In November 2020, California voters approved the California Privacy Rights Act (CPRA), a ballot measure that expanded protections already in place with the California Consumer Privacy Act (CCPA). The CPRA is set to come into effect on January 1, 2023.
Both of these privacy acts will impact the privacy and data security landscape. Here are the key differences between the two.
What is the CCPA?
The CCPA governs any for-profit business that does business in California and meets one of the following requirements: has annual gross revenues that exceed $25 million; collects, buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices each year; or receives more than 50% of its annual revenues from selling personal information.
The CCPA gave California residents these new privacy rights:
- The right to know what personal information is collected about them
- The right to have their personal information deleted
- The right to opt out of having their personal information shared with third parties
- The right to receive a copy of the collected information for the 12 months prior to the request
- The right to not be discriminated against for exercising these rights
Check out this blog post if you want more information on the CCPA.
What is the CPRA?
The CPRA, also known as Proposition 24, significantly expands on the provisions created in the CCPA. It strengthens California residents’ privacy rights and tightens regulations on the use of personal information.
The CPRA also established the California Privacy Protection Agency to implement and enforce the CCPA and the CPRA. This new agency will be able to issue fines of up to $2,500 per violation and/or up to $7,500 for intentional violations or violations involving minors.
While the CPRA goes into effect on January 1, 2023, it becomes fully enforceable on July 1, 2023. However, businesses will need to make sure any data collected after January 1, 2022 is compliant with the CPRA.
Key Differences between the CCPA and CPRA
The CPRA does not replace the CCPA. Instead, it amends key features and adds new protections:
Updates qualifying criteria of businesses
The CPRA raises the threshold for the number of consumers or households a business collects personal information from, from 50,000 to 100,000, and removes devices from the count. The other two requirements (gross annual revenues of $25+ million and earning 50% or more of annual revenues from selling or sharing personal information) remain the same.
New classification of personal information
The CPRA creates a new category of personal information: sensitive personal information (SPI). This new category includes Social Security, state ID, and driver's license numbers; financial account information; precise geolocation; racial or ethnic origin; religious or philosophical beliefs; union membership; non-public communications; genetic, biometric, and health data; and information about intimate relations or sexual orientation.
Businesses may need to create new use, disclosure, and opt-out requirements to protect this information.
New and expanded consumer privacy rights
CPRA introduces four new consumer privacy rights and modifies five existing rights. The new privacy rights include:
- Right to correct information
- Right to limit use and disclosure of SPI
- Right to access information about automated decision making
- Right to opt-out of automated decision-making technology
The modified rights include:
- Right to opt-out of third-party sales and sharing: In addition to selling their personal information, consumers can now opt-out of allowing businesses to share their personal information.
- Right to Know: The CPRA extends the date range for which consumers can request their information. Instead of only the prior 12 months, requests can now cover information from before that 12-month window.
- Right to Delete: Businesses will now need to send deletion requests to third parties that have purchased or received the consumer’s information.
- Right to data portability: Consumers can now request that a business transfer their personal data to another organization, when feasible.
- Opt-in rights for minors: Businesses must wait 12 months before asking a minor for consent to sell or share their information after the minor has initially declined. In addition, the opt-in must explicitly mention sharing data for cross-context behavioral advertising.
Adoption of select GDPR provisions
Some of the principles created for the GDPR, the privacy regulation protecting EU residents, are now part of the CPRA, including new requirements around data minimization, collection purpose, and storage. Businesses are only allowed to collect information related to their stated purpose, and may only keep it for the originally disclosed amount of time.
More consumer privacy acts to come
The CCPA and CPRA are the first comprehensive consumer privacy legislation in the United States and pave the way for other states to create similar privacy acts. In fact, two more are set to go into effect on January 1, 2023, as well: the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (ColoPA).
There are additional acts in development for Maryland, Oklahoma, Ohio, New Jersey, Florida, and Alaska. As more states explore creating legislation to protect consumer data, the federal government may create baseline legislation as well.
Even if the state where your business operates has not implemented its own legislation, putting in the work to get into compliance now is a smart move.