The 2018 California Consumer Privacy Act (CCPA) protects the privacy of California residents by regulating how companies collect, store, share, and sell personal information.

The 2020 California Privacy Rights Act (CPRA) is an amendment to the CCPA. CPRA grants consumers additional rights to prevent the sharing of sensitive personal information, for example, in targeted advertising campaigns.

CPRA significantly changed the scope of the CCPA. Companies active in California must understand how the amendment affects their regulatory compliance strategy. This article will provide a comprehensive CCPA vs CPRA comparison to clarify critical differences.

Key takeaways

  • CCPA overview: The CCPA grants California residents six core privacy rights, including access to personal data, opt-out of data selling, and deletion of unnecessary information. The 2020 CPRA amendment strengthens the CCPA by adding new consumer rights, imposing stricter penalties for sensitive data breaches, and creating the California Privacy Protection Agency (CPPA) for enforcement.
  • Sensitive Personal Information (SPI): CPRA introduces SPI, a new category of highly sensitive data (e.g., SSNs, medical history) requiring stricter protection and higher penalties for breaches.
  • Expanded consumer rights: CPRA extends CCPA rights, allowing consumers to correct data, opt out of automated decision-making, and access historical data beyond the 12-month CCPA limit.
  • Compliance changes: CPRA raises data processing thresholds, mandates annual privacy risk assessments, and removes the 30-day cure period for violations, increasing compliance obligations for businesses.
  • Enforcement and penalties: CPRA shifts enforcement to the CPPA, increases penalties for violations involving minors, and expands private action rights for consumers in cases of data breaches.

What is CCPA?

The California Consumer Privacy Act was enacted in 2018. It protects the data privacy of California residents and seeks to make data processing activities more transparent and accountable.

At its core, the CCPA defines six rights relating to data privacy. California residents have the right to:

  • Access personal information held by covered entities
  • Opt out of data selling
  • Know about data collection policies
  • Know when companies share or sell their data to third parties
  • Delete unnecessary personal information
  • Enjoy equal treatment (non-discrimination)

Initially, covered entities included businesses active in California that had revenues exceeding $25 million, processed the data of 50,000 Californian individuals or households, or derived more than 50% of their revenues from collecting or processing personal information.

What is CPRA?

The California Privacy Rights Act was enacted in 2020 as an amendment to the CCPA. Privacy groups fought for the amendment to extend the privacy protections and rights provided by the CCPA.

The amendment strengthened penalties for disclosing sensitive personal information, added new consumer rights, and added extra protection for the data privacy of children. It included a requirement for businesses to carry out privacy risk assessments and created the California Privacy Protection Agency (CPPA).

The California Privacy Protection Agency replaces the Office of the California State Attorney General as the owner and administrator of the CCPA. CPPA now investigates violations and launches enforcement actions if appropriate. It also receives and approves privacy audits from covered entities.

The CPRA also modified the scope of the CCPA. The CPRA only covers businesses that handle the data of over 100,000 individuals or households. The 50% data processing threshold remains in place, while the revenue threshold rises with inflation.

Does the CPRA replace the CCPA?

Yes and no. The CPRA is an amendment, and most CCPA components remain in force. Existing compliance measures cover many core privacy requirements. However, companies must adapt their CCPA compliance strategy to accommodate the new rules and rights.

The key takeaway is that the CPRA significantly extends the scope of the CCPA. More robust enforcement, additional consumer rights, and the creation of SPI complicate the risk landscape for companies operating in California. For instance, businesses now need to focus on data security to avoid SPI disclosure and invest in systematic risk assessments to satisfy CPPA requirements.

So while the California Privacy Rights Act is not a replacement for the CCPA, it requires a fresh assessment of compliance risks. In many cases, companies will need to change the way they collect, store, use, and share personal information.

Key differences between CCPA and CPRA

The best way to adapt your compliance strategy is by understanding new elements introduced under the CPRA and what remains from the original CCPA. Critical areas of difference include:

Key definitions

The CCPA failed to define critical concepts. This led to confusion for covered entities and inadequate regulatory outcomes for consumers. The CPRA tackled these gaps, introducing several new definitions to make the Act more effective. Definitions include:

  • Sharing: CPRA defines sharing as "The disclosure of personal information to third parties for the context of behavioral advertising and includes sharing for free, monetary gain, or any other value."
  • Contractor: Contractors are essentially third-party entities that handle personal data. CPRA defines a contractor as "An individual who an organization has made a consumer’s personal information available to for business purposes established by a written contract."

Personal information

CCPA defined "personal information" as "Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

This broad definition did not distinguish between different levels of disclosure. For example, information about the auto shop used by an individual is less sensitive than their medical history. Both pieces of information could be used to identify someone.

CPRA adds a new category of sensitive personal information (SPI). This data category qualifies for stricter security protection. Companies that disclose sensitive personal information are subject to higher penalties than organizations that disclose low-level information. SPI includes:

  • Social Security numbers
  • Driver's license numbers
  • Personal addresses
  • State ID numbers
  • Passport numbers
  • Financial credentials
  • Geolocation data
  • Immigration status
  • Citizenship status
  • Biometrics and genetic data
  • Information about religious beliefs
  • Information about an individual's sexuality
  • Medical data
  • Ethnic origins

Publicly available information

The CCPA defined publicly available information as "anything lawfully made available from federal, state, or local government records." CPRA tightens this vague definition to help covered entities determine what constitutes a consumer's personal information.

Under CPRA, publicly available information has three components:

  • Information available in federal, state, or local government records.
  • Information that companies "reasonably believe" is available via "widely distributed media or by the consumer."
  • Information disclosed by an individual to others, provided the individual has not "limited the information to a specific group or people."

Data sharing and selling

CCPA allowed consumers to opt out of data selling and required businesses to notify customers about data sharing and selling practices. The Act also covered all businesses that derived over 50% of their revenues from data processing.

CPRA extends the data protection clauses of CCPA. CPRA now applies to all companies that derive over 50% of revenues from data sharing and selling. Companies must allow customers to opt out of data sharing with third parties, as well as selling.

Data processing thresholds

Under CCPA, covered entities include businesses that handled the data of over 50,000 individuals or households.

CPRA eases the burden on some businesses by raising the processing threshold: the law now covers companies handling the data of over 100,000 individuals or households.

Data minimization

The CCPA did not specify legitimate reasons to collect personal information or limits on how much data companies could collect.

The CPRA remedies this gap. Businesses can only collect personal information that is "reasonably necessary" for a specific business purpose. Companies must state the reasons for data collection when requesting consent.

Deleting data

The CCPA included a right to delete personal data. The CPRA extends this right to third parties. Companies must now ask data processing partners to delete personal information if requested by individuals.

Consumer rights

The CCPA defined six data privacy rights: the right of access, deletion, non-discrimination, opt-out of data selling, knowledge of data collection policies, and knowledge of data sharing or selling practices.

CPRA extends the consumer rights protected by CCPA. The amendment requires companies to:

  • Inform individuals if their data will be processed by automated tools.
  • Enable opt-outs of automated data profiling or decision-making tools.
  • Allow consumers to correct data.
  • Prevent sharing data with third parties if consumers desire.
  • Provide user data in a standardized, machine-readable format (portability).

Look-back periods

Under CCPA, individuals could request personal information held by companies over the past 12 months. CPRA removes this restriction. Individuals can now request historical data. Businesses must comply unless they show that doing so is impossible or incurs disproportionate costs.

Risk assessments

CCPA did not include any clauses relating to risk assessments. Companies did not need to submit mandatory risk assessments to regulators.

CPRA changes this. Companies must now assess data privacy risks. They must submit an annual risk assessment to the CPPA. Failure to do so can result in enforcement actions and higher fines when regulatory violations occur.

Consent

The CCPA included relatively loose consent requirements. The CPRA tightens consent policies, aligning California privacy law more closely with the EU's GDPR. Now, companies must request consent to:

  • Share personal information after consumers have previously opted out of data collection.
  • Sell or share the personal data of minors.
  • Share or sell personal information to third parties.
  • Use personal information for research.
  • Use personal information as part of financial incentive products.

Companies must provide detailed consent forms before they start gathering data. According to the CPRA, individuals must consent to share data for "a narrowly defined particular purpose."

Protecting the data of minors

The CCPA required companies to gain consent from customers aged 13 to 16 and their legal guardians before gathering personal information.

The CPRA strengthens this consent requirement. Companies must wait 12 months before repeating consent requests. CPRA also reinforces CCPA protections for the data of minors under 16. Now, all data breaches involving children count as "intentional" violations.

Enforcement methods

Under CCPA, the Office of the California Attorney General was responsible for enforcement. CPRA changes this arrangement by creating the California Privacy Protection Agency. The CPPA now registers covered entities, handles risk assessments, and launches enforcement actions.

The CCPA also provided a 30-day cure period to remedy privacy issues before launching enforcement lawsuits. The CPRA removes this cure period.

Private actions and data security

CCPA allowed individuals to bring private civil actions against businesses that violated their privacy rights. Private actions were allowable if companies failed to encrypt or redact personal information, and this data was subsequently exposed in a data breach.

CPRA extends the scope for private actions. Consumers can bring lawsuits against companies that:

  • Expose email addresses or login credentials to external actors.
  • Expose private data via poor encryption and redaction.
  • Implement reasonable security measures only after a data breach rather than before it.

These extensions place additional data security obligations on covered entities. Measures to remedy security risks must now be part of annual risk assessments, and failure to secure personal information may incur maximum CCPA penalties.

Compliance penalties

The original CCPA mandated a maximum fine of $2,500 per violation for unintentional offenses and a $7,500 per violation maximum for serious intentional violations. Private actions following enforcement action could also incur $750 penalties per violation.

The CPRA retains these penalties but adds a new element. All violations involving the data of minors now count as "intentional" and incur the maximum penalty.

As noted above, the enforcement body has changed, as has the scope for private actions. Overall, these changes expand the options available to individuals and slightly raise compliance risks for covered entities.

Who needs to comply with CCPA and CPRA?

The scope of the 2018 CCPA included companies with turnover greater than $25 million, companies that handle the personal information of over 50,000 Californians, and companies where data processing accounted for greater than 50% of revenues.

The CPRA slightly changes who falls under the CCPA umbrella. The turnover threshold is now indexed to inflation and reached $26,625,000 in 2024. This will likely rise further in step with general price levels.

Companies earning over half of their revenues from data processing must still comply. The major change is in the data collection threshold. Now, only companies that handle the personal information of over 100,000 Californians must comply.

In summary: CCPA vs CPRA

The California Privacy Rights Act significantly amends the California Consumer Privacy Act by strengthening the protection of sensitive personal information.

Companies active in California must now assess privacy risks and submit annual reports to a new regulator, the CPPA. The CPRA demands robust data security measures to prevent data breaches and expands the right to correct and control a consumer's personal information.

Other amendments protected the data of minors, enhanced access to historical data, and removed the cure period to remedy privacy issues.

The overall result is a more robust regulatory environment that safeguards individual privacy and gives Californians greater control over how companies use their data.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consult a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.