Legal writer at TermsFeed.
On this page
- 1. The CCPA: An Overview
- 1.1. Who the CCPA Applies to
- 1.2. What the CCPA Requires
- 1.3. What Rights the CCPA Grants
- 1.4. Penalties for Noncompliance with the CCPA
- 2. The CPRA: An Overview
- 2.1. Who the CPRA Applies to
- 2.2. What the CPRA Requires
- 2.3. What Rights the CPRA Grants
- 2.4. Penalties for Noncompliance with the CPRA
- 3. Key Differences Between the CCPA and CPRA
- 3.1. Who the Law Applies to
- 3.2. Addition of Sensitive Personal Information Under the CPRA
- 3.3. Amendment and Expansion of Consumer Rights
- 3.4. Contractors Must Comply
- 3.5. Privacy by Design and the CPRA
- 4.1. What Information You Collect
- 4.2. What You Do With the Information You Collect
- 4.3. Who You Share the Information You Collect With
- 4.4. How Long You Keep the Information You Collect
- 4.5. How Users Can Contact You
- 4.6. How You Keep the Information You Collect Secure
- 5.1. Website Footer
- 5.2. App Download Page
- 5.3. Checkout Page
- 5.4. Account Creation and Login Forms
- 6. Summary
The California Privacy Rights Act (CPRA) was voted into law in November 2020, and amends several parts of the California Consumer Privacy Act (CCPA), which is California's most comprehensive privacy law. The CPRA is also referred to as "CCPA 2.0" or "CCPA, as amended."
The primary differences between the CPRA and the CCPA that you need to be aware of are:
- To be defined as a qualifying business under the CPRA, companies must buy, sell, or share the personal information of 100,000 or more California consumers, devices, or households, doubling the amount required by the CCPA (50,000).
- The CCPA requires that businesses get 50% or more of their annual revenue from selling California consumers' personal information to fall under its scope. The CPRA expands that threshold so that companies must get 50% or more of their annual revenue from selling or sharing California consumers' personal information.
- The CPRA follows suit with the General Data Protection Regulation (GDPR), Europe's primary privacy legislation, and adds sensitive personal information to the types of data it protects.
- The CPRA amends and adds to the consumer rights outlined in the CCPA.
This article will take you through some of the key differences between the CPRA and the CCPA, and let you know what you need to do to make sure that your business is compliant with both laws.
The CCPA: An Overview
The CCPA was created to protect California consumers' privacy rights and was signed into law in June 2018. The CCPA went into effect in January 2020, and was one of the first major privacy laws in the United States.
Who the CCPA Applies to
The CCPA applies to all for-profit California businesses or any businesses that sell products or services to residents of California that meet the following criteria:
- Handle the personal information of 50,000 or more California residents, households, or devices
- Make more than $25 million in annual revenue, or
- Get more than half of their income from selling the personal information of California residents
What the CCPA Requires
Businesses, service providers, and third parties that fall under the CCPA's scope must follow its rules. In order to comply with the CCPA, businesses must:
- Notify California consumers of their rights
- Make sure that their business practices are designed to respect consumers' privacy rights
- Let consumers know what information they collect and for what purposes, who they share the information they collect with, and how long they keep the information they collect
- Respond to consumer requests pertaining to their personal information
- Keep the information they collect secure
Section 1798.100 of the official text of the CCPA describes what businesses need to inform consumers about before collecting their personal information:
What Rights the CCPA Grants
The CCPA gives California residents several consumer rights pertaining to their personal information, including:
- The right to access their personal information from any business that collects it
- The right to delete their personal information
- The right to know whether their personal information is sold and to whom
- The right to opt out of the sale of their personal information to any third parties
- The right to exercise their privacy rights free of retaliation in the form of discrimination
- The right to limit the use or disclosure of their personal information
Section 1798.120 of the text of the CCPA explains California consumers' rights to opt out of the sale or sharing of their personal information:
Penalties for Noncompliance with the CCPA
The California Attorney General is the enforcing authority for the CCPA, and has the power to penalize noncompliant businesses with fines of up to $2,500 per unintentional violation and $7,500 per intentional violation.
Businesses have a 30-day cure period under the CCPA, which is the amount of time they have to rectify a violation once they are made aware of it.
The CPRA: An Overview
The CPRA went into effect on January 1, 2023, but some of its provisions may apply to any personal information that businesses have collected from California residents since January 1, 2022. The CPRA amends and adds new provisions to the CCPA.
Who the CPRA Applies to
The CPRA applies to the same businesses that the CCPA does, except that businesses must buy, sell, or share the personal information of 100,000 or more California residents, households, or devices to fall under its scope.
The CPRA does not apply to healthcare providers or individuals taking part in certain research studies.
What the CPRA Requires
The CPRA adds the category of contractors to the list of organizations that must follow its rules. It requires contractors, businesses, service providers, and third parties to meet the same obligations as required by the CCPA.
The CPRA further requires companies to only collect personal information that is essential to doing business.
The Responsibilities of Businesses section of the CPRA describes the steps businesses need to take in order to comply with the CPRA:
What Rights the CPRA Grants
The CPRA gives California residents all of the same rights as the CCPA, plus the right to edit their personal information and the right to limit the use and/or disclosure of their sensitive personal information.
The CPRA outlines the rights California consumers have under the law, including the right to be informed about what personal information businesses are collecting about them, for what purposes it is being used, and who it is shared with:
Penalties for Noncompliance with the CPRA
The California Privacy Protection Agency was created specifically to help the California Attorney General with the enforcement of the CPRA. Businesses have no cure period under the CPRA, and can be fined immediately for any violations, in the amount of up to $7,500 per violation.
Any violations having to do with minors' personal information receive an automatic $7,500 penalty under the CPRA.
Enforcement of the CPRA is set to begin July 1st, 2023, but the parts of the CCPA that the CPRA amends remain in effect until then.
Key Differences Between the CCPA and CPRA
There are a few key differences between the CCPA and the CPRA that you need to make sure that you are aware of if your company is based in California or if you do business with any California residents.
Who the Law Applies to
One of the requirements a company must meet to qualify as an applicable business under the CCPA is that they must buy, sell, or share personal information from 50,000 or more California consumers, households, or devices. The CPRA expands that number to 100,000.
This means that some small or medium-sized businesses that handle personal information from California consumers may no longer qualify as an applicable business under the CPRA's definition.
Another CCPA requirement is that businesses must get 50% or more of their revenue from selling California consumers' personal information. The CPRA requires that businesses get 50% or more of their revenue from selling or sharing California consumers' personal information.
This means that businesses that may not have qualified under the CCPA due to sharing but not selling California consumers' personal information may now need to comply with the CPRA.
Addition of Sensitive Personal Information Under the CPRA
While the CCPA limits the use and disclosure of personal information, the CPRA expands that category to include sensitive personal information.
Applicable companies must take special care with how they treat the sensitive personal information they collect, making sure that they only use sensitive personal information that is absolutely necessary for doing business and that they give consumers the chance to opt out of the use and disclosure of their sensitive personal information.
Any business that collects sensitive personal information will need to include a link on its website titled "Limit the Use of My Sensitive Personal Information" that takes consumers to a page where they can choose how their sensitive personal information is handled.
Amendment and Expansion of Consumer Rights
The CPRA expands on the consumer privacy rights laid out by the CCPA as follows:
The CPRA also adds the following new rights:
- Right to Correct Information: Similar to the GDPR, the CPRA grants consumers the right to request that inaccurate personal information be corrected.
- Right to Limit Use and Disclosure of Sensitive Personal Information: The CPRA requires that companies only use and disclose sensitive personal information that is necessary for conducting business.
Businesses will need to make sure that they are able to respond to consumer requests concerning their privacy rights in a timely and effective manner.
Contractors Must Comply
The CPRA adds contractors to the types of organizations that must comply with its rules.
Under the CPRA, contractors, businesses, service providers, and third parties must all make sure that they inform California consumers of their privacy rights, let them know how they handle their personal information, respond to consumer requests in a timely manner, and make sure that they keep the information they collect secure.
Privacy by Design and the CPRA
The CPRA requires that applicable businesses take steps to ensure that they are protecting California consumers' privacy from beginning to end. This is a concept known as Privacy by Design, and it has been popularized since the GDPR came about.
The concept of Privacy by Design was not explicitly required by the CCPA, so this is an updated requirement.
Steps to enacting Privacy by Design include keeping the following concepts at the forefront of business:
- Being transparent: informing consumers how you collect and use their personal information
- Only collecting information essential to doing business, and only keeping it for as long as is necessary for the same
- Giving consumers the ability to access, edit, or delete their personal information
- Giving consumers the chance to opt out of the sale or sharing of their personal information
- Treating consumers fairly when they exercise their privacy rights
- Keeping the personal information you collect safe
- Being held accountable if you violate consumer privacy rights
- Paying higher penalties for violating the privacy rights of children
For example, Wells Fargo maintains a California Consumer Privacy Act Notice on its website that lets users know how it handles California residents' personal information:
Thomson Reuters' Privacy Statement contains a Supplemental Privacy Statement for California consumers under CCPA/CPRA clause that lets users know the steps it takes to honor California consumers' privacy rights:
What Information You Collect
This clause lets users know the types of information you collect, including personal and sensitive personal information.
Amazon's Privacy Notice describes the types of personal information it collects from its customers, including information customers give it directly, information collected through cookies and other information that is gathered automatically when customers use its site, and information from third parties:
Parsons uses its Privacy Notice to help it comply with the CCPA and the CPRA by informing users about the types of personal information it has collected in the previous 12 months:
What You Do With the Information You Collect
In order to comply with the CPRA and the CCPA, you need to make sure that you are only collecting information that you absolutely need in order to do business. This clause explains how you use the information that you collect.
The Information Use clause of Deloitte's Privacy Notice lets users know how it uses the personal information it collects:
Who You Share the Information You Collect With
How Long You Keep the Information You Collect
According to both the CPRA and the CCPA, you should only keep the information you collect for as long as you need it to conduct business, at which point you should have a process in place for securely destroying the data.
How Users Can Contact You
It's important to give users a means of contacting you with any questions or concerns they have about your data collection processes, or to submit any requests to access, edit, or delete their personal information.
How You Keep the Information You Collect Secure
The Data Security clause in the Infosys Privacy Statement lets users know that it employs administrative, physical, and technical security measures in order to keep the data it collects secure:
App Download Page
Account Creation and Login Forms
Cisco includes a link to its Privacy statement within its account login page:
The CPRA and the CCPA are comprehensive California privacy laws that give privacy rights to California consumers and require businesses to take steps to honor those rights.
The CCPA applies to any company based in California or that does business with California residents and meets the following criteria:
- Makes over $25 million in annual revenue
- Handles personal information from 50,000 or more California residents, households, or devices, or
- Gets over half of their income from the sale of California consumers' personal information
Businesses can be fined up to $7,500 per intentional violation under the CCPA.
The CPRA updates the CCPA and applies to the same businesses that the CCPA does, with the only change being that the businesses handle personal information from 100,000 or more California residents, households, or devices.
Remember: the primary differences between the CPRA and the CCPA are:
- The CPRA applies to companies that buy, sell, or share the personal information of 100,000 or more California consumers, devices, or households, doubling the amount required by the CCPA (50,000).
- The CPRA expands the CCPA's threshold so that companies must get 50% or more of their annual revenue from selling or sharing California consumers' personal information, rather than just from selling it.
- The CPRA adds sensitive personal information to the types of data it protects.
- The CPRA expands the CCPA-granted consumer rights to be more robust.