- Products
- Solutions
- Company
- Resources
California's evolution from the CCPA to the CPRA in a matter of years goes to show the unpredictable nature of data privacy regulation at large. If you're familiar with either one, give this article a read. It goes into detail explaining each law, how they relate to one another, the differences between them, and the implications for businesses and consumers alike.
What Is the CCPA?
The CCPA, or California Consumer Privacy Act, was a first-of-its-kind piece of legislation first introduced by California's state government in 2018. The final version established local residents' rights with respect to how their personal information is collected, handled, and managed by businesses online.
Spelled out, these include:
● The right to know what data companies collect from them and how that data is used.
● The right to request the deletion of personal data companies collect from them, with some exceptions.
● The ability to opt out of the sale or sharing of personal data.
● Protection against discrimination for exercising CCPA rights.
What Is the CPRA?
The CPRA, or California Privacy Rights Act for short, is a newer law that was approved by a public vote in November 2020. Intended to extend the original CCPA's level of protection, the framework's provisions gave citizens additional rights to correct any inaccurate personal data companies hold on them and the right to limit companies' use and disclosure of their sensitive personal data - more on these later.
Comparing CCPA v CPRA Rules
While the CCPA was already quite comprehensive, state lawmakers saw a need to update it in the face of evolving risks. With every year bringing more sophisticated data collection and usage techniques, it would only be a matter of time before the original framework's protections would become outdated. This newer version effectively replaced the first to give it the name most people refer to it by today – CCPA 2.0 or CPRA.
The biggest differences between the CCPA and its successor, the CPRA, are as follows.
More Consumer Rights
The CPRA gave California residents additional control over the accuracy and disclosure of their personal data while also making slight changes to existing rights to opt out of third-party sales, to know, and to delete. It further established consumers' right to access information about any forms of automated decision-making technology businesses use to handle their personal information.
Qualifying Criteria for Businesses
Lawmakers adapted the criteria organizations need to meet in order to qualify for the law, effectively doubling the CCPA's original earning threshold for consumer data purchase, sale, and sharing activities to $100,000 per year. That adds some breathing room for smaller organizations that would otherwise qualify at $50,000.
Protections for Highly Protected Data
The California Privacy Rights Act outlines special protections for Sensitive Personal Information (SPI), including new purpose limitation requirements and updated disclosure requirements.
GDPR Influences
California's data privacy laws are often compared to those of the European Union, which is well-known for its equally extensive General Data Protection Regulation (GDPR). The two started out completely unique, but have since influenced one another in several ways. The CPRA notably adopted three characteristic GPPR concepts - data minimization, purpose limitation, and storage limitation - in its amendments.
Legally Actionable Types of Data
The CPRA expands consumers' ability to take legal action against companies who fail to protect their personal information, adding login credentials to the sensitive types of data that consumers can sue over.
Privacy Enforcement Authority
The CPRA created the California Privacy Protection Agency (CPPA), an independent state agency responsible for enforcing consumer data privacy rights. The CPPA has broad authority to conduct investigations, issue orders, and impose fines on companies that violate CPRA regulations.
Conclusion
The California Privacy Rights Act surpasses the CCPA in terms of comprehensiveness, adding several key components to its predecessor's framework and strengthening consumer data privacy rights across the state. Despite having only been effective since January 1st, 2023, the CPRA has already had a major influence on other U.S jurisdictions as they look to update and improve their own data privacy regulations.
Stay ahead of compliance with iDox.ai Data Discovery platform. iDox.ai’s comprehensive data discovery platform streamlines your CPRA compliance journey, enabling you to protect consumer rights, enhance data privacy, and maintain customer trust.