What is the difference between the CCPA and the CPRA?
The California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”) grant California residents arguably the most comprehensive privacy rights in the United States. The CCPA was enacted in 2018, and the CPRA was passed in 2020 as an amendment to the CCPA. In other words, the CPRA does not replace the CCPA; it expands it. Accordingly, the CPRA is often referred to as “CCPA 2.0.”
The scope of data protection is a significant difference between the CCPA and the CPRA. The CCPA covers businesses that have an annual gross revenue of $25 million, collect data on at least 50,000 households, or obtain at least 50% of their revenue from selling personal information. The CPRA extends the coverage to businesses that have an annual gross revenue of $25 million, collect data on at least 100,000 households, or obtain at least 50% of their revenue from sharing personal information.
The CPRA also addresses what many saw as two significant limitations of the CCPA: one, the absence of a specialized enforcement authority; and two, the absence of detailed guidance advising businesses on how to comply with the law. In response, the CPRA created a new agency, the California Privacy Protection Agency (“CPPA”), to replace the California Attorney General’s Office, which was previously responsible for enforcing the law. The CPPA will be responsible for providing compliance guidance, as it is expected to have more privacy expertise and resources than the Attorney General’s Office. Moreover, the CPPA will have the authority to pass further regulations, conduct investigations, and impose fines for violations of the CPRA.
What is “personal information?”
The CCPA was passed to provide California residents with certain rights regarding their personal information. It defines personal information as information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition includes the following categories:
1. Identifiers: This includes name, address, email address, social security number, driver’s license number, passport number, and IP address.
2. Customer records: This refers to any personal information that is obtained from a customer, such as purchase histories, customer service inquiries, and account information.
3. Commercial information: This includes any information that is used in the course of conducting business, such as transaction histories, product preferences, and purchase histories.
4. Protected classifications: This includes any information that pertains to characteristics that are protected under state or federal law, such as race, ethnicity, gender, and disability status.
5. Internet or other electronic network activity: This includes any information collected through a consumer’s use of the internet or other electronic networks, such as browsing histories and search histories.
What is “sensitive personal information?”
A significant addition to the above is the CPRA’s inclusion of “sensitive personal information,” which is defined as information that reveals a consumer’s social security number, driver’s license number, passport number, financial account information, precise geolocation, race or ethnicity, religious or philosophical beliefs, union membership, personal communications, genetic data, biometric information, or health information.
Individual Privacy Rights
The CPRA also expands the CCPA to provide additional rights to California residents regarding their personal information, such as the right to opt out of the sale or sharing of their personal information, the right to access their personal information, and the right to request that their personal information be deleted.
Notice at Collection
The CPRA introduces a new requirement for businesses to provide consumers with a “notice at collection” that includes more detailed information about the categories of personal information collected, the purposes for which the information will be used, and the categories of third parties with whom the information will be shared. This notice must be provided at or before the time of collection and must be easily accessible to consumers.
This notice at collection requirement is designed to provide consumers with more transparency about how their personal information is being collected and used and to allow them to make informed decisions about whether to share their information with a business. Businesses must ensure that their notice at collection is clear and concise and provides consumers with all the information they need to make an informed decision.
The Right to Know
The Right to Data Deletion
Under the CCPA, businesses are required to provide California residents with the right to request that their personal information be deleted. This right is also known as the “right to be forgotten.” The CPRA builds upon this right and expands it to cover the sensitive personal information category described above.
However, this right to deletion of personal information is not absolute. For example, businesses may retain personal information that they are legally required to keep. Additionally, businesses may be able to deny a deletion request if the personal information is necessary for the business to provide its products or services to the consumer.
The Right to Opt-Out
The CPRA also addresses the issue of data sharing and selling. The CCPA allows businesses to sell and share personal information under certain circumstances, but does not require them to obtain opt-in consent from consumers. The CPRA changes this significantly, as it now requires businesses to obtain opt-in consent from consumers before selling or sharing their personal information.
Accordingly, businesses must provide a clear and conspicuous link on their website titled “Do Not Sell or Share My Personal Information” that directs consumers to the opt-out mechanism. Once a consumer submits an opt-out request, the business must stop selling or sharing the consumer’s personal information with third parties. The business must also inform any third parties that received the consumer’s personal information that the consumer has opted out. The third parties must stop using the information for commercial purposes upon such notice.
The Right to Correct
Under the CPRA, California residents now have the right to request that businesses correct inaccurate or incomplete personal information the business may hold on them. Moreover, if the business has shared any incorrect personal information with third parties, it must inform these parties of the correction request and take steps to correct the information with them as well.
The Right to Limit
Under the CPRA, California residents have the right to request that businesses restrict the use of their sensitive personal information. Businesses must also ensure that third-party service providers with access to personal information comply with any restriction request.
Overall, the CPRA represents a significant expansion of the privacy protections provided by the CCPA. With its broader scope of coverage, enhanced enforcement, and additional privacy rights, the CPRA is likely to have a more profound impact on the privacy practices of businesses operating in California. As such, businesses operating in California should carefully review their privacy practices and ensure compliance with the new requirements introduced by the CPRA to avoid potential fines and legal liability.
Some key measures that businesses can take to comply with the CCPA include:
1. Updating privacy policies: Businesses should update their privacy policies to ensure that they are in compliance with the CCPA’s requirements for transparency and disclosure.
2. Implementing opt-out mechanisms: Businesses must provide California residents with the option to opt out of the sale of their personal information.
3. Establishing data security protocols: Businesses must implement reasonable security measures to protect personal information from unauthorized access or disclosure.
4. Responding to consumer requests: Businesses must be prepared to respond to consumer requests regarding their personal information, including providing access to personal information and deleting personal information upon request.