On November 4, 2020, California voters passed the California Privacy Rights and Enforcement Act (CPRA or CCPA 2.0). The CPRA amends various parts of the existing California Consumer Privacy Act (CCPA), with the changes going into effect on January 1, 2023. Many businesses have wondered what differences there are between the CCPA and the CPRA. Below, some of the differences between the two are described.
Want to take a deeper dive? Register for the webinar CPRA vs. CCPA: What You Need to Know
| CCPA | CPRA | |
| Threshold Application | For-profit businesses that collect personal information from California residents, determines the purposes in California and meet any of the following:
| For-profit businesses that collect personal information from California residents, determines the purposes in California and meet any of the following:
|
| Employee and B2B Exemption | Expires on Jan. 1, 2021 | Expires on Jan 1, 2023 |
| Consumer Rights |
| All rights under the CCPA, plus:
|
| Covered Personal Information | “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. | Personal information, as well as “Sensitive Personal Information” which includes information such as SSN, driver license numbers, biometric information, precise geolocation, and racial and ethnic origin. |
| Third Parties | “Service Provider” – an entity that processes personal information on behalf of a business pursuant to a written contract. | Also includes “Contractor” – an entity ‘to whom a business makes available a consumer’s personal Information for a business purpose pursuant to a written contract with the business’ |
| Enforcement |
|
|
| Definition – Sell vs. Share | “Sell” – for monetary or other valuable consideration. |
|
| Use Limitation | N/A | Collection, retention, and use should be limited to what is necessary to provide goods or service. |
| Private Right of Action | Available when a consumer’s unredacted or unencrypted personal information has been breached due to a lack or maintenance of reasonable security measures. | In addition to unredacted and unencrypted personal information, a private right of action is available if an email address and password or security question and answer that would allow access to the account is breached. |
| Personal Information of Minors | Fines for violations of the personal information for minors is the same as the fines for other types of personal information – $2,500 for each unintentional and $7,500 for each intentional violation | Automatic $7,500 fine for a violation involving the personal information of minors |
| Required Cybersecurity Audits | N/A | Annual cybersecurity audit required for businesses whose processing presents a significant risk to consumer privacy or security |
| Required Risk Assessments | N/A | Businesses whose processing presents a significant risk to consumer privacy or security must submit a regular risk assessment to the CPPA |
| Profiling and Automated Decision Making | N/A | “Profiling” – any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person, such as work performance, health, reliability, etc. Regulations are expected to give additional information on access and opt-out rights for the use of automated decision making. |
