What is the CPRA and how is it different from the CCPA?

Proactive management of data privacy compliance to handle strict CPRA requirements


What is the CPRA?

The California Privacy Rights Act (CPRA) was voted in by the majority of California residents on November 3, 2020 as a proposition to expand and build on the California Consumer Privacy Act (CCPA) extending consumer rights with stronger protections and other provisions. CPRA adds enforcement beyond the Attorney General, with the California Privacy Protection Agency (CPPA) to regulate, enforce, and inform privacy rights. The CPRA will go into effect on January 1, 2023.

CCPA vs. CPRA

Rights
  CCPA:
    • Right to Know
    • Right to Delete
    • Right to Opt-Out
    • Right to Non-Discrimination
  CPRA:
    • Right to Know
    • Right to Delete
    • Right to Opt-Out
    • Right to Non-Discrimination
    • Right to Correct
    • Right to Limit the Use and Disclosure of Sensitive Personal Information
    • Right to Opt-Out of automated decision-making technology

Who must comply?
  CCPA:
    • Gross Revenue >$25M
    • Buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes
    • Derives 50% or more of its annual revenues from selling consumers’ personal information
  CPRA:
    • Gross Revenue >$25M
    • Buys, receives, sells, or shares the personal information of more than 100,000 consumers, households, or devices for commercial purposes
    • Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information

Links
  CCPA: Websites must have a “Do not sell my personal information” link
  CPRA: Websites must have a “Do not sell my personal information” link and a “Limit the use of my personal information” link

Enforcement
  CCPA: California Attorney General
  CPRA: California Attorney General & California Privacy Protection Agency

Sensitive PI
  CPRA: Subcategory of Personal Information that includes sensitive data such as social security, driver’s license, state identification card, or passport number

Data Minimization
  CPRA: Personal information that is collected shall be reasonable and necessary for a business purpose

Risk Assessments
  CPRA: Organizations must conduct risk assessments with respect to their processing and collection of personal information

Limited Storage
  CPRA: Reasonable length of time a business intends to retain each category of personal information, including sensitive personal information

Minors
  CPRA: Organizations must notify minors under 16 years of age if they intend to sell or share their personal data

Cure Period (Fines)
  CCPA: 30-day cure period after receiving notice from the Attorney General before it takes further enforcement measures
  CPRA: 30-day cure period is removed

Minor Fines
  CPRA: Automatic $7,500 fine per violation involving the personal information of minors

Key Additions to CPRA from CCPA

Aligning more closely with the GDPR requirements, the CPRA adopts similar principles:
  1. Sensitive Personal Information (SPI)
    • A consumer’s social security, driver’s license, state identification card, or passport number
    • A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
    • A consumer’s precise geolocation
    • A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership
    • The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication
    • A consumer’s genetic data
  2. Data Minimization
    • The business’ collection, use, retention and sharing of a consumer’s personal information is reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed
  3. Risk Assessments
    • Submit a Data Protection Risk Assessment to the CPPA on a regular basis with respect to the processing of personal information
  4. Storage Limitations
    • Ensuring that personal information is not stored for longer than absolutely necessary for each purpose of collection disclosed at the outset
  5. Enforcement
    • An independent organization, the California Privacy Protection Agency will be in charge of enforcing CPRA

Frequently Asked Questions

California Attorney General and California Privacy Protection Agency
Any individual who has their permanent address in California
Customers of household goods and services, employees, business-to-business transactions
Yes, if you have a consumer who resides in California
Consumers may only make most information requests twice a year and only for a 12-month lookback
An analysis of how personally identifiable information is collected, used, shared, and maintained
A process designed to identify risks arising out of the processing of personal data and to minimize these risks as far and as early as possible
An individual whose data is collected and processed
An organization that collects data from one or more sources, provides some value-added processing, and repackages the result in a usable form
The process of matching fields from one database to another
A person who determines the purposes and means of the processing of personal data
A third-party who processes personal data on behalf of the controller
A business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship
For monetary or other valuable consideration
Sharing by a business with a third party for cross-context behavioral advertising for the benefit of a business where no money is exchanged
The California Consumer Privacy Act (CCPA) is a law that provides California consumers who engage with businesses with specific rights, including the ability to request how their private data is used. CCPA helps ensure companies protect personal information from misuse. The CCPA was signed into law in June 2018, setting the stage for additional regulation introduced by a subsequent California law, the California Privacy Rights Act (CPRA). CCPA went into effect in January 2020, with enforcement starting on July 1, 2020. CPRA will go into effect on January 1, 2023. CCPA and CPRA have meaningful enforcement mechanisms in place, including significant fines and penalties for non-compliance.