may be collected, used, or disclosed, and data must be retained only for as long as it is necessary for that purpose.
- It increases the penalties for violations of the CPRA involving the personal information of consumers under the age of 16. Also, the CPPA can investigate violations independently.
The CPRA can be considered a fine-tuning or upgrade of the CCPA. The CCPA created the basis of the data privacy landscape of California, and nationally in the US. The CPRA builds upon it to consolidate and improve the privacy regulations in the State and bring them on par with the GDPR of the European Union.
The CPRA is not a substitute for the CCPA but amends it, to improve the rights of consumers and increase the compliance requirements for small and big businesses alike.