CCPA vs. CPRA: New rules for data subject access requests

by Osano Staff · posted on April 15, 2022 · 4 min read

In 2018, Californians voted for the California Consumer Privacy Act (CCPA), the USA's first broad data privacy law. The CCPA came into effect in January 2020, enhancing California residents' privacy rights and consumer protections. Eleven months later, residents of The Golden State voted for the California Privacy Rights Act (CPRA) to add even more privacy protections for consumers. 

What is a DSAR?

Your role in protecting a consumer's privacy doesn't end once you obtain consent. After you collect a user's data, they can submit a data subject access request (DSAR) to discover what personal information your organization has collected about them and for what purpose.

When a data subject submits a DSAR, you must respond promptly with the requested information. As governments worldwide pass privacy laws, consumer data privacy regulations are making it easier than ever for individuals to request access to their data.

The CPRA goes into effect on January 1, 2023, and most businesses will need to make adjustments to avoid penalties. We'll look at the CCPA and CPRA regulations and requirements to help you appropriately handle DSARs and build consumer trust through transparency. 

DSARs in the CCPA

When America's first broad data privacy law went into effect in 2020, consumers acquired more rights over their data. More specifically, they received the right to:

  • Know about the personal information collected and used by a business.
  • Delete personal data.
  • Opt-out from the sale of their personal information.
  • Provide opt-in consent for selling the personal data of a child under 16.
  • Avoid discrimination upon exercising the rights granted by the CCPA.

Here's what you need to know about the current rules under the CCPA: 

Who?

The CCPA applies to for-profit entities that do business in California and meet one or more of the following requirements:

  • Have a gross annual revenue of over $25 million;
  • Buy, sell, receive, or share the personal information of 50,000 or more California residents;
  • Earn more than half of their annual revenue by selling the personal information of California residents.

Nonprofits and government entities are not subject to the CCPA. 

What?

Eligible individuals may submit a DSAR under the CCPA. Californians can ask businesses to:

  • Disclose the personal information they have collected.
  • Share how the data is used.
  • Delete their personal information.
  • Refrain from selling their personal information.

Personal information refers to the defining characteristics of an individual. This data, which companies use to build a consumer profile, includes, but is not limited to: a person's name, birth date, social security number, email address, records of products purchased, internet browsing history, phone number, and geolocation data.

When?

Once a DSAR is received, the CCPA requires organizations to provide the requested information within 45 days. A business can extend this deadline to a total of up to 90 days. Data mapping can help speed up this process.

Where?

California residents are covered by the CCPA, even those temporarily outside the state. The CCPA does not protect residents of any other US state, but some companies choose to extend those rights to all Americans.

How can you stay compliant with the CCPA?

When a business receives a DSAR, it must verify the user's identity and complete the request within the allotted 45-day period. 

DSARs under the CPRA: changes you need to know

Less than one year after CCPA took effect, Californians voted for CPRA. The new initiative augments the initial legislation to expand individual rights. 

Some have given the CPRA a nickname: CCPA 2.0. The new legislation maintains the original intent of the CCPA while expanding, modifying, and updating the rules to protect consumer privacy. Despite the expanded rules, businesses must still comply within a 45-day window, with the option of a 45-day extension.

The new legislation revises the scope of qualifying businesses:

  • Clarifying that the gross annual revenue of $25 million or more refers to the previous year's activities;
  • Raising the processing threshold to the personal information of 100,000 or more consumers; and
  • Including those that earn more than half of their annual revenue by sharing personal information of California residents.

The new legislation identifies sensitive personal information as a new category of highly protected data. The CPRA places limitations on how businesses use such data and how long they can keep it. These restrictions kick in when companies use sensitive personal information to infer characteristics about a consumer (rather than to provide necessary services). At that point, the business must inform the consumer of their right to limit the business's use of the data.

CPRA expands on the five rights afforded by the CCPA and adds the rights to:

  • Correct inaccurate information.
  • Limit use and disclosure of sensitive personal data.
  • Share personal information.
  • Gain expanded access.

The CPRA introduces an enforcement element with the creation of the California Privacy Protection Agency. Civil and administrative enforcement will begin on July 1, 2023.

How can your business prepare for CPRA?

July 2023 will be here before we know it. To prepare your business for DSARs under new CPRA regulations, you should:

  • Understand what kind of information your organization collects.
  • Know where the data is stored.
  • Adequately disclose all data collection in a privacy policy.
  • Have a plan to respond to DSARs under CPRA rules within the allotted 45-day period.

Trust Osano to protect consumers and stay compliant

Manually digging through user data is time-consuming and leaves room for human error. Sending too little information or accidentally sharing another user's information opens your business to penalties. 

Osano's Data Discovery uses AI to map the data you need to comply with CCPA and CPRA DSARs. Once you receive a DSAR, Osano's Subject Rights Management software verifies a data subject's identity, assigns inbound requests to the correct person, and delivers results to the data subject within the required timeframe. Schedule a demo or sign up for a free trial today to see how easy it is to manage DSAR privacy requirements with Osano.

About The Author · Osano Staff

The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”