
CCPA vs CPRA: What's Changed for California Privacy Laws

June 2, 2023

California has been at the forefront of consumer privacy in the U.S. The California Privacy Rights Act (CPRA) significantly amends and expands the California Consumer Privacy Act (CCPA).

Background: The CCPA

The California Consumer Privacy Act (CCPA), effective January 1, 2020, was a landmark piece of legislation granting California consumers new rights regarding their personal information. It required businesses to be more transparent about their data collection and sharing practices and gave consumers more control over their personal data.

Enter the CPRA: An Evolution of Privacy Rights

The California Privacy Rights Act (CPRA), also known as Proposition 24, was passed by California voters in November 2020. Most of its provisions became operative on January 1, 2023, with enforcement beginning July 1, 2023. The CPRA amends and expands the CCPA, introducing new consumer rights, new obligations for businesses, and establishing a new enforcement agency.

Key Differences and Changes Introduced by CPRA

1. New Consumer Rights

CPRA introduces several new rights for consumers:

  • Right to Correct Inaccurate Personal Information: Consumers can request that businesses correct any inaccurate personal information the business holds about them.
  • Right to Limit Use and Disclosure of Sensitive Personal Information (SPI): Consumers can direct businesses to only use their SPI for limited purposes, such as providing requested services or goods.

CPRA also strengthens existing CCPA rights, such as the right to opt-out, which now explicitly includes the right to opt-out of the "sharing" of personal information for cross-context behavioral advertising, not just "selling."

2. Sensitive Personal Information (SPI)

CPRA creates a new category of "Sensitive Personal Information." This includes:

  • Social Security number, driver's license, state ID, or passport number
  • Financial account information (account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account)
  • Precise geolocation
  • Racial or ethnic origin, religious or philosophical beliefs, or union membership
  • Contents of mail, email, and text messages (unless the business is the intended recipient)
  • Genetic data
  • Biometric information processed for the purpose of uniquely identifying a consumer
  • Health information
  • Information about sex life or sexual orientation

Businesses face stricter requirements for collecting, processing, and disclosing SPI.

3. Expanded Scope and Thresholds

The CPRA modifies the applicability thresholds for businesses. A business is subject to CPRA if it meets one or more of the following criteria:

  • Has annual gross revenues in excess of $25 million in the preceding calendar year. (This threshold remains the same as CCPA).
  • Annually buys, sells, or shares the personal information of 100,000 or more California consumers or households. (This doubles the CCPA threshold of 50,000 and clarifies "sharing" for cross-context behavioral advertising).
  • Derives 50% or more of its annual revenues from selling or sharing California consumers' personal information. (This also clarifies "sharing").

Notably, CPRA removed the CCPA threshold related to the number of devices.

4. Establishment of the California Privacy Protection Agency (CPPA)

CPRA establishes a new agency, the California Privacy Protection Agency (CPPA), dedicated to implementing and enforcing California's privacy laws. This agency takes over rulemaking authority from the California Attorney General and has investigative and enforcement powers.

5. Data Minimization and Purpose Limitation

CPRA codifies principles of data minimization and purpose limitation. Businesses should only collect consumers' personal information for specific, explicit, and legitimate disclosed purposes and should not further collect, retain, or use it for incompatible purposes without consumer consent. The collection, use, retention, and sharing of personal information should be limited to what is reasonably necessary and proportionate to the purposes for which it was collected.

6. Expanded Data Breach Liability

CPRA expands the private right of action for data breaches. Consumers can sue businesses if their nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures. CPRA adds email addresses in combination with a password or security question and answer that would permit access to an account to the list of data types that can trigger this private right of action if breached.

7. Employee and Business-to-Business (B2B) Data

The exemptions for employee data and B2B data under CCPA expired on January 1, 2023. This means that personal information collected in the employment context and B2B personal information are now fully covered by CPRA, requiring businesses to extend CPRA rights and protections to their California employees, job applicants, and B2B contacts.

What Businesses Should Do

  • Update Privacy Policies: Reflect the new rights and definitions under CPRA, especially regarding SPI and data sharing for cross-context behavioral advertising.
  • Review Data Inventories: Identify and map all personal information, paying special attention to SPI.
  • Implement Processes for New Rights: Develop procedures to handle requests for correction and limitation of SPI use.
  • Update Opt-Out Mechanisms: Ensure opt-out processes cover both "selling" and "sharing" for cross-context behavioral advertising, and add the required "Limit the Use of My Sensitive Personal Information" link if you use or disclose SPI beyond the purposes the law permits.
  • Vendor Contract Management: Review and update contracts with service providers, contractors, and third parties to ensure they comply with CPRA requirements.
  • Employee and B2B Data: Extend CPRA compliance efforts to employee and B2B data.
  • Data Minimization: Review data collection and retention practices to align with data minimization and purpose limitation principles.

Conclusion

The CPRA significantly strengthens California's privacy landscape, imposing new and more stringent obligations on businesses. It's crucial for businesses to understand these changes and take proactive steps to ensure compliance. While building on the foundation of the CCPA, the CPRA introduces new complexities that require careful attention to data handling practices, transparency, and consumer empowerment.

Need to update your Privacy Policy for CCPA/CPRA?

Our free Privacy Policy generator can help you create a policy that addresses the requirements of California privacy laws.
