CCPA vs. CPRA: what changed?

An Intro to California’s Privacy Acts

Described by some as the US version of Europe’s GDPR, the California Consumer Privacy Act of 2018 (CCPA) is the strongest consumer privacy legislation mandated at the state level. 

On November 3, 2020, CCPA was amended by Proposition 24, the California Privacy Rights Act of 2020 (CPRA). The amendment gives Californians significantly more power to demand accountability and transparency for how their private data is handled, and increases penalties against organizations that collect data and fail to protect it.

What changed with the passing of Proposition 24: the California Privacy Rights Act of 2020? 

CPRA (sometimes called CCPA 2.0) has been criticized for overly broad definitions and ambiguous language. The Prop 24 amendment strengthened the rights of consumers, including the following changes:

  • Triples the fines for violations of children’s privacy,

  • Limits the use of “sensitive personal information,” a category broader than CCPA’s definition of personal information,

  • Stops businesses from knowing your precise geolocation,

  • Stops businesses from profiling you,

  • Grants the right to correct your information,

  • Grants the right to have your personal information kept safe,

  • Grants the right to see all of your information, not just the last 12 months,

  • Grants the right to prohibit both the sharing and the sale of personal data,

  • Creates a new California Privacy Protection Agency for more rigorous enforcement,

  • Imposes penalties for negligence resulting in theft of consumers’ emails and passwords.

Both CCPA and CPRA keep the burden on consumers to opt out of the retention and sale of their information. Prop 24 expands current law by exempting loyalty clubs and rewards programs from existing limits and allows businesses to withhold discounts unless they can harvest data about shopping habits.


Who must comply with CCPA and CPRA?
  
The CCPA currently applies to businesses that operate in California and that:

  • Have $25 million in gross annual revenue,

  • Obtain or share the personal information of at least 50,000 California residents, households, and/or devices per year,

  • Generate at least 50% of their annual revenue from selling California residents’ personal information.

The CPRA will apply only to businesses that operate in California and that:

  • Have $25 million in gross annual revenue,

  • Obtain or share the personal information of at least 100,000 California residents and households,

  • Generate at least 50% of their annual revenue from selling California residents’ personal information.

The law defines a business as “a for-profit legal entity that collects consumers’ personal information and does business in the state of California.” 

What are key dates for compliance? 

  • November 3, 2020: CPRA passed. CCPA remains in effect until CPRA is operative.

  • January 2021: CPRA becomes operative.

  • February 2021: California Privacy Protection Agency (CPPA) established.

  • January 2022: CPRA 12-month look-back period for collected data starts.

  • July 2022: Deadline for CPPA to adopt final regulations.

  • January 2023: CPRA fully operative and enforceable; employment and B2B exemptions expire, and those datasets become fully covered by the CPRA.

What rights are protected? 

CCPA covers the right:

  • To know whether personal data is collected about them

  • To know what personal data is being collected about them

  • To know the specific categories of data a business collects about them

  • To know the categories of third parties with whom personal data is shared

  • To know the categories of sources of personal data

  • To know the business or commercial purpose of collecting personal information

  • To port (move) their personal data

  • To say no to the sale (broadly defined as sale or exchange) of their personal data

  • To delete their personal data

CPRA added the right to correct personal data and the right to limit the collection and processing of their sensitive personal information to only those purposes “necessary” for providing the goods or services they’ve requested. The definition of “right to know” now includes information that is collected, sold or shared. Businesses must now disclose upfront what categories of information they will collect or share with third parties.
   

What is a data subject request? 
A data subject access request, often abbreviated as DSAR or DSR, is a request to a business by an individual for access to any and all personal data the business has collected about that person.  

What is a data breach? 
A data breach is the intentional or unintentional exposure of protected, sensitive, or confidential information to an untrusted environment. For example, the unintentional action of emailing personal data to the wrong individual of the same name would still constitute a data breach. A data breach opens the possibility of a private right of action under CCPA, which greatly increases risk and financial liability.


What is the impact of non-compliance?
 
By 2021, 80% of the negative financial impact of the CCPA will come from failure to implement a scalable subject rights workflow, according to Gartner Research. Gartner found that most organizations receiving DSARs take up to a full working week to respond to each, at an average cost of over $1,400. 

Operationalizing compliance is the first step in avoiding CCPA and CPRA fines. 

  • If a CCPA violation is deemed intentional, businesses may face fines of $2,500 to $7,500 per violation. CCPA grants businesses a 30-day period to address a violation after receipt of a consumer’s request.  

  • CPRA increases fines to $7,500 for each violation of CPRA involving personal information of consumers under the age of 16. 

  • Non-compliance and the negative impacts of data breaches can also damage brand perception and erode consumer trust.  

How are companies addressing consumers living outside of California? 
Many businesses are taking a proactive approach to consumer privacy by extending the same CCPA / CPRA privacy options required for Californians to all US consumers.

All fifty US states have data breach notification rules, but only California, Maine, and Nevada have data privacy laws in effect. Several US states have new privacy laws proposed and in committee, including Washington, Arizona, South Carolina, New York, New Jersey, Maryland, Iowa, Illinois, and Minnesota. Federal privacy bills currently in Congress include the SAFE DATA Act, the Consumer Data Privacy and Security Act of 2020, and several proposals related to the data of children.

What steps can businesses take to stay on top of US privacy compliance regulations? 
CCPA, CPRA, and GDPR are just the start of data privacy and compliance regulation. Consumer privacy regulations will continue to evolve as more states and countries develop their own requirements. There are several resources that regularly publish information regarding US privacy laws, including:

 
Who needs to be concerned about data privacy and compliance?
Most businesses have an individual who is accountable for privacy compliance. It could be your Legal Counsel, CIO / CTO or Chief Privacy Officer. That person often collaborates with a broader team within their org, including representatives from Legal, IT, Marketing and Customer Experience.  

Here’s a checklist of tasks teams might address:

  • Map and identify the sources and types of data your organization collects,

  • Audit and record all third-party data. Assess relationships and data sharing policies with third-party vendors,

  • Establish unique identifiers,

  • De-identify data,

  • Consolidate data into a single source of truth,

  • Define a process for handling consumer data subject requests (DSARs / DSRs),

  • Review and update privacy, consent, and data access policies,

  • Review your data collection and storage policies,

  • Add Do Not Sell / Do Not Share options to your online properties,

  • Establish a consumer-facing privacy portal with your privacy policies, opt-out options, and the ability to capture DSRs and do-not-sell / do-not-share requests,

  • Define a consent management process or select an automated consent management tool,

  • Map the process for, and automate, data subject requests (DSRs),

  • Define processes and protocols for data breach reporting,

  • Map, validate, and test your full consumer data lifecycle, from new user to removed profile,

  • Educate employees about compliance and the use and protection of consumer data.
