On January 1, 2023, the California Privacy Rights Act (CPRA) took effect and replaced the California Consumer Privacy Act (CCPA). Have you made the shift?

Having the flexibility to transition your security stance quickly when privacy rights and regulations, like the CCPA and CPRA, are updated can keep you ahead of the compliance curve — and the competition. In this post, we’ll take a look at exactly what the CPRA is and how it differs from the CCPA so you’re prepared for the change and don’t get surprised with fines for failing to comply with the new law. Let’s dive in!

What’s the CPRA?

The California Privacy Rights Act, also known as Proposition 24, significantly amends and expands the CCPA. Sometimes referred to as “CCPA 2.0,” CPRA is a ballot measure that was approved by California voters on November 3, 2020.

Enforcement: the California Privacy Protection Agency

The California Privacy Rights Act established a new agency called the California Privacy Protection Agency to implement and enforce the law. The California Privacy Protection Agency is vested with “full administrative power, authority, and jurisdiction to implement and enforce” the CCPA.

While some of the Attorney General’s responsibilities under the California Privacy Rights Act will transition over to the California Privacy Protection Agency effective July 1, 2021, the Attorney General will retain the authority to go to court to enforce CPRA.

How does the CPRA differ from the CCPA?

While the CPRA doesn't exactly replace the CCPA, it amends existing provisions of the CCPA and adds some new provisions as well: 

• Creates new consumer rights
• Clarifies existing threshold requirements of the CCPA
• Imposes additional obligations on businesses that collect personal information from California consumers
• Tightens enforcement

New consumer rights of the CPRA

In addition to the CCPA consumer rights, which give consumers more control over the personal information that businesses collect about them, the CPRA grants new and expanded rights to California consumers. These include:

• The right to opt out of certain uses and disclosures of “sensitive personal information”
• The right to opt out of the sharing of personal information
• The right to correct inaccurate personal information
• The right to enhanced transparency about a business’s information practices (including information about data retention periods)
• New rights related to the use of automated decision-making technology (including for profiling)

CCPA and CPRA threshold requirement differences

Let’s take a look at the threshold requirements of the CCPA and the CPRA.

The CCPA and its regulations apply to entities that meet the following criteria:

• Have an annual gross revenue of over $25 million USD
• Hold data containing personally identifiable information of 50,000 or more Californian consumers, households, or devices
• Derive 50% or more of annual revenue from selling consumers’ personal information

With the CPRA, threshold requirements have changed. If any of the following criteria are satisfied, the company will be considered a “business” under the CPRA:

• As of January 1 of the calendar year, the company exceeded $25 million USD in gross revenue in the preceding calendar year
• The company buys, sells, or shares the personal information of 100,000 or more consumers or households
• The company derives 50% or more of its annual revenue from selling or sharing consumers’ personal information

This means that most companies that met the CCPA’s annual revenue threshold will continue to fall under CPRA. But, many businesses that were subject to the CCPA because they collected the personal information of 50,000 or more Californians will now fall outside the scope of the CPRA’s increased 100,000 consumer or household threshold.

Additional obligations introduced in the CPRA

The CPRA introduces new requirements for businesses across a number of areas. Making sure you’re up to date on these additions will prevent fines down the road.

• Data retention: The CPRA sets limits on data collection, retention, and use. A business can’t retain personal or sensitive information for purposes other than initially collected or “longer than reasonably necessary for that disclosed purpose.”
• Processing sensitive data: The CPRA imposes a new set of responsibilities for processing sensitive data, which is any information that reveals a person’s geolocation, sexual orientation, race, religion, union membership, health, government ID (Social Security numbers, passports), finances (credit cards, access codes), genetic information, or communications (log-ins, etc.).

• Deletion requests: These requests must also be passed to service providers, contractors, and third parties to which the businesses have sold or shared information.
• Third parties: Businesses must include additional provisions in their contracts with service providers, contractors, and other third parties.

The CPRA’s tightened enforcement

When it comes to enforcement, the California Privacy Rights Act means business.

Enforcement of the CPRA will begin July 1, 2023, after a six-month grace period. After that date, businesses that are alleged to have violated the CPRA will have a 30-day "cure" period. Uncured violations may result in civil penalties of up to $7,500 per violation.

 The California Privacy Rights Act includes the following changes to enforcement:

• Expands the types of data breaches that are considered within the scope of the data breach private right of action
• Removes the mandatory 30-day cure period that existed under the CCPA
• Triples penalties for violations that involve minors under the age of 16

The time to prepare for the CPRA is now.

With the California Privacy Rights Act’s January 1, 2023 implementation date already in the past, it’s essential that companies shift their compliance efforts into alignment with the CPRA as soon as possible to avoid significant penalties. 

That said, the reality is this shift from CCPA to CPRA isn’t a one-off compliance challenge. Privacy rights and regulations are constantly shifting. Companies have to have the flexibility to shift their security stances quickly when necessary to avoid revenue loss. That’s where Strike Graph comes in.

Our multi-framework platform gets you prepared to quickly implement CPRA and paves the way for other certifications your company may require as you grow. If you’re not already CCPA certified, that’s the first step — and we can help.