On January 1, 2023, the California Privacy Rights Act (CPRA) took effect and replaced the California Consumer Privacy Act (CCPA). Have you made the shift?
Having the flexibility to transition your security stance quickly when privacy rights and regulations, like the CCPA and CPRA, are updated can keep you ahead of the compliance curve — and the competition. In this post, we’ll take a look at exactly what the CPRA is and how it differs from the CCPA so you’re prepared for the change and aren’t surprised by fines for failing to comply with the new law. Let’s dive in!
The California Privacy Rights Act, also known as Proposition 24, significantly amends and expands the CCPA. Sometimes referred to as “CCPA 2.0,” CPRA is a ballot measure that was approved by California voters on November 3, 2020.
The California Privacy Rights Act established a new agency called the California Privacy Protection Agency to implement and enforce the law. The California Privacy Protection Agency is vested with “full administrative power, authority, and jurisdiction to implement and enforce” the CCPA.
While some of the Attorney General’s responsibilities under the California Privacy Rights Act will transition over to the California Privacy Protection Agency effective July 1, 2021, the Attorney General will retain the authority to go to court to enforce CPRA.
While the CPRA doesn't exactly replace the CCPA, it amends existing provisions of the CCPA and adds some new provisions as well:
In addition to the CCPA consumer rights, which give consumers more control over the personal information that businesses collect about them, the CPRA grants new and expanded rights to California consumers. These include:
Let’s take a look at the threshold requirements of the CCPA and the CPRA.
The CCPA and its regulations apply to entities that meet the following criteria:
With the CPRA, threshold requirements have changed. If any of the following criteria are satisfied, the company will be considered a “business” under the CPRA:
This means that most companies that met the CCPA’s annual revenue threshold will continue to fall under the CPRA. But many businesses that were subject to the CCPA because they collected the personal information of 50,000 or more Californians will now fall outside the scope of the CPRA’s increased 100,000 consumer or household threshold.
The CPRA introduces new requirements for businesses across a number of areas. Making sure you’re up to date on these additions will prevent fines down the road.
When it comes to enforcement, the California Privacy Rights Act means business.
Enforcement of the CPRA will begin July 1, 2023, after a six-month grace period. After that date, businesses that are alleged to have violated the CPRA will have a 30-day "cure" period. Uncured violations may result in civil penalties of up to $7,500 per violation.
The California Privacy Rights Act includes the following changes to enforcement:
With the California Privacy Rights Act’s January 1, 2023 implementation date already in the past, it’s essential that companies shift their compliance efforts into alignment with the CPRA as soon as possible to avoid significant penalties.
That said, the reality is that this shift from CCPA to CPRA isn’t a one-off compliance challenge. Privacy rights and regulations are constantly shifting. Companies need the flexibility to shift their security stances quickly when necessary to avoid revenue loss. That’s where Strike Graph comes in.
Our multi-framework platform gets you prepared to quickly implement CPRA and paves the way for other certifications your company may require as you grow. If you’re not already CCPA certified, that’s the first step — and we can help.