Summary of the CCPA
The California Consumer Privacy Act (CCPA) grants consumers rights related to the collection, use, and sale of their personal data—and prevents businesses from discriminating against them for exercising those rights.
Signed into law in June 2018, the new regulation comes as a response to a multitude of businesses, targeting Silicon Valley firms that are making headlines for mishandling or exploiting private data. The CCPA focuses on making sure organizations have a business purpose for why they need personal information while enabling Californians to readily request, delete, or protect their personal information (PI) collected and governed by a business.
Summary of the CPRA
The California Privacy Rights Act (CPRA) is a new state-wide data privacy bill passed into law on November 3, 2020.
It underscores California’s position as the US frontier in data privacy legislation, as it significantly expands upon the existing California Consumer Privacy Act (CCPA) that took effect on January 1, 2020.
In short, the California Privacy Rights Act (CPRA) works as an addendum to the CCPA – strengthening rights of California residents, tightening business regulations on the use of personal information (PI), and establishing a new government agency for state-wide data privacy enforcement called the California Privacy Protection Agency (CPPA), among key changes to the Golden State’s data privacy regime.
How do the CCPA and CPRA differ from each other?
The first thing to establish is that the California Privacy Rights Act (CPRA) is a ballot measure that was approved by California voters on Nov. 3, 2020. It significantly amends and expands the CCPA, and it is sometimes referred to as “CCPA 2.0.
Consumer Rights Differences
In the CCPA consumer rights are as stated:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
The CPRA creates four new rights and modifies five existing rights for California residents.
The four new CPRA rights are:
- Right to correction, meaning that users can request to have their PI and SPI corrected if they find them to be inaccurate.
- Right to opt-out of automated decision making, meaning that California residents can say no to their PI and SPI being used to make automated inferences, e.g. in profiling for targeted, behavioral advertisement online.
- Right to know about automated decision making, meaning that California residents can request access to and knowledge about how automated decision technologies work and what their probable outcomes are.
- Right to limit use of sensitive personal information, meaning that California residents can make businesses restrict their use of this separate category of personal information, particularly around third-party sharing.
The five modified CPRA rights are:
- Right to delete, where California residents can request deletion of PI and business now have to notify third parties to delete this as well.
- Right to know, where California residents can now request access to PI collected beyond the original 12-month limit in the CCPA.
- Right to opt-out, where California residents can now opt out of businesses sharing their PI specifically for behavioral advertisement, and not only of the sale of PI, as in the CCPA.
- Rights of minors, where the opt-in requirement for businesses when dealing with minors is extended to include the sharing of PI for behavioral advertising.
- Right to data portability, where California residents can request to have their PI transported to other businesses or organizations.
Consumer Information Differences
The CCPA defines Personal Information as information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.
The CPRA creates a new category of personal information – the so-called sensitive personal information (SPI).
Sensitive personal information (SPI) includes:
- Data on race and ethnicity
- Religious beliefs, political and philosophical convictions
- Data on sex life or sexual orientation
- Genetic and biometric data
- Health data
- Geolocation
- Social security number and driver’s license
- Financial information
Sensitive personal information (SPI) is regulated separately from normal personal information with users having expanded rights over how their SPI is used, including the right to have collected SPI disclosed, to opt-out of SPI use, and subsequent consent to use SPI if users already opted out.
Personal Information Link Updates
The CCPA requires a “Do Not Sell My Personal Information” link on the home page of the website of the business, that will direct users to a web page enabling them, or someone they authorize, to opt-out of the sale of the resident’s personal information.
The CPRA amends the CCPA’s Do Not Sell-button, so that a website will have to provide a link titled “Do Not Sell Or Share My Personal Information” – adding or share, as the CPRA does in many other places.
The CPRA also creates a new, similar requirement for a website to provide a link titled “Limit The Use Of My Sensitive Personal Information” that enables California residents to limit the use and disclosure of their SPI.
In addition, the CPRA encourages businesses to make “a single, clearly-labeled link” that easily allows a consumer to simultaneously opt-out of sale or sharing of PI and limit the use or disclosure of the consumer’s SPI.
The Types of Business Impacted Changes
The CPRA amends the CCPA’s definition of business to be a website, company or organization that (changes in bold) –
- has an annual gross revenue exceeding $25 million
- derives 50% or more of its annual revenues from selling or sharing consumers’ personal information
- buys, sells or shares the personal information of more than 100,000 consumers or households per year
These changes are likely to tilt compliance from smaller companies to larger ones, whose businesses are more heavily reliant on the collection and sharing of personal information, both in scope (from 50,000 to 100,00) and in method (from only covering selling to include sharing).
Adverstising Rules Differences
The California Privacy Rights Act (CPRA) amends the CCPA to specifically regulate behavioral advertising that uses personal information to target California residents with marketing based on profiling.
Where the CCPA defined the right to opt-out as restricting the use, selling and sharing of personal information for advertising purposes in exchange for money, the CPRA creates two separate types of advertising – cross-context behavioral advertising and non-personalized advertising.
CPRA New GPDR-Like Requirements
the CPRA introduces three additional requirements for business that are closely modeled after the EU’s GDPR regime:
- data minimization
- purpose limitation
- storage limitation
Under the CPRA-amended data privacy regime in California, a website or business can only collect, use and share Californians’ personal information if it’s in accordance with what is reasonably necessary and proportionate to the collection purpose (data minimization).
In other words, you’re not allowed to collect or share more data than what is strictly necessary for your stated purpose of collection.
Likewise, a website or a business is not allowed to collect, use or share Californians’ personal information for a new purpose without first stating so, just like you’re not allowed to collect or share data without any stated purpose at all (purpose limitation).
The CPRA also amends the CCPA so that a website or business will be required to notify (at the point of collection) Californian residents about the retention time of each collected category of personal information, meaning that users have a right to know for how long their data will be stored after collection (storage limitation).
The California Privacy Rights Act (CPRA) also expands the CCPA’s current consent requirements, which are the most GDPR-like feature of California’s data privacy law, to include:
- Consent needed for the selling or sharing personal information after a user has already opted out
- Consent needed when selling or sharing the personal information of minors
- Consent needed for secondary use, selling or sharing of sensitive personal information after a user has opted out
- Consent needed for research exemptions
- Consent needed to opt-in to financial incentive
Read more about the differences between the CCPA and CPRA here