Securiti AI Launches Context-Aware LLM Firewalls to Secure GenAI Applications


CPRA vs. CCPA: What’s the Difference?

By Anas Baig | Reviewed By Omer Imran Malik
Published July 19, 2023 / Updated March 4, 2024

Listen to the content

What is the CPRA?

The California Privacy Rights Act (CPRA) is a privacy law that was passed in the November 2020 ballot, as 56% of California voters favored it. The law amends and strengthens consumer data privacy rights established initially by the CCPA in 2018.

The CPRA also imposes additional consumer privacy protection obligations on organizations. The new law will take effect from January 1, 2023, and enforcement will start six months later (July 1, 2023).

What is the CCPA?

The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018, and came into effect on January 1, 2020. Often compared to GDPR, the CCPA protects consumers from mismanagement of their personal data and gives the consumer control over what data is collected, processed, shared, or sold. The CCPA was passed by the California legislature under pressure from rights groups who wished to pass it in the form of a ballot measure.

Does CPRA Replace the CCPA?

The CPRA amends and expands the CCPA, creating new requirements, consumer privacy rights, and enforcement mechanisms for applicable organizations. Once the CPRA comes into effect on January 1, 2023, it will effectively replace the CCPA. Till then, CCPA requirements will continue to apply to covered businesses.

Get California Privacy Rights Act (CPRA) Readiness Assessment

Securiti’s CPRA assessment evaluates your readiness for CPRA and reviews how compliant your current practices are. This assessment highlights any deficiencies in your practices & aid in your CPRA compliance efforts.

For more information about the California Privacy Rights Act (CPRA) and how to kickstart your CPRA compliance program, see our CPRA Compliance Checklist here and download our white paper on 7 Essential Tips to Prepare for the CPRA.

What is new in the CPRA?

Amended Definition of Covered Organizations

The California Privacy Rights Act (CPRA) is applicable to companies that purchase, sell or exchange personal data of more than 100,000 households or customers in California. The previous limit under the CCPA was 50,000. This means that some small businesses that might have been subject to the CCPA will be exempt under the CPRA.

Also, the CPRA applies to organizations that derive at least 50% of their revenue from selling or sharing a consumer’s Personal Information. Under the CCPA, this provision only included businesses that “sell” consumers’ Personal Information (PI).

New Sensitive Personal Information Category

The CPRA introduces the Sensitive Personal Information (SPI) category, which is subject to more stringent disclosure and purpose limitation requirements. Specifically, the law says security measures should be appropriate to the data type - thus, SPI would need extra protection.

Finally, the CPRA gives consumers the right to ask organizations to limit the use of their SPI.

SPI includes highly sensitive data such as:

  • Social Security Number;
  • Driver’s license;
  • State identification card;
  • Passport Number;
  • Financial account information and log-in credentials;
  • Debit Card or Credit Card number along with access codes;
  • Precise geolocation data;
  • Religious or philosophical beliefs;
  • Citizenship or immigration status;
  • Ethnic origin;
  • Contents of communication;
  • Genetic data;
  • Biometric information for the purposes of identification;
  • Health information;
  • Information about sex or sexual orientation.

Violations Involving Children's Personal Information

The CPRA prohibits selling the personal information of a person under the age of 16 without their consent, similarly to the CCPA. However, under the CPRA, violations involving children’s personal information are liable similarly to intentional violations, i.e., fines of $7500 per violation. This amendment has provided extra protection to children’s personal information in the CPRA.

New Consumer Privacy Rights

The CPRA grants consumers additional rights regarding their personal data.

Right to Restrict Use of Sensitive Personal Information

Data subjects may request to limit the use and disclosure of their sensitive PI for specific secondary purposes, including disclosure to third parties.

Right to Correction

Data subjects can request the correction of any of their PI held by the organization if inaccurate.

Right to Access Information About Automated Decision Making

Data subjects have the right to request information about automated decision-making processes based on their personal information. Data subjects may also request a description of the likely outcomes that will result from these processes.

Right to Opt-Out of Automated Decision-Making Technology

Data subjects may also request to opt-out of the use of automated decision-making technology, which can include “individual profiling.”

Expanded Consumer Privacy Rights

The CPRA has also expanded or modified the organization’s obligations in fulfilling consumer rights requests granted by the CCPA.

Right to Delete

Consumers can now request businesses to instruct third-party vendors, service providers, or contractors to delete the personal information that might have been sold/shared to them by the business.

Right to Access

Businesses must provide all PI data specified in the CCPA along with the categories of PI it has shared with third parties as well as the third parties it has shared the PI with.

Right to Opt-Out

Data subjects now have the right to opt-out of both the sale and sharing of their PI with third parties, including for the purposes of cross-context behavioral advertising.

Right to Data Portability

Data subjects have the right to ask organizations to transmit specific pieces of PI to another entity. However, this transmission should be technically feasible for the organization.

Expanded Notification Requirements

Data Retention information at Notification at Point of Collection

Businesses will need to notify customers, employees, job applicants, and other workers at or before the point of data collection, similarly to the CCPA. However, businesses must also include details about the retention periods for the collected personal data now.

Businesses are only allowed to retain PI as long as it is ‘reasonably necessary’ for the business/commercial purpose the PI has been collected for.

SPI Collection Notifications

The CPRA mandates organizations to also notify consumers about the categories of SPI being collected, the collection purpose, and the length of time the SPI will remain stored in their databases before or at the point of collection of the SPI.

Opt-in Rights for Minors

Another addition is that businesses must notify minors if they intend to sell or share their personal data. It is also important to note that after a consumer under 16 years of age has declined to provide consent to the business to sell or share their personal information, a business must either wait for another 12 months or wait until the consumer turns 16 before requesting their opt-in consent again.

Changes to Privacy Notices

The CPRA also has additional requirements for Privacy Notices. Starting from January 2023, organizations will be required to modify their privacy notices to include three additional categories of disclosure such as:

  • Disclose whether they share personal information about consumers along with details (the categories of PI shared and with whom).
  • Make disclosures related to their collection, processing, and disclosure of “sensitive personal information.”
  • Disclose the length of time they intend to retain each category of personal information or if that is not feasible, the criteria they will use to determine that retention period.

Creation of California Privacy Protection Agency (CPPA)

Unlike the CCPA, the CPRA creates an exclusive agency for the interpretation and enforcement of the law - the California Privacy Protection Agency (CPPA). Tasked with taking over rule-making power from the California Attorney General, the CPPA shall be the first US-based regulatory authority exclusively focused on data privacy issues.

It shall not only provide guidance on the enforcement of the CPRA but shall also have powers to investigate violations, conduct hearings and assign liability to covered entities for violations.

Cyber Security Audit and periodic Risk Assessment Requirements

Cyber Security audit requirement

The CPRA mandates that organizations that hold personal information that might “present a significant risk to its consumers’ privacy or security” perform an annual cybersecurity audit and submit it to the CPPA.

This audit must be independent and thorough according to the law. To determine the risk of PI processing operations, organizations need to consider the following factors:

  1. The size and complexity of data processing activities of the organization.
  2. The nature and scope of data processing activities.

Risk Assessment Requirement

The CPRA will also require organizations to conduct regular risk assessments to evaluate their processing activities. All assessments must weigh the privacy risks created by the processing activity against the benefits that are provided. One of the factors that can be used to evaluate a processing activity is the use of consumers’ sensitive personal data. This assessment then needs to be submitted to the CPPA.

Organizations need to start identifying higher risk processing activities now and build a robust risk assessment framework to meet this requirement. This process will allow the organization to conduct timely risk assessments and identify problem areas quickly.

Expanded Private Right of Action

Under the CCPA, consumers can bring a civil suit against a business for actual damages or $100 to $750 in statutory damages (whichever is higher) for failing to take reasonable and appropriate security measures to protect their unencrypted or unredacted personal information from being subject to a breach - under the CPRA the categories of PI for which they can sue has been increased to include, email addresses in combination with a password or security question and answer that would permit access to the account. Since most data breaches involve this category of PI, this is a significant change that could increase liabilities for businesses subject to a breach.

Incorporation of GDPR Principles

Data minimization

Organizations must limit their collection of PI to what is reasonably necessary for its disclosed intended purposes.

Purpose Limitation

Organizations that decide to use PI differently than previously disclosed must notify all data subjects before proceeding.

Storage Limitation

The CPRA mandates that organizations not retain PI for longer than “reasonably necessary” for each disclosed purpose. In addition, organizations must also inform their retention periods for each category of PI data at the time of collection. However, if that is not possible, the organization must at least provide the criteria used to determine the retention period.

Key Takeaways:

  1. Introduction of CPRA: The California Privacy Rights Act (CPRA) enhances consumer data privacy rights established by the California Consumer Privacy Act (CCPA) of 2018. It was approved by California voters in November 2020 and will take effect on January 1, 2023, with enforcement beginning on July 1, 2023.
  2. CCPA Overview: The CCPA, effective from January 1, 2020, is a groundbreaking law that allows consumers more control over their personal data, including the rights to know, delete, and opt-out of the sale of their personal information.
  3. CPRA's Amendments to CCPA: The CPRA amends and expands the CCPA, introducing new requirements, consumer rights, and enforcement mechanisms. It does not replace the CCPA but enhances it with additional protections and obligations for businesses.
  4. Key Features of CPRA: The CPRA increases the threshold for businesses to be covered, introduces a new category of Sensitive Personal Information (SPI), adds new consumer rights including the right to correct inaccurate data, and establishes the California Privacy Protection Agency (CPPA) for enforcement.
  5. Sensitive Personal Information Under CPRA: The CPRA introduces stricter requirements for handling SPI, including social security numbers, financial account information, precise geolocation data, and more, necessitating enhanced security measures.
  6. New Consumer Rights: The CPRA grants consumers additional rights, such as the right to limit the use of their SPI, the right to correct inaccuracies in their personal information, and the right to opt-out of automated decision-making technology.
  7. Expanded Obligations for Businesses: The CPRA requires businesses to provide detailed notices at the point of data collection, including the purposes for collecting SPI and the retention period of personal information.
  8. CPRA Compliance Checklist: Organizations can prepare for CPRA compliance by assessing their current practices, categorizing USML-covered items, understanding end-use and end-user, applying for necessary licenses, maintaining comprehensive records, and implementing an internal compliance program.
  9. Cybersecurity Audit and Risk Assessment: The CPRA mandates annual cybersecurity audits and regular risk assessments for organizations processing personal information that presents a significant risk to consumer privacy or security.
  10. Incorporation of GDPR Principles: The CPRA incorporates GDPR-like principles such as data minimization, purpose limitation, and storage limitation, requiring businesses to limit the collection, use, and retention of personal information to what is necessary for specified purposes.

Frequently Asked Questions (FAQs)

The CPRA builds upon the CCPA by adding new privacy rights, such as the right to correct inaccurate personal information, and by establishing the California Privacy Protection Agency (CPPA) for enforcement. It also introduces stricter requirements for businesses and service providers handling personal data.

CPRA, or the California Privacy Rights Act, enhances privacy protections compared to the CCPA. It introduces new rights for consumers, creates the CPPA for enforcement, and adds stricter regulations for businesses, including those related to sensitive personal information and data retention.

CPRA compliance involves adhering to the requirements outlined in the California Privacy Rights Act (CPRA) to protect consumer privacy and data rights.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You