Part 1: CPRA Vs CCPA – compare California’s privacy laws & get compliant

The CPRA is a substantial expansion of the CCPA, it provides new and broadened consumer rights to Californians — and a new set of obligations to the businesses that serve them. In this blog we’ll explore:

• What the CPRA is
• How CPRA enforcement will differ from CCPA enforcement
• How the CPRA expands consumer data rights
• How to best prepare for CPRA compliance

What is the CPRA?

The California Privacy Rights Act is a voter-led initiative that expands and enhances the California Consumer Privacy Act. The CPRA expands consumer data rights and the data rights of minors, along with extending CCPA’s data protections to employees, contractors, and B2B points of contact. The law also makes clear that businesses need to stop cross-context behavioral advertising when a California resident objects to it.

CPRA also creates a dedicated enforcement agency — the California Privacy Protection Agency, or CPPA — which has the power to create policy and impose annual audits and regular risk assessments. The CPRA goes into effect on January 1, 2023, with actual enforcement beginning on July 1, 2023.

Index of CPRA changes

The CPRA will:

• Create a new enforcement body, the California Privacy Protection Agency (CPPA)
• Expand consumer privacy rights granted by the CCPA
• Grant consumers new privacy rights
• Update coverage requirements for businesses
• Update coverage requirements for the service providers, third parties, and contractors who share information
• Place new obligations on covered businesses, and the entities that work with them

How will CPRA enforcement differ from CCPA enforcement?

Most CPRA matters will be handled by a dedicated agency, but the Attorney General retains authority over citizen-initiated actions.

The CCPA was enforced by the California Attorney General. It also had a provision that allowed consumers to initiate civil action in the case of a personal data breach. The CPRA slightly expands the rights of consumers to take legal action, allowing them to sue for breach of passwords and security questions, as well as data breaches.

More importantly, the CPRA creates the California Privacy Protection Agency as a dedicated enforcement body, which will handle rulemaking and most other CPRA compliance matters. However, the Attorney General will still retain authority over civil suits initiated by private citizens. The AG can ask for up to $2,500 for each CPRA violation, or up to $7,500 dollars “for each intentional violation and each violation involving the personal information of minor consumers.”

How does the CPRA expand consumer rights?

The CPRA expands all the consumer rights specified under the CCPA, and extends those rights to employees and contractors.

The CCPA provided consumers with six rights:

• The right to know what personal information a business is collecting, why they are collecting it, how they use it and dispose of it, and who they’ve shared it with
• The right to have personal information deleted
• The right to opt-out of having their data sold
• The right to not be penalized or discriminated against for exercising their data rights
• The rights of minors to not have their data shared, unless they opt-in
• The right for consumers to take legal action if their data is breached as a result of an organization failing to implement sufficient safeguards

Here’s how the CPRA expands those rights.

Right to know

What the CCPA says

Under the CCPA, consumers have the right to know what data a business has collected about them within the last 12 months, and to whom that data has been shared with. It also grants consumers the right to receive a copy of the personal data a company has collected about them.

More broadly, consumers have the right to know the company’s data policies, such as what data they routinely collect, how they use it, how long they retain it, and who they share it with.

What the CPRA adds

The most significant change imposed by the CPRA is extending CCPA data rights to workers. Employees, contractors, and business prospects now have the same right to know as consumers. This means that the CPRA will treat HR, B2B data, and personally identifiable information — in essentially the same way it treats consumer data.

So does that mean every piece of information you’ve ever recorded about any Californian employee or business partner must be disclosed on request? Not necessarily. The CPRA protects privileged material from disclosure, such as communications with legal counsel. It’s likely that the CPPA will issue more guidance on exactly what information is exempt.

The CPRA also extends data portability. Not only can consumers request a copy of the personal data you’ve collected — but they can also ask you to electronically transfer the data to a third party.

Right to delete

CCPA data deletion didn’t apply to partners and clients

Under the CCPA, consumers have a right to request businesses delete their personal information once it has been used for its designated purpose. However, if businesses sold that data to third-party vendors, they had no obligation to ensure that the vendors deleted the data.

CPRA data deletion applies to all third parties

The CPRA requires businesses to send deletion requests to any organizations they’ve shared the data with, and obligates those entities to delete that data when they receive a valid deletion request. To do this, businesses need to have contracts and mechanisms in place to ensure their partners and clients honor those deletion requests.

Right to opt-out

The CCPA left an opt-out loophole

The CCPA gave consumers the right to request businesses not sell their data. However, it was ambiguous as to whether selling data included conducting behavioral advertising. In practice, this meant only some companies honored user opt-out requests for targeted advertising under the CCPA.

The CPRA ties up any loose ends

The CPRA clears up this ambiguity, covering behavioral advertising and other third-party advertising practices, even if the data is technically not being “sold” to the advertiser. When a Californian asks you to stop selling or sharing their personal information, that means you can’t serve them targeted ads anymore, either.

Right to take legal action over data breaches

The CCPA grants the right to legal action

Under the CCPA, consumers have a right to take legal action if their personal data is breached.

The CPRA grants even more rights to legal action

The CPRA slightly expands this right. Consumers can now initiate an action over breached passwords and security questions, in addition to breaches of certain personal information.

Right to non-discrimination

CCPA prevents unfair consumer treatment

Under the CCPA, you cannot penalize consumers for exercising their data rights. For example, you can’t deny services to consumers who’ve requested data deletion, or charge an unreasonably high price when consumers opt-out of the sale of their personal information.

There is an exception for certain incentives, which essentially allows you to factor the value of the data into the transaction. For example, if you sell the data of every customer to an advertiser for 50 cents each, it is legal to charge consumers who opt out an extra 50 cents. However, to do this you need to obtain the customer’s consent for the extra charge, and explain how you calculate the value of the data and the price difference.

CPRA clarifies non-discrimination and applies it to workers

The CPRA extends this right to employment discrimination. Essentially, if an employee or contractor exercises their data rights, you’re not allowed to discriminate in any way, such as by refusing to hire them, paying them a lower wage, or retaliating.

The CPRA also clarifies the exceptions to non-discrimination. Under the law, you can offer premium features like loyalty programs and discount cards to reward consumers who agree to have their data sold or shared.

However, it also places limits to prevent companies from pressuring consumers to opt-in. Once a customer opts-out of an incentive program, you cannot ask them again for 12 months.

Data rights for minors

The CCPA required opt-in

The CCPA gave a special status to protecting the data of minors. Consumers under 16 must explicitly opt-in for a business to sell their personal information.

The CPRA limits repeatedly asking for opt-in

The CPRA expands this right, preventing businesses from repeatedly asking minors for data consent. If a consumer under 16 does not opt-in to the sale of their data or use of it for targeted advertising, the company must wait a full year before asking again. For minors under the age of 13, the company needs to get permission from the minor’s parent or guardian.

Additionally, the CPRA makes it explicit that ignorance of the customer’s age isn’t an excuse. Businesses are responsible for attempting to determine the age of the customer, and for providing the data protections required by the law.

As mentioned earlier, the CPRA also imposes tougher penalties for violating the data rights of consumers under the age of 16. The normal penalty for an unintentional CPRA violation is up to $2,500 per violation. For consumers under 16, the limit increases to $7,500.

How To comply quickly

By the time enforcement begins in 2023, you need to be able to track data throughout your business and partner network, and verify, provide, or delete that data upon valid requests. Additionally, you’ll need to be prepared to undergo audits and risk assessments, meeting requirements that are still under development.

There’s a lot to do, and not a lot of time to do it. Here’s how to get there.

Build out a proactive privacy program based on privacy-by-design

Privacy-by-design treats privacy as the default, safeguarding data everywhere without sacrificing functionality anywhere. While it requires an upfront investment, Privacy-by-design is the most cost-effective compliance strategy in the long run. Once you have strong protections in place, it becomes a lot easier to meet new requirements. That means you won’t have to rush through major remediations every time a new compliance law is passed, or an enforcement body imposes a new rule. 

Leverage a privacy automation platform to do the heavy lifting

The CPRA and other compliance regimes require extensive insight into your data collection and processing activities. Here are just a few of the things you need to know for each app and tool in your landscape:

• What data is being collected
• How is data being used
• What have data subjects agreed to (or opted-out of)
• Where is data stored
• Who has access to data
• How long is data retained for
• How can you verify and process valid CPRA requests

With TerraTrue, all your data is organized into a structured format — making the execution of your compliance strategy seamless. Project leads can document all relevant information in minutes, by filling out a Launch Review whenever new features or products are built, shipped, or sunsetted. This automated workflow initiates an alert for your privacy team, so they can quickly decide what reviews or remediations are required for compliance.

TerraTrue also serves as a data repository and audit log. By standardizing and organizing all your compliance documents, the software makes it much easier to pass third-party audits and assessments required by the CPRA (or any other relevant compliance regime).

TerraTrue learns from each project, saving you more time by anticipating your data practices and compliance priorities. The easy-to-use interface is completely customizable, enabling you to quickly integrate new compliance, privacy, and security priorities into product development. Teams can now collaborate in real-time to map what they’re building against compliance regimes — with TerraTrue you can embed privacy into everything you do.

Request a TerraTrue demo today, and see how we can help you get compliant with CPRA!