While Californian businesses are still coping with becoming compliant with the California Consumer Privacy Act (CCPA), the government has implemented another privacy law – the California Privacy Rights Act (CPRA). This new law is said to be the strictest privacy law the state has seen to date. Does this mean more work and stricter compliance obligations for organisations dealing with the personal data of California residents? What happens to the CCPA? How do the two laws compare? Let’s find out.

Decoding the CPRA – What Makes it the Ultimate Privacy Law?

To begin with, we need to understand that CPRA is not a different law; it is an extension of the CCPA, which aims to introduce stronger consumer protection practices and clarify some of the unclear aspects of the law for organisations. The CCPA was designed with a less restrictive approach. The absence of certain consumer rights in the law bothered some privacy advocates, which led to the introduction of CPRA. The idea was to supplement the privacy protections found in the CCPA and address issues within the existing law.

The CPRA favors the creation of a new government agency to handle the compliance and enforcement of new privacy regulations. It also means companies will now be responsible for any action other companies take using the personal data of California residents that the former collected and shared with the latter. It would not be wrong to say that California will see more compliant businesses in the near future, and stricter enforcement penalties.

CCPA Vs CPRA – How Do the Two Compare?

Even though CPRA is just an expansion of CCPA, the two do have some definitive distinctions. Let’s understand those in detail.

Scope

Under CCPA, the following three thresholds determine if a for-profit entity is a business –

  • Has $25M+ revenue.
  • Collects personal information from more than 50,000 consumers, households, or devices.
  • More than half of revenue is from third-party disclosure of personal information.

As part of the CPRA, the revised threshold for collection of personal data will be 100,000 consumers. The idea is to target the large corporations and take the burden off smaller organisations. The CPRA also provides for a new ‘business’ category, which includes entities that voluntarily certify to the California Privacy Protection Agency, the CPRA’s enforcement agency. Thanks to this provision, small businesses which otherwise don’t fall under the scope of CPRA can now self-certify to align with the law and use it as a business differentiator.

Sensitive Personal Information

The classification of personal information differs between CCPA and CPRA. While under CCPA indirect and direct identifiers, geolocation data, biometric data, sensitive information, and internet activity are classified as personal information, CPRA categorizes all of these as ‘sensitive personal information’. This sensitive information is subject to stricter privacy requirements under CPRA. For instance, consumers have the right to limit the processing of sensitive personal information, and organisations must provide consumers with the opt-in link ‘Limit the Use of My Sensitive Personal Information’. In addition, organisations cannot use sensitive personal information for any purpose other than providing the requested good or service, unless the consumer consents.

Enforcement Agency

Under the CPRA, there is a provision for a new enforcement agency – the California Privacy Protection Agency (CPPA) – that will have the power to audit privacy practices of covered entities and issue new regulations. Currently, the California Attorney General regulates the CCPA.

Penalties for the Violation of Minors’ Personal Information

The CCPA provides for a fine of $2500 per violation for violations involving the personal information of minors – the same as the penalty charged for violations involving adult personal information. Under CPRA, this fine is set at $7500 per violation.

Private Right of Action

CCPA allows consumers to take civil action in case their personal information is subject to unauthorized access, theft, or disclosure. Under CPRA, this private right of action is strengthened with a provision of statutory damages for any breach that falls within the confines of California law. There is no change in the proposed fine of $750 per consumer for damages.

Cure Period

The CPRA eliminates the 30-day ‘cure’ period that the CCPA provided before any action could be pursued on an alleged non-compliance violation. This is because, according to CPRA, the implementation and maintenance of reasonable security procedures and practices after a breach is not a sufficient remedy.

Definition of Sale

CCPA mandates that organisations which ‘sell’ consumers’ personal data provide consumers with certain disclosures and the right to opt out of that ‘sale’. CPRA provides more clarity on these lines. It empowers consumers by also giving them the ability to opt out of the “sharing” of personal information with third parties. In addition, as a provision in the CPRA, companies running targeted advertising campaigns will now need to place a link titled “Do Not Sell or Share My Personal Information” on their website.

Consumer Privacy Rights

Right to Access Personal Information: While under CCPA organisations were required to share with consumers their information from the preceding 12 months, under CPRA they are required to provide consumers access to their information from beyond 12 months, unless doing so is impossible or would require strenuous effort on the part of the organisation.

Right to Delete Personal Information: This right remains the same under CPRA – businesses must delete the personal information of consumers on request, and direct their service providers to do the same.

In addition to the above, CPRA enlists a few more new consumer rights. These are as follows – 

Right to Information about Automated Decision-Making: Consumers have the right to opt out of the use of automated decision-making technology and profiling by a business.

Right to Correct: Under CPRA consumers have the right to correct inaccurate personal information stored by a business. Upon receiving a correction request, businesses must use “commercially reasonable efforts” to correct the inaccurate personal information.

Right to Limit Use and Disclosure of Sensitive Personal Information: Consumers can ask businesses to use and/or disclose their sensitive personal information only in a limited way. This means businesses can only use consumers’ sensitive personal information in the way the consumer has consented to.

How Can You Prepare for the CPRA?

The CPRA gives consumers greater rights over their personal data and its use, while modifying enforcement provisions and introducing many more requirements, obligations, and uncertainties for organisations. Achieving compliance might be a completely different feat now. However, the good news is that CPRA will officially take effect only two years from now. This gives organisations time to prepare for compliance. Here are a few things you can consider doing to become compliant in the future –

  1. Take stock of your current privacy program and identify any gaps. CPRA being one of the strictest privacy laws out there, performing a privacy assessment and understanding the maturity of your current program is a good first step towards compliance.
  2. Determine whether you fall within the scope of CPRA by reassessing the applicability of the CCPA. While CCPA covers organisations that collect the personal data of more than 50,000 consumers, households, or devices, the CPRA raises that threshold to 100,000.
  3. Rethink your data mappings and data inventories. Identify how your organisation collects, uses, stores, and transfers consumer data. While performing this analysis, keep your focus on sensitive information (as defined by the CPRA), business-to-business data, employee data, and data flows between third-party vendors. 
  4. Stay up-to-date with the developments around CPRA. Staying on top of the developments will help you prepare better. 

Further, keep building on your compliance program to ensure that you have proper procedures and policies in place to comply with CPRA. These practices will help strengthen your existing privacy program and streamline compliance with the CPRA.

November 7, 2020

| Regulation | GDPR | CCPA |
| --- | --- | --- |
| Enforcement Date | May 25th, 2018 | Jan 1st, 2020 |
| Who needs to comply | Any business that collects or processes the data of EU citizens and residents | Any business storing or processing California residents’ information |
| Penalties | Up to 4% of the company’s annual gross revenue or 20M euros | $7500 per incident, per person |
| Opt-out Right for Personal Information Sale | GDPR does not include a specific right to opt out of personal data sales | Must include a “Do not sell my personal information” link in a clear and conspicuous location on the website homepage. Must not request reauthorization to sell a consumer’s personal information for at least 12 months after the person opts out |
| Children | GDPR default age for consent is 16, although individual member state law may lower the age to no lower than 13 | Children aged 13-16 can directly provide consent. Children under 13 require parental consent. The Children’s Online Privacy Protection Act (COPPA) still applies on top of the CCPA’s requirement |
| Right to Disclosure | Data subjects have a right to access their personal data, including receiving a copy and obtaining certain information about the data controller’s processing | Consumers have a right to request disclosure of their personal information, and to receive additional details regarding the personal information a business collects and its use purposes, including any third parties with which it shares information |
| Right to Deletion/Erasure | Data subjects have the right to request erasure of personal data | A consumer has the right to deletion of personal information a business has collected, subject to certain exceptions |
| Right to Restrict Processing | Right to restrict processing of personal data, under certain circumstances | None, other than the right to opt out of personal information sales |

August 2, 2020

The California Consumer Privacy Act (CCPA) came into effect on Jan 1st, 2020. In this blog post, we will talk about the history of CCPA and how CCPA applies to your business.

What is CCPA?

CCPA applies to any for-profit entity, wherever in the world it is based, that collects consumers’ personal data, does business in California, and satisfies at least one of the following thresholds:

  1. Has $25 million or more in annual revenue; or
  2. Possesses the personal data of more than 50,000 “consumers, households, or devices”; or
  3. Earns more than half of its annual revenue from selling consumers’ personal data.

CCPA History

For two years (2016-2018), Alastair Mactaggart, a real estate developer, created and led a ballot initiative for a privacy law that led to the CCPA (Assembly Bill (AB) 375). On June 28th, 2018, the governor of California signed AB 375 into law, establishing the most extensive consumer privacy legislation ever passed in the United States.

Timeline:

  • June 28th, 2018 – AB 375 signed into law
  • September 23rd, 2018 – Senate Bill No. 1121 signed into law, modifying CCPA
  • October 10th, 2019 – California Attorney General released the proposed text for CCPA regulations
  • October 11th, 2019 – California Governor signs CCPA amendments into law
  • January 1st, 2020 – CCPA goes into effect
  • July 1st, 2020 – Enforcement begins

California Residents Rights under CCPA

CCPA grants California residents, as consumers, specific rights regarding the personal information that businesses maintain about them. If you are a California resident, you have the right to request that a business inform you about its processing activities with respect to your personal information, to have your personal information deleted, and to opt out of the sale of your personal information.

Summary

Companies preparing for CCPA, or planning to implement it, must remember that a privacy program needs to adapt and change in line with the applicable privacy law. If you are looking to build a privacy program, it’s not too late to start preparing for CCPA compliance. To request a CCPA privacy software demo, email us at info@secuvy.com or visit Secuvy.ai.

April 2, 2020