CPRA vs CCPA
The California Privacy Rights Act (CPRA) came into effect on January 1st, 2023, creating confusion among consumers and businesses alike, many of whom find it difficult to tell whether it is an entirely new law or a revised version of the existing California Consumer Privacy Act (CCPA). Both CPRA and CCPA are privacy acts that empower consumers by giving them the right to decide whether businesses may use their personal information. However, according to CCPA’s official website, CPRA is not a separate, new law. Rather, it is an amended version of CCPA, and the amendments give consumers more control and more privacy. CPRA hasn’t yet replaced CCPA, but that will happen once its full enforcement begins, scheduled for July 1st, 2023.
In this article, we will thoroughly compare CCPA and CPRA so you can understand how to start your compliance process before CPRA becomes fully enforceable and CCPA becomes obsolete.
The California Privacy Protection Agency – the biggest difference between CPRA and CCPA
The California Privacy Protection Agency (CPPA) is responsible for almost all matters related to CPRA, including enforcement, supervision, investigation, disputes, violations, and drafting of new regulations. The office of the Attorney General is now free from all responsibilities related to CCPA/CPRA.
Sensitive Personal Information (SPI)
CPRA introduces a new category of information, classified as Sensitive Personal Information (SPI), which did not exist under CCPA. SPI includes:
- Social Security Number
- Passport number
- State identification card
- Driver’s license
- Biometric information
- Financial information, including log-in credentials, debit and credit card details, and access codes
- Geographical location
- Health records, including genetic data
- Religious, philosophical, and political orientation
- Sexual orientation
- Race and ethnicity details
Sensitive Personal Information receives stricter protection than ordinary personal information. CPRA gives consumers additional rights to decide how their SPI is collected, disclosed, and used. It also mandates separate consent and provides separate opt-out rights for SPI.
CPRA versus CCPA – who needs to comply?
CPRA has widened the scope of CCPA by shifting coverage toward larger businesses that rely more heavily on collecting, sharing, disclosing, and selling their consumers’ personal information.
CPRA applies to businesses:
- That have a gross annual revenue exceeding $25 million (unchanged from CCPA)
- That buy, sell, collect, or share the personal information (including SPI) of more than 100,000 consumers, devices, or households per year (for CCPA, the threshold was 50,000)
- That derive 50% or more of their annual revenue from selling or sharing consumers’ PI (under CCPA, only selling counted; adding sharing closes a major loophole)
Consumer rights under CPRA versus CCPA
The four new rights are:
- Right to limit use of SPI – California consumers can ask businesses to restrict the use of sensitive personal information for internal purposes and for third-party sharing (for monetary benefit or otherwise).
- Right to correction of PI and SPI – Residents can ask businesses to share the data they have collected. They can ask for deletion (as under CCPA) and for correction if the collected data is inaccurate (new under CPRA).
- Right to know about automated decision-making – If a business uses AI to automate decision-making processes based on the collected PI/SPI, it must inform consumers about these processes and their outcomes.
- Right to opt out of automated decision-making – If a California resident is not happy with a business’s automated decision-making approach, they can exercise their right to opt out. In that case, the business must not use the PI for automated processes such as behavioral advertising and individual profiling.
The five modified rights are:
- Right to data portability – Consumers can request that businesses transfer their PI to other businesses or organizations.
- Right to opt out – People can now opt out of the sharing of their PI (previously, only selling was covered).
- Right to know – Consumers can ask businesses for details of PI collected beyond the 12-month look-back period that CCPA imposed.
- Right to delete – When a consumer exercises this right, businesses must also instruct third parties to delete the data (previously, the obligation was limited to the business that originally collected the data).
- Rights of minors – If a minor under 16 years of age has declined to consent to the collection of PI/SPI, businesses can’t approach them again until the consumer turns 16.
CPRA Mandates Data Minimization
CPRA also mandates that businesses inform consumers of the purpose for which they are collecting the data, and that they must not deviate from that purpose, i.e., use the existing PI for a different purpose (purpose limitation). It further mandates that businesses inform consumers of the duration for which their personal data will be stored (storage limitation), and they must strictly abide by that duration.