CPRA vs CCPA: What are the Differences?

In 2018, California passed the California Consumer Privacy Act (CCPA), which was considered a landmark privacy law that gave Californians more control over their personal data. However, on November 3, 2020, Californians approved Proposition 24, also known as the California Privacy Rights Act (CPRA), which modifies and expands the CCPA.

If you’re a business owner or marketer, it’s crucial to understand the differences between CPRA and CCPA, as failure to comply with these laws can result in severe penalties. In this article, we’ll take a closer look at CPRA and CCPA and their key differences.

What is CCPA?

The California Consumer Privacy Act (CCPA) is a privacy law that went into effect on January 1, 2020. The CCPA is designed to give Californians more control over their personal data and requires businesses to disclose what personal data they collect, sell, or share with third parties.

Under CCPA, consumers have the right to request businesses to delete their personal information, opt-out of the sale of their personal information, and access their personal information. Businesses that fail to comply with CCPA can face significant fines and legal action.

What is CPRA?

The California Privacy Rights Act (CPRA) is an expansion of CCPA that modifies and adds new privacy rights for Californians. CPRA provides additional privacy protections for consumers, such as the right to correct their personal information and limit the use of sensitive personal information.

CPRA also creates a new state agency, the California Privacy Protection Agency, responsible for enforcing the privacy rights of Californians. The agency has the power to investigate and enforce privacy violations and impose penalties for non-compliance.

Key Differences Between CPRA and CCPA

Scope
CCPA applies to businesses that collect or sell the personal information of California residents and meet certain revenue or data processing thresholds. CPRA expands the scope of CCPA by applying to businesses that collect or share the personal information of California residents and process the personal information of 100,000 or more consumers annually.

Sensitive Personal Information
CPRA adds a new category of personal information called sensitive personal information, which includes government-issued identification numbers, account log-in credentials, race, ethnicity, religious beliefs, and precise geolocation data. Consumers have the right to limit the use of their sensitive personal information.

Enforcement
CPRA creates a new state agency, the California Privacy Protection Agency, responsible for enforcing the privacy rights of Californians. The agency has the power to investigate and enforce privacy violations and impose penalties for non-compliance.

Right to Correct Personal Information
CPRA provides consumers with the right to correct inaccurate personal information held by businesses.

Duration of Opt-Out
CPRA extends the duration of the opt-out period for the sale of personal information from 12 months to until the consumer opts back in.

Conclusion

CPRA is more than just an amendment to CCPA. It adds significant changes and expansions to the current privacy law, such as new categories of personal information and the creation of a new enforcement agency. Businesses that collect or share the personal information of Californians should take the necessary steps to comply with CPRA and avoid penalties for non-compliance. By understanding the differences between CPRA and CCPA, you can ensure that your business is on the right track to protecting the privacy rights of Californians.

Privacy and Trust News

Helping your business exceed the compliance standard.

Our team of experienced privacy attorneys & certified privacy professionals have a proven track record of delivering privacy frameworks and data privacy solutions, tailored to your business needs.