What Is The Difference Between CCPA And CPRA? What Has Changed?

Data is the fuel on which your business runs today. Without actionable data, standing out in this competitive market is nearly impossible. But what is more intimidating is the changing landscape of the global consumer data. 

Today’s digital consumers are more sensitive towards their data than ever. 

A recent Gartner study shows that 8 out of 10 customers show chances of abandoning a brand that uses their data without any prior consent. No wonder why there is a sea change in the data privacy policy landscape, both national and international, making complete knowledge of the most recent data privacy updates critical.

In this post, we are going to take a deeper look into two of the most recent privacy laws enforced on California state citizens.

By the end of this post, you would be confident to develop a strong action to keep your business legally squared against all data privacy laws.

CCPA vs CPRA: A brief overview

The CCPA and CPRA are both data protection laws for the consumers of California. This means they are the same yet different. Confused?

Let us explain.

While both the CCPA (California Consumer Privacy Act) and CPRA (California Privacy Rights Act) are data protection laws for the consumers of the state of California, they are completely different in their working mechanisms.

The CPRA operates on a much larger spectrum and has foundational policies while the CCPA is hyper-specific and customized.

CPRA ensures fundamental data privacy rights that every business entity in California needs to follow. On the contrary, the CCPA goes specifically to create laws for companies located inside the geography no matter with whom and where they operate.

What is CCPA?

Legally enforced on the 1st July 2018, the California Consumer Privacy Act, popularly known as the CCPA, is the first major privacy law giving consumers in the United States control over personal information. It is closely aligned with the European Union’s General Data Protection Regulation.

CCPA is California’s new data privacy law. It’s a state law that specifically addresses California’s ability to allow for data privacy from the entities that do business in the State of California, not a federal law as GDPR.

The California Privacy Law ensures that consumers can know what personal information is collected and shared with third parties. It allows them to access and delete their information. 

 

What is CPRA?

The CPRA, on the contrary, deals with the privacy rights that are enforced on all business entities running in California.

Although not the first privacy law enforced on the businesses operating in California, this law has definitely taken the businesses in California by a whirlwind.

In fact, California has been working on privacy legislation for almost 20 years. As early as 1998, California began to pass privacy legislation that included the sale of any type of personal information without the customer’s consent. The CPRA becomes effective in 2023, with a lookback period from 2022. Interested to know all about this law?

Here’s a handy California Privacy Rights Act guide that can give you a comprehensive idea of this data privacy law.

 Who enforces the CCPA and CPRA?

The California attorney general’s office is responsible for enforcing both CCPA and CPRA.

The attorney general of California is the chief legal counsel for the State of California. The attorney general is the chief legal officer for the state government. The attorney general is the chief legal counsel for the state government.

The attorney general of California provides legal counsel for the state government on a broad range of issues. The attorney general’s office is also responsible for enforcing state criminal laws.

What is the difference between CCPA and CPRA?

The biggest difference between CCPA and CPRA is in the scope and enforcement mechanisms of the two laws.

California’s CPRA is blanket privacy legislation that applies to nearly all entities doing business within the state of California. The law is designed to ensure basic privacy rights for consumers of the state of California.

On the contrary, California has a privacy law (CCPA), that is not a privacy law that specifically addresses data protection and security. The California Consumer Privacy Act is California’s new privacy law.

The California Privacy Act, also known as the CPRA, is a state law that peculiarly addresses California’s ability to empower data privacy from the entities that do business in the State of California.

The California Consumer Privacy Act came after the California Attorney General’s Office received an unusually high degree of consumer complaints about the mishandling and misuse of personal data.

The CCPA is more specific as it is about how to handle consumer data. It applies to all companies that are based in California. However, the CPRA only applies to businesses that do business in the State of California.

The CCPA will apply to all companies who are located in California, even if they maintain systems outside of California. Companies that are not based in California will not be subject to the CCPA. However, they may still be subject to the CPRA. 

What can you expect to change under CCPA?

As an implementation of CCPA, there are going to be drastic changes in the lives of residents.

The CCPA will affect California residents in three different ways:

Companies will be required to clearly describe how data will be used and shared with third parties:

The CCPA requires companies to tell their customers exactly what data they collect, how they use it, and for what purposes. The CCPA will also require any third party that receives consumer data to be named and address the consumer’s right to opt-out.

Companies will be required to obtain consent from customers before sharing their data with third parties: Companies will be required to obtain a customer’s affirmative consent before sharing their data.

Companies will be required to clearly describe how long their data will be stored: Companies will be required to store their consumers’ data for only as long as is necessary to fulfill the purposes for which the information was collected or disclosed.

How long do the CCPA and CPRA take to enforce?

The CCPA and CPRA will enter into effect on July 1st. However, companies that are targeted with enforcement action before the enforcement date may have five years to comply with the CCPA and CPRA.

The California Attorney General’s Office can enforce the CCPA and CPRA through a broad array of enforcement options that include:

  • Public education: The Attorney General can issue public advisories and guidance to provide information and assistance on the CCPA and CPRA.
  • Injunctive relief: The Attorney General can seek a court order requiring the company or other party to take specific actions to prevent further misuse of the consumer’s personal information.
  • Civil penalties: The Attorney General can seek civil money penalties against companies and individuals who violate the CCPA and/or CPRA. The Attorney General can also apply for an injunction requiring a company to comply with the CCPA and/or CPRA.

What are the exemptions?

The CCPA and the CCPA have exemptions for companies like small businesses, nonprofits, and government agencies. According to the CCPA exemption protocol, any business that is one of the following are exempted.

  • A small business as defined by California Code of Civil Procedure Section 168.5(b).
  • A nonprofit or a nonprofit health entity as defined by California Code of Civil Procedure Section 168.5(h).
  • A governmental agency or a public agency.

 

These exemptions in the law are meant to give companies a way out of complying with the CCPA and CPRA. However, the Attorney General can issue public advisories and guidance to provide information and assistance on the CCPA and CPRA.

What rights are granted to the consumers?

The CCPA and CPRA provide several rights to the consumers, the main concern area for consumers is their privacy considering that as a priority business needs to follow some guidelines. 

The CCPA and CPRA grant consumers the following rights 

  • The right to know what personal information a company collects from them and how they collect it.
  • The right to access and review the information that a company has collected about them.
  • The right to correct any inaccuracies in their personal information.
  • The right to determine what type of data they share with third parties.

 

However, the CCPA and CPRA do not grant consumers the right to opt out of receiving marketing communications. Additionally, the CCPA and CPRA do not grant California consumers the right to port their data from an entity that has violated the CCPA or CPRA.

 Many other important consumer rights are not addressed by the CCPA nor the CPRA. These include:

The right to sue for damages for any harm associated with the mishandling or misuse of their personal information.

The right to sue for a company’s failure to notify a consumer about changes to their privacy policies. 

Conclusion

The landscape of data policies is very dynamic.  What is new today becomes old tomorrow.

This makes keeping yourself updated with the newest policy development critical.

Sure, the above understanding of today’s newest policies will give you an edge but is it sustainable? The worst part is keeping up with these changes can become toilsome and take away some significant chunk of your productive time.

 

A pro tip here would be to collaborate with an expert. This will not only keep you legally updated but create stress-free room for your business innovation.

 

Now all you have to do is take the leap.