CCPA vs. CPRA: Upcoming Changes to the Law 

Discover what updates CPRA will bring to CCPA’s data privacy requirements and realize their implications for your organization. 

Within the year after CCPA took effect, another privacy legislation was passed in California. In November 2020, Californians approved Proposition 24, creating the California Privacy Rights Act (CPRA) of 2020. Both laws profoundly impact data privacy and security in California, with CCPA setting the data privacy rule and CPRA updating and strengthening them.  CPRA will come into effect on January 1, 2023, and is expected to extend CCPA. By this time, businesses operating in California must be ready to comply with new rules and requirements.  

As for now, many businesses are wondering how CPRA and CCPA differ. Continue reading to discover the critical updates CPRA brings to data privacy. 

Increasing Threshold Criteria for Businesses

The first change in the upcoming CPRA is increasing threshold criteria regarding covered businesses. According to the current CCPA, an entity can classify as a business if it is a for-profit organization that operates in California and meets any of the following: 

  • Has annual revenue exceeding $25 million;
  • Makes transactions with the personal information of 50,000 or more consumers (annually).
  • Derives at least half of the annual income from selling consumers’ personal information.

Re-evaluating the speed and amount of the data transactions, CPRA increases the CCPA’s threshold criteria to 100,000 or more consumers, thereby relaxing statutory conditions and excluding some entities from the list of CPRA-covered businesses. One more relaxation regards what is considered to be personal information.

Updating the List of Personal Information 

Personal information under CCPA is defined as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. As the definition is intentionally made vague to cover the ever-growing stream of data, there is nothing to add. However, the upcoming CPRA broadens the list of information, which is NOT considered to be personal. Specifically, the updates are related to the information which is made publicly available from federal, state, or local government records. The CPRA broadens this concept by including information from other sources besides governmental records. As such, information that is not considered to be personal will also include: 

  • Lawfully obtained information which is a public concern.
  • Information, lawfully made available to the general public by the consumer or from widely distributed media, or information made available by a person to whom the consumer has disclosed the information. If the consumer has not restricted the information to a specific audience.

By setting the first update, CPRA aims to cover the First Amendment’s freedom of speech. The second one has an important implication for businesses that will no longer need to disclose the collection of personal data from widely available media.

The above relaxing conditions are rather an exception than the general direction of CPRA. The following updates strengthen the data privacy requirements for businesses and grant consumers a broader spectrum of rights.

Adding a New Category of Information

CPRA introduces a new category of protected data: sensitive personal information (SPI). Those familiar with the matter of personal data privacy already noticed similarity with Article 9 of GDPR ”Processing of special categories of personal data,” which demands a greater level of personal data protection due to this sensitivity. Follow this link to check what is considered sensitive personal information under the CPRA. 

SPI requires businesses to implement additional technical and operational controls for processing. More specifically, organizations will have more strict opt-out requirements regarding SPI use and disclosure as well as will be obligated to get an opt-in consent after previously selected opt-out. 

Adding a New Category of Stakeholders 

CPRA makes important changes to classifying outside parties that businesses cooperate with. Specifically, it makes some updates regarding service providers and adds a new stakeholder category – contractors. 

Thus, in terms of CPRA, a “service provider” is no longer a legal entity, but a  person that processes personal information on behalf of a business and receives from or on behalf of the business a consumer’s personal information for a business purpose.  As opposed to a service provider who “processes information,” a “contractor” means a person to whom the business makes available a consumer’s personal information for a business purpose. 

For both the service provider and the contractor, CPRA imposes similar prohibitions, which must be clearly written in a contract with the business. Thus, the service providers and contractors must be prohibited from: 

  • Selling or sharing personal information;
  • Retaining, using, or disclosing the information outside of the direct business relationship between the contractor/service provider and the business or for any purpose other than for the business purposes specified in the contract;
  • Combining the personal information which the contractor/service provider receives according to a written contract with the business with personal information which it receives from or on behalf of another person or persons, or collects from its interaction with the consumer

The changes classifying stakeholders have significant implications for businesses. First, as same as service providers, contractors will not be affected by opt-out requests. Second, a business’s contracts with contractors must meet similar requirements as those of service providers.

New and Extended Privacy Rights for Consumers

Right to Know 

The CCPA grants consumers the right to know what personal information businesses are collecting and how that information is being used. To exercise this right, Californians can make a request to know what data has been collected in the prior 12-month period. The CPRA extends this timeline, enabling consumers to request personal information collected beyond the 12 months. Additionally, under the CPRA, consumers can request  businesses to transfer specific personal information to another entity “to the extent technically feasible, in a structured, commonly used, machine-readable format.” 

The right to know will be also expanded to the right to access personal information. It does not grant any new rights but refers to a consumer’s right to know what specific pieces of personal information a business has collected. In this context, consumers can request “meaningful information about the logic involved in decision-making processes, including profiling, as well as a description of the likely outcome of the process with respect to the consumer.” Consumers will also be granted opt-out rights for the use of automated decision-making. Clarifications and additional information about the right to access are still awaiting. 

Right to Opt-Out

CCPA  grants consumers the right to non-sale of their personal information and requires businesses to respond to consumers’ opt-out requests. According to this requirement, businesses that sell consumers’ personal information must include a “Do Not Sell My Personal Information” link on their homepage to inform consumers how to submit the request. However, Californians often received a denial of their requests due to the ambiguousness of what is called “selling” of personal information.

“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

Such a definition was controversial because businesses often disclose customers’ personal information in exchange for services, including interest-based advertising. For instance, businesses commonly use a browser or social media ads for retargeting consumers in exchange for sending personal information of their customers to those platforms. Making such an exchange, some businesses have taken the position that the disclosure of consumer data for purposes of interest-based advertising or retargeting does not qualify as a sale under the original CCPA.  To avoid this confusion, CPRA included a category of “sharing” personal information. 

Sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.

By adding the category of sharing, СPRA expands the consumers’ right to opt-out. For most CCPA compliant businesses, the new category of data transaction should involve changing the “Do Not Sell My Personal Information” link to “Do Not Sell or Share My Personal Information.”

Right to Delete 

Under CCPA, consumers are granted the right to delete personal information that businesses hold about them. To ensure the exercising of this right, businesses are required to designate at least two ways for making deletion requests and notify service providers about the deletion. CPRA strengthens this requirement by obligating businesses to notify not only service providers but all third parties to whom they have sold or shared a consumer’s personal information. 

In addition to the existing privacy rights, the CPRA also represents the new rights to Californian consumers. 

Right to Correct Inaccurate Personal Information

New to the CPRA is the consumer’s right to correct inaccurate personal information. Practically, the right to correct is aimed to balance consumer rights with the burden placed on businesses regarding the correction of consumers’ information. After receiving the request to correct information, organizations should use “commercially reasonable efforts” to correct inaccurate information. The main implication for businesses is to make changes in their privacy policy to inform consumers about their right to correct inaccurate information that business holds about them.

 Right to Limit Use and Disclosure of Sensitive PI

The CPRA also grants consumers the right to limit the use and disclosure of their SPI “to the extent which is necessary to perform the services or provide the goods.”  Such a new right has an important implication for businesses that will need to add the link “Limit the use of my Sensitive Personal Information” on their homepage.

This addition brings the California law closer to the data privacy protections contained in GDPR. It involves such important concepts as data minimization, storage limitation, and purpose limitation for collection, use, storing, and sharing consumers’ data. As such, businesses operating in California must limit the use of consumers’ personal information unless they want to be penalized. 

Updating Enforcement Practices

Like CCPA, CPRA grants consumers the right of legal actions if their nonencrypted or nonredacted personal data becomes exposed due to a businesses’ failure to implement reasonable security procedures and practices. CPRA fines for violations of all types of personal information will remain unchangeable and contain $2,500 for each unintentional and $7,500 for each intentional violation. However, businesses will no longer have a 30-day cure period before being fined for a violation under CPRA. The new statute also makes a significant exception for violations of the personal information of minors and declares a $7,500 fine for all kinds of such violations. Finally, it adds consumer login credentials to the list of personal data that may be actionable under the law. 

One more important difference is related to the enforcement authority. The enforcement of CCPA was originally imposed on the California Office of the Attorney General (OAG). The CPRA  shifts this authority to the California Privacy Protection Agency (CPPA), a newly established agency that will be granted investigative, rulemaking, and enforcement power. The creation of the new enforcement entity will probably increase the number of investigations and enforcement actions taken by the CPPA. 

Requiring Audits and Risk Assessments

An exceptional difference between CCPA and CPRA is that the last one sets cybersecurity audits and risk assessments requirements. Specifically, CPRA will contain a regulation requiring businesses to perform a thorough and independent cybersecurity audit annually. The size and complexity of a business and the scope of data processing activities will be the main factors in determining the level of risk to personal data security. 

CPRA will also require businesses to perform a risk assessment concerning the scope of personal information processed. The risk assessment will determine whether the processing of personal data involves SPI and identify benefits resulting from the data processing to the business, the consumer, and outside parties against the potential risks to the consumer’s rights associated with such processing. 

Preparing for CPRA Compliance

Although CPRA will take effect from January 1, 2023, businesses operating in California should start preparing well in advance. To prepare for the CPRA, organizations should make the following: 

  • Conduct data mapping to identify what CPRA will cover personal information.
  • Update business’s privacy policy and notices to display new and updated consumer privacy rights.  
  • Reviewing existing contracts with outside parties to change or update their status and inform them they may be required to comply with new regulations. 
  • Perform a risk assessment and prepare for the data security audit.  

Those who already made efforts to comply with CCPA should not have difficulties with CPRA compliance since all necessary measures are in place. These measures, however, should be revised and updated according to CPRA demands. 

If you have any questions regarding the upcoming CPRA compliance and data privacy security, consult our Planet9 team. We’ll be happy to assist. 



Phone:  888-437-3646


Related Articles 

Data Security in Context of CCPA Compliance 

Core Aspects of California Consumers Privacy Act (CCPA)

Answering Key Questions about Security Risk Assessment 

How to Conduct Security Risk Assessment


Leave a Reply