The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are making sweeping changes to the world of data privacy. As the first significant consumer privacy legislation in the states, these measures serve as a model for other states to change how companies conduct business.
In this article, we’ll cover some of the most frequently asked questions about CCPA and CPRA, what rights they provide, and how they affect businesses.
Signed into law on June 28, 2018, the California Consumer Privacy Act (CCPA) creates new consumer privacy rights. It establishes new regulations on how businesses collect and handle personal information.
The California Privacy Rights Act (CPRA), originally known as Prop 24, significantly builds on the CCPA. So much so that some refer to it as “CCPA 2.0.”
December 16, 2020. However, most of the legislation that revises the CCPA won’t take effect until January 1, 2023.
Not really. It’s more accurate to consider the CPRA as an addition to the CCPA. The CPRA states that it “amends” current provisions of the CCPA and “adds” new provisions (related to the establishment of the California Privacy Protection Agency). However, we’re not sure if it will continue to be known as the CCPA or will transition to CPRA next year.
The California Attorney General has authority under the CCPA, while the CPRA grants the California Privacy Protection Agency administrative power. However, under both pieces of legislation, the California Attorney General still has the final say.
Not until July 1, 2023. And the enforcement will only apply to violations after that date. No retroactive violations will be enforceable. However, the CCPA’s provisions are still active and enforceable.
First, let’s establish who is considered a “consumer.”
A consumer is a California resident as defined by California’s tax regulations.
The CCPA creates six new privacy rights for consumers:
1. the right to know and request personal information collected by the business
2. the right to request deletion of personal information
3. the right to opt-out of the sale of personal information
4. the right to opt-in to the sale of personal information for consumers 15 and under
5. the right to avoid discrimination for exercising any rights; and
6. the right to take private action for data breaches.
In addition to the initial six, the CPRA adds two more:
7. the right to correct false personal information; and
8. the right to eliminate the use of sensitive personal information.
Sensitive personal information, or SPI, is a new form of personal information the CPRA looks to implement. SPI is personal information that shows:
a driver’s license, social security number, and other forms of identification
any financial information such as debit/credit card numbers, bank credentials, logins, or passwords
a consumer’s exact location
a consumer’s demographic information such as race, ethnicity, or beliefs
the contents of a consumer’s postal mail, email, or text messages unless given prior consent
According to the CCPA, selling personal information also includes releasing, disclosing, renting, or any other means of transferring personal information to another business or third party for gain.
Businesses, services, third parties, and contractors are all subject to the CPRA.
The CPRA defines a business as a for-profit entity that collects personal information as part of its operation. Additionally, this business must do business in California and meet one of the following requirements:
has annual gross revenues over $25 million
annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices
derives 50% or more of its annual revenues from selling consumers’ personal information
If a business meets those requirements, they must:
supply notice of consumer rights
comply with consumer rights
meet disclosure and retention requirements
respond to consumer requests
act on security safeguards
A “service provider” is an entity that collects personal information on behalf of a business per a written contract that forbids any retention, use, or disclosure of personal information other than what’s in the contract.
A service provider must:
only use personal information needed to perform services on behalf of a business as specified in a contract
follow the terms in the contract
act on security safeguards
A new addition in the CPRA, a contractor is similar to a service provider in that personal information is limited to what’s in the contract. Unlike a service provider, a contractor is required to have a “certification” acknowledging they understand the restrictions and will comply with them.
The CCPA defines a third party as an entity that doesn’t qualify as a service provider but still receives personal information from the business.
A third party must:
use personal information consistent with promises made at receipt
supply consumers notice of any new or changed practices
provide consumers with explicit notice of added sales of personal information and provide consumers with the opportunity to opt-out.
The CCPA has three levels of punishment for non-compliance:
Civil Penalties – businesses can incur fees of up to $7,500 per intentional violation or $2,500 per unintentional violation
Damages – If a security breach is discovered, consumers may recover statutory damages ranging from $100-$750 per incident or actual damages. In this case, consumers must provide written notice to the business first.
Non-Monetary Relief – In situations that deal with security breaches, consumers may receive non-monetary relief as the court deems appropriate.
California is setting the standard for data privacy and other states will soon follow. To avoid any issues down the road, it’s best to take steps toward compliance today. With Adzapier’s CMP, you can collect and manage your online consumers’ consent and preferences in one place. Try it free for 14 days.
Any information obtained from the Adzapier website, services, platform, tools, or comments, whether oral or written, does not constitute legal or regulatory advice. If legal assistance is required, users should seek legal advice from an attorney, a lawyer, or a law firm.