Review of California Consumer Privacy Act (CCPA) and the amendment of California Privacy Rights Act (CPRA)

California Consumer Privacy Act (CCPA) became effective on 1st of January 2020 enhancing the privacy rights and consumer protection for the Californian residence of the United States. This was a significant advantage for consumers worldwide as well. Tech giants such as Google and Facebook are established in the state of California and are entitled to adhere to the new consumer protection laws. This is believed to have similar effects as GDPR, giving more power to the consumer. In addition on November 3, 2020, the California Privacy Rights Act (CPRA) was passed by Californian voters. This would amend CCPA by establishing a new privacy enforcement agency that posses the jurisdiction to implement and enforce the CCPA.

First, we will take a look at CCPA and then explore the new add on through CPRA. I will do a comparison of GDPR as we discuss the topic.

Personal Data in CCPA defines,

Information that identifies, relates, describes, or characteristics and behavior as well as personal, commercial, and instances are drawn from this information.

The broad scope covers,

• Government identifies 

• Family information

• Financial Information

• Sleeping Hobbits

• Sexual Orientation

• Emails and messages

• Genetic data

• Religious beliefs

• Philosophical beliefs

• Racial and ethical origins

And much more 

Even though CCPA covers a broad scope in defining personal data, Unlike GDPR it does not protect data that was gathered or purchased through a third party. On the other hand, GDPR does not consider the source but provides protection to all personal data.

CCPA exempts

• Financial Data

Financial institutes follow the California Financial Information Privacy Act or the Gramm-Leach-Bliley Act.

• Personal Health Information

Personal Health information is treated with HIPAA guidelines.

How CCPA Serves Consumers

• Businesses are entitled to disclose a clear privacy policy on their websites in case of the collection of personal information.

• By enforcing this law consumers are now able to demand to see their information that was collected by the companies. In addition, the companies should provide a list of all the third parties that the data was disclosed. Consumers have the right to request the deletion of their data as well. 

In GDPR processing of data should be done on 6 lawful bases. However, CCPA does not cover the data processing area. Instead, it provides an opportunity for consumers to opt-out of selling their personal data.

• Regardless of consumers' preferences on the way their personal data should be handles, businesses cannot discriminate against consumers. Equal services and prices should be provided to every consumer. However, businesses that are allowed to present discounts to the customers should comply with their data collection policies. 

• Consumers are allowed or sue companies that have violated privacy guidelines, even without a presence of a data breach. 

Who has to comply with CCPA

Businesses do not require to have a physical establishment in the state of California or the even United States. Any company that serves Californian residence

 and collects consumers personal data,

• That exceeds $25 million in annual gross revenue
• That buys, sells, or receive 50 000 or more consumer/household personal information
• That gain more than half of their annual revenue through selling the personal information of consumers.

Should comply with CCPA.

Fines in case of a CCPA in compliance

If regulators notify a company of CCPA violation,

• A 30 days window will be given to comply with the law
• If the issues are still not solved within this period, companies will be fined up to $7500 per record for intentional violation and up to $2500 per nonintentional violation.

If a company was a victim of data theft or a security breach,

• A civil class action lawsuit can be brought up to pay statutory damages of $100 to $750 per Californian resident or an incident or actual damage (Whichever is the higher)

California Privacy Rights Act (CPRA), An amendment to CCPA

With the enforcement of CPRA in January 2023,

• A new privacy enforcement agency will be established.
• The definition of personal information (sensitive data) will be broadened.
• Expansion of breach liability

Businesses that gain profit through collection and usage of the Californian residence personal information and either,

• Annual gross revenue surpasses 25 million 
• Buying, Selling or Sharing personal information of 100 000 Californians or households
• Gathering at least 50% of revenue from selling or sharing personal information 

Should comply with CPRA.

Key points

• The CPRA specifies the details of the notice that should be shared with Californian residence at or before collection of their personal information, according to CCPA.
• Limitations on personal information processing “reasonably necessary and proportionate” when collection, usage, retention, or sharing personal information to a specific purpose.
• When a company discloses personal information to a third party it is mandatory to execute an agreement for the counterparty to comply with CPRA.
• The privacy policies should disclose a list of categories of; personal information collected, sources, businesses that the information will be shared with
• CPRA provides an opportunity to request correction of inaccurate personal information
• CPRA allows owners to opt-out of the sale or sharing of personal data.

References

1. https://www.csoonline.com/article/3292578/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html
2. https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act
3. https://www.varonis.com/blog/ccpa-vs-gdpr/
4. https://www.jdsupra.com/legalnews/the-california-privacy-rights-act-of-57046/
5. https://www.jdsupra.com/legalnews/the-california-privacy-rights-act-of-24679/

Authors note

I am new to CCPA and CPRA and went through research before writing this article. It took some time to write up. Please let me know of any corrections or additions. Hope this will help you to gain some idea about privacy laws.