The California Consumer Privacy Act (CCPA) is a US privacy law that came into effect in January of 2020. It was created after the GDPR, a sweeping European Union law governing data protection and privacy. As an addendum to the CCPA, the California Privacy Rights Act (CPRA) goes into effect in January 2023. Because California is the most populous state, with nearly 40 million residents, many businesses may find themselves scrambling to understand how to maintain their customer base in California under the new privacy rules.
The CCPA and CPRA are the frontier of privacy regulation in the United States, and come 2023 they will function as one law. Here we look at how they work together and why it is important to start treating the two as a single law now.
The California Privacy Rights Act was added as an addendum to the CCPA in late 2020, establishing a lookback period to January 2022. Therefore, data collected from that date onward is subject to its compliance requirements. It is important to understand now what the CPRA is, how it affects you, and how you can become compliant before 2022.
Because the CCPA/CPRA is the frontier of US privacy regulation, other states are starting to create privacy laws that match it (and the GDPR) to protect consumers from having their private data tampered with in any way. Some of the states following suit include Washington, Virginia, and New York. It might make sense for businesses to treat all consumers the same (regardless of residency) and create policies that establish a robust data protection compliance approach.
More often than not, consumers feel that their personal data is not adequately protected and is falling into the wrong hands. Data is a profitable resource, and consumers would rather not have their private data collected, bought, and sold without their permission. For this reason, data privacy has become a primary topic in protecting the rights of consumers online and off.
Businesses need to meet one of these three thresholds to be subject to the CPRA:
Even if you maintain an e-commerce website or online business that operates outside of California, you will need to be aware of the CPRA because it is possible that your business still handles the personal information of California residents.
The CPRA also regulates the selling and sharing of personal information to third parties for targeted behavioral advertising, a major part of the new addendum that could cover many more businesses. For these reasons, you may need to consult your attorney to determine whether or not you are required to be CCPA/CPRA compliant.
Personal information identifies consumers with their name and address, even their political opinions, and any records kept on them. The CCPA further expands the definition of personal information by including any tracking information, such as geographical location and “cookie” tracking information on websites. It also includes any information that can be linked to the consumer’s devices or household. This creates a broad definition of the consumer (differing from the GDPR, which covers only information that links to natural persons, not their devices or household).
The CPRA addendum also added a new category of Sensitive Personal Information. This category includes things like a consumer’s social security number, state identification card, passport number, biometric data, and more. Religious and philosophical beliefs as well as sexual orientation also fall under the purview of sensitive personal information. This information is regulated separately from regular personal information, with expanded rights attached to it.
The California Privacy Protection Agency (CPPA) is the data protection authority that will be established under the CPRA as of July 1, 2023. The new agency will replace the California attorney general as the enforcement authority for the CPRA.
The agency will have the authority to investigate and collect fines for compliance violations and have a grant fund for educational purposes. Starting in 2023, the CPPA can fine organizations $2,500 for violations pertaining to individuals or $7,500 for violations pertaining to minors.
Much like the GDPR, the CPRA sets out several rights for consumers regarding their personal data. Businesses subject to the CPRA will need to become familiar with these rights and how to uphold them.
With the addition of the CPRA, California’s privacy legislation now bears a stronger resemblance to the GDPR. They both outline a number of rights for individuals to control their own data and privacy. Both laws established new entities to act as an enforcement authority.
Also, starting in 2023, the CPRA aims to modify data privacy to look a little more like the GDPR by adding three additional requirements:
Many CCPA compliance requirements overlap with popular security frameworks and best practices for data protection. If you’re just getting started, these are some essential items to have at the top of your checklist:
Securicy’s all-in-one information security management platform helps teams develop, implement and maintain a robust security program to prove their compliance with industry security frameworks like CCPA, HIPAA, SOC 2, GDPR, and more. Talk with our team to learn how we can help you get started on your path to CCPA compliance and prepare a strong security foundation you can build your business on, no matter what laws and regulations come down the pipeline.