CCPA, CPRA – there sure are a lot of acronyms in the world of data privacy nowadays. This article will explore one of the biggest topics of confusion – California’s laws – and explain what you need to know about them going into 2023.
What you need to know about the CCPA / CPRA in 2023
What Is the CCPA?
The California Consumer Protection Act – or CCPA for short – was a law designed to regulate how California residents’ personal information is used online. Despite only protecting those living in the state, it applied to businesses around the world. Per the CCPA’s specifications, anyone doing business in California, or with those living in the state, was required to comply with its regulations.
The CCPA provided California residents with the right to know what information was collected about them, the purpose of the collection and who it was shared with. It also gave them the right to delete their data and opt out of the sale of said data. Businesses were required to maintain a policy regarding data practices, as well as provide consumers with two-way opt-out mechanisms and disclosure about the types of data they collected and shared. Failing to do so, as some learned the hard way, could result in hefty fines.
Formally known as Assembly Bill No. 375, the CCPA was introduced in January of 2018 and signed into law by Governor Jerry Brown on June 28th, 2018. It was in effect between January 1st, 2020 and December 31st, 2022, then replaced by the CPRA, which we’ll get to next.
What Is the CPRA?
The CPRA, short for California Privacy Rights Act, is a state-level law that gives people living in California entitlements over the way their data is collected, stored and used by businesses online. It was initially known under the name Proposition 24 and tabled as an amendment to its predecessor, the CCPA, in 2020. A November vote that same year saw this new version approved by residents, after which it was fully fleshed out and officially dated for implementation on January 1st, 2023.
California lawmakers introduced the CPRA with the hope of bolstering the state’s laws on data protection. While the CCPA was already world-renowned for its stringent requirements and far-reaching implications, it was felt that some changes needed to be made in order to keep them relevant in the quickly-evolving digital landscape.
While the law itself has been in effect since the beginning of 2023, it won’t be fully enforced until July 1st, 2023. This period was allotted to give businesses time to make necessary adjustments for compliance with the CPRA’s added requirements.
In addition to the grace period, the government also included a look-back period of twelve months from the date of the law’s implementation. It subjects any qualifying information collected online to the information request rights provided to consumers under the CPRA.
California’s Data Privacy Laws: A Timeline of Events
Let’s make things a bit more straightforward by condensing the timeline of how California’s data privacy laws got to where they stand today.
- January 3rd, 2018: The California Consumer Protection Act (or Assembly Bill No. 375) is introduced.
- June 28th, 2018: Governor Jerry Brown signs the CCPA into law.
- January 1st, 2020: The CCPA takes full effect and begins to regulate how businesses collect and use data in California.
- November 3rd, 2020: California residents vote in favor of Proposition 24, a ballot initiative that coincided with the 2020 United States presidential election.
- January 1st, 2023: The California Privacy Rights Act officially comes into effect and replaces the CCPA.
- July 1st, 2023: The CPRA becomes fully enforceable in the State of California, subjecting all businesses that meet its eligibility thresholds to fines for non-compliance.
Comparing the CPRA and CCPA
In passing the CPRA, the California government introduced a new era of data privacy law. Its first version in 2018 was strong, but the updated regulations stand to set even higher standards for how consumers’ rights are protected online – both in the state and around the world. This section will take a look at a few of the key changes implemented as of January 1st, 2023.
The biggest update of the CPRA was the addition of two new entitlements for California consumers: the right to correct inaccurate personal information and the right to limit the use and disclosure of sensitive personal information.
Elimination of Notice Period
The 2018 CCPA afforded businesses a 30-day notice period in the event of a violation. This was intended to give organizations a chance to rectify their breaches and avoid incurring a full penalty. However, with the CPRA, that 30-day notice period is no more. Companies are now subject to the punishments of non-compliance in every case, regardless of whether it’s remediated or not.
Higher Qualifying Threshold
The CPRA did make things a little bit easier for some businesses by increasing one of its qualifying thresholds. As opposed to the older law’s 50,000, an organization must now do business with at least 100,000 California residents to be subject to its rules and fines.
Establishment of the California Privacy Protection Agency
This independent regulatory body will have the responsibility of enforcing the state’s privacy laws, including providing guidance to businesses and responding to consumer complaints. The CPPA is also authorized to bring enforcement actions against non-compliant organizations and impose fines for violations.
What You Need to Know In 2023 and the Future
As the effective date of the California Privacy Rights Act draws nearer, businesses and website operators should be prepared for stricter privacy laws and regulations. The CPRA will give Californians more control over their personal information and require businesses to be more transparent about how they collect, use, and share that information.
Who the CPRA Applies To
A business or website operator is expected to follow the requirements of the California Privacy Rights Act if it meets one or more of the following conditions.
- Collecting the private information of at least 100,000 California residents. This updated requirement increases the minimum from 50,000 and ensures that many small businesses aren’t required to follow the CPRA.
- Bringing in an annual global revenue of $25 million US dollars or more. It’s important to note that this revenue does not have to come exclusively from residents of California.
- Earning more than half of global annual gross revenue from the collection or sale of personal data. Again, businesses do not need to have generated half of this revenue in the State of California, but rather on a broader scale.
As of July 1st, any and all websites that qualify under the CPRA will be subject to its fines for non-compliance. These are as follows:
- Up to $2,500 per violation
- $7,500 for violations that are intentional or involve children
Being aware of the new rules and implications of the CPRA is an important first step in achieving compliance. But it doesn’t promise a free ride. In order to fully protect your business from potential legal and financial consequences, there are a few next steps you should take:
- Conduct a comprehensive privacy audit: Evaluate your data collection, storage, and processing practices to ensure they align with the CPRA requirements. Identify areas of improvement and take necessary actions to implement changes.
- Train your employees: Educate your employees on the new rules and regulations. They should understand the importance of safeguarding data and be aware of the steps they need to take to comply with the CPRA.
- Work with third-party service providers: If you are using third-party service providers to process personal information, ensure they are also complying with the CPRA. Update your contracts with them to include specific provisions related to the new rules.
By implementing these next steps, you will not only protect your business from potential legal and financial consequences but also demonstrate to your customers that you respect their privacy and are committed to protecting their personal information.
FAQ – Frequently Asked Questions
The CPRA is enforced by the California Attorney General’s office, although it allows for private individuals to bring lawsuits in some circumstances. The California Privacy Protection Agency, once established, may also have some enforcement authority.
Yes, any website operator that does business with at least 100,000 California residents and meets relevant income thresholds is subject to the CPRA.
The biggest difference between the CPRA and GDPR is the type of consent they enforce. California’s law gives consumers the right to opt out, while the European Union’s requires businesses to receive clear consent.
The CPRA has been in effect since January 1st, 2023 but will become fully enforceable as of July 1st, 2023.
The CPRA is meant to protect the personal information of California residents. This includes individuals who are employees, customers, clients, patients, or any other individuals who entrust their personal data to businesses operating in California.