CCPA 2.0: Key Differences with the CCPA
The California Consumer Privacy Act (CCPA), which took effect at the beginning of this year, protects the privacy of consumers of The Golden State by giving them greater control over businesses’ use of their personal information.
Specifically, the CCPA grants California consumers the rights to:
- Know what personal information businesses are collecting about them, whether the businesses are disclosing that information to third parties, and the businesses’ purposes for collecting and using the information, among other details about the businesses’ processing activities.
- Opt-out of the sale of their personal information.
- Request the businesses to delete their personal information.
- Not be subject to discrimination by businesses for exercising their privacy rights.
What is the California Privacy Rights Act (CPRA)?
Despite a set of amendments to the CCPA passed in 2019 and the California Attorney General’s Final Regulations, the coalition Californians for Consumer Privacy placed the California Privacy Rights and Enforcement Act of 2020 (CPRA), commonly referred to as CCPA 2.0, on the November 2020 ballot to give Californians the opportunity to vote on an updated privacy law.
Does CPRA replace CCPA?
In general, CCPA 2.0 (i.e., the CPRA) amends the CCPA by expanding consumer rights, heightening privacy protections, and establishing an enforcement agency to protect consumers through vigorous enforcement of the law.
When does the California Privacy Rights Act (CPRA) go into effect?
The CPRA will take effect on January 1, 2023. However, the CPRA includes a “look-back” period, meaning that many of its provisions will apply to personal information collected from January 1, 2022.
What are the differences between CCPA and CPRA?
CCPA 2.0 sets forth key differences with the current CCPA.
In particular, CCPA 2.0 would:
- Allow consumers to prevent businesses from sharing their personal information.
- Enable consumers to correct inaccurate personal information.
- Create a new category of sensitive personal information, such as race, ethnicity, religion, genetic information, sexual orientation, precise geolocation, and financial information, and give consumers the right to restrict businesses’ use of that information.
- Triple penalties for violating the rights of minors.
- Require businesses to be transparent about their use of automated decision-making and profiling.
- Prohibit businesses from retaining personal information for longer than is reasonably necessary.
- Establish the California Privacy Protection Agency to enforce the law and protect consumers’ privacy rights.
Change in scope: What data is now covered by CCPA 2.0?
CCPA 2.0 establishes a new classification for sensitive personal information (SPI), which includes information such as social security numbers, driver’s license numbers, and biometric information. CCPA 2.0 also extends several privacy rights to employees, meaning that employee data will now fall under the scope of the law.
CPRA Consumer Rights
The CPRA grants consumers the following rights:
- The right to delete their personal information
- The right to correct inaccurate personal information
- The right to know what personal information the business is collecting about them
- The right to access their personal information
- The right to know if the business is using their personal information
- The right to know what personal information the business is selling and to whom
- The right to opt-out of the sale or sharing of their personal information
- The right to limit the business’s use of their sensitive personal information
- The right to not be subject to retaliation for exercising their rights
CCPA 2.0: Businesses’ Responsibilities
CCPA 2.0 would place additional obligations on businesses, including setting forth responsibilities that essentially amount to privacy principles, such as transparency, purpose and storage limitations, and data security.
In particular, the law would:
- Impose general duties on businesses that collect consumers’ personal information. This includes informing consumers of the collection of their sensitive personal information. The collection, use, retention, and sharing of this personal information must be “reasonably necessary and proportionate” to the purposes of processing, and businesses must implement reasonable security measures to protect the confidentiality, integrity, and availability of personal information.
- Mandate rules for the notice, disclosure, correction, and deletion requirements.
- Specify the methods for limiting the sale, sharing, and use of consumers’ personal and sensitive personal information, such as the provision of a clear and conspicuous link titled “Limit the Use of My Sensitive Personal Information.”
CPRA “Do Not Sell or Share” Requirement
The CPRA removes the ambiguity of the CCPA’s “Do Not Sell” requirement by introducing “Do Not Sell or Share” opt-out obligations that organizations must comply with. Businesses are required to provide consumers with a “Do Not Sell or Share My Information” link on their websites.
Sensitive Personal Information under the CPRA
The CPRA defines Sensitive Personal Information as a new category of data that falls under its scope.
Sensitive Personal Information can include:
- A consumer’s social security or driver’s license number
- A consumer’s state identification card or passport number
- A consumer’s account login details
- Financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
- A consumer’s precise geolocation
- A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership
- The contents of a consumer’s mail, email, and text messages, unless the business is the intended recipient of the communication
- A consumer’s genetic data
- The processing of biometric information for the purpose of uniquely identifying a consumer
- Personal information collected and analyzed concerning a consumer’s health
- Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation
Implementation & Enforcement of CPRA Compliance
The CCPA 2.0 calls for vigorous protection of consumers’ privacy rights.
To that end, it would create the California Privacy Protection Agency to implement and enforce the law. Made up of appointed experts in privacy, technology, and consumer rights, the agency would provide guidance to businesses and consumers on their responsibilities and rights, respectively.
The agency would also have the authority to investigate alleged violations of the law, bring civil actions against violators, issue injunctions, and levy administrative fines.
In addition, recognizing that CCPA 2.0 must keep pace with changes, the law would require that future amendments further the law’s purpose and its privacy protections. Finally, CCPA 2.0 updates the CCPA’s definitions, such as the newly defined “profiling” and “sensitive personal information,” and revises exemptions.
CCPA 2.0: Timeline and Next Steps
The California Attorney General has issued a notice on the proposed CCPA 2.0.
CCPA 2.0 was voted into law by California voters on the California General Election ballot on November 3, 2020. The law will become effective on January 1, 2023.
How to be compliant with the California Privacy Rights Act (CPRA)
- OneTrust DataGuidance Blog: The Definitive Guide to California Privacy Laws
- OneTrust Whitepaper: Your Guide to California Privacy Law Compliance (CCPA & CPRA)
- OneTrust Infographic: CDPA vs CCPA: Comparing US Privacy Laws