The Consumer Privacy Rights Act (CPRA) and the California Consumer Privacy Act (CCPA) are data privacy laws that protect consumer privacy and regulate the way that businesses process personal information. And as of January 1st, 2023, these laws have come into full effect. But what is the difference between CPRA vs CCPA? And what does this mean for privacy regulations across the US?
In many ways, the CPRA and CCPA are real game-changers when it comes to consumer privacy and data security. Like other laws regarding bereavement leave and pay transparency, jurisdiction extends to residents of California. However, according to Reuters, this is just the beginning of a new era of changes regarding consumer privacy and data security in the United States.
In this article, we’ll go through the details of the two laws and clarify the differences between CPRA vs CCPA. Afterward, we’ll go into detail and discuss specific requirements found in each piece of legislation. Finally, we’ll go through some of the new additions to the CPRA, consumer rights, and CPRA/CCPA compliance.
CPRA vs CCPA: What’s the difference?
The California Consumer Privacy Act (CCPA) is a law that was initially approved in 2018 and went into effect in 2020. This law regulates how businesses collect, store, share, and sell consumers’ personal information and data.
The Consumer Privacy Rights Act (CPRA), approved in 2020, amends the previously established CCPA law. It outlines additional regulations that businesses must abide by to protect consumer privacy. Recently (as of January 1st, 2023), many of the CPRA’s provisions went into effect. However, much of the law’s enforcement won’t go fully into effect until July 1st, 2023.
Does CPRA replace CCPA?
It’s best to think of the CPRA and the CCPA as one and the same. After the CCPA was initially passed in 2018, many felt that it was not strict enough and needed clarification. As a result, the Californians for Consumer Privacy (CCP) sought to put even more privacy control in the hands of consumers.
Through the group’s campaigning efforts, they were able to secure the CPRA on the citizen’s initiative ballot in 2020. The privacy amendment received majority support, with over 9.3 million favorable votes.
For businesses and consumers in California, the biggest difference between CPRA vs CCPA is that CPRA adds new regulations to the existing CCPA law. These additions strengthen the consumer privacy initiatives that were put into place under the CCPA and specify who the law affects.
If CCPA requirements pertained to your business in the past, then you should also comply with CPRA requirements. In short, compliance with CPRA means that you comply with both laws.
According to the State of California Department of Justice, the California Consumer Privacy Act (CCPA) “gives consumers more control over the personal information that businesses collect about them.” Under this law, consumers are granted the following rights:
- The right to know how businesses collect and share their personal data.
- Consumers have the right to delete personal information that businesses collect.
- The right to choose whether or not businesses sell their personal information.
- And, the right to “non-discrimination” for exercising their CCPA rights.
The law applies to all California for-profit businesses that meet at least one of the following conditions:
- Make over $25 million in gross annual revenue
- Use (buy, sell or receive) the data of over 50,000 California residents, houses, or devices*
- 50% of their annual revenue comes from selling personal information
*Note the CPRA later changed this requirement to include businesses that buy, sell, receive, or share the data of over 100,000 California residents, houses, or devices.
Those exempt from CCPA and CPRA regulations include non-profits and governmental organizations.
As of now, The California Privacy Rights Act is the most extensive law regarding consumer privacy protection in the United States. Building upon the existing California Consumer Privacy Act (CCPA), it outlines additional consumer privacy rights including:
- Exactly who needs to comply with the law. Under CPRA, the law applies to businesses that buy, sell, or share the data of over 100,000 California residents, houses, or devices.
- Exactly who the law aims to protect. CPRA clarifies that the term “consumers” is also inclusive of a business’s “employees”.
- The CPRA increases enforcement of data privacy regulations through the California Privacy Protection Agency (CPPA). These enforcement practices will come into full swing on July 1st, 2023.
- In the CCPA, there was a 30-day “grace period” for businesses that committed privacy violations. The CPRA removed this measure, meaning that businesses can be penalized immediately.
- In addition to the consumer’s right to access, delete, and decide whether or not personal information is sold, consumers also have the right to correct information that businesses collect.
- If consumers request to delete personal information that has already been shared, businesses must request that third parties delete the information as well.
- Under CPRA, consumers can also object to businesses collecting and sharing their personal information from the beginning. For example, consumers can click a button on the company’s website that allows them to opt out of data collection.
- Consumers can object to businesses using their sensitive personal information. It is a requirement for businesses to give consumers a visible option to limit the use of sensitive information.
- Under CPRA, consumers also have the right to data portability, meaning that if consumers request it, businesses are required to transfer their data to another company or organization.
New additions under CPRA
In addition to some of the key changes mentioned above, the CPRA also established the California Privacy Protection Agency (CPPA), which has the power to investigate privacy violations and, come January 1st, 2023, enforce penalties of its own accord. This agency also aims to educate consumers, promote public awareness of privacy rights, and inform consumers about how to exercise their rights.
Recent changes also require businesses handling high-risk data to go through regular cybersecurity audits and submit annual results to the CPPA. This measure further strengthens the organization’s power to detect violations and noncompliance.
Consumer rights under CPRA and CCPA
Under the CPRA and CCPA, California residents have the right to ask businesses to share what personal information they collect and how they use it. Businesses must abide by consumers’ requests to delete their information and refrain from selling or sharing it.
If businesses have shared the consumer’s personal information, any third parties involved must delete it as well. Additionally, consumers have the power to require businesses to make corrections to personal information that they have on record.
Personal information and sensitive personal information
The purpose behind CPRA and CCPA is to provide consumers with the right to safeguard their personal information. But, what qualifies as “personal information” and “sensitive personal information” under CPRA and CCPA?
According to the State of California, personal information is “information that identifies, relates to, or could reasonably be linked with a particular consumer or household.” This might include consumers’ names, email addresses, browsing history, or recent purchases.
On the other hand, sensitive information is defined as “a specific subset of personal information that includes certain government identifiers.” This might include personal login information, passwords, social security numbers, email content, health records, or racial and sexual identity.
According to CPRA and CCPA, personal information does not include federal, state, or local government records that are available to the public, for example, physical addresses and the location and ownership of property.
CPRA and CCPA compliance
If you fail to take the appropriate measures to protect consumer privacy, a data breach can occur in which personal information is stolen. Under CCPA requirements, you can be held accountable for inadequate data security practices and possibly sued by consumers.
Violating CCPA and CPRA can also lead to repeated consumer complaints and reports, which might be followed up with consequential measures taken by the Office of the Attorney General. One of the biggest differences between CPRA vs CCPA is the extent to which these laws are enforced. Legal requirements regarding data security will only become more strict with time, and penalties will become more widespread.
The best way to ensure that your business stays compliant with CCPA and CPRA, along with other state and federal employment laws, is by keeping track of them in an HR compliance calendar. That way, you’ll be able to stay on top of important deadlines and plan throughout the year.
Legal issues are not always straightforward to navigate, especially concerning payroll, document signing and storage, and employee time tracking. If you’re looking for an all-in-one solution that can reduce your workload considerably, Factorial’s solution is right for you. From electronic signatures to custom reports, Factorial helps you to stay compliant and carefree.