LESSONS LEARNED FROM CCPA AND CPRA 

Article by Tsaaro

Given the importance of data privacy and protection, various countries are enacting privacy laws to protect the rights of the individual. Laws already enacted are also being amended, reflecting the significance of privacy in today’s data-driven world.

Today, organizations are obliged to protect the personal data they collect and process, and compliance with existing laws and regulations is considered a top priority. Both individuals and organizations therefore need to be aware of the existing laws, regulations, and amendments, to avoid sky-high fines and, more importantly, to protect the rights of the individual.

One such notable amendment was made in the privacy laws of California. What’s new in this amendment? Let’s look into it. 

WHAT IS CCPA?  

CCPA stands for the California Consumer Privacy Act of 2018.

The CCPA gives consumers rights and control over their personal data. It mainly deals with two aspects: consumer rights and business regulations. The CCPA is the main privacy legislation in California.

It offers the residents of California various rights with respect to privacy. The following are the rights that the CCPA offers to consumers:

  • RIGHT TO KNOW – how the business uses and shares consumers’ personal information, and the purpose of collecting it.
  • RIGHT TO DELETE – the personal data that has been collected, with some exceptions.
  • RIGHT TO OPT OUT – or refuse the sale or sharing of personal data.
  • RIGHT TO NON-DISCRIMINATION – for consumers who exercise their rights under the CCPA.

The CCPA provides rights to consumers in California and applies to businesses that operate in California. It applies to businesses that have annual gross revenues above US$25 million, that manage and deal with the personal information of 50,000 or more consumers, or that earn more than half of their annual revenue from selling consumers’ data.

The businesses that are subject to CCPA have several responsibilities, which include responding to the requests of the customer to exercise their rights and giving the customers certain notices to explain their privacy practices. The application of CCPA extends to businesses including data brokers. 

WHAT DO CCPA REGULATIONS CONTAIN?  

The CCPA is accompanied by regulations called the California Consumer Privacy Act Regulations, under which businesses are required to inform consumers about their privacy practices through privacy notices.

The regulations also contain guidance on handling consumer requests, verifying the identity of the consumers who make the requests, and applying the law in the case of minors. In doing so, these regulations make it easier for consumers to exercise their rights under the CCPA.

As a final note, the CCPA regulations govern compliance with the California Consumer Privacy Act.

WHAT IS CPRA AND WHY DO YOU NEED TO KNOW ABOUT IT?

CPRA stands for the California Privacy Rights Act of 2020. In November 2020, voters approved Proposition 24, the California Privacy Rights Act of 2020. The CPRA is the amended version of the CCPA and adds new rights, which came into effect on January 1, 2023. Enforcement will begin on July 1, 2023.

The CPRA focuses on the rights of the residents of California and strengthens the existing rights. It also introduces new rights and agencies that will take up the rulemaking responsibility.

The introduction of the CPRA further expands the obligations of organizations to comply with the new rights and regulations.

So, data-driven organizations must be aware of the new regulations and rules that apply to the residents of California in order to comply with the law.

WHAT’S NEW IN CPRA? 

ADDITION OF NEW RIGHTS AND CHANGES IN EXISTING RIGHTS:  

  • RIGHT TO CORRECT – the personal information of the consumers that were collected by the organizations. 
  • RIGHT TO LIMIT – the use and disclosure of the sensitive personal information that was collected about them.  
  • RIGHT TO ACCESS and RIGHT TO DATA PORTABILITY – added as new rights.
  • CHANGES IN OPT-OUT RIGHT – the changes are made specifically to regulate cross-contextual behavioral advertising and its use of personal information.

CALIFORNIA PRIVACY PROTECTION AGENCY (CPPA):  

The CPRA establishes the California Privacy Protection Agency (CPPA) to implement and enforce the California Consumer Privacy Act. On October 21, 2012, the CCPA provided notice to the Attorney General that it was prepared to assume rulemaking responsibilities. Six months after this notice, the rulemaking authority transfers from the Attorney General to the CPPA.

So, the CPPA enforces the CPRA and CCPA. The CPPA is also responsible for initiating public campaigns to increase awareness and understanding of the privacy rights provided.

The rights of California residents are protected by the CPPA and it has four main functions including education, rulemaking, enforcement, and certification. 

On the whole, the CPPA acts as the lead enforcer and supervisor of the CCPA and CPRA data privacy regime.

CHANGES IN DEFINITION:  

The CPRA changes the definition of a business to exclude smaller businesses and includes bigger businesses that generate a large income from collecting, sharing, and/or selling the Personal Information (PI) of California residents.  

The CPRA creates a new category, Sensitive Personal Information (SPI), that is regulated separately and more strongly than Personal Information (PI).

CONSUMER REQUESTS:

The CPRA broadens the range of information that consumers can request from businesses, including the categories of personal information, categories of collection sources, third-party access, and the specific information collected.

CHANGE IN PENALTIES 

Under the CCPA, violations involving the personal information of minors under the age of 16 are fined $2500 per violation, the same as violations involving the personal information of adults. Under the CPRA, the fine is increased to $7500 per violation.

OTHER INCLUSIONS:  

The CPRA makes a business responsible for how third parties use, share or sell personal information that the business collected in the first place.

It adds provisions similar to the European Union’s General Data Protection Regulation (GDPR)  

It also expands the requirement for consent.  

ARE CCPA AND CPRA DIFFERENT? 

The CPRA amends the CCPA; it is not considered a separate law but an improved version of the CCPA. The CPRA contains some changes and improvements for the stronger protection of the consumer rights of California residents.

NEED FOR COMPLIANCE 

Note that businesses are fined for offenses or violations of the CPRA from July 1, 2023.

So, if you’re an organization that uses a large amount of data for its business, complying with the new law is advisable to avoid the fine.

Check out Tsaaro, where you can find skilled experts in the field of data protection and privacy, get compliance services from highly skilled data protection consultants, and get your organization to comply with the laws and build your customers’ trust! Take the first step towards securing your organization’s data by scheduling a call with our privacy expert team at Tsaaro Consulting today.
