
CCPA vs. CPRA: Key Differences and Compliance Tips

Written by Osano Staff | February 6, 2024

With almost 40 million people living, surfing, and paying for goods and services in California, the chances that your company does business with residents in that state are very high, if not unavoidable. 

It doesn't matter if you're a B2C or B2B company or if you're based in Guam or Kickapoo, Missouri. Your company may still be subject to California data privacy laws if you do business in the state and meet any of the qualifying criteria, which we’ll look at further in this post.

The main piece of legislation relevant for consumer data privacy and protection in the Golden State is the California Consumer Privacy Act (CCPA) and its California Privacy Rights Act (CPRA) amendment.

When the CCPA went into effect in 2020, the Californians for Consumer Privacy—a consumer privacy advocacy group—pushed to have it amended to feature stronger protections for the personal data and consumer rights of the state’s residents. This push led to the CPRA becoming a law in January 2023.

The only law that really matters now is the new CCPA as amended by the CPRA (also known as CCPA 2.0), but people are still asking, “What is the difference between the CCPA and the CPRA?” This post goes into more detail about what the two laws are, how they differ, who they apply to, and how businesses need to adapt.

What Are the CCPA and CPRA?

California has always been proactive in the fight for privacy, and it continues to set the standard for protecting people's personal and private information in the United States. 

In fact, California was the first state to implement comprehensive privacy regulation, so let’s take a look at that legislation first:  

The CCPA

Enforceable by the California attorney general, the purpose of the CCPA, as stated verbatim in AB 375, Title 1.81.5, The California Consumer Privacy Act of 2018, is to ensure the following rights:

  1. The right of Californians to know what personal information is being collected about them
  2. The right of Californians to know whether their personal information is sold or disclosed and to whom
  3. The right of Californians to say no to the sale of personal information
  4. The right of Californians to access their personal information
  5. The right of Californians to equal service and price, even if they exercise their privacy rights

Which California Businesses Must Comply with the CCPA?

When we use the word "business," do we mean the mom-and-pop shop that sells homemade sundries at farmers' markets, or do we mean multinational corporations with headquarters in LA? 

A business, as defined in this law, is any company or organization that operates for profit, collects personal information from consumers (or has it collected on its behalf), and determines how that information is used.

To be subject to the CCPA, a company must do business in California and meet at least one of the following criteria:

  1. Make over $25 million in yearly revenue
  2. Buy, sell, or share personal information of 50,000 or more consumers, households, or devices every year
  3. Earn 50% or more of its annual revenue from selling personal information

How to Help Consumers Exercise Their Privacy Rights Under CCPA

If a business qualifies under CCPA, it has to make it easy for consumers to exercise their rights. Here's how:

Provide an Easy Opt-Out Link: Add a clear, noticeable link on the business's homepage labeled “Do Not Sell My Personal Information.” This link should lead to a page where consumers (or someone they authorize) can opt out of the sale of their personal information.

Consumers shouldn't have to create an account to make this request, and it should be easy for consumers to opt out.

Note that nowadays, these links read “Do Not Sell or Share My Personal Information.” If you’re wondering what that change in language is about, keep reading to learn more about how the CPRA addressed vagueness in the CCPA’s definition of a “sale.”

Provide a Separate Link to the “Do Not Sell My Personal Information” page: This should be included in any online privacy policy the business has, or any section of the site that specifically addresses California privacy rights.

Train Staff: All businesses should ensure that their employees who handle consumer questions about privacy practices or compliance understand the rules and can guide consumers on how to exercise their rights. For colleagues who work with systems that handle consumers’ personal information, it’s important they understand what they have to do to help fulfill subject rights requests and why.

Honor Opt-Out Requests: If a consumer opts out of the sale of their personal information, the business has to stop selling their data.

Respect Opt-Outs for 12 Months: After a consumer opts out, the business cannot ask them to opt back in for at least 12 months.

Use Data for Opt-Out Purposes Only: Any personal information collected as part of an opt-out request can only be used to process and comply with that request.

Now, let’s take a look at the CPRA, which updated the CCPA’s consumer data privacy protections.

The CPRA: What's New?

In November 2020, California voters passed Proposition 24, also known as the California Privacy Rights Act, which introduced additional privacy protections effective January 1, 2023. With it, the California Privacy Protection Agency was granted the right to enforce the CCPA/CPRA alongside the attorney general.

The CPRA expands on the CCPA by granting consumers two new rights:

  • The right to correct any inaccurate personal information held by a business
  • The right to know what personal information is being shared about them, and the right to limit the use and sharing of sensitive personal information collected about them

There are other changes as well. Let's take a look in more detail.

Who Must Comply with the CPRA

The main tweak to the CCPA compliance rules was that the data-handling threshold climbed from 50,000 consumers, households, or devices to 100,000 consumers or households.

This new threshold might mean that your business doesn't qualify when it did earlier, but we'd recommend complying with the law even if you don't.  

Clarified Definition of Selling and Sharing Data

Under the CCPA, many businesses believed they could exchange consumer data without “selling” it per se; this created a gap that businesses argued allowed for the exchange of data for the purpose of targeted advertising.

However, targeted advertising is very much against the intention of the law. The CPRA clarified this by including the “sharing” of data in its various requirements. The CPRA also explicitly calls out targeted advertising as a regulated activity.

An Expansion on the Definition of Consumer

With the CCPA, a consumer was someone who paid your business in exchange for products or services received. Under the CPRA, the definition of “consumer” has expanded to include employees, who had previously been left out. 

Requiring an Explanation of Consumer Rights in Privacy Policies

The responsibility of making sure the consumer understands their privacy rights now rests on your shoulders. This means that you'll have to explain it to them and make sure they understand, usually by using a form at the time of collection.

The New Right to Object to Sharing Their Personal Information

The amendment to the CCPA says consumers have the right to object to your business sharing their personal data with third parties, and they must be able to quickly object via a “do not share” button on your website.

The End of the CCPA's Grace Period

Under the CCPA, businesses had a 30-day grace period to fix their privacy violations, but under the CPRA, that grace period no longer exists.

Stronger Limits on Data Collection

The CPRA introduced limitations on what personal information businesses can collect. Now, only what is necessary, reasonable, and proportionate can be collected, used, and shared.  

Stricter Penalties

Under the CCPA, any data privacy rights violations were subject to penalties of up to $7,500 per violation or $2,500 per unintentional violation. The biggest change the CPRA made was to apply the maximum fine to violations involving minors’ data (children under the age of 16).

A New Sensitive Personal Information Category

Both the CCPA and the CPRA define personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes names, email addresses, geolocation data, internet search history, and purchase history, covering anything from personal property to goods and services.

Under the CPRA, consumers now have the right to stop you from using their sensitive personal information, which includes government-issued ID, account logins, financial information, specific geolocation, sexual orientation, biometric data, union membership details, contents of communication, racial origin, religious or political beliefs, or genetic data.

New Privacy Principles

The CPRA established a set of privacy principles that companies must follow (some of which we've mentioned before):

  • You can only use personal data for the purpose for which it was originally collected.
  • Your fines triple where privacy violations against children under 16 are concerned; the child's guardian must also grant permission for the data collection, and you must also wait 12 months before you can ask for consent if it was not granted the first time. 
  • You should destroy/delete data once it has been used for its collected purposes.
  • You need to provide an adequate and appropriate level of security based on the data's sensitive nature and the potential harm if it were to be accessed by an unauthorized party. 

CPRA vs CCPA: Key Differences Between California's Data Privacy Laws

At a glance, here are the differences between the CCPA and the CPRA (as we explored in the previous section, the CPRA goes into much greater detail about consumer privacy rights, third parties, etc.):

| | CCPA | CPRA |
|---|---|---|
| Effective Date | January 1, 2020 | January 1, 2023 (with enforcement starting July 1, 2023) |
| Scope of Protection | Protects personal information of California residents. | Introduces additional protections for employees and heftier fines for violations against minors. |
| Sensitive Personal Information | Not specifically addressed. | Creates a new category for sensitive data, including social security numbers, biometric data, and geolocation. Consumers can limit its use. |
| Threshold for Applicability | Applies to businesses that have $25M+ revenue, handle data of 50,000+ consumers/devices, or derive 50%+ revenue from selling data. | Raises the threshold to businesses handling data of 100,000+ consumers or households annually. |
| Consumer Rights | Grants rights to access, delete, and opt out of data sales. | Adds new rights: the right to correct inaccurate personal data and the right to limit the use of sensitive data. |
| Data Retention | Does not address data retention explicitly. | Requires businesses to disclose retention periods and prohibits retaining data longer than necessary. |
| Data Sharing | Focuses on the sale of personal information. | Expands to include sharing of personal data for targeted advertising purposes. |
| Third-Party Obligations | Requires contracts with third parties handling data but lacks detailed requirements. | Imposes stricter rules on third-party agreements, including contractual obligations for data protection. |
| Enforcement | The California Attorney General. | The attorney general and the newly established California Privacy Protection Agency. |
| Employee and B2B Data | Temporary exemptions for employee and B2B data, set to expire. | Removes exemptions for employee and B2B data, requiring the same protections as consumer data. |
| Penalties for Violations | Fines up to $7,500 for intentional violations of children's privacy and $2,500 for others. | Same fines as CCPA but explicitly includes data breaches involving sensitive data and adds maximum fines for violations against minors. |

Why California Privacy Laws Matter for Businesses

If your company does business or deals with California residents' personal information, you should prioritize your compliance efforts and treat it like any other essential business activity. By complying with CPRA regulations, you're protecting your business from potentially significant fines, legal action, and damage to your brand.

Since every affected person in a violation counts as a separate offense, your fines can add up quickly. This was the case with Sephora, which failed to address its violations even after the CCPA granted a 30-day grace period and was fined $1.2 million.

How the CPRA and CCPA Impact Businesses

If your business is covered under the CPRA and the CCPA, you'll need to ensure your current business practices align with data privacy compliance rules.

Changes in Marketing Efforts

Under the CCPA and especially the CPRA, your data practices will need to be more transparent, ethical, and compliant, and you'll likely need to reevaluate how you collect, store, sell, and share personal information. You'll also likely need to update your privacy policies and ensure your marketing campaigns respect consumer rights. Refer to your legal team for advice.

While aligning with the CPRA may take some financial investment, complying with these laws builds trust with your consumers, builds brand authority, and reduces risk.

New Risk Assessments

Under the CPRA, your business is obligated to conduct risk assessments before any "high-risk" personal information processing. You'll need to annually file your findings with the CPPA to explicitly show that you've understood the risks involved and have taken every measure possible to mitigate any potential harm to the consumer.

Establishing a procedure for carrying out these risk assessments will be necessary.

Data Mapping

Though not explicitly stated in CPRA or CCPA, you should implement data mapping practices. These help you identify risk, fulfill subject rights requests, and take steps to minimize the fallout from a data breach. Data mapping ensures that your company knows where personal information is collected, processed, and sent, and whether or not it’s protected. If you don’t know where data is, you can’t be certain you’re handling it compliantly.

There are quite a few ways to approach data mapping, but the most cost-effective way is through data mapping software.

How Osano Can Help You Comply With CPRA

Laws surrounding data privacy are only going to get stricter, making compliance more difficult for businesses to consistently maintain. That's where Osano can help. Our simple CPRA compliance software helps you easily honor opt-out requests, manage consumer and employee DSARs, assess third-party vendor compliance, and more.

Schedule a demo of Osano today to see how it can help you reduce your risk.