CCPA Vs CPRA: What’s changing?

Virgil

Oct 30, 2024

The CCPA laid the groundwork, but the CPRA is genuinely raising the stakes in data privacy. When compared to the CCPA, the California Privacy Rights Act (CPRA) introduces stricter privacy measures, including the creation of a dedicated enforcement agency, enhanced controls over sensitive data, and new rights for consumers to correct their information. 

However, the CPRA isn’t a complete overhaul but an evolution of the CCPA, building upon its foundational principles to address emerging privacy concerns. 

Yet, businesses are left grappling with key questions: Does my business fall under CPRA or CCPA? What are the fundamental differences between the two? And most importantly, what steps must I take to ensure compliance with these new regulations? 

In this blog, we dive deep into the differences, the qualification criteria, and the actions qualifying organizations must take to comply with the new requirements. Let’s dive in:

TL;DR 

CPRA is an additional set of rules and policies laid out by the Californian legislative body to require businesses that handle user data to protect customer data’s security and integrity.
CPRA adds a layer of requirements by expanding the scope of user rights and creating a new category of personal data called ‘Sensitive Personal Information’.
CPRA has also updated the eligibility criteria to determine applicability.

Now that we have the context, let’s settle the CCPA vs CPRA debate once and for all. 

What’s CCPA? 

The California Consumer Privacy Act (CCPA), launched in 2018, was a law aimed at giving Californians some degree of control over how businesses collect and process their data. Thus, the law mandated businesses to not only disclose how they collect data, what they do with it, and whom they share and sell it to but also give consumers the power to opt-out. 

It came into effect in 2020 and was widely regarded as California’s answer to the EU’s General Data Protection Regulation (GDPR). 

Who is required to be CCPA Compliant?

The CCPA privacy law clearly states the eligibility criteria for businesses to assess if they fit the bill and are required to become CCPA compliant. A business comes under the purview of CCPA if it meets one or more of the criteria mentioned below:

1) If the annual revenue of a business is $25 million or higher

2) If a business buys/sells/shares data of more than 50,000 California residents/households/devices

3) If a business makes 50% or more of its revenue by selling information about the residents of California

So, if your business checks one or more boxes, it is subject to the CCPA, and noncompliance could result in heavy administrative penalties or criminal charges.

What’s CPRA?

CPRA is built on the principles and vision of CCPA. It aims to ensure the security, privacy, and integrity of California citizens’ user data by setting guidelines and consequences for businesses that process it. 

The regulatory law also aims to offer users control of how their data is processed through user rights. The framework also sets guidelines to enable users to use their data rights. Certain new requirements that were added will require businesses to step up their security game, processing activities, and overall interactions with users.

When does CPRA come into effect?

The California Privacy Rights Act (CPRA) officially took effect on January 1, 2023. However, enforcement of the regulations has been delayed. Originally set for July 1, 2023, the enforcement date has been postponed to March 29, 2024, due to a court decision. 

CCPA vs CPRA: What’s new?

Despite the common notion, CPRA is not a replacement for CCPA but an amendment. Some new rules and guidelines have been added to CCPA to ensure consumer data privacy. 

In a nutshell, here are the categories affected by the CPRA update:

CCPA VS CPRA: What’s considered data sharing?

Sharing information is now a key aspect of data protection law, defined by several conditions:

  • Renting or transferring consumer data
  • Disclosing or distributing personal information
  • Making data publicly available
  • Communicating details verbally, in writing, or electronically

CPRA further clarifies sharing by including instances like third-party behavioral advertising, even without financial exchange. Sharing for targeted advertising remains within the law’s scope even though it is not classified as selling when no monetary compensation is involved. This broader definition addresses the widespread business practice of sharing data without a financial transaction.

What does the update mean for your business?

30-day patchwork won’t work

Previously, the CCPA allowed businesses a 30-day period to remediate violations and breaches, a damage-control approach that permitted companies to sideline security until it became necessary. 

With updated guidelines under CPRA, you don’t automatically get the 30-day cure period; instead, it now depends on the sole discretion of the regulatory body. This means businesses can no longer dodge accountability with vague statements like “reasonable security measures” if a violation occurs. They must prove that their security standards meet or exceed legal expectations and industry norms, knowing that waiting to address issues could immediately trigger fines or legal actions.

The writing on the wall is clear – now businesses must be proactive in ensuring compliance at all times or face penalties.

Security is no longer on the sidelines; it’s in the spotlight

The California Consumer Privacy Act (CCPA) was largely enforced by the California Attorney General’s office. This arrangement meant that privacy law enforcement was one of many responsibilities of the office, giving way to lax implementation and less intense scrutiny.

With the creation of the California Privacy Protection Agency (CPPA), there is now a dedicated agency solely focused on privacy protection. This means businesses need to make data privacy a board-level priority and be able to demonstrate that they have done so.  

Compliance is about to get challenging

Importantly, cybersecurity audits and risk assessments are now mandatory, meaning businesses must regularly evaluate and document their security measures to ensure they meet CPRA standards. This new requirement adds a significant layer to compliance efforts, as organizations must thoroughly evaluate their data handling practices. The CPRA’s broadened definition of personal information—including new categories like ‘sensitive personal information’—compels businesses to reassess the data they collect, process, and store.

Immediate action points for businesses under the scope

The shift from the CCPA to the CPRA brings significant changes that businesses must address promptly. The CPRA not only expands consumer rights but also introduces new compliance obligations for organizations handling personal data. To navigate these changes effectively, businesses under the scope of the CPRA should focus on immediate action points that ensure compliance and build consumer trust. Below are the key areas that require immediate attention:

Enhance Opt-Out Options

  • ‘Do Not Sell or Share My Personal Information’ Link: Ensure this link is prominently displayed on your website, allowing consumers to opt out easily.
  • Recognize and honor GPC signals from consumers’ browsers or devices as valid opt-out requests.

Revise Cookie Management Practices

  • Implement or update your Consent Management Platform (CMP) to allow consumers to manage their cookie preferences, including opting out of non-essential cookies.
  • Provide clear information about the types of cookies used, their purposes, and the data collected, ensuring consumers can make informed decisions.
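The two action points above (honoring GPC signals as opt-out requests, and gating non-essential cookies on the consumer’s recorded preferences) meet on the server, where each request has to be turned into a single decision. The following is an added example, not Sprinto’s code or any CMP vendor’s, of one way to resolve that decision. It assumes the `Sec-GPC: 1` request header defined by the Global Privacy Control specification as the browser-side signal; the cookie category names, the cookie catalogue, the `stored_prefs` layout and the rule that an opt-out switches off the advertising category are all constructed for this example.

```python
# Added example (not Sprinto's code): resolving a visitor's effective opt-out and
# cookie-category consent from the Global Privacy Control (GPC) request header and
# any preferences previously stored by a consent management platform (CMP).
# Assumptions: the "Sec-GPC: 1" request header (from the GPC specification) is the
# opt-out signal; cookie category names, the cookie catalogue and the `stored_prefs`
# layout are constructed for this example.
from dataclasses import dataclass, field
from typing import Mapping, Optional

# Cookie categories a CMP typically exposes (constructed names).
ESSENTIAL = "essential"
ANALYTICS = "analytics"
ADVERTISING = "advertising"
NON_ESSENTIAL = frozenset({ANALYTICS, ADVERTISING})

# Constructed catalogue mapping each cookie the site sets to its category.
COOKIE_CATALOG = {
    "session_id": ESSENTIAL,
    "csrf_token": ESSENTIAL,
    "_analytics_id": ANALYTICS,
    "_ad_partner_id": ADVERTISING,
}


@dataclass
class ConsentState:
    """Effective decision for one request."""
    opt_out_sale_share: bool = False                  # "Do Not Sell or Share" in force?
    allowed_categories: set = field(default_factory=lambda: {ESSENTIAL})
    source: str = "default"                           # default | cmp | gpc | cmp+gpc


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True when the browser sent 'Sec-GPC: 1'.

    Header names are matched case-insensitively. The specification defines only
    the value '1', so any other value is treated as no signal at all.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def resolve_consent(headers: Mapping[str, str],
                    stored_prefs: Optional[Mapping] = None) -> ConsentState:
    """Combine stored CMP preferences with the GPC signal.

    GPC is honoured as a valid opt-out of sale/sharing, so it switches off the
    advertising category regardless of what the CMP banner recorded earlier.
    Essential cookies are always allowed; analytics follows the stored preference.
    """
    state = ConsentState()
    sources = []

    if stored_prefs:
        # Only known non-essential categories can be granted; essential is implicit.
        chosen = set(stored_prefs.get("allowed", ())) & NON_ESSENTIAL
        state.allowed_categories = {ESSENTIAL} | chosen
        state.opt_out_sale_share = bool(stored_prefs.get("opt_out_sale_share", False))
        sources.append("cmp")

    if gpc_signal_present(headers):
        # The signal is a valid opt-out request in its own right.
        state.opt_out_sale_share = True
        state.allowed_categories.discard(ADVERTISING)
        sources.append("gpc")

    if sources:
        state.source = "+".join(sources)
    return state


def cookies_permitted(state: ConsentState) -> list:
    """Names of cookies the response may set under the resolved consent state."""
    return sorted(name for name, category in COOKIE_CATALOG.items()
                  if category in state.allowed_categories)


if __name__ == "__main__":
    # Constructed request: the browser sends GPC while the CMP had recorded full consent.
    demo_headers = {"Host": "example.test", "Sec-GPC": "1"}
    demo_prefs = {"allowed": ["analytics", "advertising"], "opt_out_sale_share": False}
    decision = resolve_consent(demo_headers, demo_prefs)
    print(decision)
    print("cookies permitted:", cookies_permitted(decision))
```

The point worth noting is the precedence: a GPC signal wins over an earlier banner choice for the sale/share decision, while unrelated categories such as analytics still follow what the consumer chose in the CMP. Whatever precedence you settle on should be written down, because it is exactly the kind of decision an auditor will ask you to justify.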

Appoint Security Teams/CISO/DPO

One of the significant changes is the introduction of requirements for regular cybersecurity audits and risk assessments, particularly for businesses whose processing activities present a heightened risk to consumers’ personal information. Appointing a Chief Information Security Officer (CISO) or Data Protection Officer (DPO) is now more critical than ever for the following reasons:

  • Businesses that process personal information in a way that poses a significant risk to consumers’ privacy or security are required to perform annual cybersecurity audits and risk assessments (and these can only be designed and verified by a designated security officer). 
  • The CISO/DPO acts as a central point of contact within the organization with the regulatory body. This includes replying to notices and taking a point on updates and circulars.  

How to determine if CPRA applies to you? 

The threshold that determines whether a business falls under the jurisdiction of CPRA has now been updated. It is important to remember that the CPRA thresholds also apply to CCPA.

So if you conduct business in California and meet any of the listed criteria, you fall under the purview of both CCPA and CPRA. 

Here are the updated thresholds that determine the applicability of CPRA.

1) If a business has earned $25 million or more from the beginning of the calendar year (2024-25) till the 1st of January 2024.

2) If personal/household/device information of more than 100,000 residents of California is bought/sold/shared by a business.

3) If a business makes 50% or more of its revenue by selling, distributing, or sharing consumer data.

What are the penalties for non-compliance with CPRA?

Under the California Privacy Rights Act (CPRA), any entity that violates the law may face significant consequences, including an injunction and administrative fines of up to $2,500 for each violation. If the violation pertains to the rights of minors (individuals under the age of 16), the fines can escalate to $7,500 for each instance.

Simplify and fast-track CCPA/CPRA with Sprinto 

Sprinto comes packed with pre-built policy templates and control-policy mapping, so you can plug Sprinto into your cloud systems, carry out guided control implementation, and get started monitoring and remediating your systems for anomalies. 

Sprinto’s automation continuously tests controls and triggers remediation workflows to curb compliance drift. Automated evidence collection helps you demonstrate your compliance posture with confidence during audits.

The best part is that Sprinto’s customizability makes it easy to deploy tests and monitor custom/new security frameworks and unique controls tailored to your business or certain regulatory updates. You enjoy the same level and depth of automation for these frameworks as you would with any standard security framework.

Want to see Sprinto in action? Book your demo today.

FAQ

What’s the difference between CCPA and CPRA?

Even though CCPA and CPRA aim to solve a similar problem, CPRA is more nuanced and detailed. It tightens protocols for collecting and processing sensitive information and sharing data, and expands consumer privacy rights. CPRA also introduced new bodies like the CPPA and updated the thresholds for businesses that fall under its purview. 

Does CPRA replace CCPA?

No, CPRA is an amendment that builds on CCPA to update certain areas and introduce new guardrails and obligations for businesses to help consumers protect their data privacy. 

Who is affected by this update?

The new CPRA thresholds affect businesses that have over USD 25M in revenue, derive 50% of their revenue from selling customer data, or collect or process information on more than 50,000 consumers. 

Does CPRA mandate annual cybersecurity audits?

Yes, as per the recent guidelines by CPRA privacy policy, businesses are required to undergo not only annual cybersecurity audits but also conduct regular risk assessments to provide assurance of reasonable security procedures against privacy risks.

Virgil
Virgil is a marketer at Sprinto who combines his media savvy with his cybersecurity expertise to craft content that truly resonates. Known for simplifying complex cybersecurity and GRC topics, he brings technical depth and a storyteller’s touch to his work. When he’s not busy writing, he’s likely exploring the latest in cybersecurity trends, debating geopolitics, or unwinding with a good cup of coffee.
