In today's digital age, where concerns about data privacy and security abound, California has emerged as a leader in enacting comprehensive legislation to protect the personal information of consumers.
In 2018, the California Consumer Privacy Act (CCPA) was enacted, changing how consumer privacy is treated in the US by establishing new business obligations and consumer rights around data privacy. With the passage of the California Privacy Rights Act (CPRA) in 2020, the landscape has changed again. The CPRA amends and expands the CCPA, adding important reforms to safeguard consumer privacy rights.
In this blog, we examine the fundamental distinctions between the CCPA and the CPRA and how these changes affect businesses and consumers. Whether you live in California, own a business, or are simply concerned about data privacy, this article will help clarify how to navigate these two laws so that your company is best positioned to protect your consumers in the event of a data security incident.
But first, let’s understand what the CCPA and CPRA laws are about.
What is the California Consumer Privacy Act (CCPA)?
The CCPA requires businesses to disclose the categories of personal information they collect, why they collect it, and with whom they share it. Businesses must also allow consumers to opt out of the sale of their personal information. The CCPA took effect on January 1, 2020.
The CCPA is California's counterpart to the European Union's General Data Protection Regulation (GDPR). Both regulations give consumers the right to be informed about the personal information collected about them and the right to opt out of the sale of that information.
What is the California Privacy Rights Act (CPRA)?
The California Consumer Privacy Act (CCPA) is strengthened and expanded upon by the California Privacy Rights Act (CPRA), a statute exclusive to California. The CPRA grants the California Attorney General increased enforcement authority and confers new rights on Californians. The CPRA, also known as CCPA 2.0 or Proposition 24, was placed on the ballot for the general election on November 3, 2020, and was overwhelmingly endorsed by California voters.
Like the CCPA, the CPRA is built on an opt-out consent framework for cookies: as long as data subjects can object, no prior consumer consent is required to set cookies.
Concerns that the CCPA did not go far enough to protect consumers’ privacy rights led to the enactment of the CPRA. The CPRA introduces new provisions and alters various sections of the CCPA, including:
- Establishing a right to know what personal data about you is being gathered;
- Providing the consumer with the option to decline the sale of their data (as opposed to accepting it);
- Granting the consumer the ability to ask for the deletion of their data;
- Preventing companies from treating the consumer unfairly if they exercise their right to privacy; and
- Enabling the creation of a new and more powerful enforcement body, the California Privacy Protection Agency (CPPA).
Now, let’s see how the CCPA and the CPRA are similar.
What are the Similarities Between CCPA and CPRA?
Both the CCPA and the CPRA are data privacy rules that control how companies handle the personal data of California residents. They are similar in many ways, including:
- Both statutes guarantee Californians the right to know what personally identifying information is being gathered about them and for what purposes.
- Californians can ask for the deletion of their data under both laws.
- Californians can opt out of the sale of their personal information to third parties under both laws.
- Both laws require companies to provide a prominent link on their homepage that reads "Do Not Sell My Personal Information."
CCPA vs. CPRA: Who Does It Impact?
As for which businesses these laws apply to, here are the thresholds for each:
For CCPA:
A business is covered by the CCPA if one or more of the following apply:
- Has gross annual revenue of more than $25 million;
- Buys, receives, sells, or shares the personal information of at least 50,000 consumers; or
- Derives at least 50% of its annual revenue from selling or sharing personal information.
For CPRA:
A business falls under the CPRA if one or more of the following apply:
- Has gross annual revenue of more than $25 million;
- Buys, receives, sells, or shares the personal information of at least 100,000 consumers; or
- Derives at least 50% of its annual revenue from selling or sharing personal information.
Differences Between CCPA and CPRA
Now that you know the similarities between the CCPA and the CPRA and which businesses they apply to, let's look at their differences:
1. Opt-Out Requirements
The CPRA goes well beyond the CCPA's consumer protections when it comes to opt-out requirements. The CPRA grants consumers the right to stop businesses from sharing their personal information with providers of targeted advertising services, whereas the CCPA only permits consumers to opt out of the sale of their personal information. But what exactly counts as sharing consumer data?
The CPRA defines data sharing as giving out personal data that can be used for the following:
- Behavioral profiling of a user across websites, apps, and devices; and
- Targeting specific consumers with advertising based on their behavior or interests.
The CPRA is also expected to create regulations that forbid companies from gathering information beyond what is required to handle an opt-out or consumer privacy request.
2. Consumer Requests
The CPRA expands the types of information consumers can request from businesses, building on the standards established by the CCPA. Under the CPRA, consumers can make five main types of information requests to businesses that collect and store their data:
- Categories of personal information – Consumers have a right to know what categories of personal information, such as race or ethnicity, citizenship status, and religious beliefs, may be gathered from different organizations.
- Categories of collection sources – The CPRA enables consumers to inquire about the locations from which their data was collected.
- Collection purposes – Consumers have the right to ask businesses what reason(s) they have for gathering, selling, or disclosing their personal information.
- Third-party access – Consumers have a right to know the types of third parties to which a company discloses their personal information.
- Specific data gathered – The CPRA gives consumers the right to know the specific pieces of personal information that businesses have collected about them.
3. Right to Delete
The CPRA further sets itself apart from the CCPA through the right to delete, which lets consumers decide what personal information businesses may retain. Consumers have the right to ask that any information a company holds about them be fully erased.
In addition, the CPRA mandates that when a business receives a deletion request, it must:
- Notify all parties with whom it has shared the consumer's data; and
- Require those parties to honor the deletion request and confirm when it is complete.
Similar requirements exist under the CCPA, which requires organizations to remove data from "its existing systems," but the CPRA makes this explicit and treats it as a crucial component of a deletion request.
4. Audit Risk Assessments
The CPRA imposes new rules on audits and risk assessments. To reduce risks to the privacy and security of consumer data, this provision would require companies that process consumers' personal information to undergo annual cybersecurity audits and risk assessments.
In 2024, the California Privacy Protection Agency plans to decide on the precise standards for firms and the scope of their reviews. The agency will also issue further guidance on what a risk assessment and a cybersecurity audit entail for a given business. Risk assessments must be submitted to the agency for approval and must describe the data involved, including what it contains, where it is retained, and how it is stored.
Other significant changes under the CPRA include:
- Contractual Agreements:
Under the CPRA, businesses must have suitable contractual clauses with service providers, contractors, and third parties. Such agreements prohibit the storage, use, or disclosure of personal data for any reason other than those laid out in the agreement. Contracts may also enable businesses to perform manual reviews, automated scans, recurring assessments, and audits at least once a year.
- Data minimization
The CPRA introduces data minimization and purpose limitation, which are fundamental GDPR concepts. The CPRA requires businesses to collect only the personal data needed for the purposes for which it is being gathered. Additionally, companies may retain consumer information only for as long as is required to fulfill the original purpose for which it was collected.
- Rights of children
The CPRA strengthens opt-in rights for minors. Before selling or sharing the personal information of a consumer under 16, a business must obtain that consumer's opt-in authorization. According to the CPRA, "technical specifications for an opt-out preference signal that allows the minor or their parent to specify that the consumer is less than 13 or between 13 and 16 years of age" should also be established.
- Rights to data access and portability
Consumers can now request personal data collected more than 12 months ago. Businesses may limit their response to the 12-month look-back period only if providing older data would involve disproportionate effort. This applies to information collected on or after January 1, 2022.
Under the CPRA, consumers can also request that a business transmit certain personal information to another organization. The CPRA requires that the data be provided in a machine-readable format that is understandable to the typical consumer.
CCPA Compliance Readiness with Akitra!
Establishing trust is a crucial competitive differentiator when courting new SaaS customers in today's era of data breaches and compromised privacy. Customers and partners want assurance that their vendors are doing everything possible to prevent the disclosure of sensitive data, and compliance certification fills that need.
Akitra offers an industry-leading, AI-powered compliance automation platform for SaaS companies. Using automated evidence collection and continuous monitoring, together with a full suite of customizable policies and controls as a compliance foundation, our platform and service help customers prepare for CCPA compliance, along with other security frameworks such as SOC 1, SOC 2, HIPAA, GDPR, PCI DSS, ISO 27001, ISO 27701, ISO 27017, ISO 27018, NIST CSF, NIST 800-53, NIST 800-171, FedRAMP, CMMC, the CIS AWS Foundations Benchmark, and more. In addition, companies can use Akitra's Risk Management product for company-wide risk management, Trust Center, and the AI-based Automated Questionnaire Response product to streamline and expedite security questionnaire responses, delivering substantial cost savings. Our compliance and security experts provide customized guidance to navigate the end-to-end compliance process with confidence.
The benefits of our solution include significant savings in time, staff effort, and cost, including discounted audit fees with our audit firm partners. Customers achieve compliance certification quickly and cost-effectively, stay continuously compliant as they grow, and can become certified under additional frameworks using a single compliance automation platform.
Build customer trust. Choose Akitra TODAY!
To book your FREE DEMO, contact us right here.