California Privacy Law: CCPA, CPRA, and Beyond

by Sam Pfeifle · posted on August 24, 2022 · 12 min read

For a long time, California has been a leader in making sure its citizens’ privacy is protected. In the early days of the modern Internet, it was California that led the charge in making sure websites didn’t deceive visitors or otherwise use deceptive practices by collecting data without a privacy notice. Today, it is California, too — with the California Privacy Rights Act (CPRA) building on the California Consumer Privacy Act (CCPA) — that is leading the way in making sure consumers have control over how businesses collect and share their personal data. 

As more states — like Virginia, Connecticut, Colorado, and Nevada — join California in implementing comprehensive privacy legislation, it is vital to understand the requirements of California’s privacy regime. Not only will it allow you to continue to access what amounts to the world’s 5th largest economy, but it will also put you in good standing with the rest of the U.S. states and get you in good shape for complying with stricter global privacy laws, like the EU’s GDPR or China’s PIPL.

In this blog, we’ll take a look at:

  • Where the law stands in California right now.
  • How CPRA builds on CCPA.
  • What steps to take to comply and avoid penalties and reputational harm.
  • What to look for in the future to remain in compliance.
Let’s get started.

Table of Contents

What are the CCPA and CPRA?

Who has to comply with the CCPA and CPRA?

What are the consequences of non-compliance?

What's changed between the CCPA and CPRA?

How do you ensure your organization is compliant?

Protecting California's consumers' privacy

What are the CCPA and CPRA, how are they different, and why do you need to know about them?

It’s best to think of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) as essentially the same thing. 

The CCPA passed through the California legislature and was signed by the governor in 2018, with an effective date of Jan. 1, 2020. However, the Californians for Consumer Privacy (the group that pushed hardest for the CCPA) almost immediately felt it wasn’t strong enough. They started a campaign to make it stronger and more protective of consumer rights to control the collection and use of personal information. 

This led to a citizen’s initiative ballot question in 2020, called the CPRA, which built upon the CCPA, changing some of the text, adding other text, and clarifying some questions around enforcement and who’s actually covered by the law. 

At this point, for all intents and purposes, the CPRA is the only law you need to worry about, as it’s like the CCPA+, or CCPA 2.0, and it covers the entirety of the text you need for understanding the California privacy law. 

Further, the vast majority of it comes into force on Jan. 1, 2023, so it’s barreling toward you, whether you’re ready for it or not, and the CPRA covers data collected starting Jan. 1, 2022, so in many ways, we’re already in the CPRA era. 

If you want the TLDR version, it’s this:

The California Consumer Privacy Act of 2018 is already in force, and now it is being updated by the California Privacy Rights Act, which will come into force on January 1 of 2023, with enforcement beginning on July 1, 2023. This home page created by the drafters of the CPRA is an excellent resource if you’d like to really dive into the text changes and law updates.

How do you know if you have to comply with the CCPA and CPRA? Do the CCPA and CPRA only apply to California residents?

The CPRA changed the rules for who has to comply only slightly. As of Jan. 1, 2023, the CPRA applies if you are a for-profit organization that “does business” in the state of California, collects the personal data of Californians or has it collected for you, and fits one or more of these criteria:

  • Buys, sells, or shares the personal information of 100,000 people or households. The “shares” part was added with the CPRA, and the number of people was doubled.
  • Creates 50% or more of your revenue through the sale or sharing of personal information.
  • Had $25 million in gross revenue in the preceding calendar year (so January 1, 2022, to December 31, 2023, to start, and then from Jan. 1 to Jan. 1 after that). The “preceding calendar year” part was added with the CPRA to make it clear what they meant by $25 million in annual gross revenues. 
In theory, you could have to comply with the CPRA one year and not the next, depending on your revenue mix and business initiatives. But the CPRA is in line with many laws around the country and the world, and most of what it requires will likely soon be considered general best practice, so it doesn’t make a lot of sense to try to figure out each year whether you can get out of it.

What happens if you don’t comply with the CCPA and CPRA?

The penalties for not complying with the law haven’t changed much from CCPA to CPRA. However, the new CPRA empowers the Attorney General, California’s 62 different district attorneys, and a brand-new California Privacy Protection Agency to enforce it, with those powers coming into force on July 1, 2023. 

That means there are a lot more “cops on the beat,” so to speak, with the ability to investigate business practices and bring actions to penalize those organizations that are not in compliance.

CPRA Penalties include:

  • $2000 per offense for mistakes. 
  • $2500 per offense for negligent mistakes. 
  • $7500 per offense for willful offenses. 
Each person affected in a violation constitutes an “offense,” so the fines can add up quickly, especially if you are willfully negligent. And, the bad news: If you’re reading this, and then decide not to bother with compliance, you’re being willfully negligent. Oops.

Is it likely that California enforcers will look kindly on businesses that make small mistakes or have small oversights in their compliance plans, especially in the first few years? Absolutely. 

Is it likely that “I had no idea I had to comply with this law,” will work as an excuse when a regulator comes calling? Absolutely not. 

How serious is California? In the CCPA, there was a 30-day grace period where you were offered a chance to fix your violations. In the CPRA, there is no such grace period.

What’s really changed between the CCPA and the CPRA? How do I comply with the CPRA?

First, and most importantly, you need to make sure “consumers” (which with the CPRA now includes your employees if they are California residents) can exercise their new rights to control the collection and use of their personal data, many of which have been augmented in some way. 

Remember: “Personal data” or “personal information” is defined broadly in both the CCPA and the CPRA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Unless you take steps to de-identify data after you collect it, much of the data you collect from customers and employees is personal data by law in California.

The CPRA also now puts the onus on you to make sure consumers (and employees) know their privacy rights, which means explaining their rights at the point of collection as part of the notice provided to people right when they’re giving you their data. 

Here’s a rundown of those rights and how they’ve changed with the CPRA:

  • Right to Access, Deletion, and Correction: Consumers must be able to obtain and delete their own personal information at any time and have it corrected if it is incorrect. If they ask you to delete it, you have to make anyone you’ve shared it with or sold it to delete it as well. The right to correction is new, as is the requirement to pass along deletion requests to third parties.

    As part of sharing their personal data with them, and in addition to the actual data you possess, you must provide consumers with a list of: 
    • Categories of personal information you have collected.
    • Categories of sources from which you collected their personal information.
    • The business purpose for which you collected their data. 
    • Categories of third parties to which you sell or share their data. The “share” portion of this is new.
  • Right To Object to Sale or Share: Consumers can prevent the sale or sharing of their information (and you need a “do not share” button on your website to make this easy). The right to object to simple sharing is new.
  • Right To Opt-Out of Behavioral Profiling and Automated Decision-Making: Consumers can ask you to stop profiling and serving ads based on behavior and they can ask you not to use automated decision-making to provide them with offers, products, services, etc. This entire right is new with the CPRA.
  • Right To Object to the Use of Sensitive Personal Information: For certain data, including data surrounding race, precise geolocation, religion, union membership, genetics, biometrics, sexual orientation, and the contents of communications, consumers can stop you from using that data at all. This new piece in the CPRA also requires you to have a prominent button or link people can use to “limit the use of my sensitive personal information.”
  • Right to Data Portability: If asked, you must transfer any personal data you hold about a person to another organization, “to the extent technically feasible, in a structured, commonly used, machine-readable format.” This is new with the CPRA.


Introduction of new privacy principles:

You also need to abide by a new set of “privacy principles” in all of your data-handling practices, many of which are new with the CPRA:

  • Purpose Limitation: You can only use personal data for the purpose for which it was originally collected. This is new with the CPRA.
  • Protection of Children’s Data: Fines are tripled, thanks to the CPRA, when violating the privacy of children under 16 and permission from a guardian is needed for the collection of that child’s data in the first place. Another new piece here is that if you don’t receive consent to collect a child’s data, you have to wait 12 months before asking again.
  • Storage Limitation: Data should be destroyed or deleted once the data has been used for its collected purpose.
  • Reasonable and Appropriate Security: Security for personal data must be appropriate for how sensitive it is and the harm that would result because of unauthorized access. 

And there are more changes to come with CPPA rule-making!

The brand-new California Privacy Protection Agency (known as the CPPA, which isn’t confusing at all, surely) is tasked by the CPRA with creating a number of “rules” after consultation with stakeholders. These rules were supposed to be issued by July of 2022, but the agency has still not issued final rules. 


As of late August 2022, these were the proposed regulations from the CPPA, which were not yet final. At 66 pages, this additional rulemaking adds considerable complexity, so make sure to keep tabs on it. Perhaps most helpfully, the CPPA’s draft regulations include a number of examples and scenarios that help you understand how to comply with some of the rules and consumer rights. 

One rule that you can certainly expect to come through, as the CPRA instructs the CPPA to create regulations, is that certain collections and uses of personal information will trigger mandatory “risk assessments,” which must be filed with the CPPA to prove you’ve considered the dangers surrounding the data collection and mitigated the risk of harm to the consumer. 

Be prepared to create a process in your organization for conducting these risk assessments. 

For a quick, at-a-glance look at other changes from CCPA to CPRA, here’s a handy chart:

What’s Changed Between CCPA and CPRA?

Enforcement
  • CCPA: California Attorney General’s Office.
  • CPRA: Newly created California Privacy Protection Agency, plus the AG and district attorneys.

Profiling
  • CCPA: N/A.
  • CPRA: Consumers can opt out of automated decision-making.

Sensitive data
  • CCPA: N/A.
  • CPRA: New definition of some data as “sensitive.” Businesses must disclose how they collect, use, sell, and share sensitive data. Consumers may opt out of the use, entirely, of their sensitive data.

Data minimization
  • CCPA: N/A.
  • CPRA: Businesses must only collect and retain what’s “reasonably necessary” and “proportionate” to the intended purpose.

Consumer remedies
  • CCPA: Consumers may file a private right of action when a lack of reasonable security leads to a breach.
  • CPRA: Expands the private right of action to include a remedy for breached data that includes consumers’ email address and password or security question.

Risk assessments
  • CCPA: N/A.
  • CPRA: For certain collection and use of personal information, organizations will have to conduct risk assessments before beginning the collection or use process.

Deletion
  • CCPA: Businesses must fulfill validated consumer requests to delete their data.
  • CPRA: Companies fulfilling legitimate deletion requests must also notify third parties to delete such information.

Third parties
  • CCPA: Not defined.
  • CPRA: Third parties are defined; the definition excludes service providers and contractors. Businesses must impose CPRA-level contractual obligations on third parties before sharing, selling, or disclosing personal data.

Opt-out links on websites
  • CCPA: Businesses must have a “Do not sell my personal information” link.
  • CPRA: Companies must have a “Do not share my personal information” link and a “Limit the use of my sensitive personal information” link.

Fines
  • CCPA: Up to $7,500 per violation or $2,500 per unintentional violation.
  • CPRA: Automatic $7,500 fine for violations of minors’ data (children under the age of 16).

How do you ensure your organization is compliant with the CCPA and CPRA? How should you organize compliance?

CCPA and CPRA compliance is an all-hands-on-deck sort of thing, but will look different at every organization, depending on the type of personal information you’re collecting and your business plan. CEOs and CIOs often lead the charge, but because so many departments collect and use consumer data, they all must understand the new data privacy law and take responsibility for what they do with personal information.

Often, organizations appoint a chief privacy officer (CPO) or a privacy director of some kind, often in the legal or compliance team, who is tasked with establishing and overseeing a privacy compliance program, which is ongoing and regularly audits how personal information is being collected and used. 

For example, marketers consistently rely on consumer data to influence their campaigns. Consumer data is precisely what makes companies able to effectively target their marketing efforts to the right people at the right time to increase sales. Every time a consumer is tracked with a website cookie, fills out a form, or makes a purchase online, they are giving the company their personal information, which is now protected by the CCPA and the CPRA.

These marketers need to be trained in how to comply with the law and systems need to be put into place to make sure they follow policy. 

The same goes for your sales department. All of that customer data that's stored in systems such as Salesforce must be protected and only used appropriately. If it's shared with other departments, those departments now have some ownership. You can see how quickly and easily consumer data spreads across the organization.

Of course, many large companies will be using third parties that do things like perform sophisticated data analytics, fill in profiles for people with only partial records, and more potentially privacy-invasive activities. These third-party relationships must be managed via contracts and audits, as you’ll be responsible for how they handle the data supplied to you by your customers and employees. 

For this reason, companies should establish a systematic way to adhere to CCPA and CPRA requirements. That means cleansing and reviewing all databases to ensure the organization can identify consent. It means putting consent pop-ups and policies front and center on your website. It means notifying consumers of how their personal data is collected, stored, used, and shared. Being proactive is the best way to minimize the risk of non-compliance.

Make sure you don’t try to do it alone

Does compliance sound difficult? It is. The CPRA, especially, represents a step-change in the responsibilities many American companies have in regard to handling personal data. 

Luckily, many companies, like Osano, have created software packages that allow you to:

  • Track and document consent.
  • Manage your contracts and third-party data sharing in a dashboard-like environment.
  • Manage and document consent for cookie placement.
  • Conduct and manage risk assessments.
  • Quickly respond to requests for access, deletion, and correction. 
  • Quickly produce privacy notices that are targeted toward the type of information you’re collecting.

Wait. Cookies?!? Does the CPRA change the rules around cookies?

Well, yes and no. The CCPA and CPRA don’t focus on the mechanisms involved with how personal data is collected and used, they just focus on the fact that personal data is actually being collected and used. 

Thus, if your cookies don’t collect personal information, California privacy law isn’t particularly worried about them. But, if your cookies do pass along personal information to your organization or others, then all of the CCPA and CPRA rules apply. 

Got it? Luckily, there are plenty of cookie consent managers out there to help make sure you know the difference between essential cookies and those that collect data (and those that do both). 

Protecting California's consumers' privacy

The people behind the CCPA and the CPRA, and now the staff of the newly created California Privacy Protection Agency are first and foremost concerned with protecting the privacy of California consumers. They are very likely to prioritize enforcement against the most egregious violators of the law. 

However, that does not mean they don’t care about the little guys. While how the CPPA will act is somewhat unpredictable, you should expect audits of classes of websites, round-ups of certain types of violations that include large groups of companies, and other enforcement action that seeks to prod large sections of the California marketplace into compliance.

Most especially, you don’t want to be caught looking like you don’t care. Good faith efforts will result in kind attention from the regulators; pleas of ignorance will result in much harsher treatment, indeed.

About The Author · Sam Pfeifle

Sam is a journalist and head of West Gray Creative, a content services firm based in Maine. In a former life, he was director of content at the IAPP and has run publications in the security, workboat, and 3D reality capture spaces. Currently, he serves as the chair of his local school board, fronts the World Famous Grassholes, and would like to be a professional baseball player when he grows up.