The California Consumer Privacy Act (CCPA) of 2018 granted consumers a series of rights regarding how businesses collect their personal information, and required businesses to inform consumers about the collection, use, and retention methods and terms of the information.
In 2020, California voters approved Proposition 24, known as the California Privacy Rights Act (CPRA). The CPRA adds additional consumer privacy rights and obligations for businesses to fill the jurisdictional gaps of the CCPA. The CPRA amends the CCPA rather than establishing an independent new law. Therefore, the law is usually referred to as 'CCPA 2.0' or 'Revised CCPA'. The amendments to the CCPA by the CPRA took effect on January 1, 2023.

Although the CPRA has modified the CCPA, it will not completely replace the CCPA. The CCPA still retains some provisions and requirements, while the CPRA adds new provisions. Therefore, there is a complementary relationship between the CPRA and the CCPA, which together constitute the privacy legal framework of the state of California.
The most obvious differences between the CPRA and CCPA are as follows:
Scope of Application: The CCPA applies to organizations that collect personal information of more than 50,000 consumers, while the CPRA applies to organizations that collect the data of more than 100,000 consumers. In addition, the CCPA applies to organizations with annual income reaching 50% or more, while the CPRA also includes the sharing of personal information, which refers to businesses disclosing personal information to third parties through oral, written, electronic, or other means for 'cross-contextual behavioral advertising'.
Sensitive Personal Information: The CPRA adds new sensitive personal information, similar to the 'processing of special categories of personal data' covered by the General Data Protection Regulation (GDPR). The special category data of the GDPR (according to Article 9 of the GDPR) include information revealing a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; or information about a person's health, sexual life, or sexual orientation, as well as genetic or biometric data processed for the purpose of identifying a person. The CPRA does not include trade union membership in its provisions on sensitive personal information, but it includes all other categories covered by the GDPR, as well as additional categories, such as identifiers issued by the government, financial account information, consumer communications, and precise geolocation information.
Sensitive personal information includes consumers' social security numbers, driver's license numbers, ID card numbers, passport numbers, login accounts, financial accounts and credentials, precise geolocation, and data related to origin and beliefs. In the CCPA, these data are categorized as personal information.
Penalties: The penalty standards for the CPRA and CCPA are the same: a business that deliberately violates the regulations is fined $7,500, while non-deliberate violations are penalized only $2,500. The difference is that the CPRA has increased penalties for violations involving the personal information of minors (under the age of 16), with penalties tripled.
Consumer Requests: The CPRA has expanded the scope of information that consumers can request from businesses, including categories of personal information, categories of sources of collection, collection purposes, third-party access, and specific information collected.
Consumer Rights: The CPRA has added four new consumer rights, such as the right to correct, the right to restrict sensitive personal information, the right to access and opt-out, and the right to data portability.
Right to Delete: Article 1798.105 contains a key clause on the right to delete, which, while maintaining the basic framework established by the CCPA, provides consumers with the right to require businesses to 'delete any personal information collected from consumers by the business.' In addition, businesses that receive a consumer's deletion request must notify and instruct third parties that have purchased or received consumer personal information to delete such information, and certain service providers and contractors must also convey the deletion request to downstream departments.
