CCPA: Understanding the California privacy act and its enhancement (CPRA)


California dreamin’? Well, it’s not so breezy when it comes to data privacy! Did you know that California has some of the most stringent data privacy laws in the United States? 

As a business owner, it’s essential to understand how these regulations affect you. In this post, we’ll explore the ins and outs of the California Consumer Privacy Act (CCPA) and its enhancement, the California Privacy Rights Act (CPRA). 

Short summary

  • California privacy law is a set of rules that gives Californian consumers control over their personal information and requires businesses to protect it
  • It includes the CCPA, which establishes the right to privacy and regulations for data collectors, as well as the more recent CPRA, which adds further consumer protections
  • Businesses must comply or face penalties such as fines and damages. Understanding key definitions (such as “personal information”) helps ensure compliance

Overview 

In this article, we’ll look at:

  1. The California Consumer Privacy Act (CCPA) and 
  2. The California Privacy Rights Act (CPRA)

These laws aim to give Californian consumers more control over their personal information while requiring businesses to maintain reasonable security procedures to protect consumer data. The introduction of these laws has changed the privacy and data security landscape and forced companies to rethink their data collection and management practices.

Organizations need to understand their obligations under these laws, as the laws protect various types of personal information, including unique identifiers such as a person’s driver’s license number and internet protocol (IP) address.

The California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) provides California residents with specific privacy rights and applies to businesses that collect personal data, operate in California, and meet certain criteria. These businesses must comply with California or federal law regarding data privacy and ensure they have secure procedures and practices in place to protect consumer data.

CCPA defines a “sale” of personal information as when a business sells, rents, releases, discloses, disseminates, makes available, transfers, or otherwise communicates a consumer’s personal information to another business or a third party for monetary or other valuable consideration. It also introduces the concept of a “service provider.”

A service provider is a third-party entity that receives personal information from, or on behalf of, a business and processes that information under a written contract, provided the contract prohibits the entity from retaining, using, or disclosing the personal information for any purpose other than performing the services specified in the contract.

The main goal of the CCPA is to give California residents the right to privacy, such as the right to delete, correct, know, and opt-out.


The California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) amends and adds provisions to the CCPA, further strengthening consumer privacy protections. One of the significant changes introduced by the CPRA is the establishment of the California Privacy Protection Agency, a dedicated enforcement authority for privacy laws.

The CPRA expands the scope of businesses liable under the CCPA, increasing the number of consumers it applies to and broadening its reach to include not just selling but also sharing personal information. 

It also introduces new requirements for websites, such as providing links labeled “Do Not Sell Or Share My Personal Information” and “Limit The Use Of My Sensitive Personal Information,” enabling California residents to limit the use and disclosure of their personal and sensitive personal information.

Additionally, the CPRA has rules in place for behavioral advertising, which uses personal information to target Californians with marketing based on profiling. Under the CPRA, businesses must limit the collection, use, and retention of personal information to purposes that (1) a consumer would reasonably expect, (2) are compatible with the expectations disclosed to the consumer, or (3) the consumer has consented to (as long as that consent was not obtained through dark patterns). For all of these purposes, the collection, use, and retention must be reasonably necessary and proportionate to serve those purposes.

Key Definitions in California Privacy Laws

Overwhelmed yet? Okay, let’s break this down a bit more. To navigate California privacy laws effectively, it is crucial to understand the key definitions. These terms include personal information, sensitive personal information, and consumer information.

Each term plays a vital role in understanding the scope and applicability of the CCPA and CPRA.

1. Personal Information

Personal information, as defined by CCPA, includes any information that identifies, relates to, or could be linked to a specific individual or household, such as:

  • Name
  • Address
  • Email
  • Records of products purchased
  • Internet browsing history
  • Geolocation data
  • Fingerprints
  • Inferences from other personal information that could create a profile about the consumer’s preferences and characteristics. 

However, publicly available information from government records, information lawfully available to the public, and certain information a consumer shares are excluded from personal information under CCPA.

2. Sensitive Personal Information

Sensitive personal information is a subset of personally identifiable information that carries higher risks if mishandled. 

Examples of sensitive personal information include:

  • Social Security number
  • Driver’s license number
  • Financial account numbers
  • Health information
  • Internet protocol address
  • Precise geolocation data
  • Biometric information

It is crucial to correct inaccurate personal information to minimize these risks, as inaccurate personal information can lead to further complications.

CPRA further expands the definition of sensitive personal information to include information revealing ethnicity, religious or philosophical beliefs, health information, and more.

3. Consumer

In the context of California privacy laws, a ‘consumer’ is a natural person who is a resident of California. This definition highlights the laws’ focus on protecting the privacy rights of California residents.

Many businesses are impacted by CCPA

California privacy laws apply to various types of businesses, including those that control or are controlled by a business or those with contractual obligations stemming from a business. 

Both CCPA and CPRA have specific criteria that businesses must meet to be subject to these laws.

Businesses must understand their obligations under these laws to protect consumer personal information and maintain compliance.

CCPA and CPRA applicability

The CCPA applies to for-profit businesses that do business in California and meet any of the following:

  • Have a gross annual revenue of over $25 million
  • Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

If a business violates CCPA, a court may impose penalties that the court deems appropriate.

Some exceptions to personal information apply under CCPA, such as publicly available information from local government records and certain types of information.

CPRA brings changes to the applicability of privacy laws on businesses. It expands the scope of businesses liable under CCPA by raising the threshold of California residents, households, or devices whose personal information a business buys, sells, or shares from 50,000 to 100,000, and by covering the sharing of personal information in addition to its sale.

CPRA also introduces new requirements for websites to provide links for California residents to limit the use and disclosure of their sensitive personal information.


Consumer rights under CCPA

California privacy laws, including CCPA and CPRA, provide consumers with specific rights regarding their personal information. These rights empower consumers to have more control over their data and help ensure businesses handle personal information responsibly and transparently.

Businesses must comply with these laws or face potential fines and other penalties. Consumers can exercise their rights by submitting requests to businesses, such as the right to access, delete, or opt-out.

CCPA consumer rights

Under CCPA, consumers have:

  • The right to know what personal information is being collected, and
  • The right to request deletion of personal information.

Consumers can ask businesses to disclose the categories of personal information collected, used, shared, or sold about them and the reasons for doing so, including any instances of selling consumers’ personal information.

Businesses must provide consumers with at least two methods to submit their requests, such as email, website form, or hard copy form. Businesses have 45 calendar days to respond to a request, with the possibility of extending the deadline to 90 days if they inform the consumer.

CPRA Consumer Rights

The CPRA introduces new rights for consumers in addition to those provided by the CCPA. For example, California residents can now request businesses to stop sharing their personal information with providers of targeted advertising services.

This right to opt-out of behavioral advertising strengthens consumer privacy by giving them more control over their personal information.


Compliance challenges and best practices

Complying with California privacy laws can be challenging for businesses, especially those that handle large amounts of personal information. 

However, adopting best practices such as proper data collection and management and implementing effective consent and opt-out mechanisms can help businesses stay compliant and protect consumer privacy. Working with the experts at Thoropass will set you on a path to pain-free compliance!

Data collection and management

Proper data collection and management practices are essential for businesses to comply with California privacy laws. 

The CCPA requires businesses to inform consumers about the categories of personal information they collect and the purposes for which they use it. Additionally, businesses must provide consumers with the option to opt out of the sale of their personal information.

Implementing secure data collection and management practices can help businesses protect consumer personal information and maintain compliance with privacy laws.

Implementing effective consent and opt-out mechanisms is another crucial aspect of complying with the CCPA. The CPRA, for example, requires businesses to allow consumers to opt out of sharing their personal information for cross-context behavioral advertising.

By providing clear and easy-to-use consent and opt-out mechanisms, businesses can ensure they respect consumer privacy rights and maintain compliance with privacy laws.

Enforcement and penalties

What are the consequences of getting it wrong? Basically, you don’t want to end up there…

Understanding the enforcement authorities and potential penalties is essential for businesses to take privacy laws seriously and prioritize compliance.

Enforcement authorities

The California Privacy Protection Agency and the California Attorney General’s office are responsible for enforcing California privacy laws. These authorities ensure businesses comply with the CCPA and CPRA, protecting consumer privacy and holding non-compliant businesses accountable.

Potential penalties

Businesses that fail to comply with California privacy laws can face penalties of up to $7,500 USD for intentional violations or $2,500 USD for unintentional ones. Consumers can also take legal action against businesses for damages, such as statutory damages ranging from $100 to $750 per consumer per incident, actual damages, injunctive or declaratory relief, and any other relief the court deems appropriate.

To minimize the risk of penalties, businesses must take privacy laws seriously, implement secure data practices, and prioritize compliance.

Conclusion: The CCPA plays a critical role in protecting consumers

The CCPA and CPRA play a critical role in protecting consumers’ personal information and holding businesses accountable for their data practices. As a business owner or consumer, understanding these laws and their implications is essential for navigating the evolving privacy landscape.

By implementing best practices in data collection and management, consent and opt-out mechanisms, and staying informed about enforcement and penalties, businesses can successfully comply with California privacy laws and protect consumer privacy. Remember, privacy is not just a legal requirement but also a fundamental right that builds trust between businesses and consumers.

FAQs about the CCPA and CPRA

Still confused? Here are some of the most frequent questions we’re asked about the California Privacy Act:

The California Privacy Rights Act (CPRA) is the new privacy law in California, which came into effect on 1st January 2023. It will be in full force from 2023 onward. CPRA amends the California Consumer Privacy Act (CCPA) and introduces additional privacy protections for consumers.


The CPRA is an amendment to the CCPA, introducing stricter regulations and additional consumer privacy protections. Unlike the CCPA, the CPRA establishes the California Privacy Protection Agency, a dedicated enforcement authority for privacy laws.

The main privacy laws in California are the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). These laws apply to businesses that collect, use, or share personal information of California residents and meet specific criteria.

The CCPA regulations in California provide consumers with the right to know what personal information is being collected, the right to request deletion of personal information, and the right to opt out of the sale of their personal information.

These rights are important for protecting consumer privacy and ensuring that companies are transparent about their data collection practices.

The California Consumer Privacy Act (CCPA) applies to for-profit businesses that do business in California and have an annual gross revenue of over $25 million, or that buy, sell, or share the personal information of 100,000 or more California residents, households, or devices.

Businesses subject to the CCPA must meet the requirements outlined in the law to be compliant.

Staying compliant with the CCPA can be a challenge, but organizations need to protect consumers’ data. Companies must ensure that they are collecting only relevant information, giving users access to their data, and properly notifying them about third-party vendors who have access to it.

Taking these steps will help companies meet the requirements of the CCPA and keep consumers’ data safe.
