The California Privacy Rights Act (CPRA) was voted into law in November 2020, and amends several parts of the California Consumer Privacy Act (CCPA), which is California's most comprehensive privacy law. The CPRA is also referred to as "CCPA 2.0" or "CCPA, as amended."

The primary differences between the CPRA and the CCPA that you need to be aware of are:

  • To be defined as a qualifying business under the CPRA, companies must buy, sell, or share the personal information of 100,000 or more California consumers, devices, or households, doubling the amount required by the CCPA (50,000).
  • The CCPA requires that businesses get 50% or more of their annual revenue from selling California consumers' personal information to fall under its scope. The CPRA expands that threshold so that companies must get 50% or more of their annual revenue from selling or sharing California consumers' personal information.
  • The CPRA follows suit with the General Data Protection Regulation (GDPR), Europe's primary privacy legislation, and adds sensitive personal information to the types of data it protects.
  • The CPRA amends and adds to the consumer rights outlined in the CCPA.

This article will take you through some of the key differences between the CPRA and the CCPA, and let you know what you need to do to make sure that your business is compliant with both laws.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.

The CCPA: An Overview

The CCPA was created to protect California consumers' privacy rights and was signed into law in June 2018. The CCPA went into effect in January 2020, and was one of the first major privacy laws in the United States.

Who the CCPA Applies to

The CCPA applies to all for-profit California businesses or any businesses that sell products or services to residents of California that meet the following criteria:

  • Handle the personal information of 50,000 or more California residents, households, or devices
  • Make more than $25 million in annual revenue, or
  • Get more than half of their income from selling the personal information of California residents

What the CCPA Requires

Businesses, service providers, and third parties that fall under the CCPA's scope must follow its rules. In order to comply with the CCPA, businesses must:

  • Notify California consumers of their rights
  • Make sure that their business practices are designed to respect consumers' privacy rights
  • Let consumers know what information they collect and for what purposes, who they share the information they collect with, and how long they keep the information they collect
  • Respond to consumer requests pertaining to their personal information
  • Keep the information they collect secure

Section 1798.100 of the official text of the CCPA describes what businesses need to inform consumers about before collecting their personal information:

California Legislative Information: CCPA Section 1798.100(a)

What Rights the CCPA Grants

The CCPA gives California residents several consumer rights pertaining to their personal information, including:

  • The right to access their personal information from any business that collects it
  • The right to delete their personal information
  • The right to know whether their personal information is sold and to whom
  • The right to opt out of the sale of their personal information to any third parties
  • The right to exercise their privacy rights free of retaliation in the form of discrimination
  • The right to limit the use or disclosure of their personal information

Section 1798.120 of the text of the CCPA explains California consumers' rights to opt out of the sale or sharing of their personal information:

California Legislative Information: CCPA Section 1798.120 - Consumers' Rights to Opt Out of Sale or Sharing of Personal Information

Penalties for Noncompliance with the CCPA

The California Attorney General is the enforcing authority for the CCPA, and has the power to penalize non-compliant businesses with fines of up to $2,500 per unintentional violation and $7,500 per intentional violation.

Businesses have a 30-day cure period under the CCPA, which is the amount of time they have to rectify a violation once they are made aware of it.

The CPRA: An Overview

The CPRA went into effect on January 1, 2023, but some of its provisions may apply to any personal information that businesses have collected from California residents since January 1, 2022. The CPRA amends and adds new provisions to the CCPA.

Who the CPRA Applies to

The CPRA applies to the same businesses that the CCPA does, except that businesses must buy, sell, or share the personal information of 100,000 or more California residents, households, or devices to fall under its scope.

The CPRA does not apply to healthcare providers or individuals taking part in certain research studies.

What the CPRA Requires

The CPRA adds the category of contractors to the list of organizations that must follow its rules. It requires contractors, businesses, service providers, and third parties to meet the same obligations as required by the CCPA.

The CPRA further requires companies to only collect personal information that is essential to doing business.

The Responsibilities of Businesses section of the CPRA describes the steps businesses need to take in order to comply with the CPRA:

Californians for Consumer Privacy Annotated text of the CPRA: Responsibilities of Businesses section

What Rights the CPRA Grants

The CPRA gives California residents all of the same rights as the CCPA, plus the right to edit their personal information and the right to limit the use and/or disclosure of their sensitive personal information.

The CPRA outlines the rights California consumers have under the law, including the right to be informed about what personal information businesses are collecting about them, for what purposes it is being used, and who it is shared with:

Californians for Consumer Privacy Annotated text of the CPRA: Consumer Rights section

Penalties for Noncompliance with the CPRA

The California Privacy Protection Agency was created specifically to help the California Attorney General with the enforcement of the CPRA. Businesses have no cure period under the CPRA, and can be fined immediately for any violations, in the amount of up to $7,500 per violation.

Any violations having to do with minors' personal information receive an automatic $7,500 penalty under the CPRA.

Enforcement of the CPRA is set to begin July 1st, 2023, but the parts of the CCPA that the CPRA amends remain in effect until then.

Key Differences Between the CCPA and CPRA

There are a few key differences between the CCPA and the CPRA that you need to make sure that you are aware of if your company is based in California or if you do business with any California residents.

Who the Law Applies to

One of the requirements a company must meet to qualify as an applicable business under the CCPA is that they must buy, sell, or share personal information from 50,000 or more California consumers, households, or devices. The CPRA expands that number to 100,000.

This means that some small or medium-sized businesses that handle personal information from California consumers may no longer qualify as an applicable business under the CPRA's definition.

Another CCPA requirement is that businesses must get 50% or more of their revenue from selling California consumers' personal information. The CPRA requires that businesses get 50% or more of their revenue from selling or sharing California consumers' personal information.

This means that businesses that may not have qualified under the CCPA due to sharing but not selling California consumers' personal information may now need to comply with the CPRA.

Addition of Sensitive Personal Information Under the CPRA

While the CCPA limits the use and disclosure of personal information, the CPRA expands that category to include sensitive personal information.

Applicable companies must take special care with how they treat the sensitive personal information they collect, making sure that they only use sensitive personal information that is absolutely necessary for doing business and that they give consumers the chance to opt out of the use and disclosure of their sensitive personal information.

Any business that collects sensitive personal information will need to include a link on its website titled "Limit the Use of My Sensitive Personal Information" that takes consumers to a page where they can choose how their sensitive personal information is handled.

Airbnb maintains a Privacy Policy Supplements page specifically for residents of California that includes a section on how users can request that the use of their sensitive personal information is limited:

Airbnb Privacy Policy Supplements for California with the Limited Use and Disclosure of Sensitive Personal Information section highlighted

Amendment and Expansion of Consumer Rights

The CPRA expands on the consumer privacy rights laid out by the CCPA as follows:

  • Right to Opt Out
    CCPA: Gives consumers the right to opt out of the sale of their personal information to third parties.
    CPRA: Gives consumers the right to opt out of the sale or sharing of their personal information.
  • Right to Know
    CCPA: Gives consumers the right to request information about whether their personal information was collected by a business within the previous 12 months.
    CPRA: Allows consumers to request information about whether their personal information was collected over the last 12 months or longer, depending on the circumstances.
  • Right to Delete
    CCPA: Allows consumers to request that businesses delete their personal information.
    CPRA: Requires businesses to forward requests to delete to any third parties that have received the requester's personal information, under certain circumstances.

The CPRA also adds the following new rights:

  • Right to Correct Information: Similar to the GDPR, the CPRA grants consumers the right to request that inaccurate personal information be corrected.
  • Right to Limit Use and Disclosure of Sensitive Personal Information: The CPRA requires that companies only use and disclose sensitive personal information that is necessary for conducting business.

Businesses will need to make sure that they are able to respond to consumer requests concerning their privacy rights in a timely and effective manner.

Here's another excerpt from Airbnb's Privacy Policy Supplements page for California that discusses these rights and how individuals can exercise them:

Airbnb Privacy Policy Supplements for California: User rights excerpt

Contractors Must Comply

The CPRA adds contractors to the types of organizations that must comply with its rules.

Under the CPRA, contractors, businesses, service providers, and third parties must all make sure that they inform California consumers of their privacy rights, let them know how they handle their personal information, respond to consumer requests in a timely manner, and make sure that they keep the information they collect secure.

Privacy by Design and the CPRA

The CPRA requires that applicable businesses take steps to ensure that they are protecting California consumers' privacy from beginning to end. This is a concept known as Privacy by Design, and it has been popularized since the GDPR came about.

The concept of Privacy by Design was not explicitly required by the CCPA, so this is a new requirement introduced by the CPRA.

Steps to enacting Privacy by Design include keeping the following concepts at the forefront of business:

  • Being transparent: informing consumers how you collect and use their personal information
  • Only collecting information essential to doing business, and only keeping it for as long as is necessary for that purpose
  • Giving consumers the ability to access, edit, or delete their personal information
  • Giving consumers the chance to opt out of the sale or sharing of their personal information
  • Treating consumers fairly when they exercise their privacy rights
  • Keeping the personal information you collect safe
  • Being held accountable if you violate consumer privacy rights
  • Paying higher penalties for violating the privacy rights of children

How to Write a CPRA- and CCPA-Compliant Privacy Policy

One of the best ways to ensure compliance with both the CPRA and the CCPA is to maintain a comprehensive Privacy Policy on your website and apps.

Whether you're starting from scratch or updating your CCPA Privacy Policy for the CPRA, your Privacy Policy needs to contain a few specific components.

Your Privacy Policy should inform consumers of their rights and let them know how you handle their personal information. It also needs to convey California consumers' privacy rights and describe the steps your business takes to honor those rights.

Your Privacy Policy should also let users know what information you collect and what you do with it, as well as who you share their information with and how long you keep their information. It should provide users a way to contact you, and let users know how you keep their personal information secure.

Some companies opt to have a supplemental Privacy Policy specifically for California consumers, where applicable laws can be directly addressed and complied with.

For example, Wells Fargo maintains a California Consumer Privacy Act Notice on its website that lets users know how it handles California residents' personal information:

Wells Fargo California Consumer Privacy Act Notice: Intro section

Thomson Reuters' Privacy Statement contains a Supplemental Privacy Statement for California consumers under CCPA/CPRA clause that lets users know the steps it takes to honor California consumers' privacy rights:

Thomson Reuters Privacy Statement: Supplemental Privacy Statement for California consumers under CCPA CPRA - Intro clause

Now we'll look at some general information that should be included in every Privacy Policy.

What Information You Collect

This clause lets users know the types of information you collect, including personal and sensitive personal information.

Amazon's Privacy Notice describes the types of personal information it collects from its customers, including information customers give it directly, information collected through cookies and other information that is gathered automatically when customers use its site, and information from third parties:

Amazon Privacy Notice: What Personal Information About Customers Does Amazon Collect clause

Parsons uses its Privacy Notice to help it comply with the CCPA and the CPRA by informing users about the types of personal information it has collected in the previous 12 months:

Parsons Privacy Notice to California Residents: Information We Collect clause excerpt

What You Do With the Information You Collect

In order to comply with the CPRA and the CCPA, you need to make sure that you are only collecting information that you absolutely need in order to do business. This clause explains how you use the information that you collect.

The Information Use clause of Deloitte's Privacy Notice lets users know how it uses the personal information it collects:

Deloitte Privacy Notice: Use of Personal Information for our Website clause

Who You Share the Information You Collect With

Your Privacy Policy needs to inform users of any third parties with whom you share the information you collect.

Google's Privacy Policy lets users know the circumstances in which it shares their personal information, and with what parties the information will be shared. (Note that this is just an excerpt from one section of a longer clause, which also addresses sharing with other parties, such as Google affiliates, domain administrators, law enforcement, and others.)

Google Privacy Policy: When Google Shares Your Information clause - Consent excerpt

How Long You Keep the Information You Collect

According to both the CPRA and the CCPA, you should only keep the information you collect for as long as you need it to conduct business, at which point you should have a process in place for securely destroying the data.

Qualcomm's Privacy Policy includes a Retention clause that informs users that it only keeps the personal information it collects as long as the user has an active account, or as long as it needs to be able to provide the user with its Services or comply with legal or other obligations:

Qualcomm Privacy Policy: Retention clause

How Users Can Contact You

It's important to give users a means of contacting you with any questions or concerns they have about your data collection processes, or to submit any requests to access, edit, or delete their personal information.

Apple's Privacy Policy provides users with a link to its Privacy Enquiries page as well as a link to its Apple Support phone number:

Apple Privacy Policy: Privacy Questions clause

How You Keep the Information You Collect Secure

You must keep the information you collect from consumers safe, and your Privacy Policy should include a clause that lets consumers know about the data collection security measures you have in place.

The Data Security clause in the Infosys Privacy Statement lets users know that it employs administrative, physical, and technical security measures in order to keep the data it collects secure:

Infosys Privacy Statement: Data Security clause

After you create a Privacy Policy that's compliant with California law, you need to display it for the public to view at any time. Here are some tips for doing so.

Where to Display Your CPRA/CCPA Privacy Policy

It's important to put your Privacy Policy somewhere where users can easily find it. Common places to place a link to a Privacy Policy include within your website footer, on your app download page, on your ecommerce checkout page, or on your account login page.

Most people know to scroll to the bottom of a website to find a business's legal information, making your website footer a great place to put a link to your Privacy Policy.

Target includes links to not only its Privacy Policy, but also links to its California Residents Privacy Policy and its California Privacy Choices request form:

Target website footer with CA Privacy Rights and CA Privacy Choices links highlighted

App Download Page

Putting a link to your Privacy Policy on your app download page ensures that users have a chance to read your Policy before downloading your app or sharing any personal information with you.

When users go to download the Snapchat app from Apple's App Store, they are provided with information about its privacy practices, as well as a link to its Privacy Policy:

Snapchat Apple App Store listing with Privacy Policy link highlighted

Checkout Page

It's a good idea to put a link to your Privacy Policy within your checkout page so that users can access it before making a purchase, and thus sharing personal information with you to complete that purchase.

Here's an example of this from Eventbrite that also implements a checkbox to obtain consent from the user to accept the Privacy Policy:

Eventbrite checkout page with I accept Terms of Service Community Guidelines and Privacy Policy checkbox highlighted

Account Creation and Login Forms

When users create an account, they will be sharing personal information with you, which means it's a great time to display your Privacy Policy.

Here's how Walmart links to its Privacy Policy when users create an account with the company:

Walmart Create Account form with Privacy Policy link highlighted

Putting a link to your Privacy Policy on your account login page helps to ensure that users can read your terms whenever they use your site.

Cisco includes a link to its Privacy statement within its account login page:

Cisco Account Login form with Privacy link highlighted

Summary

The CPRA and the CCPA are comprehensive California privacy laws that give privacy rights to California consumers and require businesses to take steps to honor those rights.

The CCPA applies to any company based in California or that does business with California residents and meets the following criteria:

  • Makes over $25 million in annual revenue
  • Handles personal information from 50,000 or more California residents, households, or devices, or
  • Gets over half of their income from the sale of California consumers' personal information

Businesses can be fined up to $7,500 per intentional violation under the CCPA.

The CPRA updates the CCPA and applies to the same businesses that the CCPA does, with the only change being that the threshold rises to businesses that handle personal information from 100,000 or more California residents, households, or devices.

Remember: the primary differences between the CPRA and the CCPA are:

  • The CPRA applies to companies that buy, sell, or share the personal information of 100,000 or more California consumers, devices, or households, doubling the amount required by the CCPA (50,000).
  • The CPRA expands the CCPA's threshold so that companies must get 50% or more of their annual revenue from selling or sharing California consumers' personal information, rather than just from selling it.
  • The CPRA adds sensitive personal information to the types of data it protects.
  • The CPRA expands the CCPA-granted consumer rights to be more robust.

Both the CCPA and the CPRA require businesses within their scope to maintain a Privacy Policy. Once you have your Privacy Policy written, you should make sure that it is easily accessible on your website and within your apps.