CCPA REFRESHER

The CCPA, broadly speaking, is a legislative initiative that intends to enhance privacy rights and protect consumers who reside in the state of California. The legislation makes the consumer the owner of their personal data. On June 28, 2018, the CCPA was signed into law, with an effective date of Jan. 1, 2020. The CCPA provides consumers with certain rights that can be divided into the following categories:

• Right to know (knowledge of the personal information collected by a business and how it is used or shared)
• Right to opt out (opt out of the sharing or sale of personal information)
• Right to request deletion (deletion of personal information, with some exceptions)
• Right to equal services and prices (nondiscrimination for exercising CCPA rights as a consumer)

Examples of data covered by the CCPA include, but are not limited to, the following:

• Identifying information such as names, addresses, IP addresses, and email addresses
• Internet activity records (including browsing and search history)
• Biometric information
• Commercial information
• Employment-related information

For additional information, see the State of California’s CCPA overview and FAQ page.

WHO MUST COMPLY WITH THE CCPA (AND THUS THE CPRA)?

For-profit businesses that collect personal information, determine how and/or why information is processed, do business in California, and meet one or more of the following criteria must comply with the CCPA:

• Gross annual revenue exceeding $25 million
• Buys, sells, or shares personal information of 100,000 or more consumers or households
• Derives 50% or more annual revenue from selling or sharing California residents’ personal information

In addition to for-profit businesses, some entities controlled by these businesses as well as certain joint ventures and partnerships are also subject to the CCPA. Generally, the CCPA does not apply to nonprofits or government agencies.

WILL THE CPRA REPLACE THE CCPA?

The short answer is no, the CPRA will not replace the CCPA. The CPRA is strictly an amendment to the CCPA in the California Civil Code that brings in new and additional privacy protection measures for consumers residing in California. Legally speaking, the CPRA is still referred to as “CCPA” or even “CCPA, as amended.”

ADMINISTRATIVE CONTROL OF THE CPRA

The CPRA amendment established the California Privacy Protection Agency (CPPA). The CPRA’s creation of the CPPA means that this agency now has full administrative control, authority, and jurisdiction to enforce and administer the CPRA. The CPPA takes control away from the attorney general’s office. Additionally, the CPPA’s rulemaking must comply with California’s Administrative Procedures Act (APA) and with the Bagley-Keene Open Meeting Act. These acts promote public transparency. Conveniently, and in alignment with the aforementioned transparency, the CPPA has a Laws & Regulations website to document its regulation-based activities.

NEW CONSUMER RIGHTS AND TERMS UNDER CPRA

The CPRA amendment brings with it two new consumer rights in addition to the rights listed in the CCPA:

1. Right to correct inaccurate personal information
2. Right to limit use, including disclosure, of sensitive personal information

The CPRA added a new definition in the amendment for sensitive personal information, which, per the Office of the Attorney General, “is a specific subset of personal information that includes certain government identifiers (such as social security numbers); an account log-in, financial account, debit card, or credit card number with any required security code, password, or credentials allowing access to an account; precise geolocation; contents of mail, email, and text messages; genetic data; biometric information processed to identify a consumer; information concerning a consumer’s health, sex life, or sexual orientation; or information about racial or ethnic origin, religious or philosophical beliefs, or union membership. Consumers have the right to also limit a business’s use and disclosure of their sensitive personal information.” The new CPRA definition can be interpreted as a nod to the General Data Protection Regulation (GDPR) in Europe.

CRPA COMPLIANCE, ENFORCEMENT, AND PENALTIES

As noted, Jan. 1, 2023, was the date when all of the CPRA’s amendments to the CCPA went into effect. This was also the date that businesses were required to comply with the whole statute (CPRA and CCPA). With that understanding, the CPRA includes a provision that delayed enforcement until July 1, 2023. This enforcement date gave businesses some leeway to get their data ducks in a row to adhere to the new amendments of the CCPA. As of this writing, the CPPA now has the authority to enforce the CCPA, as amended. Therefore, businesses could face some significant penalties for noncompliance with the CPRA. Section 1798.155 of the CCPA, Administrative Enforcement, highlights the following potential fines:

• A business, services provider, contractor, or other person in violation could be liable for an administrative fine not exceeding $2,500 for each violation, or
• A $7,500 fine for each violation that is either intentional or involves children

MOVING FORWARD

The CPRA amendments bring additional privacy protections to the residents of California. Enforcement is in full effect, and it’s just a matter of time before we see what case examples the CPPA brings forward.

OVERVIEW OF THE CCPA, CPRA, AND CPPA

With so many acronyms presented in this article, this table will help define the relationship among the CCPA, CPRA, and CPPA.