In 2018, the European Union passed the General Data Protection Regulation (GDPR), proving to businesses around the world that consumers are not going to stop demanding increased privacy rights.
California quickly followed suit with the California Consumer Privacy Act (CCPA). Soon after, California proposed a significant update to CCPA, the California Privacy Rights Act, or CPRA.
And while the CCPA set the standard for modern US privacy law, the CPRA raised the bar even higher. GDPR, CCPA, CPRA, CPPA… if you’re feeling swamped by acronyms, keep reading.
Here’s what’s new
First and foremost, the CPRA is an amendment to the CCPA, not a replacement. In other words, California’s privacy law is (still) the CCPA, but now it has been amended by the CPRA.
Here are the key changes to the CCPA due to the CPRA:
- CPRA changed the threshold for businesses. (Small business owners, rejoice!) A business is covered if it meets either of these:
  - $25M in global revenue (this stayed the same from CCPA 1.0)
  - OR 100,000 consumer/household/device records (this is an increase from 50,000)
- Fines are automatically $7,500 for violations involving minors.
- Businesses are now restricted from selling and sharing data with third parties instead of just from selling data, closing a loophole that had been used to circumvent notification requirements.
- Businesses are responsible for how the third parties they share with use, share, or sell the personal information collected.
- Businesses are required to display a clearly visible “Do Not Sell or Share My Personal Information” button on their website.
- CPRA eliminated the 30-day cure period before businesses can be fined.
- Enforcement shifted from the California Attorney General (AG) to the newly created California Privacy Protection Agency (CPPA).
Differences for consumers
The whole point of CPRA was to clarify vague sections of the CCPA and expand the protections available to consumers, including:
- Expanding the categories of information eligible for private right of action after data breaches.
- Adding the right to correct inaccurate information companies have on them, and the right to limit the use and disclosure of sensitive information to CCPA’s list of rights.
- Adding protections for sensitive personal information like Social Security Numbers (SSNs), driver’s license numbers, biometric information, precise geolocation, and racial/ethnic information.
- Granting consumers the right to deny both the sale and the sharing of their information.
- Prohibiting businesses from profiling consumers in automated decision-making processes if they choose to opt-out of data collection/sharing.
What it all means
Some of these changes are a bigger deal than others.
Whether or not you collect 100,000 records a year is pretty black-and-white. So is adding specific types of personally identifying information (SSNs, driver’s licenses, precise geolocation, etc.) to the categories the CCPA already protected (cookie numbers, browser history, employment-related information, psychometric data, IP addresses, etc.).
More complicated is that you’re now responsible for how your third-party vendors use the information you’ve collected. This means you need to go back and not only review how you handle data, but how your vendors handle it as well.
Another major change that CPRA introduced was the creation of the California Privacy Protection Agency (CPPA). Instead of relying on the already unwieldy, overburdened Attorney General’s office for enforcement, the CPPA dedicates significant resources, both financial and staffing, to handling civil actions and enforcement.
This increased oversight is a double-edged sword. On the one hand, businesses are likely to be given very clear guidance to help them understand regulatory requirements. On the other, companies can also expect robust auditing and enforcement, especially since CPRA adds liability if a data breach occurs in which a consumer’s email address is compromised together with either a password or a security question and answer.
Keep reading to learn how you can manage everything that is heading your way.
Regardless of the acronym, Red Clover Advisors is here to keep you moving towards compliance. We can help you with whatever part of the process feels like too much.
Drop us a line today and let’s get started.