The 2018 California Consumer Privacy Act (CCPA) is the first U.S. data privacy law to focus on consumers. A year after it took effect, California approved the California Privacy Rights Act (CPRA), an expansion on the original, providing Californians with additional rights and restrictions over how businesses handle their data. Businesses should be aware of the changes in the CPRA to stay compliant when it comes into force in 2023 and enjoy the benefits of privacy laws for e-commerce. Before proceeding, though, take care not to confuse data security with data privacy.
California Consumer Privacy Act (CCPA)
The CCPA was signed in 2018 and came into effect on January 1, 2020. It was enforced by the Office of the Attorney General until the CPRA was created. It is a state-wide data privacy law that necessitates e-commerce data privacy consent management. It acts as an e-commerce data privacy guide, regulating how businesses handle the personal information (PI) of California residents and protecting this information against third-party sales or disclosure.
Section 1798.140 of the CCPA defines the sale of PI as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
The CCPA also grants residents of California (consumers) the right to access, modify, or delete their data. If a business shares a name, service mark, or trademark with another CCPA-covered entity, both must comply. A business that violates the CCPA might face fines of up to $7,500 per violation or $750 per person whose data was compromised. You might compare it to the EU’s GDPR, but the difference between GDPR and CCPA is that the GDPR reprimands firms proactively, whereas the CCPA is reactive.
California Privacy Rights Act (CPRA)
California voters enacted CPRA on November 3, 2020, updating several provisions in the CCPA and introducing new rights.
CPRA amendments take effect on January 1, 2023, with enforcement slated for July. Some of the most notable changes are the transition of enforcement to the new California Privacy Protection Agency, a $7,500 punishment for minors’ data infractions, and the “limit the use of my personal information” link requirement.
Additionally, it limits data collection, storage, and use. Businesses cannot retain personal or sensitive information “longer than is necessary for that disclosed purpose”. There are also new restrictions on data sharing that allow consumers to opt out of behavioral advertising.
Which Rights Are Granted to Consumers Under CCPA & CPRA?
The CCPA grants the citizens of the Golden State the following rights:
- The right to know what personal information a business is collecting about them and how it’s being used and shared
- The right to ask that any personal information collected from them is deleted
- The right to opt out of the sale of their personal information to third parties
- The right to nondiscrimination for exercising their CCPA rights
Meanwhile, the new rights under the CPRA include:
- Right to Correct Information. Consumers can ask businesses to rectify incorrect personal information. Covered businesses must notify consumers of this new right and take “commercially reasonable efforts” to update their PI upon request.
- Right to Limit Sensitive Personal Information. There is a new “sensitive personal information” subcategory that allows consumers to limit the use and disclosure of sensitive information to those required to perform the services or deliver the goods only.
- Right to Access Information About Automated Decision-Making. Consumers can ask about the basis behind automated decision-making and the expected outcome of processes.
- Right to Opt-Out of Automated Decision-Making Technology. Consumers can choose not to have certain information taken into account by automated decision-making technology.
It also expands consumer rights as specified in the CCPA, such as:
- Right to Know. Requests for personal information can go beyond the CCPA’s 12-month look-back period for data collected from January 1, 2022, onwards.
- Right to Opt-Out. The opt-out provision will now cover both the sale and “sharing” of personal information.
- Right to Delete. Businesses that receive a consumer deletion request must notify any third parties who bought or acquired the customer’s personal information, with some exceptions.
- Right to Data Portability. Customers can request that businesses transmit their PI to another organization if technically viable.
- Opt-In Rights for Minors. Businesses must wait a year before asking again if a minor (under 16 years old) refuses to supply their PI.
CCPA & CPRA Compliance Criteria
The CCPA applies to any for-profit organization operating anywhere in the world that buys, sells, and receives the personal information of more than 50,000 California residents each year, makes more than $25 million in yearly gross sales, or gets more than half of its annual income from doing so.
The CPRA applies similar standards as the CCPA, the key difference being that the threshold has been raised from 50,000 to 100,000.
Businesses Must Start Taking Appropriate Steps
Every company that does business with Californians will be affected by the CPRA, irrespective of whether it is located in the United States or in any other part of the world. Businesses should start taking appropriate steps toward meeting CPRA data retention requirements to prevent penalties and fines when it comes into effect on January 1, 2023.