Updated: December 13, 2024
Published: February 6, 2024
With almost 40 million people living, surfing, and paying for goods and services in California, the chances that your company does business with residents in that state are very high, if not unavoidable.
It doesn't matter if you're a B2C or B2B company or if you're based in Guam or Kickapoo, Missouri. Your company may still be subject to California data privacy laws if you do business in the state and meet any of the qualifying criteria, which we’ll look at further in this post.
The main piece of legislation relevant for consumer data privacy and protection in the Golden State is the California Consumer Privacy Act (CCPA) and its California Privacy Rights Act (CPRA) amendment.
When the CCPA went into effect in 2020, the Californians for Consumer Privacy—a consumer privacy advocacy group—pushed to have it amended to feature stronger protections for the personal data and consumer rights of the state’s residents. This push led to the CPRA becoming a law in January 2023.
The only law that really matters now is the new CCPA as amended by the CPRA (also known as CCPA 2.0), but people are still asking, “What is the difference between the CCPA and the CPRA?” This post goes into more detail about what the two laws are, how they differ, who they apply to, and how businesses need to adapt.
California has always been proactive in the fight for privacy, and it continues to set the standard for protecting people's personal and private information in the United States.
In fact, California was the first state to implement comprehensive privacy regulation, so let’s take a look at that legislation first:
The CCPA is enforceable by the California attorney general. Its purpose, as stated verbatim in AB 375, Title 1.81.5, The California Consumer Privacy Act of 2018, is to ensure the following rights:
When we use the word "business," do we mean the mom-and-pop shop that sells homemade sundries at farmers' markets, or do we mean multinational corporations with headquarters in LA?
A business, as defined in this law, is any company or organization that operates for profit, collects personal information from consumers (or has it collected on its behalf), and determines how that information is used.
To be subject to the CCPA, a company must do business in California and meet at least one of the following criteria:
If a business qualifies under CCPA, it has to make it easy for consumers to exercise their rights. Here's how:
Provide an Easy Opt-Out Link: Add a clear, noticeable link on the business's homepage labeled “Do Not Sell My Personal Information.” This link should lead to a page where consumers (or someone they authorize) can opt out of the sale of their personal information.
Consumers shouldn't have to create an account to make this request, and it should be easy for consumers to opt out.
Note that nowadays, these links read “Do Not Sell or Share My Personal Information.” If you’re wondering what that change in language is about, keep reading to learn more about how the CPRA addressed vagueness in the CCPA’s definition of a “sale.”
Provide a Separate Link to the “Do Not Sell My Personal Information” page: This should be included in any online privacy policy the business has, or any section of the site that specifically addresses California privacy rights.
Train Staff: All businesses should ensure that their employees who handle consumer questions about privacy practices or compliance understand the rules and can guide consumers on how to exercise their rights. For colleagues who work with systems that handle consumers’ personal information, it’s important they understand what they have to do to help fulfill subject rights requests and why.
Honor Opt-Out Requests: If a consumer opts out of the sale of their personal information, the business has to stop selling their data.
Respect Opt-Outs for 12 Months: After a consumer opts out, the business cannot ask them to opt back in for at least 12 months.
Use Data for Opt-Out Purposes Only: Any personal information collected as part of an opt-out request can only be used to process and comply with that request.
Now, let’s take a look at the CPRA, which updated the CCPA’s consumer data privacy protections.
In November 2020, California voters passed Proposition 24, also known as the California Privacy Rights Act, which introduced additional privacy protections effective January 1, 2023. With it, the California Privacy Protection Agency was granted the right to enforce the CCPA/CPRA alongside the attorney general.
The CPRA expands on the CCPA by granting consumers two new rights:
There are other changes as well. Let's take a look in more detail.
The main tweak to the CCPA compliance rules was that the applicability threshold for data handling climbed from 50,000 consumers or households to 100,000.
This new threshold might mean that your business doesn't qualify when it did earlier, but we'd recommend complying with the law even if you don't.
Under the CCPA, many businesses believed they could exchange consumer data without “selling” it per se; this created a gap that businesses argued allowed for the exchange of data for the purpose of targeted advertising.
However, targeted advertising is very much against the intention of the law. The CPRA clarified this by including the “sharing” of data in its various requirements. The CPRA also explicitly calls out targeted advertising as a regulated activity.
With the CCPA, a consumer was someone who paid your business in exchange for products or services received. Under the CPRA, the definition of “consumer” has expanded to include employees, who had previously been left out.
The responsibility of making sure the consumer understands their privacy rights now rests on your shoulders. This means that you'll have to explain it to them and make sure they understand, usually by using a form at the time of collection.
The amendment to the CCPA says consumers have the right to object to your business sharing their personal data with third parties, and they must be able to quickly object via a "do not share” button on your website.
Under the CCPA, businesses had a 30-day grace period to fix their privacy violations, but under the CPRA, that grace period no longer exists.
The CPRA introduced limitations on what personal information businesses can collect. Now, only what is necessary, reasonable, and proportionate can be collected, used, and shared.
Under the CCPA, data privacy rights violations were subject to penalties of up to $7,500 per violation, or $2,500 per unintentional violation. The biggest change the CPRA made was to apply the maximum fine to violations involving minors’ data (children under the age of 16).
Both the CCPA and the CPRA define personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes names, email addresses, geolocation data, internet search history, and purchase history, covering anything from personal property to goods and services.
Under the CPRA, consumers now have the right to stop you from using their sensitive personal information, which includes government-issued ID, account logins, financial information, specific geolocation, sexual orientation, biometric data, union membership details, contents of communication, racial origin, religious or political beliefs, or genetic data.
The CPRA established a set of privacy principles that companies must follow (some of which we've mentioned before):
At a glance, here are the differences between the CCPA and the CPRA (though, as the previous section shows, the CPRA goes into much greater detail about consumer privacy rights, third parties, and so on):
| | CCPA | CPRA |
| --- | --- | --- |
| Effective Date | January 1, 2020 | January 1, 2023 (with enforcement starting July 1, 2023) |
| Scope of Protection | Protects personal information of California residents. | Introduces additional protections for employees and heftier fines for violations against minors. |
| Sensitive Personal Information | Not specifically addressed. | Creates a new category for sensitive data, including social security numbers, biometric data, and geolocation. Consumers can limit its use. |
| Threshold for Applicability | Applies to businesses that: have $25M+ revenue; handle data of 50,000+ consumers/devices; or derive 50%+ revenue from selling data. | Raises the threshold to businesses handling data of 100,000+ consumers or households annually. |
| Consumer Rights | Grants rights to access, delete, and opt out of data sales. | Adds new rights: the right to correct inaccurate personal data, and the right to limit the use of sensitive data. |
| Data Retention | Does not address data retention explicitly. | Requires businesses to disclose retention periods and prohibits retaining data longer than necessary. |
| Data Sharing | Focuses on the sale of personal information. | Expands to include sharing of personal data for targeted advertising purposes. |
| Third-Party Obligations | Requires contracts with third parties handling data but lacks detailed requirements. | Imposes stricter rules on third-party agreements, including contractual obligations for data protection. |
| Enforcement | The California Attorney General. | The attorney general and the newly established California Privacy Protection Agency. |
| Employee and B2B Data | Temporary exemptions for employee and B2B data, set to expire. | Removes exemptions for employee and B2B data, requiring the same protections as consumer data. |
| Penalties for Violations | Fines up to $7,500 for intentional violations of children's privacy and $2,500 for others. | Same fines as the CCPA, but explicitly includes data breaches involving sensitive data and adds maximum fines for violations against minors. |
If your company does business or deals with California residents' personal information, you should prioritize your compliance efforts and treat it like any other essential business activity. By complying with CPRA regulations, you're protecting your business from potentially significant fines, legal action, and damage to your brand.
Since every affected person in a violation counts as a separate offense, fines can add up quickly. This was the case with Sephora, which failed to address its violations even after the CCPA’s 30-day grace period and was fined $1.2 million.
If your business is covered under the CPRA and the CCPA, you'll need to ensure your current business practices align with data privacy compliance rules.
Under the CCPA and especially the CPRA, your data practices will need to be more transparent, ethical, and compliant, and you'll likely need to reevaluate how you collect, store, sell, and share personal information. You'll also likely need to update your privacy policies and ensure your marketing campaigns respect consumer rights. Refer to your legal team for advice.
While aligning with the CPRA may take some financial investment, complying with these laws builds trust with your consumers, builds brand authority, and reduces risk.
Under the CPRA, your business is obligated to conduct risk assessments before any "high-risk" personal information processing. You'll need to annually file your findings with the CPPA to explicitly show that you've understood the risks involved and have taken every measure possible to mitigate any potential harm to the consumer.
Establishing a procedure for carrying out these risk assessments will be necessary.
Though not explicitly stated in CPRA or CCPA, you should implement data mapping practices. These help you identify risk, fulfill subject rights requests, and take steps to minimize the fallout from a data breach. Data mapping ensures that your company knows where personal information is collected, processed, and sent, and whether or not it’s protected. If you don’t know where data is, you can’t be certain you’re handling it compliantly.
There are quite a few ways to approach data mapping, but the most cost-effective way is through data mapping software.
Laws surrounding data privacy are only going to get stricter, making compliance more difficult for businesses to consistently maintain. That's where Osano can help. Our simple CPRA compliance software helps you easily honor opt-out requests, manage consumer and employee DSARs, assess third-party vendor compliance, and more.
Schedule a demo of Osano today to see how it can help you reduce your risk.
Want to know how to survive and thrive in California's data privacy landscape? Download our guide to find out what compliance activities you should prioritize.
Osano Staff is a pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of making a more transparent internet.