The CPRA is a privacy law in California that took effect at the start of 2023. How does it relate to the CCPA, which came into effect in 2020? Understand the key differences between CCPA vs CPRA and what they may mean for your data privacy practices.
In 2018, California became the first state to pass comprehensive data privacy legislation with the California Consumer Privacy Act (CCPA). However, just two years later, the state passed the California Privacy Rights Act (CPRA), which significantly amends and expands upon the CCPA.
Short on time? Jump to…
The CPRA builds on the protections provided by the CCPA, but it introduces new requirements for businesses. Here are a few key differences:
Let’s now dive into each point to get a better understanding of CCPA vs CPRA.
CCPA stands for California Consumer Privacy Act. It is a data privacy law that came into effect on January 1, 2020, in the state of California, United States. CCPA compliance is designed to enhance privacy rights and consumer protection for California residents. The CCPA grants various rights to California residents and regulates the actions of businesses that collect or sell personal information.
The CCPA was reviewed, and this prompted an amendment to the CCPA, which has come to be known as the California Privacy Rights Act (CPRA).
The California Privacy Rights Act (CPRA), which became effective in January 2023, expands on a few key elements of the existing California Consumer Privacy Act (CCPA) by further protecting consumers’ privacy. The CPRA supplements – but does not replace nor repeal – the existing framework provided by the CCPA.
No. The CPRA amends the CCPA, bringing in new requirements and rights, for example. It does not create a separate, new law. As a result, the California Privacy Protection Agency typically refers to the law as “CCPA” or “CCPA, as amended.” The CPRA amendments to the CCPA are in effect as of January 1, 2023. But, in easy terms, any part left unchanged from the CCPA still applies to businesses and consumers.
To put it shortly, the scope of the CPRA is broader than the CCPA.
The CCPA regulations only applies to businesses that meet certain criteria, such as those with annual gross revenue of over $25 million. While the CPRA (CCPA amendments) applies to businesses of all sizes that process personal data of California residents and meet certain thresholds.
The CPRA introduced a different category of protected data to the mix: sensitive personal information (SPI). This idea is quite similar to Article 9 of the General Data Protection Regulation (GDPR), which asks for a higher level of data protection for the sensitivity of personal information. New categories of sensitive personal information include:
👀 See here for everything you need to know about Sensitive personal information under the CPRA.
The CCPA amendments, the CPRA, enhances consumer rights.
While the CCPA regulations grants consumers the right to know what personal information businesses collect and the right to request deletion of that information, the CPRA adds new rights:
Some other rights such as the right to know, the right to delete or the right to data transfer have been expanded/updated.
👀 See here the full list of Consumer rights.
Another major change is the creation of a new enforcement agency, the California Privacy Protection Agency (CPPA), which will have more resources and power to enforce the privacy laws.
The CCPA regulation was enforced by the state attorney general’s office, while the CPRA gives the CPPA sole authority to enforce the law and impose fines for violations.
In terms of businesses’ obligations, the CPRA imposes additional requirements on businesses, such as:
The CPRA also establishes a new category of “contractors” who work with businesses and must comply with certain privacy requirements.
CCPA vs CPRA: Navigating the changing data privacy landscape in California can be daunting, but understanding the differences between the CCPA and the CPRA is crucial for protecting your personal data.
Businesses and consumers alike should have already familiarized themselves with the new legislation and have taken the necessary steps to comply with its requirements.