Legislative Updates

The CCPA and CPRA – Privacy Law Impact on Employers

07.14.2021

Emptech's founder, Jeff Aleixo

Author

Jeff Aleixo

CCPA CPRA privacy law compliance

The California Privacy Rights Act (CPRA), also referred to as CCPA 2.0, is a new state-wide data privacy bill passed into law on November 3, 2020. As it makes a variety of amendments to the requirements set by the California Consumer Privacy Act (CCPA), CPRA represents a significant addition to data privacy legislation.

While the majority of provisions in the CPRA do not go into effect until January 1, 2023, it is necessary for businesses to consider the new requirements since changes to privacy practices can take time. To do this effectively and create conditions for privacy law compliance, it is critical to understand the key differences between the CCPA and CPRA, what areas of the CCPA will be amended with the passage of the CPRA, and what steps organizations should take to prepare for these changes.

The Origins of the CPRA

When the CCPA was drafted by the California legislature in 2018, it was based on an original California ballot initiative created by the Californians for Consumer Privacy. While the ballot proposition took an aggressive approach to data protection, the California legislature ultimately designed the CCPA to be less restrictive.

In 2020, one of the CCPA’s original proponents filed the CPRA ballot initiative, or Proposition 24, to further enhance consumer privacy in California. The ballot initiative included a provision limiting legislative amendments that might weaken its provisions in order to preserve the full strength of the CPRA.

CPRA moves California’s data protection laws closer to the EU’s GDPR standard. When it becomes legally enforceable in 2023, California residents will have a right to know where, when, and why businesses use their personally identifiable data. In the meantime, only the administrative provisions of the CPRA, which establish the California Privacy Protection Agency and call for new regulations, will become immediately effective. 

Despite having some similarities, the CCPA and the GDPR also differ significantly on a number of issues. Find out how is the CCPA different from the GDPR to achieve compliance and prevent penalties.

Comparison Between the CCPA and CPRA

Since the CCPA has been criticized for its ambiguous language, complex advertising, and sale rules, the CPRA attempts to clarify these confusions, while strengthening and expanding the existing regulations. As a result, CCPA and CPRA are based on the same foundation. Whether expanding existing provisions or adding entirely new ones, CPRA always refers back to the original CCPA law text itself.

With many of the world’s leading tech companies based in California, both the CCPA and CPRA will have national and potentially global repercussions. Therefore, companies need to update their privacy programs in order to comply with a rigorous set of data protection requirements. To do this effectively, it is necessary to understand the differences between the CCPA and CPRA.

Scope

One of the main differences between the CCPA and CPRA is the new definition of covered businesses. The preexisting CCPA law applied only to businesses that:

  1. had more than $25 million in gross revenue,
  2. derived 50% or more of their annual revenue from selling consumers’ personal information, or
  3. bought, sold, or shared for commercial purposes the personal information of 50,000 or more consumers, households, or devices.

According to the CPRA, a company must have made $25 million in gross revenue in the previous calendar year to become subject to the law. Also, while the CCPA applied to businesses that made more than half their revenue from selling data, the CPRA now also applies to companies that make half their revenue from sharing personal information with third parties. Finally, the threshold for personal information-based businesses raised from 50,000 consumers, households, or devices to 100,000.

Sensitive Personal Information

The CPRA introduces the concept of sensitive personal information as a new legal definition. It encompasses race and ethnic origin, health information, religious beliefs, sexual orientation, Social Security number, biometric or genetic information, and personal message contents.

In addition to the right to correct their personal information and know for how long a company might store it, the CPRA enables consumers to opt-out of geolocation-based ads and of allowing their sensitive personal information to be used.

Enforcement

There are differences when it comes to the enforcement of the CCPA and CPRA. While the CCPA is enforced by the office of California’s Attorney General, the CPRA establishes the California Privacy Protection Agency (CPPA). The agency is vested with full administrative power, authority, and jurisdiction to implement and enforce CPRA.

Violation of Minors’ Personal Information

Under the CCPA, violations involving the personal information of those under 16 years of age would incur fines of $2,500 per violation, the same amount as violations of adult personal information. On the other hand, the CPRA increases these fines to $7,500 per violation.

Cure Period

Under the CCPA, certain actions can be pursued only after a consumer has provided a business 30 days to cure the alleged noncompliance violation. Another difference between the CCPA and CPRA is that the CPRA eliminates the cure period. According to this law, the implementation and maintenance of reasonable security procedures and practices after a breach is not a suitable remedy for noncompliance violations.

Implementation of Reasonable Security Procedures and Practices

The CPRA includes an affirmative requirement for businesses that collect consumers’ personal information to implement reasonable security procedures and practices. Therefore, businesses need to identify and implement procedures and practices that are appropriate to the nature of the personal information processed and the potential risks. Also, businesses may face administrative fines if they fail to maintain reasonable security to protect consumers’ personal information, even in the absence of a data breach.

Definition of Sale

Currently, businesses that sell the personal information of California consumers need to provide consumers with certain disclosures and the right to opt-out of the sale by posting a “Do Not Sell My Personal Information” link on their website.

Apart from this, the CPRA allows consumers to also opt-out of the sharing of personal information with third parties. Consequently, companies that engage in targeted advertising need to place a link titled “Do Not Sell or Share My Personal Information” on their website.

Privacy Law Compliance

Although the new and modified obligations under the CPRA will not enter into force until January 1, 2023, these new regulations and requirements will take significant time to implement. This is why businesses need to take the necessary measures to keep pace with a constantly changing privacy landscape and give consumers back control over their personal information.

Both the CCPA and CPRA are likely to drive further legislation across the US. Therefore, achieving compliance will be a significant preparation for possible federal-level data protection regulations, which will have similar rules, requirements, and penalties for businesses, regardless of where their customers are. Furthermore, implementing proper technology can help businesses ensure the proper policies and procedures are in place and the appropriate measures are taken to safeguard consumer information. Such practices help strengthen the existing privacy program and streamline compliance with both the CCPA and CPRA.

Use a range of industry-leading solutions designed to ensure compliance with different regulations, eliminate costs, and prevent potential non-compliance penalties.
The information contained within this document is general in nature and is not intended and should not be construed as legal, HR, or opinion by Emtpech. Please contact Emptech or another subject matter professional prior to acting on any information provided in this document. We recommend caution when contemplating acting on any information provided in this document as it may not be applicable or suitable for the specific viewer’s needs. Emptech assumes no obligation to update any viewer of any changes in law, rule, or regulation that could affect the information contained herein. Without express written permission from Emptech, no part of this document may be reproduced, retransmitted, or otherwise redistributed in any form or by any means, including, but not limited to photocopying, electronic, facsimile transmission, or using any other information storage and retrieval system.