The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018 and went into effect on January 1, 2020. The CCPA is a sweeping data privacy regulation thatgrants a number of privacy rights to consumers, and compliance obligations to businesses with regard to the collection and sale of personal information.
The California Privacy Rights Act (CPRA) was a ballot measure that was approved by California voters on Nov. 3, 2020. It amends and expands the CCPA. The CPRA took effect on Dec. 16, 2020, but most of the provisions revising the CCPA won’t become “operative” until Jan. 1, 2023. CPRA is sometimes referred to as “CCPA 2.0.”
Comparing CCPA and CPRA
|Effective Date||Jan. 1, 2020||Dec. 16, 2020|
|Enforcement Date||July 1, 2021||Jan. 1, 2023 (this is when CPRA becomes ‘operative’)|
|Consumer Rights Provided||The CCPA addresses a number of consumer rights which are protected under the statute, including:|
(1) The right to know about the personal information a business collects about them and how it is used and shared;
(2) The right to delete personal information collected from them (with some exceptions);
(3) The right to opt-out of the sale of their personal information; and
(4) The right to non-discrimination for exercising their CCPA rights.
(5) The right to have businesses respond to consumer requests. Under CCPA, businesses must respond to consumer CCPA requests and must demonstrate compliance with requests.
(6) Private right of action, which allows consumers to bring claims and seek damages against businesses that violate their CCPA rights.
|The CPRA adds two consumer rights: (1) The right to correct personal information that is not correct. |
(2) The right to limit use and disclosure of sensitive personal information.
|Who Must Comply||In general, the CCPA applies to a business or organization that:|
(1) Does business in California;
(2) Collects personal information;
(3) Makes decisions about processing collected data; and
(4) Satisfies at least one of the following:
a. Annual gross revenue in excess of $25 million;
b. Buys, receives forcommercial purposes, sells, or shares for commercial purposes, the personal information of at least 50,000 consumers, households, or devices; or
c. Derives at least 50 percent of its annual revenues from selling consumers’ personal information.
|Under the CPRA a “business” is a for-profit entity that does business in California, and which collects, or has collected personal information about consumers, and meets one of the following:|
(1) As of January 1, had a gross revenue of $25 million in the preceding calendar year;
(2) Alone or in combination annually buys, sells, or shares the personal information of 100,000 or more consumers; or
(3) Derives 50% or more of its annual revenue from selling or sharing consumer’s personal information.
|Personal Information and Sensitive Personal Information||The CCPA defines “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.||The CPRA created a subset of personal information known as sensitive personal information (“SPI”). SPI includes social security number, driver’s license, passport, financial account numbers, race, ethnicity, religion, union membership, personal communications, genetic data, biometric or health information, and information about sex life or sexual orientation. (SPI under CPRAbears similarities to the EU’s GDPR.)|
|Sale of Data vs. Sharing of Data||CCPA grants consumers the right to Opt-out of businesses selling their data to third parties.||CPRA grants the right to Opt-out of Third Party Sales and Sharing.|
|Vendor Management||The CCPA provides consumers the right to have their data deleted upon request.||CPRA requires businesses to notify third-parties to delete that same data upon request. CPRA also extends restrictions of SPI to third parties.|
|Decision Making Technology||Under CCPA, businesses must disclose the logic involved in automated decision-making technology as well as a description of the likely outcome of the process. However, the CCPA allows de-identified data to be used in certain circumstances. This opens the possibility that de-identified data could become re-identified personal data if an AI application is able to connect it with a particular consumer or household.||CPRA allows consumers to opt-out of automated decision-making technologies, which include profiling and analytical technologies. Such technologies are used to build digital profiles about consumers, with information such as geolocation, health status, work history, income, marital status, or other demographic indicators.|