Today’s businesses operate in a global landscape where data privacy and security compliance are more complex than ever. Case in point, there is a significant amount of uncertainty about the upcoming CPRA requirements and how it differs from the CCPA. Let’s look at CPRA vs. CCPA.
CPRA Vs CCPA
The California Privacy Rights Act strengthens the consumer privacy rights outlined in the CCPA and establishes new data security requirements for businesses with enforcement beginning on July 1, 2023.
Businesses must protect the privacy of personal information, including taking steps to implement authentication procedures, updating policies, and securing user data. In addition, businesses must comply with CPRA by July 1, 2023, or face potential fines, lawsuits, and more.
In terms of CPRA vs. CCPA, it is important to note that the CPRA does not replace the CCPA. Instead, the CPRA amends CCPA by adding clarifications and strengthening provisions.
What is the California Consumer Privacy Act (CCPA)?
Enacted in 2018, the CCPA was the first significant privacy law in the US after the EU adopted the General Data Protection Regulation (GDPR).
The CCPA is a baseline law that created consumer privacy protections like the right to know what personal information a business collects and shares. It required companies to provide notice of their data practices and more. It applies to all businesses operating in California, whether they have a presence in the state or not.
What is the California Privacy Rights Act (CPRA)?
The CPRA builds upon the CCPA by further expanding consumer privacy rights and strengthening data protection requirements. For example, the CPRA grants consumers even more control over their personal information by requiring businesses to obtain explicit consent for data processing activities outside the scope of contractual necessity or legal obligation. It also adds more data security requirements and expands the scope of data security procedures covered by the law.
Key Differences Between CCPA and CPRA
Businesses should note that the main distinction between the CCPA and CPRA is the addition of strict consumer data privacy and security provisions. For example, the creation of a new category of sensitive personal information expands the data types that are subject to greater protection measures. Additionally, the mandatory cybersecurity and risk assessments and third-party audits required for some businesses will add additional layers of complexity to compliance programs.
CPRA Data Security Updates
Here are some data security requirements outlined in the CPRA:
- Reasonable security measures: California privacy law expects businesses to implement “reasonable” security measures to protect the personal data they collect.
- Sensitive personal information protection: CPRA expands the categories of personal information, and businesses must employ reasonable security measures to protect this data, including encryption and access controls.
- Annual security audits: The CPRA requires that businesses performing higher-risk processing (as defined by the CPPA) conduct annual cybersecurity and risk assessments, as well as vulnerability assessments and penetration testing.
- Third-party vendor security: Companies must conduct due diligence on vendors that handle personal information, ensure they have adequate data protection measures in place, and only transfer data to vendors with confidentiality agreements in place.
- Training and education: Businesses must train their employees to manage personal data and ensure they understand how to protect it.
- Data breaches: The CPRA now considers email account leaks as data breaches, particularly if such leaks result in the exposure of personal details linked to people residing in California, as well as when security question leaks occur.
- Data minimization and retention: Companies must limit the data they collect, store, and retain to a reasonable amount necessary for their operations.
Potential Consequences of Non-Compliance
The potential outcomes of non-compliance are significant. The CPRA clarifies consumers’ rights to sue for violations and creates the California Privacy Protection Agency (CPPA) to enforce the CCPA and CPRA. Companies that violate the laws can face hefty fines and sanctions, including criminal penalties or suspension of the company’s ability to conduct business in the state. Additionally, organizations that fail to comply could become subject to costly and time-consuming lawsuits.
Announced in August 2022, the first enforcement action of the CCPA was a $1.2 million settlement against Sephora for neglecting to inform consumers about the sale of their data and to adequately process sale consumer opt-outs.
Enforcement actions are expected to increase after the full force of the CPRA goes into effect in July 2023.
How to Navigate a Changing Regulatory Landscape
It is critical to know what data your business collects and how it is secured to ensure compliance with the CCPA and the CPRA. Working with an IT partner that understands data privacy laws and regulations and data security requirements is essential for organizations looking to stay compliant in this increasingly regulated environment.
Your organization may also be required to follow additional requirements like the European GDPR or New Yorks’s Shield Act. By enlisting the services of a qualified IT services provider, organizations can make certain they are up to date on all the latest regulations and utilizing best practices for data protection. In addition, having an experienced IT partner means businesses can avoid disruptions and safeguard operations and focus on growing their bottom line.