CPRA vs. CCPA: What Has Changed and How Can Businesses Prepare?

What is the CPRA?

The California Privacy Rights Act (CPRA) is a privacy law that was passed in the November 2020 ballot, as 56% of California voters favored it. The law amends and strengthens consumer data privacy rights established initially by the CCPA in 2018.

The CPRA also imposes additional consumer privacy protection obligations on organizations. The new law will take effect from January 1, 2023, and enforcement will start six months later (July 1, 2023).

---

What is the CCPA?

The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, and came into effect on January 1, 2020. Often compared to GDPR, the CCPA protects consumers from mismanagement of their personal data and gives the consumer control over what data is collected, processed, shared, or sold. The CCPA was passed by the California legislature under pressure from rights groups who wished to pass it in the form of a ballot measure.

---

Does CPRA Replace the CCPA?

The CPRA amends and expands the CCPA, creating new requirements, consumer privacy rights, and enforcement mechanisms for applicable organizations. Once the CPRA comes into effect on January 1, 2023, it will effectively replace the CCPA. Till then, CCPA requirements will continue to apply to covered businesses.

What is new in the CPRA?

Amended Definition of Covered Organizations

The California Privacy Rights Act (CPRA) is applicable to companies that purchase, sell or exchange personal data of more than 100,000 households or customers in California. The previous limit under the CCPA was 50,000. This means that some small businesses that might have been subject to the CCPA will be exempt under the CPRA.

Also, the CPRA applies to organizations that derive at least 50% of their revenue from selling or sharing a consumer’s Personal Information. Under the CCPA, this provision only included businesses that “sell” consumers’ Personal Information (PI).

New Sensitive Personal Information Category

The CPRA introduces the Sensitive Personal Information (SPI) category, which is subject to more stringent disclosure and purpose limitation requirements. Specifically, the law says security measures should be appropriate to the data type - thus, SPI would need extra protection.

Finally, the CPRA gives consumers the right to ask organizations to limit the use of their SPI.

SPI includes highly sensitive data such as:

• Social Security Number;
• Driver’s license;
• State identification card;
• Passport Number;
• Financial account information and log-in credentials;
• Debit Card or Credit Card number along with access codes;
• Precise geolocation data;
• Religious or philosophical beliefs;
• Ethnic origin;
• Contents of communication;
• Genetic data;
• Biometric information for the purposes of identification;
• Health information;
• Information about sex or sexual orientation.

Violations Involving Children's Personal Information

The CPRA prohibits selling the personal information of a person under the age of 16 without their consent, similarly to the CCPA. However, under the CPRA, violations involving children’s personal information are liable similarly to intentional violations, i.e., fines of $7500 per violation. This amendment has provided extra protection to children’s personal information in the CPRA.

New Consumer Privacy Rights

The CPRA grants consumers additional rights regarding their personal data.

Right to Restrict Use of Sensitive Personal Information

Data subjects may request to limit the use and disclosure of their sensitive PI for specific secondary purposes, including disclosure to third parties.

Right to Correction

Data subjects can request the correction of any of their PI held by the organization if inaccurate.

Right to Access Information About Automated Decision Making

Data subjects have the right to request information about automated decision-making processes based on their personal information. Data subjects may also request a description of the likely outcomes that will result from these processes.

Right to Opt-Out of Automated Decision-Making Technology

Data subjects may also request to opt-out of the use of automated decision-making technology, which can include “individual profiling.”

Expanded Consumer Privacy Rights

The CPRA has also expanded or modified the organization’s obligations in fulfilling consumer rights requests granted by the CCPA.

Right to Delete

Consumers can now request businesses to instruct third-party vendors, service providers, or contractors to delete the personal information that might have been sold/shared to them by the business.

Right to Access

Businesses must provide all PI data specified in the CCPA along with the categories of PI it has shared with third parties as well as the third parties it has shared the PI with.

Right to Opt-Out

Data subjects now have the right to opt-out of both the sale and sharing of their PI with third parties, including for the purposes of cross-context behavioral advertising.

Right to Data Portability

Data subjects have the right to ask organizations to transmit specific pieces of PI to another entity. However, this transmission should be technically feasible for the organization.

Expanded Notification Requirements

Data Retention information at Notification at Point of Collection

Businesses will need to notify customers, employees, job applicants, and other workers at or before the point of data collection, similarly to the CCPA. However, businesses must also include details about the retention periods for the collected personal data now.

Businesses are only allowed to retain PI as long as it is ‘reasonably necessary’ for the business/commercial purpose the PI has been collected for.

SPI Collection Notifications

The CPRA mandates organizations to also notify consumers about the categories of SPI being collected, the collection purpose, and the length of time the SPI will remain stored in their databases before or at the point of collection of the SPI.

Opt-in Rights for Minors

Another addition is that businesses must notify minors if they intend to sell or share their personal data. It is also important to note that after a consumer under 16 years of age has declined to provide consent to the business to sell or share their personal information, a business must either wait for another 12 months or wait until the consumer turns 16 before requesting their opt-in consent again.

Changes to Privacy Notices

The CPRA also has additional requirements for Privacy Notices. Starting from January 2023, organizations will be required to modify their privacy notices to include three additional categories of disclosure such as:

• Disclose whether they share personal information about consumers along with details (the categories of PI shared and with whom).
• Make disclosures related to their collection, processing, and disclosure of “sensitive personal information.”
• Disclose the length of time they intend to retain each category of personal information or if that is not feasible, the criteria they will use to determine that retention period.

Creation of California Privacy Protection Agency (CPPA)

Unlike the CCPA, the CPRA creates an exclusive agency for the interpretation and enforcement of the law - the California Privacy Protection Agency (CPPA). Tasked with taking over rule-making power from the California Attorney General, the CPPA shall be the first US-based regulatory authority exclusively focused on data privacy issues.

It shall not only provide guidance on the enforcement of the CPRA but shall also have powers to investigate violations, conduct hearings and assign liability to covered entities for violations.

Cyber Security Audit and periodic Risk Assessment Requirements

Cyber Security audit requirement

The CPRA mandates that organizations that hold personal information that might “present a significant risk to its consumers’ privacy or security” perform an annual cybersecurity audit and submit it to the CPPA.

This audit must be independent and thorough according to the law. To determine the risk of PI processing operations, organizations need to consider the following factors:

1. The size and complexity of data processing activities of the organization.
2. The nature and scope of data processing activities.

Risk Assessment Requirement

The CPRA will also require organizations to conduct regular risk assessments to evaluate their processing activities. All assessments must weigh the privacy risks created by the processing activity against the benefits that are provided. One of the factors that can be used to evaluate a processing activity is the use of consumers’ sensitive personal data. This assessment then needs to be submitted to the CPPA.

Organizations need to start identifying higher risk processing activities now and build a robust risk assessment framework to meet this requirement. This process will allow the organization to conduct timely risk assessments and identify problem areas quickly.

Expanded Private Right of Action

Under the CCPA, consumers can bring a civil suit against a business for actual damages or $100 to $750 in statutory damages (whichever is higher) for failing to take reasonable and appropriate security measures to protect their unencrypted or unredacted personal information from being subject to a breach - under the CPRA the categories of PI for which they can sue has been increased to include, email addresses in combination with a password or security question and answer that would permit access to the account. Since most data breaches involve this category of PI, this is a significant change that could increase liabilities for businesses subject to a breach.

Incorporation of GDPR Principles

Data minimization

Organizations must limit their collection of PI to what is reasonably necessary for its disclosed intended purposes.

Purpose Limitation

Organizations that decide to use PI differently than previously disclosed must notify all data subjects before proceeding.

Storage Limitation

The CPRA mandates that organizations not retain PI for longer than “reasonably necessary” for each disclosed purpose. In addition, organizations must also inform their retention periods for each category of PI data at the time of collection. However, if that is not possible, the organization must at least provide the criteria used to determine the retention period.