CPRA vs. CCPA: What’s the Difference?
13 Jul 2022
Share this post
These Two California Laws Are Shaping the American Privacy and Data Security Environment – Here Is What You Should Know About Them
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are two California laws that were the first pieces of comprehensive privacy protection in the United States. Since their passage, they have inspired a number of similar laws around the country and are quickly becoming the standard for data privacy and protection in the United States.
But due in part to the laws’ similar abbreviations and their similar wording, many people are confused about what these two laws are and what they mean for both businesses and consumers. Let’s look at the two laws in more detail so we can understand what they are, how they may impact you, and what you can expect moving forward.
What Is the CCPA?
The California Consumer Privacy Act of 2018 was a law signed into effect in 2018 by then-California governor Jerry Brown. The law is a state statute that enhanced privacy rights and consumer protection for people living in California, and it means that California residents have the right to:
- Know what personal data are being collected about them
- Know whether their personal data are sold or revealed and to whom
- Say no to the sales of their personal data
- Access those personal data
- Request that a business delete any personal data that has been collected about them
- Not be discriminated against for doing any of the above in an effort to protect their privacy
This law applies to any business or for-profit organization that collects consumer data, does business in California, and has one of the following traits:
- Gross revenue in excess of $25 million
- Buys, receives, or sells the personal information of at least 50,000 consumers or households
- Earns more than half of its annual revenue from selling consumer data
A number of provisions aimed at accountability are included in the set of rules. For example, anyone collecting personal information must have a process to obtain parental or guardian consent for minors under 13 years, and affirmative consent for anyone 13 to 16 years.
A link must also appear on the website’s home page that says something to the effect of “Do Not Sell My Personal Information,” which directs to a web page that lets people opt out of the sale of the person’s personal information.
There also needs to be in place methods for people to submit data access requests – at a minimum, that must include a toll-free phone number. Finally, the data collector must not ask for opt-in consent from someone who opts out for at least 12 months.
Fines for failure to comply with the rule are notable. Companies that become victims of data theft or other security breaches can be ordered to pay damages of up to $750 per California resident and incident, or actual damages if those are higher. A fine of up to $7,500 for each intentional violation, and up to $2,500 for each unintentional violation, are also included.
There are two notable exceptions to the rule: personal health information and financial information.
What Is the CPRA?
The California Privacy Rights Act of 2020, also known as Proposition 24 and CPRA, was a ballot proposition approved by voters in California in 2020 by a vote of 56 percent to 44 percent. CPRA expanded the consumer privacy laws available to residents of the state and built on the foundation created by the CCPA. CPRA does not exactly replace CCPA – more precisely, it amends the law and adds new provisions. The CPRA took effect on Dec. 16, 2020, but most of the provisions are not fully operable until Jan. 1, 2023.
Among other things, CPRA establishes a new agency, the California Privacy Protection Agency, which has “full administrative power, authority, and jurisdiction to implement and enforce the CCPA. The agency will share consumer privacy oversight and enforcement of the law with the California Department of Justice. The law also requires businesses to obtain permission from consumers younger than 16 years before collecting their data.
Other provisions of the law allow consumers to prevent businesses from sharing their personal data and create a framework to prohibit the collection of inaccurate personal data. It also limits the ability of businesses to use sensitive personal information such as precise location, race, ethnicity, religion, genetic makeup, private communications, sexual orientation, and specific health information.
What Are the Impacts (So Far) of the New Privacy Laws?
So far, the privacy laws have had an impact on publishers and tech companies that needed to hire legal teams to review their operations as well as compliance software, though it has had little to no impact on ad revenues, ad prices, or inventory, according to one industry group. That stands in stark contrast to impacts seen in the wake of the law that inspired the California law — the Global Data Protection Regulation, which went into effect a few years earlier in Europe and had broad global ramifications.
The real impact, however, may not be seen for several years – that will come as more states invoke their own privacy laws, which will put more pressure on federal lawmakers to enact a comprehensive national law. A national law may be called for by those in the industry as well as consumer watchdogs since it will simplify compliance as opposed to having a variety of rules that apply to each state.
Are You Prepared for CPRA and CCPA?
CookieHub is cookie compliance made simple – a full-featured consent management platform that has everything you need to stay compliant with CCPA as well as a host of other rules both in the United States and around the world.