CCPA vs CPRA: A Guide to California’s Data Privacy Laws
Introduction to California’s Data Privacy Laws
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), a ballot measure approved in November 2020, are transforming the privacy and security landscape in the US.
As the first set of comprehensive data privacy regulations in the U.S., the CCPA and CPRA have inspired other states such as Virginia or Colorado to adopt their own privacy laws. These laws are providing consumers more insights and controls over their personal data, and changing the way companies manage personal information.
This guide will provide an overview of the origins of these regulations, the personal data in scope, key business obligations, and consumer rights, and information about enforcement, penalties, and data breach requirements.
What is CCPA?
CCPA was born from a consumer-driven ballot initiative to protect personal data privacy, much like Europe’s GDPR (though there are important differences). Rather than allow the original ballot initiative to proceed, the California legislature rushed to draft and pass CCPA, primarily because it is considerably easier to amend than a law enacted via the state’s initiative process.
CCPA was introduced on January 3, 2018 and signed into law on June 28, 2018. The CCPA was the first comprehensive data privacy law to be adopted in the US and governed:
- How companies should handle data privacy matters
- How consumers can exercise their data privacy rights
What is CPRA?
Alastair Mactaggart, a real-estate developer turned privacy activist was the driving force behind CCPA. Unsatisfied with the content and outcomes of CCPA, he decided to introduce the California Privacy Rights Act (CPRA), often referred to as CCPA 2.0, in the fall of 2019 via a 52-page document and pursued the collection of signatures to bypass the legislature. The CPRA expands on multiple provisions of the CCPA, including sensitive data, consumer rights, data minimization, purpose limitation, actionable data in a breach, or the creation of a new Privacy Enforcement Authority.
On November 3, 2020, Californians voted to approve Proposition 24, a ballot measure that created the CPRA. CPRA will amend and supersede CCPA when it goes into effect on January 1, 2023.
Both the CCPA and CPRA were inspired by the GDPR and while similar in the approach, there are some important differences. The applicability, the territoriality, the scope of the protected data, the data protection officer (DPO), or the data protection impact assessment (DPIA) requirements are some of the major ones.
Official CCPA & CPRA Text
Full text for CCPA and CPRA can be accessed directly from the California Office of the Attorney General’s website below:
Effective Dates for CCPA & CPRA
When did CCPA go into effect?
The CCPA went into effect on January 1, 2020.
When does CPRA go into effect?
CPRA will come into effect on January 1, 2023.
CCPA – Who does CCPA apply to?
The CCPA is currently applicable to for-profit entities that collect personal information from California residents and meet any of the following thresholds:
- At least $25 million in gross annual revenue,
- Buys, sells or receives personal information about at least 50,000 California consumers, householders or devices for commercial purposes or,
- Derives more than 50% of its annual revenue from the sale of personal information.
CPRA – Who does CPRA apply to?
CPRA is slightly changing the thresholds and the language and replaces the above:
- with “buys, sells or shares personal information of 100,000 or more California residents or households”,
- with “derives 50% or more of annual revenue from selling or sharing California personal information.
Covered Personal Information Under CCPA & CPRA
Under both Californian Data Privacy laws, the scope of personal information covered consists of the following:
“Information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Categories of Personal Information Under CCPA & CPRA
The CCPA established eleven categories of personal information:
- Identifiers: Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
- Customer records information: Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit or debit card number, other financial information, medical information, health insurance information
- Characteristics of protected classifications under California or federal law: Race, religion, sexual orientation, gender identity, gender expression, age
- Commercial information: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
- Biometric information: Hair color, eye color, fingerprints, height, retina scans, facial recognition, voice, and other biometric data
- Internet or other electronic network activity information: Browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information: Information that is not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
The CCPA does not consider publicly available information that is from federal, state, or local government records, such as professional licenses and public real estate/property records as personal information.
CCPA Sensitive Personal Information
Under the CCPA, the concept of Sensitive Data is not covered.
CCPA Sensitive Personal Information
Under the CPRA, the “Sensitive data” categories include:
- Social Security numbers (SSNs),
- Driver’s license,
- Financial account or card numbers,
- Precise geolocation,
- Racial and ethnic characteristics,
- Religious and philosophical beliefs,
- Union membership,
- Contents of mail, email, and text messages,
- Genetic and biometric data.
Anonymous, De-identified, Pseudonymous, or Aggregated Data
The California Consumer Privacy Act does not restrict currently a business’s ability to collect, use, retain, sell, or disclose consumer information that is de-identified or aggregated.
However, the CCPA establishes a high bar for claiming data is de-identified or Aggregated Pseudonymous data may qualify as personal information under the CCPA because it remains capable of being associated with a particular consumer or household. However, the statute does not clearly categorize or exclude pseudonymous data as personal information.
Children’s Data Requirements
CCPA & Children’s Data
Under the CCPA (Section 1798.120(c)), “a business shall not sell the personal information of consumers if the business has actual knowledge the consumer is less than 16, unless the consumer, in the case of consumers at least 13 and less than 16, or the consumer’s parent or guardian, in the case of consumers who are less than 13, has affirmatively authorized the sale of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.”
This right may be referred to as the “right to opt-in.” Section 1798.120(d) further defines it by stating that “a business that has not received consent to sell the minor consumer’s personal information shall be prohibited from selling the personal information unless the consumer subsequently provides express authorization.”
CPRA & Children’s Data
Under the CPRA (Section 1798.120(c)), “a business shall not sell or share the personal information of consumers if the business has actual knowledge the consumer is less than 16, unless the consumer, in the case of consumers at least 13 and less than 16, or the consumer’s parent or guardian, in the case of consumers who are less than 13, has affirmatively authorized the sale or sharing of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.”
In addition, section 1798.120(d) states that “a business that has not received consent to sell or share the minor consumer’s personal information shall be prohibited from selling or sharing the personal information unless the consumer subsequently provides consent.”
Under both privacy regulations, businesses must inform consumers about:
- The personal information categories collected,
- The intended use purposes for each category.
In addition, further notice is required to:
- Collect additional personal information categories
- Use collected personal information for unrelated purposes
The CCPA requires that businesses provide specific information to consumers and establishes delivery requirements.
Third parties must also give consumers explicit notice and an opportunity to opt-out before re-selling personal information that the third party acquired from another business.
The CCPA introduced the following consumer rights:
- Right to know and access
- Right to deletion
- Right to opt-out of sale (more broadly defined as the exchange of personal information for monetary or other valuable consideration)
- Right to nondiscrimination
- Right to data portability
The CPRA introduced the following consumer rights:
- Right to rectification and correction
- Right to out out of sharing for cross-context behavioral advertising
- Right to limit use and disclosure of sensitive personal information
- Right to opt-out of the use of automated decision-making
CCPA Vendor Contracts
The CCPA introduced mandatory contracting requirements for “service providers” and “third parties” to whom the company does not sell data.
There are 3 specific scenarios that the CCPA covers:
- Business to Third Party:When a business discloses personal information to a third party, this constitutes the “sale” of personal information (unless an exception applies, such as in the context of an intentional disclosure). The CCPA gives consumers the right to opt-out of such sales of their personal information to prevent these data flows. Selling a marketing list or sharing personal information with a third party would constitute a sale of personal information.
- Business to Service Provider:When a business discloses personal information to a service provider, no “sale” occurs and there is no right of consumers to opt-out. The requirements for the recipient to be a service provider are that (1) the service provider processes personal information on behalf of the business, and (2) the service provider agrees to retain, use, or disclose the personal information only for business purposes specified in a written contract. Cloud computing, e-commerce platform or consulting services could be examples of “Service Providers”.
- Business to a Person Who Is Not a Third Party: The CCPA states that any recipient of personal information that agrees to certain enhanced contractual terms is not a third party. This third category requires that the recipient agree to contractual terms that mirror service provider contractual terms, along with three additional terms: (1) to refrain from selling the personal information, (2) to refrain from retaining, using, or disclosing the information outside the direct business relationship between the recipient and the business, and (3) to certify that the recipient understands the above contractual restrictions.
CPRA Vendor Contracts
The CPRA Mandatory contracting requirements for “contractors” to whom the company makes available personal information for a business purpose.
In addition, the CPRA included three new terms:
- Combination of Personal Information: New contractual restrictions that limit how personal information from a business may be combined with personal information received from other businesses or directly from consumers.
- Contract Compliance Monitoring: Obligation on businesses to monitor contractors and service providers for compliance with CPRA contract terms.
- Sub-processor Obligations: Service providers and contractors must enter into similar CPRA contracts with any sub-processors that handle personal information, and provide notice to the business of each sub-processor.
Data Protection Assessments
CCPA DPIA Requirements
Under the CCPA, Data Protection Assessments were not a requirement.
CPRA DPIA Requirements
Under the CPRA, cybersecurity audits and risk assessments will be required for companies whose processing presents a significant risk to consumer privacy or security.
The CCPA is enforced by the Attorney General of California.
Private Right of Action
Under both data privacy laws, the private right of action allows consumers to initiate a legal case against a business that will be heard before California courts. Also important to note, these private rights of action can only be brought against a business and not service providers or other parties.
CCPA Private Right of Action
Under the CCPA, there are limited private rights of action for breach of unredacted or unencrypted personal information due to failure to maintain reasonable security practices.
CPRA Private Right of Action
Under the CPRA, private right of action will be available for breach of email address and password or security question and answer that would allow access to the account.
Penalties and Damages
CCPA Penalties & Damages
The California Consumer Privacy Act states that a maximum civil penalty is $2,500 for each unintentional violation and $7,500 for each intentional violation.
CPRA Penalties & Damages
In addition, the CPRA adds an automatic $7,000 fine per violation involving the personal information of minors.
The CCPA contains a private right of action, allowing for $100 to $750 in damages for each incident of breach.
CCPA Cure Period Requirements
Under the CCPA, the cure period is 30 days.
CPRA Cure Period Requirements
The CPRA removes the 30-day cure period and gives the Agency discretionary power to provide the business with a time period to cure.
Under both privacy frameworks, the current exemptions are the following:
- De-identified or aggregated data
- PHI governed by HIPAA
- GLBA regulated data
- FCRA regulated data
- B2B exemption – personal information collected by a business about an individual consumer, when the consumer is acting as an employee
Data Breach Notification Requirements
The definition of a data breach under CCPA covers scenarios where:
- (1) “unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person,” or
- “(2) whose encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the agency that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or usable.”
Under CCPA and CPRA, businesses must notify any California resident whose personal information was compromised as a result of a data breach. Any business that is required to notify more than 500 California residents as a result of a single breach must also submit a single sample copy of that notification to California’s Attorney General.
The disclosure “shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.”
The CCPA regulation also provides a data breach notification template that organizations should follow (798.29). The security breach notification “shall be written in plain language” and should include the following sections:
- Title: Notice of Data Breach
- “What Happened”
- “What Information Was Involved”
- “What We Are Doing”
- “What You Can Do”
- “For More Information.”