The California Privacy Rights Act (CPRA) was passed at the end of 2020. It bolsters the California Consumer Privacy Act (CCPA), which is already being enforced across the state. Any company or organization with consumers or clients in California must meet the compliance standards of both privacy acts. When comparing the CCPA with the CPRA, it is not always easy for businesses to understand what the differences mean for them.
In this article, you will learn the differences between California’s two privacy acts and how they could affect your business.
What is the California Consumer Privacy Act (CCPA)?
Consumers have specific rights that are outlined in the CCPA.
- They have the right to know what data is being collected and how it is used, shared, and sold by the company with whom they are doing business.
- Consumers have the right to request their personal information be deleted and no longer stored, shared, sold, or used.
- These rights extend to minors: consumers under 16 years of age must give explicit consent, and anyone under the age of 13 must have a parent or guardian give consent.
- The act also guarantees that consumers who opt out of information sharing will not be penalized by the business with higher prices or decreased service.
Businesses Subject to CCPA Guidelines
Any company that meets one or more of the following three thresholds is subject to CCPA guidelines:
- Any business with gross annual revenue of $25 million or higher
- Any business for which personal data sales account for more than 50% of annual revenue
- Any organization that receives, sells, or purchases the personal information of 50,000 or more households, individuals, or devices
What is the California Privacy Rights Act (CPRA)?
The CPRA is an extension of the CCPA. Businesses still have to follow the same standards set down in the CCPA. However, the new consumer privacy rights act expands on the regulations set down by the first law. It closes some possible loopholes and strengthens weak points in the original act.
Some procedural nuances are still being revised by the California Attorney General and won’t be finalized until July 1, 2022. With the CPRA regulations going into effect on January 1, 2023, businesses have time to meet the new consumer privacy standards.
CCPA vs. CPRA: What Businesses Need to Know
The CPRA does not replace the CCPA, but it does add to it and strengthen some of the act’s existing standards. The new consumer rights act includes additional provisions for third-party vendors, beefs up compliance enforcement, and requires companies to perform regular cybersecurity audits along with risk assessments. Here’s a closer look at the differences between the CCPA and the CPRA.
Businesses That Must Meet Compliance Standards
Any for-profit organization with $25 million or more in annual gross revenue must follow CPRA standards. This threshold hasn’t changed since the passage of the first consumer privacy protection act. Neither has the threshold for annual revenue from selling California residents’ personal data, which remains at 50% and up. What has changed is that the CPRA now also includes businesses that share consumers’ personal information.
Businesses that meet one or more of these thresholds are liable for non-compliance issues under the CPRA.
Employee exemptions under CCPA expired January 1st, 2021, but the new act extends the deadline to January 1st, 2023. The extension is designed to give employers and employees more time to handle the details regarding the storage, handling, and use of workers’ personal data.
Businesses have the right to collect employee data that includes names, addresses, phone numbers, and social security numbers, along with emergency contact information. While employees must provide the requested information and cannot opt out the way consumers can under either privacy act, they do have certain rights.
Employees can request that employers reveal how their information is being used. Employees also have the right under the CPRA to pursue a private right of action when a security breach involving their data occurs. With the extension, companies have more time to address these concerns and to respond to employees in the event of a cybersecurity breach.
The CCPA establishes four consumer rights, all of which are retained under the new CPRA guidelines; the CPRA also adds two more.
Both the CCPA and CPRA give consumers the right to:
- Know what information is stored and access it at any time
- Have their data deleted upon request without delay or other problems
- Opt out of the sharing of their information during the sales process
- Not be penalized for refusing to share their information
The two additional rights under the CPRA are:
- The right to limit how their information is used and disclosed
- The right to have any incorrect information corrected promptly without incurring penalties from the company
Covered Personal Information
Both California privacy acts cover personal information, but the definitions differ, and the CPRA takes it a step further. According to the CPRA, personal data is defined as any information linked to a person or household. Due to the original act’s relatively vague wording, companies can find potential loopholes in what is considered identifiable information.
The CPRA provides a more definitive definition of personal information and also adds a category of sensitive personal data, which includes:
- Driver’s license numbers
- Social security numbers
- Racial and ethnic origins
- Precise geolocations
- Biometric data
Even though third parties were included in the CCPA, the coverage was limited to service providers. It included any vendor that processes personal data for the business, payment authorizers, and product or service providers. Still, it did not cover all the third-party organizations companies often do business with.
The California Privacy Rights Act includes third-party contractors. It effectively closes the loopholes regarding sharing consumer data with any organization under contract with the business. Consumers have the right to know who their data is being shared with or sold to, and they can opt out for any reason.
One of the areas with the most significant changes is the enforcement of the consumer privacy act. Previously, it was up to the California Attorney General to pursue violations. Businesses had 30 days to resolve a complaint before facing fines levied by the state’s AG. Consumers also had the right to take private legal action if their personal information was breached.
Consumers still have the right to take civil action, but the AG is no longer responsible for enforcing privacy act violations. The California Privacy Protection Agency has been created and will guide businesses, along with enforcing compliance violations. Another change is that businesses no longer have a 30-day grace period. Instead, they can face fines immediately after the breach is reported.
Redefining Sell vs. Share
The CCPA and CPRA define selling data as an act for monetary or other valuable consideration. The California Privacy Rights Act also brings sharing information into its standards. When a business gives a third party access to data for advertising that benefits the company, without money being exchanged, it is considered sharing.
Consumers have the right to know with whom the business is sharing or to whom it is selling their information. They also have the right to opt out of the practice.
Limiting Data Usage
The California Consumer Privacy Act did not limit data usage, but this changed with the passage of the CPRA. The new act limits the collection, storage, and use of identifiable consumer information to what is necessary to successfully exchange goods or services. Companies cannot gather, retain, or use data that is not necessary or is no longer needed.
Consumers’ Private Right of Action
Consumers have the right under both California privacy acts to pursue a private right of action if unencrypted or unredacted data is breached due to negligence on the company’s part. The CPRA gives consumers additional rights: they can bring civil actions against a business for failing to have or maintain security measures for unencrypted or unredacted information and data pertaining to email addresses, passwords, and answers to security questions.
The CPRA covers all identifiable information that can lead back to an individual or household, or that could allow a hacker to access their accounts.
Personal Data on Minors
The passage of the CPRA simplifies the potential fines businesses face for violations involving a minor’s personal information. CCPA penalties range from $2,500 for an unintentional security breach to $7,500 for an intentional one.
As of January 2023, there will be an automatic $7,500 fine for each violation involving a minor’s personally identifiable information, regardless of how it occurred.
Adding Risk Assessments and Audits
Businesses will notice the most significant changes when it comes to performing risk assessments and audits. Previously, these proactive tools used to prevent cybersecurity breaches were not a required part of the California Consumer Privacy Act. Because other cybersecurity laws in place in the U.S., Canada, and Europe already require audits and assessments for compliance, California legislators did not feel it was necessary to include the standard in its privacy act.
The passage of the CPRA changed this. Annual cybersecurity audits are required of businesses that process data. The terms are vague: the standard only applies to companies whose practices may put protected data at risk. A CPPA risk assessment is also required of these businesses. The confusion over this provision stems from knowing whether your security practices are putting protected data at risk.
Additional Consumer Rights Under CPRA
The CCPA did not address automated decision-making or profiling, but the CPRA does. Profiling is no longer allowed. Profiling is when an automated data processor uses a consumer’s information to determine specific characteristics such as health, reliability, and job performance.
When automated profiling is used, companies must give consumers the option to opt out without any recriminations.
Getting Ready for CPRA
Most businesses will find that meeting the new compliance standards isn’t difficult if they already follow CCPA guidelines. However, there are some changes companies will need to implement.
The most noticeable is the inclusion of assessments and audits. A risk assessment will highlight problem areas in your cybersecurity protocols, and the audit will ensure that your company complies.
Not every company performs annual assessments or audits, and this is where the experts at RSI Security can help. The dedicated team will also explain the differences between the CCPA and the CPRA and what they mean for your business.