On November 4, 2020, California voters passed the California Privacy Rights and Enforcement Act (CPRA or CCPA 2.0). The CPRA amends various parts of the existing California Consumer Privacy Act (CCPA), with the changes going into effect on January 1, 2023. Many businesses have wondered what differences there are between the CCPA and the CPRA. Below, some of the differences between the two are described. 

Want to take a deeper dive? Register for the webinar CPRA vs. CCPA: What You Need to Know 

  CCPA  CPRA 
Threshold Application  For-profit businesses that collect personal information from California residents, determines the purposes in California and meet any of the following: 

  • Have a gross annual revenue of over $25 million; 
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or 
  • Derive 50% or more of their annual revenue from selling California residents’ personal information. 

 

For-profit businesses that collect personal information from California residents, determines the purposes in California and meet any of the following: 

  • Have a gross annual revenue of over $25 million; 
  • Buy, sell, or share the personal information of 100,000 or more California residents or households; or 
  • Derive 50% or more of their annual revenue from selling or sharing California residents’ personal information. 

 

Employee and B2B Exemption  Expires on Jan. 1, 2021  Expires on Jan 1, 2023 
Consumer Rights 
  • Right to Know/Access 
  • Right to Delete 
  • Right to Opt-out of Sale 
  • Right to Non-Discrimination 
All rights under the CCPA, plus: 

  • Right to Rectification 
  • Right to Limit Use and Disclosure of Sensitive Personal Information 
Covered Personal Information  “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.  Personal information, as well as “Sensitive Personal Information” which includes information such as SSN, driver license numbers, biometric information, precise geolocation, and racial and ethnic origin. 
Third Parties  Service Provider – an entity that processes personal information on behalf of a business pursuant to a written contract.  Also includes “Contractor” – an entity to whom a business makes available a consumer’s personal Information for a business purpose pursuant to a written contract with the business’ 
Enforcement 
  • Attorney General can pursue violations 
  • Consumers have a private right of action for a breach of certain information 
  • Businesses have a 30day cure period before being fined for a violation by the AG 
  • Creation of the California Privacy Protection Agency for enforcement and guidance 
  • Consumers have a private right of action for a breach of certain information 
  • Businesses no longer have a 30day cure period before being fined for a violation by the CPPA 
Definition – Sell vs. Share  “Sell” – for monetary or other valuable consideration. 
  • “Sell” – for monetary or other valuable consideration 
  • “Share” – share by a business to a third party for cross-context behavioral advertising for the benefit of a business where no money is exchanged. 
Use Limitation  N/A  Collection, retention, and use should be limited to what is necessary to provide goods or service. 
Private Right of Action  Available when a consumer’s unredacted or unencrypted personal information has been breached due to a lack or maintenance of reasonable security measures.   In addition to unredacted and unencrypted personal information, a private right of action is available if an email address and password or security question and answer that would allow access to the account is breached. 
Personal Information of Minors  Fines for violations of the personal information for minors is the same as the fines for other types of personal information – $2,500 for each unintentional and $7,500 for each intentional violation  Automatic $7,500 fine for a violation involving the personal information of minors 
Required Cybersecurity Audits  N/A  Annual cybersecurity audit required for businesses whose processing presents a significant risk to consumer privacy or security 
Required Risk Assessments  N/A  Businesses whose processing presents a significant risk to consumer privacy or security must submit a regular risk assessment to the CPPA 
Profiling and Automated Decision Making  N/A  “Profiling” – any form of automated processing of personal information to evaluate certain personal aspects relating to a natural person, such as work performance, health, reliability, etc. 

Regulations are expected to give additional information on access and opt-out rights for the use of automated decision making.  

 

Some of these changes are dependent on future regulations, which will be released by the soon-to-be-created California Privacy Protection Agency. Therefore, we can expect additional changes before the CPRA’s effective date of January 1, 2023.  

Want to learn more about the CPRA and how it will impact your privacy program? Find out here