The California Privacy Rights Act (CPRA) is best read as an extension of its predecessor, the California Consumer Privacy Act (CCPA): it expands the scope and the consumer rights under the CCPA and makes them more precise. Here is a brief roundup of the key areas of difference between GDPR, CCPA and CPRA:
- Enforcement of the Law
- GDPR: Enforced regionally by the Data Protection Authority (DPA) that each EU member state sets up.
- CCPA: Under the office of California’s Attorney General.
- CPRA: A newly established California Privacy Protection Agency (CPPA) is vested with full administrative power to implement and enforce the Act.
- Scope and Applicability
- GDPR: It has three kinds of scope:
- Geographic: Protects individuals in the EU, and also binds companies outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
- Type of data: Covers any processing of personal data, from collection onward.
- Use of data: Applies to both data ‘controllers’ and ‘processors’.
- CCPA: It also applies in three contexts:
- Individuals: All residents of California.
- Businesses: Those that have annual gross revenue above $25 million, or buy, sell or receive the PI of 50,000 or more consumers, households or devices, or derive 50% or more of their annual revenue from selling PI (meeting any one of the three is enough).
- Use of data: All collection, processing and sale of PI.
- CPRA: It has modified the breadth of CCPA’s scope for businesses in 3 ways:
- The consumer PI threshold is raised to 100,000 consumers or households, and devices no longer count towards it.
- The 50% of revenue test now also covers businesses that share PI, not only those that sell it.
- Two kinds of advertising are recognised: “cross-context behavioural advertising” and “non-personalized advertising.”
- Opt-in/Opt-out Restriction of Processing
- GDPR: Processing needs a lawful basis; where that basis is consent, it must be an affirmative opt in (for example an ‘accept cookies’ prompt for tracking technologies), and pre-ticked boxes do not count. Further, data subjects may request restriction of processing if:
- The accuracy of the data is contested.
- The processing is unlawful.
- The controller no longer needs the PI for its purposes, but the data subject needs it for legal claims.
- CCPA: Businesses must offer a clearly visible ‘Do Not Sell My Personal Information’ link. Such an opt out restricts only the selling of data, not other uses. The opt out must involve minimal steps and be easy for users to exercise.
- CPRA: In addition to the CCPA rights, it contemplates a right to opt out of automated decision-making technology, including ‘profiling’. Opt out under CPRA is also wider in that it:
- Extends to the sharing of PI for cross-context behavioural advertising, not only to selling.
- Requires opt in (rather than opt out) before selling or sharing the PI of consumers under 16.
- Personal Data/Information
- GDPR: Any information relating to an identified or identifiable natural person, including publicly available data.
- CCPA: Information that identifies, relates to, or could reasonably be linked with a particular consumer or household, e.g. information collected through a mobile application; the emphasis is on a ‘reasonable link’ between the PI and the consumer. Businesses must also provide just-in-time notices where a consumer would not reasonably expect the collection.
- CPRA: Adds ‘sensitive personal information’ as a newly regulated category, covering data such as race, ethnicity and similar categories.
- Right to Erasure/ Deletion/ Correction/ Restriction
- GDPR: These rights apply to personal data regardless of how it was obtained. Erasure can be demanded, for instance, when the purpose of collection no longer exists or there is no longer a legal ground for processing.
- CCPA: The deletion right applies only to data collected directly from the consumer, not to data obtained from third parties. Exceptions apply where the data is necessary to:
- Comply with a legal obligation
- Detect security incidents, fraudulent acts etc.
- CPRA: In addition to the pre-existing framework, it has introduced:
- The right to delete now flows down the chain: the business must direct its service providers, contractors and any third parties to which it sold or shared the PI to delete it too.
- Right to correction of inaccurate data added.
- Right to restrict use and disclosure of sensitive PI for secondary purposes.
- Right to Access/ Disclosure
- GDPR: Controllers must inform data subjects of their rights. Data subjects may request access to their personal data, and the request must be answered within one month (extendable in complex cases).
- CCPA: Disclosure rights are similar to GDPR’s; businesses must respond within 45 days, and the response covers data from the 12 months preceding the request.
- CPRA: Allows consumers to make ‘access’ requests seeking meaningful information about automated decision-making, including the logic involved and a description of the likely outcome of that process for the consumer.
- Portability Requirement
- GDPR: Data subjects have the right to request transmission of data to another controller without hindrance from the original controller.
- CCPA: No standalone portability right, but information provided in response to an access request must be in a portable and, to the extent technically feasible, readily usable format.
- CPRA: Consumers may request that the business transmit specific pieces of PI to another entity, where technically feasible.
- Identity Verification
- GDPR: Does not prescribe a specific verification method; a controller that has reasonable doubts may ask for additional information to confirm the requester’s identity.
- CCPA: A business must establish, document and comply with a reasonable method for verifying that the person making a request is the consumer about whom it has collected information.
- High-Risk Assessment/DPIA
- GDPR: Requires a DPIA for any processing likely to result in a high risk to the rights and freedoms of data subjects.
- CCPA: Does not require a DPIA, but imposes a duty to implement and maintain reasonable security procedures.
- CPRA: Requires businesses whose processing of PI presents significant risk to consumers’ privacy or security to:
- Perform an independent cybersecurity audit annually.
- Submit to the California Privacy Protection Agency, on a regular basis, a risk assessment of their processing of PI, stating whether it includes sensitive PI.
- Limits on Data Collection/Processing/Storage
- Both GDPR and CPRA have three broad limitations which include:
- Data minimisation: Limits data collection to only what is required to fulfil a specific purpose.
- Purpose limitation: Personal data collected for one purpose should not be used for a new, incompatible purpose.
- Storage limitation: personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Penalties
- GDPR: National authorities assess fines, which must be effective, proportionate and dissuasive in each case. Fines can reach 20 million euros or 4% of the company’s total worldwide turnover for the preceding financial year, whichever is higher.
- CCPA: Civil penalties of up to $2,500 per unintentional violation and up to $7,500 per intentional violation. A business is not liable if it cures the non-compliance within 30 days of being notified of the alleged violation.
- CPRA: Raises the penalty to $7,500 for each violation involving the personal information of consumers under the age of 16, and eliminates the 30-day cure period.
Changes ahead of CPRA and how businesses can tackle them
- What’s new for consumers and companies?
CPRA creates a new government agency dedicated to the enforcement of, and compliance with, the new rules. A dedicated agency for CPRA means:
- Higher accountability for companies.
- Service providers are responsible for helping companies fulfil requests relating to the information they hold, such as deleting it.
Consumers also benefit: they can now correct personal information that a company has collected.
- What are the changes in kinds of data?
CPRA adds a subcategory called Sensitive Personal Information (SPI), which includes data such as account log-in credentials, race, ethnicity, biometric data and precise geolocation.
- How can businesses ensure better compliance with CPRA?
- Honour opt ins and opt outs: Run one uniform process for receiving and quickly fulfilling privacy requests, and obtain consent where the law requires it before processing data.
- Comply regardless of where you are located: CPRA protects California residents wherever they happen to be, and a business does not have to be based in California to be covered; any business that does business in California and meets the thresholds is in scope.
- Keep up to date with changes to the definition of PI: Revisit how personal information is used each time a privacy regulation change is announced.
- Keep customers in the loop: Regularly tell customers how their data is collected and used.
- Who falls under its scope?
CPRA has modified the scope of the CCPA: it applies to “businesses”, which fall into the following four categories:
- Directors of Processing
Entities that direct the processing of personal information. To qualify as a business, an organisation must:
- Be a legal entity organised or operated for the profit or financial benefit of its shareholders or other owners.
- Collect personal information, or have it collected on its behalf.
- Determine the purposes and means of processing that personal information.
- Meet one or more of the following criteria:
- Have had gross annual revenue above $25,000,000 in the preceding calendar year.
- Buy, sell or share the personal information of 100,000 or more consumers or households.
- Derive 50 per cent or more of its annual revenue from selling or sharing personal information.
- Common Branding
Entities that control, or are controlled by, a business that directs the processing of personal information. To qualify, the potential business must:
- Share common branding with the covered business, and
- Have consumers’ personal information shared with it by the covered business.
- Joint Ventures
The joint venture or partnership, and each business that makes up the entity, are treated as separate, independent businesses. This implies that:
- personal information held by one constituent business and disclosed to the joint venture or partnership shall not be shared with the other constituent business.
- Certified Business
An entity that does business in California and voluntarily certifies to the Agency that it is in compliance with, and agrees to be bound by, the CPRA.