CCPA vs CPRA: What Is the Difference?

The California Consumer Privacy Act (CCPA) and The California Privacy Rights Act (CPRA) are two state legislations intended to strengthen data privacy rights and consumer protection. Two privacy laws passed by the State of California have profoundly altered the privacy landscape. 

The CCPA was signed in 2018 and went into effect on January 1, 2020. The CPRA, on the other hand, was approved on November 2020 and is expected to start being effective on January 1, 2023, while the final regulations are expected to take effect around April 2023.

What is the CCPA?

The CCPA is a privacy legislation that grants California residents more consumer rights and more control over their personal data. It is mainly characterized by two aspects:

1. Consumers’ rights
2. Business regulations

According to the CCPA regulations, among many rights, consumers have:

• The right to know what personal information organizations collect, how it is used, and how they are shared. 
• The right to delete their collected personal data.
• The right to refuse their personal data sale.
• The right to non-discrimination. 

The CCPA also applies to businesses that operate in California, have annual gross revenues in excess of US $25 million, manage the personal information of 50,000 or more consumers, and earn more than half of their annual revenue from selling their consumers’ personal information.

According to the CCPA regulations, businesses are required to inform consumers about their privacy practices through certain notices. 

What is the CPRA?

The CPRA, sometimes known as Proposition 24, is a California state legislation that intends to protect the privacy of its residents and strengthen their rights.  

Similar to the CCPA, the implementation of the CPRA will address:

• Consumer rights
  • The right to know who is collecting their personal information, how it is used, and to whom it is disclosed.
  • The right to limit the use of their sensitive personal information.
  • The right to correct, delete, and take their sensitive personal information from one organization to another.
  • Consumers should be able to exercise these rights through easy-accessible tools and without being penalized for doing so.
  • Consumers can hold an organization accountable for failing to protect their sensitive personal information.
  • Consumers should benefit from the use of their personal information.
  • The privacy of employees and contractors should also be protected.
• The responsibilities of businesses
  • Organizations should inform consumers about how their personal information is collected and processed, as well as how they can exercise their choices and rights.
  • Organizations should only collect their consumers’ personal information for legitimate disclosed purposes.
  • Organizations should only collect their consumers’ personal information to a relevant extent.
  • Organizations should allow their consumers to obtain, delete, correct, opt out of sales, and share their personal information.
  • Organizations should not penalize their consumers for exercising their legal rights.
  • Organizations should take precautions to protect their consumers’ personal information.
  • Organizations should be held accountable and penalized if they violate their consumers’ privacy rights. 

The CPRA applies to organizations with gross annual revenue over US $25 million, those that buy, sell, or share personal data for at least 100,000 California residents, and who derive 50% or more of their annual revenue from sharing or selling personal data.

Differences between CCPA and CPRA

The CCPA and the CPRA are two legislations that often get compared with each other, however, it is important to clarify that they are not fully separated and that they do not replace each other. Rather than being described as different, it is more accurate to refer to the CPRA as an amendment of the CCPA. In fact, the CPRA is sometimes referred to as “CCPA 2.0”, and it is the strictest privacy law in California.

The main differences between CCPA and CPRA are:

• Scope – The difference between CCPA and CPRA is that on one hand CCPA applies to organizations that collect personal information from more than 50,000 consumers, and on the other hand, CPRA applies to organizations that collect data from more than 100,000 consumers. Another similar difference is that CCPA applies to organizations that derive 50% or more of their annual revenues from selling personal information, while CPRA expands this criterion to not only selling but also sharing personal information.
• Sensitive personal information – The CPRA includes sensitive personal information as a new category, which is similar to the “processing of special categories of personal data” covered by the General Data Protection Regulation (GDPR) and varies from its classification in CCPA. 
• Sensitive personal information includes consumers’ social security, driver’s licenses, IDs, passport numbers, log-in accounts, financial accounts and credentials, precise geolocation, data related to one’s origin and beliefs, etc. Under CCPA, these data are classified as personal information. 
• Penalties – Under CCPA, violations of minors, persons under 16, and personal information are fined US $2500 per violation, the same as for adults’ personal information violations. Under CPRA, this fine is US $7500 per violation.
• Consumer requests – CPRA broadens the range of information that consumers can request from businesses, which includes categories of personal information, categories of collection sources, collection purpose, third-party access, and the specific information collected.
• Consumer rights – CPRA has added four new consumer rights, such as the right to correction, the right to limit sensitive personal information, the right to access and opt-out, and the right to data portability.
• Right to delete – CPRA has increased the power of this right and requires that whenever a deletion request is received, organizations must notify third parties with whom they have shared the consumer’s personal information, and instruct them to comply with the request.

California Privacy Protection Agency 

The California Privacy Protection Agency (CPPA) is a state government agency created by the CPRA which implements and enforces CPRA and CCPA. CPPA is also responsible for initiating public campaigns to increase awareness and understand privacy rights. 

Overall, CPPA is responsible to protect the privacy rights of California residents, and it has four main functions: education, rulemaking, enforcement, and certification.

Consequences for Non-Compliance

All organizations that may fail to comply with CCPA and CPRA will face consequences like civil penalties, damages, and non-monetary relief.

Why is Data Privacy Important?

As a lot of personal information is processed online and is collected by organizations for various reasons, the risk of such data being compromised and included in malicious activities like hacking, data breaches, phishing, identity thefts, etc., has increased. That is why it is important for organizations to implement data privacy measures and comply with laws and standards which ensure data protection.

If such information is not well-protected, it can harm the personal integrity, physical safety, and financial security of the consumers. Providing data privacy not only prevents damaging consequences but also presents many benefits, such as increasing trust, credibility, and integrity, enhancing data management, protecting reputation, staying ahead of the competition, reducing costs, managing threats, and meeting relevant standards, to name a few.

Data Privacy and ISO/IEC 27701

ISO/IEC 27701 Privacy Information Management System (PIMS) is a standard that provides organizations with requirements and guidance on how to establish, maintain, and continually improve their PIMS. It helps them protect private information assets and comply with privacy and data protection regulations.

ISO/IEC 27701 is an extension of the requirements of ISO/IEC 27001 and guidance of ISO/IEC 27002, two standards that focus on information security.

About the Author

Vlerë Hyseni is the Digital Content Officer at PECB. She is in charge of doing research, creating, and developing digital content for a variety of industries. If you have any questions, please do not hesitate to contact her at: content@pecb.com